Amazon Inspector
User Guide (Version Latest)

Amazon Inspector Assessment Templates and Assessment Runs

Amazon Inspector helps you discover potential security issues by using security rules to analyze your AWS resources. Amazon Inspector monitors and collects behavioral data (telemetry) about your resources, such as the use of secure channels, network traffic among running processes, and details of communication with AWS services. Next, Amazon Inspector analyzes and compares the data against a set of security rules packages. Finally, Amazon Inspector produces a list of findings that identify potential security issues of various severity.

To get started, you create an assessment target (a collection of the AWS resources that you want Amazon Inspector to analyze) and an assessment template (a blueprint that you use to configure your assessment). You use the template to start an assessment run, the monitoring and analysis process that results in a set of findings.

Amazon Inspector Assessment Templates

An assessment template allows you to specify a configuration for your assessment runs, including the following:

  • Rules packages that Amazon Inspector uses to evaluate your assessment target

  • Duration of the assessment run

    Note

    You can set your duration to any of the following available values:

    • 15 minutes

    • 1 hour (recommended)

    • 8 hours

    • 12 hours

    • 24 hours

    The longer your assessment template's duration is, the more thorough and complete the set of telemetry that Amazon Inspector can collect and analyze. In other words, longer analysis allows Amazon Inspector to observe the behavior of your assessment target in greater detail and to produce fuller sets of findings. Similarly, the more thoroughly you exercise the AWS resources included in your target during the assessment run, the more thorough and complete the telemetry set that Amazon Inspector collects and analyzes.

  • Amazon Simple Notification Service (SNS) topics to which you want Amazon Inspector to send notifications about assessment run states and findings

  • Amazon Inspector-specific attributes (key-value pairs) that you can assign to findings that are generated by the assessment run that uses this assessment template

After Amazon Inspector creates the assessment template, you can tag it like any other AWS resource. For more information, see Tag Editor. Tagging assessment templates enables you to organize them and get better oversight of your security strategy. For example, Amazon Inspector offers a large number of rules that you can assess your assessment targets against, but you might want to include various subsets of the available rules in your assessment templates in order to target specific areas of concern or to uncover specific security problems. Tagging assessment templates allows you to locate and run them quickly at any time in accordance with your security strategy and goals.

Important

After you create an assessment template, you can't modify it.

Amazon Inspector Assessment Templates Limits

You can create up to 500 assessment templates per AWS account.

For more information, see Amazon Inspector Service Limits.

Creating an Assessment Template (Console)

  1. Sign in to the AWS Management Console and open the Amazon Inspector console at https://console.aws.amazon.com/inspector/.

  2. From the navigation pane on the left, choose Assessment Templates, and then choose Create.

  3. For Name, type a name for your assessment template.

  4. For Target name, choose an assessment target to analyze.

  5. For Rules packages, choose one or more rules packages to include in your assessment template.

  6. For Duration, specify the duration for your assessment template.

  7. For SNS topics, specify an SNS topic to which you want Amazon Inspector to send notifications about assessment run states and findings. Amazon Inspector can send SNS notifications about the following events:

    • An assessment run has started

    • An assessment run has ended

    • An assessment run's status has changed

    • A finding was generated

    For more information about setting up an SNS topic to which Amazon Inspector can send notifications, see Setting Up an SNS Topic for Amazon Inspector Notifications (Console).

  8. (Optional) For Tag, type values for Key and Value. You can add multiple tags to the assessment template.

  9. (Optional) For Attributes added to findings, type values for Key and Value. Amazon Inspector applies the attributes to all findings generated by the assessment template. You can add multiple attributes to the assessment template. For more information about findings and tagging findings, see Amazon Inspector Findings.

  10. Choose Create and run or Create.
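The console steps above map onto two Inspector API calls: CreateAssessmentTemplate for the template itself and SubscribeToEvent (one call per event) to route notifications to an SNS topic. The following is an added example, not code from the Amazon Inspector User Guide, written for the AWS SDK for JavaScript's request shapes. It builds and validates those requests offline, rejecting durations the console does not offer before anything is sent to AWS; every ARN and name in it is a constructed placeholder.

```javascript
// Added example; not code from the Amazon Inspector User Guide. Builds the
// request objects for the Inspector API calls behind the console steps above
// (CreateAssessmentTemplate and SubscribeToEvent, as used with the AWS SDK for
// JavaScript). Every ARN and name below is a constructed placeholder.
'use strict';

// Durations the console offers, as the durationInSeconds values the API expects.
var ALLOWED_DURATIONS = {
  '15 minutes': 900,
  '1 hour': 3600,
  '8 hours': 28800,
  '12 hours': 43200,
  '24 hours': 86400
};

// The four notification events, by their SubscribeToEvent names.
var NOTIFICATION_EVENTS = [
  'ASSESSMENT_RUN_STARTED',
  'ASSESSMENT_RUN_COMPLETED',
  'ASSESSMENT_RUN_STATE_CHANGED',
  'FINDING_REPORTED'
];

// Loose ARN shape check: arn:aws:service:region:account:resource (region and
// account may be empty, as in IAM ARNs).
var ARN_RE = /^arn:aws:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$/;

function assertArn(value, what) {
  if (typeof value !== 'string' || !ARN_RE.test(value)) {
    throw new Error(what + ' must be an ARN, got: ' + value);
  }
  return value;
}

// Builds the CreateAssessmentTemplate request. Rejects durations the console
// does not offer and empty rules package lists before anything is sent to AWS.
function buildCreateTemplateRequest(opts) {
  var seconds = ALLOWED_DURATIONS[opts.duration];
  if (seconds === undefined) {
    throw new Error('duration must be one of: ' + Object.keys(ALLOWED_DURATIONS).join(', '));
  }
  if (!opts.name || typeof opts.name !== 'string') {
    throw new Error('template name is required');
  }
  if (!Array.isArray(opts.rulesPackageArns) || opts.rulesPackageArns.length === 0) {
    throw new Error('at least one rules package ARN is required');
  }
  opts.rulesPackageArns.forEach(function (arn) { assertArn(arn, 'rules package'); });
  var attrs = opts.attributes || {};
  // userAttributesForFindings is a list of {key, value} pairs that Inspector
  // copies onto every finding the template's runs produce.
  var userAttributes = Object.keys(attrs).map(function (key) {
    return { key: key, value: String(attrs[key]) };
  });
  return {
    assessmentTargetArn: assertArn(opts.targetArn, 'assessment target'),
    assessmentTemplateName: opts.name,
    durationInSeconds: seconds,
    rulesPackageArns: opts.rulesPackageArns.slice(),
    userAttributesForFindings: userAttributes
  };
}

// After the template exists, one SubscribeToEvent call per event routes all
// four notification types to the SNS topic.
function buildSubscriptionRequests(templateArn, topicArn) {
  assertArn(templateArn, 'assessment template');
  assertArn(topicArn, 'SNS topic');
  return NOTIFICATION_EVENTS.map(function (event) {
    return { resourceArn: templateArn, event: event, topicArn: topicArn };
  });
}

// Constructed sample input (placeholder ARNs, not real resources).
var sampleTemplateRequest = buildCreateTemplateRequest({
  name: 'web-tier-weekly',
  targetArn: 'arn:aws:inspector:us-west-2:111122223333:target/0-EXAMPLETGT',
  duration: '1 hour',
  rulesPackageArns: ['arn:aws:inspector:us-west-2:758058086616:rulespackage/0-EXAMPLERP'],
  attributes: { owner: 'platform-team', environment: 'staging' }
});

var sampleSubscriptions = buildSubscriptionRequests(
  'arn:aws:inspector:us-west-2:111122223333:target/0-EXAMPLETGT/template/0-EXAMPLETPL',
  'arn:aws:sns:us-west-2:111122223333:inspector-notifications'
);

console.log(JSON.stringify(sampleTemplateRequest, null, 2));
console.log(sampleSubscriptions.length + ' SubscribeToEvent requests built');
```

Because a template cannot be modified after creation (see the Important note above), validating the request locally before calling the API avoids accumulating unusable templates against the 500-template account limit.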

Assessment Runs

After you create an assessment template, you can use it to start assessment runs. You can start multiple assessment runs using the same template as long as you stay within the assessment runs limit per AWS account. For more information, see Amazon Inspector Assessment Runs Limits.

If you use the Amazon Inspector console, you must start the first run of your new assessment template from the Assessment templates page. After you start the run, you can use the Assessment runs page to monitor the run's progress. Use the Stop and Delete buttons to stop or delete a run. Use the XYZ widget next to the run's Start time to view the run's details, including the ARN of the run, the rules packages selected for the run, the tags and attributes that you applied to the run, and more.

For subsequent runs of the assessment template, you can use the Run, Stop, and Delete buttons on either the Assessment templates page or the Assessment runs page.

Amazon Inspector Assessment Runs Limits

You can create up to 50,000 assessment runs per AWS account.

You can have multiple assessment runs happening at the same time as long as the assessment targets used for these runs do not contain overlapping EC2 instances.

For more information, see Amazon Inspector Service Limits.

Setting Up Automatic Assessment Runs (Console)

If you want to set up a recurring schedule for your assessment, you can configure your assessment template to run automatically by creating a Lambda function through the AWS Lambda console. For more information, see Lambda Functions.

To set up automatic assessment runs using the AWS Lambda console, perform the following procedure:

  1. Sign in to the AWS Management Console, and open the AWS Lambda console.

  2. From the navigation pane on the left, choose either Dashboard or Functions, and then choose Create a Lambda Function.

  3. On the Select blueprint page, choose the inspector-scheduled-run blueprint. You can find this blueprint by typing inspector in the Filter field.

  4. On the Configure triggers page, set up a recurring schedule for automated assessment runs by specifying a CloudWatch event that triggers your function. To do this, type a rule name and description, and then choose a schedule expression. The schedule expression determines how often the run will occur, for example, every 15 minutes or once a day. For more information about CloudWatch events and concepts, see What is Amazon CloudWatch Events?

    If you select the Enable trigger check box, the assessment run begins immediately after you finish creating your function. Subsequent automated runs will follow the recurrence pattern that you specify in the Schedule expression field. If you don’t select the Enable trigger check box while creating the function, you can edit the function later to enable this trigger.

  5. On the Configure function page, specify the following:

    • For Name, type a name for your function.

    • (Optional) For Description, type a description that will help you identify your function later.

    • For Runtime, keep the default value of Node.js 4.3. AWS Lambda supports the inspector-scheduled-run blueprint only for the Node.js 4.3 runtime.

    • Specify the assessment template that you want to run automatically using this function by providing its ARN as the value of the environment variable called assessmentTemplateArn.

    • Keep the handler set to the default value of index.handler.

    • Specify the permissions for your function using the Role field. For more information, see AWS Lambda Permissions Model.

      To run this function, you need an IAM role that allows AWS Lambda to start assessment runs and write log messages about assessment runs, including any errors, to Amazon CloudWatch logs. AWS Lambda assumes this role for every recurring automated assessment run. For example, you can attach the following sample policy to this IAM role:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "inspector:StartAssessmentRun",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      }

  6. Review your selections, and then choose Create function.
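The blueprint's job is small: read assessmentTemplateArn from the environment and call StartAssessmentRun. The following is an added example, not the inspector-scheduled-run blueprint itself, showing a handler that does the same work in Node.js 4.3-compatible callback style, with the Inspector client injectable so the function can be exercised without AWS credentials; the policy check at the end verifies that an edited role policy still grants every action the sample policy above grants. The template ARN and run name it uses are constructed placeholders.

```javascript
// Added example; not the inspector-scheduled-run blueprint itself. A handler
// that does the blueprint's job (read assessmentTemplateArn from the
// environment and call StartAssessmentRun), written so the Inspector client
// can be injected for offline testing; with no client injected it loads the
// AWS SDK at call time. Callback style keeps it compatible with Node.js 4.3.
'use strict';

// Shape of an Inspector assessment template ARN.
var TEMPLATE_ARN_RE = /^arn:aws:inspector:[a-z0-9-]+:\d{12}:target\/[^/]+\/template\/[^/]+$/;

// The actions the sample IAM role policy above grants. missingActions() checks
// that a policy document still covers all of them after someone edits it.
var REQUIRED_ACTIONS = [
  'inspector:StartAssessmentRun',
  'logs:CreateLogGroup',
  'logs:CreateLogStream',
  'logs:PutLogEvents'
];

function makeHandler(inspectorClient) {
  return function handler(event, context, callback) {
    var templateArn = process.env.assessmentTemplateArn;
    if (!templateArn || !TEMPLATE_ARN_RE.test(templateArn)) {
      return callback(new Error('assessmentTemplateArn is missing or not a template ARN'));
    }
    var client = inspectorClient || new (require('aws-sdk').Inspector)();
    // Naming the run after the trigger time makes it easy to match runs to
    // CloudWatch Events invocations when reviewing logs.
    var runName = 'scheduled-' + new Date().toISOString();
    client.startAssessmentRun(
      { assessmentTemplateArn: templateArn, assessmentRunName: runName },
      function (err, data) {
        if (err) {
          // A run still in progress on an overlapping target is the usual
          // failure when the schedule is tighter than the template duration.
          console.error('StartAssessmentRun failed: ' + err.code + ' ' + err.message);
          return callback(err);
        }
        console.log('Started assessment run ' + data.assessmentRunArn);
        callback(null, { assessmentRunArn: data.assessmentRunArn, assessmentRunName: runName });
      }
    );
  };
}

// Returns the required actions that `policy` does not allow (empty = complete).
function missingActions(policy) {
  var allowed = {};
  (policy.Statement || []).forEach(function (stmt) {
    if (stmt.Effect !== 'Allow') { return; }
    [].concat(stmt.Action || []).forEach(function (action) { allowed[action] = true; });
  });
  return REQUIRED_ACTIONS.filter(function (action) { return !allowed[action]; });
}

// The sample role policy from the procedure above.
var SAMPLE_ROLE_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['inspector:StartAssessmentRun', 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
    Resource: '*'
  }]
};

// Stub client for running this file locally; in Lambda, makeHandler() with no
// argument uses the real AWS SDK.
var stubClient = {
  startAssessmentRun: function (params, cb) {
    cb(null, { assessmentRunArn: params.assessmentTemplateArn + '/run/0-STUBRUN' });
  }
};

if (typeof module !== 'undefined') {
  module.exports = { handler: makeHandler(), makeHandler: makeHandler, missingActions: missingActions };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Placeholder template ARN, used only when none is set in the environment.
  process.env.assessmentTemplateArn = process.env.assessmentTemplateArn ||
    'arn:aws:inspector:us-west-2:111122223333:target/0-EXAMPLETGT/template/0-EXAMPLETPL';
  makeHandler(stubClient)({}, {}, function (err, data) {
    console.log(err ? 'error: ' + err.message : 'result: ' + JSON.stringify(data));
  });
  console.log('actions missing from sample policy: ' + JSON.stringify(missingActions(SAMPLE_ROLE_POLICY)));
}
```

Validating the ARN before calling the API turns a misconfigured environment variable into a clear error in the CloudWatch log rather than an opaque API rejection; the error branch returns the failure to Lambda so a schedule that keeps colliding with runs still in progress shows up as invocation errors.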

Setting Up an SNS Topic for Amazon Inspector Notifications (Console)

Amazon Simple Notification Service (Amazon SNS) is a web service that sends messages to subscribing endpoints or clients. You can use Amazon SNS to set up notifications for Amazon Inspector. For more information, see What is Amazon Simple Notification Service?.

To set up an SNS topic for notifications

  1. Create an SNS topic. For more information, see Create a Topic.

  2. Subscribe to the SNS topic that you created. For more information, see Subscribe to a Topic.

  3. Publish to the SNS topic. For more information, see Publish to a Topic.

  4. Enable Amazon Inspector to subscribe and publish messages to the topic:

    1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/.

    2. Select your SNS topic, and for Actions, choose Edit topic policy.

    3. For Allow these users to publish messages to this topic and Allow these users to subscribe to this topic, choose Only these AWS users, and then type one of the following ARNs, depending on your region:

      • for Asia Pacific (Mumbai) - arn:aws:iam::162588757376:root

      • for Asia Pacific (Seoul) - arn:aws:iam::526946625049:root

      • for Asia Pacific (Sydney) - arn:aws:iam::454640832652:root

      • for Asia Pacific (Tokyo) - arn:aws:iam::406045910587:root

      • for EU (Ireland) - arn:aws:iam::357557129151:root

      • for US East (Northern Virginia) - arn:aws:iam::316112463485:root

      • for US West (Northern California) - arn:aws:iam::166987590008:root

      • for US West (Oregon) - arn:aws:iam::758058086616:root
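The topic policy this step configures by hand grants exactly two SNS actions to one principal, the Amazon Inspector account for the topic's region. The following is an added example, not from the guide, that generates that policy document and includes a check for the opposite configuration (an Allow statement whose principal is everyone). The account IDs are the ones listed above; mapping the region names to region codes is the author's assumption, and the topic ARN is a constructed placeholder.

```javascript
// Added example; not from the Amazon Inspector User Guide. Generates the SNS
// topic access policy the console step above configures by hand: the Inspector
// account for one region is the only principal allowed to publish to and
// subscribe to the topic. Account IDs are the ones listed above; the region
// name to region code mapping is the author's assumption.
'use strict';

var INSPECTOR_ACCOUNTS = {
  'ap-south-1': 'arn:aws:iam::162588757376:root',     // Asia Pacific (Mumbai)
  'ap-northeast-2': 'arn:aws:iam::526946625049:root', // Asia Pacific (Seoul)
  'ap-southeast-2': 'arn:aws:iam::454640832652:root', // Asia Pacific (Sydney)
  'ap-northeast-1': 'arn:aws:iam::406045910587:root', // Asia Pacific (Tokyo)
  'eu-west-1': 'arn:aws:iam::357557129151:root',      // EU (Ireland)
  'us-east-1': 'arn:aws:iam::316112463485:root',      // US East (Northern Virginia)
  'us-west-1': 'arn:aws:iam::166987590008:root',      // US West (Northern California)
  'us-west-2': 'arn:aws:iam::758058086616:root'       // US West (Oregon)
};

// The only two actions Inspector needs on the topic.
var INSPECTOR_ACTIONS = ['SNS:Publish', 'SNS:Subscribe'];

// Builds the policy. Refuses regions Inspector is not listed for, and topics
// in a different region than the Inspector account being granted access.
function buildInspectorTopicPolicy(region, topicArn) {
  var principal = INSPECTOR_ACCOUNTS[region];
  if (!principal) {
    throw new Error('no Amazon Inspector account listed for region ' + region);
  }
  var parts = topicArn.split(':');
  if (parts.length !== 6 || parts[2] !== 'sns' || parts[3] !== region) {
    throw new Error('topicArn must be an SNS topic ARN in ' + region);
  }
  return {
    Version: '2012-10-17',
    Id: 'inspector-notifications-' + region,
    Statement: [{
      Sid: 'AllowInspectorPublishAndSubscribe',
      Effect: 'Allow',
      Principal: { AWS: principal },
      Action: INSPECTOR_ACTIONS.slice(),
      Resource: topicArn
    }]
  };
}

// Review check for an existing topic policy: returns the Sid (or index) of each
// unconditional Allow statement whose principal is everyone, the configuration
// the "Only these AWS users" choice above is meant to avoid.
function openStatements(policy) {
  return (policy.Statement || []).reduce(function (acc, stmt, i) {
    var p = stmt.Principal;
    var everyone = p === '*' || (p && p.AWS === '*');
    if (stmt.Effect === 'Allow' && everyone && !stmt.Condition) {
      acc.push(stmt.Sid || String(i));
    }
    return acc;
  }, []);
}

// Constructed sample topic (placeholder account ID, not a real resource).
var sampleTopicArn = 'arn:aws:sns:us-west-2:111122223333:inspector-notifications';
var samplePolicy = buildInspectorTopicPolicy('us-west-2', sampleTopicArn);
console.log(JSON.stringify(samplePolicy, null, 2));
console.log('open statements: ' + JSON.stringify(openStatements(samplePolicy)));
```

The region check matters because the Inspector account differs per region: granting the Oregon account access to a topic in another region lets nothing useful through and still widens the policy.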