Getting started with Amazon Inspector Classic - Amazon Inspector Classic

This is the user guide for Amazon Inspector Classic. For information about the new Amazon Inspector, see the Amazon Inspector User Guide. To access the Amazon Inspector Classic console, open the Amazon Inspector console at https://console.aws.amazon.com/inspector/, and then choose Amazon Inspector Classic in the navigation pane.

Getting started with Amazon Inspector Classic

This tutorial shows you how to set up Amazon Inspector Classic and get started by creating and running your first assessment.

One-click setup

The following procedure shows you how to create and run an automatic assessment using a pre-built template and pre-defined scheduling parameters (once a week or one time only) on all available Amazon Elastic Compute Cloud (Amazon EC2) instances in the current AWS account and AWS Region.

  1. Sign in to the AWS Management Console and open the Amazon Inspector Classic console at https://console.aws.amazon.com/inspector/.

  2. On the Welcome page, choose the type of assessment that you would like to run. Network Assessments analyze the network configurations of your AWS environment for vulnerabilities, and do not require an Amazon Inspector Classic agent. Host Assessments analyze the on-host software and configurations of your EC2 instances for vulnerabilities, and require an agent to be installed on the EC2 instances.

    Choose either Run weekly (recommended) or Run once. As soon as you make your choice, the service automatically creates the assessment for you. Specifically, the service does the following:

    1. Creates a service-linked role.

      Note

      To identify the EC2 instances that are specified in the assessment targets, Amazon Inspector Classic needs to enumerate your EC2 instances and tags. Amazon Inspector Classic gets access to these resources in your AWS account through a service-linked role called AWSServiceRoleForAmazonInspector. For more information about service-linked roles, see Using service-linked roles for Amazon Inspector Classic and Using Service-Linked Roles.

    2. If applicable, installs an Amazon Inspector Classic agent on all available EC2 instances in your AWS account and Region.

      Note

      The service installs an Amazon Inspector Classic agent only on those EC2 instances that allow AWS Systems Manager Run Command. To use this option, make sure that all of your EC2 instances in the current AWS account and AWS Region have the SSM Agent installed and have an IAM role that allows Run Command. For more information, see Installing the agent on multiple EC2 instances using the Systems Manager Run Command.

    3. Adds those instances to an assessment target.

    4. Includes that target in an assessment template with a standardized set of rules packages.

    5. Runs the assessment weekly or only once, depending on whether you chose Run weekly (recommended) or Run once.

  3. In the Confirmation dialog box, choose OK. Amazon Inspector Classic automatically runs your assessment.

Advanced setup

The following procedure shows you how to choose specific Amazon EC2 instances, rules packages, and scheduling parameters to include in an assessment target and template.

  1. On the Welcome page, choose Advanced setup.

  2. On the Define an assessment target page, enter the name of your assessment target.

  3. For All Instances, you can keep the check box selected to include all EC2 instances in your AWS account and Region in the assessment target. If you want to choose which EC2 instances to include, clear the All Instances check box, and enter the Key and Value tags that are associated with the target EC2 instances. For more information about tagging your EC2 instances, see Tagging Your Amazon EC2 Resources.

  4. For Install Agents, you can keep the check box selected by default if your instances allow Systems Manager Run Command. The service installs an Amazon Inspector Classic agent on all EC2 instances in the assessment target that allow AWS Systems Manager Run Command. To use this option, make sure that all of your EC2 instances in the current AWS account and AWS Region have the SSM Agent installed and have an IAM role that allows Run Command. For more information, see Installing the agent on multiple EC2 instances using the Systems Manager Run Command. If you want to manually install the agent, see Installing Amazon Inspector Agents.

  5. Choose Next.

  6. On the Define an assessment template page, enter the name of your assessment template.

  7. For Rules packages, choose the rules packages to include in the assessment template. For more information about rules packages, see Amazon Inspector Rules Packages and Rules.

  8. For Duration, choose the duration of your assessment run.

  9. (Optional) For Assessment Schedule, set a schedule for recurring assessment runs.

  10. Choose Next.

  11. On the Review page, review your choices for the assessment target and template. If you're satisfied with the configuration, choose Create. If you set an assessment schedule for your assessment template, the assessment automatically runs after you choose Create.

    Note

    To identify the EC2 instances that are specified in the assessment targets, Amazon Inspector Classic needs to enumerate your EC2 instances and tags. Amazon Inspector Classic gets access to these resources in your AWS account through a service-linked role called AWSServiceRoleForAmazonInspector. For more information about using service-linked roles in Amazon Inspector Classic, see Using service-linked roles for Amazon Inspector Classic. For detailed information about using service-linked roles, see Using service-linked roles in the AWS Identity and Access Management User Guide.

  12. If you didn't set up an assessment schedule, navigate to your assessment template through the console, and then choose Run.

  13. To track the progress of the assessment run, in the navigation pane of the console, choose Assessment runs, and then choose Findings. For more information about findings, see Amazon Inspector Classic findings.
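The same target, template, run and findings workflow driven through the Inspector Classic API instead of the console, as an added example that is not part of this guide (the one-click path is this procedure with an empty tag set and every rules package). Tag keys, names, the Region and the sample findings are assumptions; the request builders and the findings triage run offline, while `create_and_run` needs credentials in a Region where Inspector Classic is available.

```python
from collections import Counter

DURATION_MIN, DURATION_MAX = 180, 86400  # Inspector Classic run-duration limits (seconds)
SEVERITIES = ("High", "Medium", "Low", "Informational", "Undefined")

def target_tags(tags):
    """Step 3: the resourceGroupTags list that scopes a target by EC2 tag."""
    return [{"key": k, "value": v} for k, v in tags.items()]

def template_request(target_arn, name, rules_package_arns, duration=3600):
    """Steps 6-8: validated keyword arguments for create_assessment_template."""
    if not DURATION_MIN <= duration <= DURATION_MAX:
        raise ValueError(f"duration must be {DURATION_MIN}-{DURATION_MAX} seconds")
    if not rules_package_arns:
        raise ValueError("choose at least one rules package")
    return {"assessmentTargetArn": target_arn, "assessmentTemplateName": name,
            "durationInSeconds": duration, "rulesPackageArns": list(rules_package_arns)}

def create_and_run(tags, target_name, template_name, region="us-east-1"):
    """Steps 2-12 end to end; needs credentials for a Region with Inspector Classic."""
    import boto3  # imported here so the offline helpers work without boto3
    client = boto3.client("inspector", region_name=region)
    kwargs = {"assessmentTargetName": target_name}
    if tags:  # an empty dict keeps the console's "All Instances" default
        group = client.create_resource_group(resourceGroupTags=target_tags(tags))
        kwargs["resourceGroupArn"] = group["resourceGroupArn"]
    target = client.create_assessment_target(**kwargs)
    packages = client.list_rules_packages()["rulesPackageArns"]  # every package in the Region
    template = client.create_assessment_template(
        **template_request(target["assessmentTargetArn"], template_name, packages))
    run = client.start_assessment_run(assessmentTemplateArn=template["assessmentTemplateArn"])
    return run["assessmentRunArn"]  # step 13: list_findings(assessmentRunArns=[arn])

def triage(findings):
    """Step 13: findings per severity, plus the instances that have High findings."""
    counts = Counter(f.get("severity", "Undefined") for f in findings)
    high_hosts = sorted({f["assetAttributes"]["agentId"] for f in findings
                         if f.get("severity") == "High"
                         and "agentId" in f.get("assetAttributes", {})})
    return {s: counts.get(s, 0) for s in SEVERITIES}, high_hosts

# Constructed sample in the shape of describe_findings()["findings"]; not real output.
SAMPLE_FINDINGS = [
    {"severity": "High", "assetAttributes": {"agentId": "i-0aaa"}},
    {"severity": "Medium", "assetAttributes": {"agentId": "i-0aaa"}},
    {"severity": "High", "assetAttributes": {"agentId": "i-0bbb"}},
    {"severity": "Informational", "assetAttributes": {"agentId": "i-0bbb"}},
]
```

Pass the ARN returned by `create_and_run` to `describe_findings` on the ARNs from `list_findings` and feed the result to `triage` to get the per-severity counts the console's Findings view shows.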