Amazon Inspector
User Guide (Version Latest)

Amazon Inspector Assessment Targets

You can use Amazon Inspector to evaluate whether your AWS assessment targets (your collections of AWS resources) have potential security issues that you need to address.


In this release of Amazon Inspector, your assessment targets can consist only of EC2 instances that run on a number of supported operating systems. For more information about supported Linux-based and Windows-based operating systems, and supported AWS regions, see Amazon Inspector Service Limits.


For more information about launching EC2 instances, see Amazon Elastic Compute Cloud Documentation.

Tagging Resources to Create an Assessment Target

To create an assessment target for Amazon Inspector to assess, you start by tagging the EC2 instances that you want to include in your target. Tags are words or phrases that act as metadata for identifying and organizing your instances and other AWS resources. Amazon Inspector uses the tags that you create to identify the instances that belong to your target.

Every AWS tag consists of a key and value pair of your choice. For example, you might choose to name your key "Name" and your value "MyFirstInstance". After you tag your instances, you use the Amazon Inspector console to add the instances to your assessment target. An instance does not need to match more than one tag key-value pair.

When you tag your EC2 instances to build assessment targets for Amazon Inspector to assess, you can create your own custom tag keys or use tag keys created by others in the same AWS account. You also can use the tag keys that AWS automatically creates, for example, the Name tag key that is automatically created for the EC2 instances that you launch.

You can add tags to EC2 instances when you create them or add, change, or remove those tags one at a time within each EC2 instance's console page. You can also add tags to multiple EC2 instances at once using the Tag Editor.

For more information, see Tag Editor. For more information about tagging EC2 instances, see Resources and Tags.

Amazon Inspector Assessment Targets Limits

You can create up to 50 assessment targets per AWS account. For more information, see Amazon Inspector Service Limits.

Creating an Assessment Target (Console)

You can use the Amazon Inspector console to create assessment targets.

To create an assessment target

  1. Sign in to the AWS Management Console and open the Amazon Inspector console at

  2. In the navigation pane, choose Assessment Targets, and then choose Create.

  3. For Name, type a name for your assessment target.

  4. Use the Key and Value fields under Tags to enter the tag key-value pairs that select the EC2 instances that you want to include in this assessment target.

  5. Choose Save.


For your existing assessment targets, you can use the Preview Target button on the Assessment Targets page to review all EC2 instances that are currently included in the assessment targets. For every EC2 instance listed, you can review the hostname, instance ID, IP address, and the status of the Amazon Inspector Agent that is running on the EC2 instance. The agent status can have the following values: HEALTHY, UNHEALTHY (displayed when the agent is reporting that it is not in a healthy state), and UNKNOWN (displayed when Amazon Inspector is unable to determine whether there is an Amazon Inspector Agent running on the EC2 instance).
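The console procedure and the target preview described above, scripted against the Amazon Inspector API with boto3. This is an added example, not part of the original guide. The target name `ExampleTarget` and the helper function names are assumptions; the tag pair is the one used earlier on this page.

```python
"""Create an Amazon Inspector assessment target from tags, then preview its agents."""

NOT_READY = {"UNHEALTHY", "UNKNOWN"}  # the non-healthy agent states listed in this guide


def create_target(inspector, name, tags):
    """tags: dict of tag key -> value. Returns the new assessment target ARN."""
    group = inspector.create_resource_group(
        resourceGroupTags=[{"key": k, "value": v} for k, v in tags.items()]
    )
    target = inspector.create_assessment_target(
        assessmentTargetName=name, resourceGroupArn=group["resourceGroupArn"]
    )
    return target["assessmentTargetArn"]


def preview_target(inspector, target_arn):
    """Return every agent preview for the target, following pagination."""
    previews, token = [], None
    while True:
        kwargs = {"previewAgentsArn": target_arn}
        if token:
            kwargs["nextToken"] = token
        page = inspector.preview_agents(**kwargs)
        previews.extend(page.get("agentPreviews", []))
        token = page.get("nextToken")
        if not token:
            return previews


def agents_needing_attention(previews):
    """(instance ID, status) for each agent reported as UNHEALTHY or UNKNOWN."""
    return sorted(
        (p["agentId"], p.get("agentHealth", "UNKNOWN"))
        for p in previews
        if p.get("agentHealth", "UNKNOWN") in NOT_READY
    )


if __name__ == "__main__":
    import boto3  # needs AWS credentials and a region that Amazon Inspector supports

    client = boto3.client("inspector")
    arn = create_target(client, "ExampleTarget", {"Name": "MyFirstInstance"})  # assumed name
    for instance_id, health in agents_needing_attention(preview_target(client, arn)):
        print(f"{instance_id}: agent {health}")
```

Running the script as written creates a real assessment target in the account, which counts toward the per-account limit described earlier.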

Deleting an Assessment Target (Console)

To delete an assessment target, perform the following procedure:

  • On the Assessment Targets page, choose the target that you want to delete, and then choose Delete. When prompted for confirmation, choose Yes.


    When you delete an assessment target, all assessment templates, assessment runs, findings and versions of the reports associated with the target are also deleted.

You can also delete an assessment target by using the DeleteAssessmentTarget API.