Amazon Inspector
User Guide (Version Latest)

Amazon Inspector Assessment Templates and Assessment Runs

Amazon Inspector helps you discover potential security issues by using security rules to analyze your AWS resources. Amazon Inspector monitors and collects behavioral data (telemetry) about your resources. The data includes information about the use of secure channels, network traffic among running processes, and details of communication with AWS services. Next, Amazon Inspector analyzes and compares the data against a set of security rules packages. Finally, Amazon Inspector produces a list of findings that identify potential security issues of various levels of severity.

To get started, you create an assessment target (a collection of the AWS resources that you want Amazon Inspector to analyze). Next, you create an assessment template (a blueprint that you use to configure your assessment). You use the template to start an assessment run, which is the monitoring and analysis process that results in a set of findings.

Amazon Inspector Assessment Templates

An assessment template allows you to specify a configuration for your assessment runs, including the following:

  • Rules packages that Amazon Inspector uses to evaluate your assessment target

  • Duration of the assessment run

    Note

    You can set your duration to any of the following available values:

    • 15 minutes

    • 1 hour (recommended)

    • 8 hours

    • 12 hours

    • 24 hours

    The longer the duration of an assessment run, the more complete the set of telemetry that Amazon Inspector can collect and analyze. A longer run lets Amazon Inspector observe the behavior of your assessment target in more detail and produce a fuller set of findings. Similarly, the more thoroughly you exercise the AWS resources in your target during the assessment run, the more complete the telemetry that Amazon Inspector collects and analyzes.

  • Amazon SNS topics that Amazon Inspector sends notifications to about your assessment run states and findings

  • Amazon Inspector attributes (key-value pairs) that you can assign to findings that are generated by the assessment run that uses this assessment template

After Amazon Inspector creates the assessment template, you can tag it like any other AWS resource. For more information, see Tag Editor. Tagging assessment templates enables you to organize them and get better oversight of your security strategy. For example, Amazon Inspector offers a large number of rules that you can assess your assessment targets against. You might want to include various subsets of the available rules in your assessment templates to target specific areas of concern or to uncover specific security issues. Tagging assessment templates allows you to locate and run them quickly at any time in accordance with your security strategy and goals.

Important

After you create an assessment template, you can't modify it.

Amazon Inspector Assessment Templates Limits

You can create up to 500 assessment templates for each AWS account.

For more information, see Amazon Inspector Service Limits.

Creating an Assessment Template

To create an assessment template

  1. Sign in to the AWS Management Console and open the Amazon Inspector console at https://console.aws.amazon.com/inspector/.

  2. In the navigation pane, choose Assessment Templates, and then choose Create.

  3. For Name, enter a name for your assessment template.

  4. For Target name, choose an assessment target to analyze.

    Note

    When you create an assessment template, you can use the Preview Target button on the Assessment Templates page to review all EC2 instances included in the assessment target. For each EC2 instance, you can review the hostname, instance ID, IP address, and, if applicable, the status of the agent. The agent status can have the following values: HEALTHY, UNHEALTHY, and UNKNOWN. Amazon Inspector displays an UNKNOWN status when it can't determine whether there is an agent running on the EC2 instance.

    You can also use the Preview Target button on the Assessment Templates page to review EC2 instances that make up assessment targets included in your previously created templates.

  5. For Rules packages, choose one or more rules packages to include in your assessment template.

  6. For Duration, specify the duration for your assessment template.

  7. For SNS topics, specify an SNS topic that you want Amazon Inspector to send notifications to about assessment run states and findings. Amazon Inspector can send SNS notifications about the following events:

    • An assessment run has started

    • An assessment run has ended

    • An assessment run's status has changed

    • A finding was generated

    For more information about setting up an SNS topic, see Setting Up an SNS Topic for Amazon Inspector Notifications.

  8. (Optional) For Tag, enter values for Key and Value. You can add multiple tags to the assessment template.

  9. (Optional) For Attributes added to findings, enter values for Key and Value. Amazon Inspector applies the attributes to all findings that are generated by the assessment template. You can add multiple attributes to the assessment template. For more information about findings and tagging findings, see Amazon Inspector Findings.

  10. (Optional) To set up a schedule for your assessment runs using this template, select the Set up recurring assessment runs once every <number_of_days>, starting now check box and specify the recurrence pattern (number of days) using the up and down arrows.

    Note

    When you use this check box, Amazon Inspector automatically creates an Amazon CloudWatch Events rule for the assessment runs schedule that you are setting up. Amazon Inspector then also automatically creates an IAM role named AWS_InspectorEvents_Invoke_Assessment_Template. This role enables CloudWatch Events to make API calls against the Amazon Inspector resources. For more information, see What is Amazon CloudWatch Events? and Using Resource-Based Policies for CloudWatch Events.

    Note

    You can also set up automatic assessment runs through an AWS Lambda function. For more information, see Setting Up Automatic Assessment Runs Through a Lambda Function.

  11. Choose Create and run or Create.
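The same template can be created through the Amazon Inspector API instead of the console. The following Python is an added example, not code from the AWS documentation: it validates the console choices above (duration, rules packages, attributes) before building the CreateAssessmentTemplate request, then subscribes one SNS topic to the four events from step 7 with SubscribeToEvent. All ARNs are placeholders, and the offline FakeInspectorClient stands in for boto3.client("inspector") so the script runs without AWS credentials.

```python
import json

# Durations the console offers (values from the page), expressed as the
# durationInSeconds value the CreateAssessmentTemplate API expects.
DURATIONS_SECONDS = {
    "15 minutes": 900,
    "1 hour": 3600,
    "8 hours": 28800,
    "12 hours": 43200,
    "24 hours": 86400,
}

# The four notification events from step 7, spelled as the SubscribeToEvent
# API expects them.
SNS_EVENTS = (
    "ASSESSMENT_RUN_STARTED",
    "ASSESSMENT_RUN_COMPLETED",
    "ASSESSMENT_RUN_STATE_CHANGED",
    "FINDING_REPORTED",
)


def build_create_template_request(name, target_arn, rules_package_arns,
                                  duration_label="1 hour", attributes=None):
    """Validate the inputs and return the keyword arguments for
    create_assessment_template(). Raises ValueError on bad input so a
    misconfigured template is rejected before any API call is made."""
    if duration_label not in DURATIONS_SECONDS:
        raise ValueError("duration must be one of: " + ", ".join(DURATIONS_SECONDS))
    if not rules_package_arns:
        raise ValueError("at least one rules package ARN is required")
    if not name or len(name) > 140:
        raise ValueError("template name must be 1-140 characters")
    request = {
        "assessmentTargetArn": target_arn,
        "assessmentTemplateName": name,
        "durationInSeconds": DURATIONS_SECONDS[duration_label],
        "rulesPackageArns": list(rules_package_arns),
    }
    if attributes:
        # Step 9: attributes are stamped on every finding the template generates.
        request["userAttributesForFindings"] = [
            {"key": k, "value": v} for k, v in sorted(attributes.items())
        ]
    return request


def event_subscriptions(template_arn, topic_arn):
    """One subscribe_to_event() call per event, all pointed at the same topic."""
    return [
        {"resourceArn": template_arn, "event": event, "topicArn": topic_arn}
        for event in SNS_EVENTS
    ]


def create_template_and_subscribe(client, request, topic_arn):
    """Create the template, then subscribe the topic to all four events.
    `client` is a boto3 Inspector client or any object with the same methods."""
    template_arn = client.create_assessment_template(**request)["assessmentTemplateArn"]
    for kwargs in event_subscriptions(template_arn, topic_arn):
        client.subscribe_to_event(**kwargs)
    return template_arn


class FakeInspectorClient:
    """Offline stand-in for boto3.client('inspector'); records the calls made."""
    def __init__(self):
        self.calls = []

    def create_assessment_template(self, **kwargs):
        self.calls.append(("create_assessment_template", kwargs))
        # Placeholder ARN in the shape Amazon Inspector returns.
        return {"assessmentTemplateArn":
                "arn:aws:inspector:us-east-1:111122223333:target/0-example/template/0-example"}

    def subscribe_to_event(self, **kwargs):
        self.calls.append(("subscribe_to_event", kwargs))
        return {}


if __name__ == "__main__":
    request = build_create_template_request(
        name="weekly-cve-scan",
        target_arn="arn:aws:inspector:us-east-1:111122223333:target/0-example",  # placeholder
        rules_package_arns=["arn:aws:inspector:us-east-1:111122223333:rulespackage/0-placeholder"],
        duration_label="1 hour",
        attributes={"team": "appsec", "env": "prod"},
    )
    print(json.dumps(request, indent=2))
    client = FakeInspectorClient()  # swap for boto3.client("inspector") to run for real
    print(create_template_and_subscribe(client, request,
                                        "arn:aws:sns:us-east-1:111122223333:inspector-alerts"))
```

Because a template cannot be modified after creation (see the Important note above), the validation step is where a wrong duration or an empty rules package list should be caught; with a real client the only change is replacing FakeInspectorClient with boto3.client("inspector").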

Deleting an Assessment Template

To delete an assessment template, perform the following procedure.

To delete an assessment template

  • On the Assessment Templates page, choose the template that you want to delete, and then choose Delete. When prompted for confirmation, choose Yes.

    Important

    When you delete an assessment template, all assessment runs, findings, and versions of the reports associated with this template are also deleted.

You can also delete an assessment template by using the DeleteAssessmentTemplate API.

Assessment Runs

After you create an assessment template, you can use it to start assessment runs. You can start multiple runs using the same template as long as you stay within the runs limit for each AWS account. For more information, see Amazon Inspector Assessment Runs Limits.

If you use the Amazon Inspector console, you must start the first run of your new assessment template from the Assessment templates page. After you start the run, you can use the Assessment runs page to monitor the run's progress. Use the Run, Cancel, and Delete buttons to start, cancel, or delete a run. You can also view the run's details, including the ARN of the run, the rules packages selected for the run, the tags and attributes that you applied to the run, and more.

For subsequent runs of the assessment template, you can use the Run, Cancel, and Delete buttons on either the Assessment templates page or the Assessment runs page.

Deleting an Assessment Run

To delete an assessment run, perform the following procedure.

To delete a run

  • On the Assessment runs page, choose the run that you want to delete, and then choose Delete. When prompted for confirmation, choose Yes.

    Important

    When you delete a run, all findings and all versions of the report from that run are also deleted.

You can also delete a run by using the DeleteAssessmentRun API.

Amazon Inspector Assessment Runs Limits

You can create up to 50,000 assessment runs for each AWS account.

You can have multiple runs occurring at the same time as long as the targets used for the runs don't contain overlapping EC2 instances.

For more information, see Amazon Inspector Service Limits.
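The concurrency rule above (runs may overlap in time only if their targets share no EC2 instances) is easy to violate when several teams own templates against overlapping targets. The following Python is an added example, not AWS code: given the instance IDs each target resolves to, it reports the conflicting target pairs and groups targets into batches that can be started together. The sample targets and instance IDs are constructed; the instances_for_target helper shows how such sets could be obtained with the PreviewAgents API (the call behind the console's Preview Target button), with the response field names assumed from the boto3 response shape.

```python
from itertools import combinations

# Constructed sample: three assessment targets and the EC2 instance IDs they
# resolve to. "all-prod" overlaps both of the others, so it cannot run at the
# same time as either of them.
TARGETS = {
    "web-tier": {"i-0aaa0001", "i-0aaa0002"},
    "db-tier": {"i-0bbb0001"},
    "all-prod": {"i-0aaa0001", "i-0aaa0002", "i-0bbb0001"},
}


def overlapping_targets(targets):
    """Return (target_a, target_b, shared_instance_ids) for every pair of
    targets that share at least one instance; such pairs must not run at once."""
    conflicts = []
    for a, b in combinations(sorted(targets), 2):
        shared = targets[a] & targets[b]
        if shared:
            conflicts.append((a, b, sorted(shared)))
    return conflicts


def concurrent_batches(targets):
    """Greedily group targets into batches whose members share no instances.
    Every target in one batch can be started at the same time; the batches
    themselves are run one after another."""
    batches = []  # list of (target names, union of their instance IDs)
    for name in sorted(targets):
        for batch_names, batch_instances in batches:
            if not (batch_instances & targets[name]):
                batch_names.append(name)
                batch_instances |= targets[name]
                break
        else:
            batches.append(([name], set(targets[name])))
    return [names for names, _ in batches]


def instances_for_target(client, target_arn):
    """Resolve an assessment target to its agents' instance IDs by paging
    through PreviewAgents. Assumes the boto3 response shape (agentPreviews
    entries carrying agentId, plus nextToken); needs a real Inspector client."""
    ids, token = set(), None
    while True:
        kwargs = {"previewAgentsArn": target_arn}
        if token:
            kwargs["nextToken"] = token
        page = client.preview_agents(**kwargs)
        ids.update(agent["agentId"] for agent in page.get("agentPreviews", []))
        token = page.get("nextToken")
        if not token:
            return ids


if __name__ == "__main__":
    for a, b, shared in overlapping_targets(TARGETS):
        print("cannot run together: %s and %s (share %s)" % (a, b, ", ".join(shared)))
    for i, batch in enumerate(concurrent_batches(TARGETS), 1):
        print("batch %d: %s" % (i, ", ".join(batch)))
```

The grouping is a simple greedy pass, so it is not guaranteed to produce the fewest batches, but it never places two overlapping targets in the same batch, which is the property the service limit requires.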

Setting Up Automatic Assessment Runs Through a Lambda Function

If you want to set up a recurring schedule for your assessment, you can configure your assessment template to run automatically by creating a Lambda function using the AWS Lambda console. For more information, see Lambda Functions.

To set up automatic assessment runs using the AWS Lambda console, perform the following procedure.

To set up automatic runs through a Lambda function

  1. Sign in to the AWS Management Console, and open the AWS Lambda console.

  2. In the navigation pane, choose either Dashboard or Functions, and then choose Create a Lambda Function.

  3. On the Select blueprint page, choose the inspector-scheduled-run blueprint. You can find this blueprint by entering inspector in the Filter field.

  4. On the Configure triggers page, set up a recurring schedule for automated runs by specifying a CloudWatch event that triggers your function. To do this, enter a rule name and description, and then choose a schedule expression. The schedule expression determines how often the run occurs, for example, every 15 minutes or once a day. For more information about CloudWatch events and concepts, see What is Amazon CloudWatch Events?

    If you select the Enable trigger check box, the run begins immediately after you finish creating your function. Subsequent automated runs follow the recurrence pattern that you specify in the Schedule expression field. If you don’t select the Enable trigger check box while creating the function, you can edit the function later to enable this trigger.

  5. On the Configure function page, specify the following:

    • For Name, enter a name for your function.

    • (Optional) For Description, enter a description that will help you identify your function later.

    • For Runtime, keep the default value of Node.js 8.10. AWS Lambda supports the inspector-scheduled-run blueprint only for the Node.js 8.10 runtime.

    • Specify the assessment template that you want this function to run automatically by setting the environment variable named assessmentTemplateArn to the ARN of that template.

    • Keep the handler set to the default value of index.handler.

    • Specify the permissions for your function by using the Role field. For more information, see AWS Lambda Permissions Model.

      To run this function, you need an IAM role that allows AWS Lambda to start the runs and write log messages about the runs, including any errors, to Amazon CloudWatch Logs. AWS Lambda assumes this role for every recurring automated run. For example, you can attach the following sample policy to this IAM role:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "inspector:StartAssessmentRun",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      }

  6. Review your selections, and then choose Create function.
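The blueprint itself is Node.js and is not reproduced here. The following Python is an added example, not the AWS blueprint: it shows what a scheduled-run function has to do with the permissions in the sample policy above, namely read assessmentTemplateArn from the environment, call StartAssessmentRun with a unique run name, and write success or failure to CloudWatch Logs through the standard logger. The client parameter and FakeInspectorClient are assumptions for offline use; on Lambda the handler is invoked with only (event, context) and creates a boto3 client itself.

```python
import logging
import os
from datetime import datetime, timezone

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def run_name(now=None):
    """Timestamped run name so successive scheduled runs can be told apart."""
    now = now or datetime.now(timezone.utc)
    return "scheduled-" + now.strftime("%Y%m%dT%H%M%SZ")


def start_scheduled_run(client, template_arn, now=None):
    """Start one assessment run of the template and return the run ARN.
    Failures are logged (so they reach CloudWatch Logs via logs:PutLogEvents)
    and re-raised so the invocation is recorded as failed."""
    name = run_name(now)
    try:
        response = client.start_assessment_run(
            assessmentTemplateArn=template_arn, assessmentRunName=name)
    except Exception:
        logger.exception("StartAssessmentRun failed for %s", template_arn)
        raise
    arn = response["assessmentRunArn"]
    logger.info("started assessment run %s (%s)", name, arn)
    return arn


def handler(event, context, client=None):
    """Lambda entry point (the index.handler equivalent). The template ARN
    comes from the assessmentTemplateArn environment variable, as configured
    in step 5 above. `client` is only for offline testing."""
    template_arn = os.environ["assessmentTemplateArn"]
    if client is None:
        import boto3  # real deployment: the Lambda execution role supplies credentials
        client = boto3.client("inspector")
    return {"assessmentRunArn": start_scheduled_run(client, template_arn)}


class FakeInspectorClient:
    """Offline stand-in accepting the same call as boto3's Inspector client."""
    def __init__(self, fail=False):
        self.fail = fail
        self.started = []

    def start_assessment_run(self, assessmentTemplateArn, assessmentRunName):
        if self.fail:
            raise RuntimeError("simulated API error")
        self.started.append(assessmentRunName)
        # Placeholder ARN in the shape Amazon Inspector returns.
        return {"assessmentRunArn": assessmentTemplateArn + "/run/0-" + assessmentRunName}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    os.environ.setdefault(
        "assessmentTemplateArn",
        "arn:aws:inspector:us-east-1:111122223333:target/0-example/template/0-example")  # placeholder
    print(handler({}, None, client=FakeInspectorClient()))
```

Because the sample policy only grants inspector:StartAssessmentRun and the three logs actions, this is also the complete set of API calls the function should make; anything beyond starting the run and logging belongs in a separately permissioned function.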

Setting Up an SNS Topic for Amazon Inspector Notifications

Amazon Simple Notification Service (Amazon SNS) is a web service that sends messages to subscribing endpoints or clients. You can use Amazon SNS to set up notifications for Amazon Inspector. For more information, see What is Amazon Simple Notification Service?.

To set up an SNS topic for notifications

  1. Create an SNS topic. For more information, see Create a Topic.

  2. Subscribe to the SNS topic that you created. For more information, see Subscribe to a Topic.

  3. Publish to the SNS topic. For more information, see Publish to a Topic.

  4. Enable Amazon Inspector to publish messages to the topic:

    1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/.

    2. Choose your SNS topic, and for Actions, choose Edit topic policy.

    3. For Allow these users to publish messages to this topic, choose Only these AWS users. Enter one of the following ARNs, depending on your Region:

      • Asia Pacific (Mumbai) - arn:aws:iam::162588757376:root

      • Asia Pacific (Seoul) - arn:aws:iam::526946625049:root

      • Asia Pacific (Sydney) - arn:aws:iam::454640832652:root

      • Asia Pacific (Tokyo) - arn:aws:iam::406045910587:root

      • EU (Frankfurt) - arn:aws:iam::537503971621:root

      • EU (Ireland) - arn:aws:iam::357557129151:root

      • US East (Northern Virginia) - arn:aws:iam::316112463485:root

      • US East (Ohio) - arn:aws:iam::646659390643:root

      • US West (Northern California) - arn:aws:iam::166987590008:root

      • US West (Oregon) - arn:aws:iam::758058086616:root

      • AWS GovCloud (US-East) - arn:aws-us-gov:iam::206278770380:root

      • AWS GovCloud (US-West) - arn:aws-us-gov:iam::850862329162:root
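The console step above writes a topic policy statement granting SNS:Publish to the Amazon Inspector account for your Region. The following Python is an added example, not AWS code: it builds that statement from the account ARNs listed above, merges it into an existing topic policy without disturbing other statements, and flags any Allow statement that lets an unrestricted principal publish, which is the weakness to look for when reviewing a notification topic. The mapping from the Region names above to Region codes is assumed, and the topic ARNs are placeholders.

```python
import json

# Per-Region Amazon Inspector accounts from the list above (page values),
# keyed by Region code (the Region name to code mapping is assumed).
INSPECTOR_PUBLISHER_ARNS = {
    "ap-south-1": "arn:aws:iam::162588757376:root",             # Asia Pacific (Mumbai)
    "ap-northeast-2": "arn:aws:iam::526946625049:root",         # Asia Pacific (Seoul)
    "ap-southeast-2": "arn:aws:iam::454640832652:root",         # Asia Pacific (Sydney)
    "ap-northeast-1": "arn:aws:iam::406045910587:root",         # Asia Pacific (Tokyo)
    "eu-central-1": "arn:aws:iam::537503971621:root",           # EU (Frankfurt)
    "eu-west-1": "arn:aws:iam::357557129151:root",              # EU (Ireland)
    "us-east-1": "arn:aws:iam::316112463485:root",              # US East (Northern Virginia)
    "us-east-2": "arn:aws:iam::646659390643:root",              # US East (Ohio)
    "us-west-1": "arn:aws:iam::166987590008:root",              # US West (Northern California)
    "us-west-2": "arn:aws:iam::758058086616:root",              # US West (Oregon)
    "us-gov-east-1": "arn:aws-us-gov:iam::206278770380:root",   # AWS GovCloud (US-East)
    "us-gov-west-1": "arn:aws-us-gov:iam::850862329162:root",   # AWS GovCloud (US-West)
}

INSPECTOR_SID = "AllowAmazonInspectorPublish"


def inspector_publish_statement(region, topic_arn):
    """The statement the console's 'Only these AWS users' choice produces:
    only the Region's Inspector account may publish, and only to this topic."""
    if region not in INSPECTOR_PUBLISHER_ARNS:
        raise ValueError("no Amazon Inspector publisher account listed for " + region)
    return {
        "Sid": INSPECTOR_SID,
        "Effect": "Allow",
        "Principal": {"AWS": INSPECTOR_PUBLISHER_ARNS[region]},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
    }


def with_inspector_publisher(policy, region, topic_arn):
    """Return a copy of the topic policy with the Inspector statement added
    (or replaced, matched by Sid), leaving every other statement untouched."""
    new = inspector_publish_statement(region, topic_arn)
    statements = [s for s in policy.get("Statement", []) if s.get("Sid") != INSPECTOR_SID]
    statements.append(new)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


def open_publish_sids(policy):
    """Sids (or list indexes, when a statement has no Sid) of Allow statements
    that let any principal publish with no Condition attached."""
    found = []
    for i, s in enumerate(policy.get("Statement", [])):
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        principal = s.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if wildcard and any(a.lower() in ("sns:publish", "sns:*", "*") for a in actions):
            found.append(s.get("Sid", str(i)))
    return found


if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-1:111122223333:inspector-alerts"  # placeholder
    # Constructed starting policy that an earlier edit left wide open.
    current = {"Version": "2012-10-17", "Statement": [
        {"Sid": "OpenPublish", "Effect": "Allow", "Principal": "*",
         "Action": "SNS:Publish", "Resource": topic}]}
    print("statements allowing anyone to publish:", open_publish_sids(current))
    print(json.dumps(with_inspector_publisher(current, "us-east-1", topic), indent=2))
```

Run the open_publish_sids check on the policy the console shows before saving: the Inspector statement only needs the single Region-specific account as principal, so a wildcard principal in the same policy is a sign that an earlier "Everyone" choice was left in place.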