Amazon Inspector deep inspection for Amazon EC2 Linux instances - Amazon Inspector

Amazon Inspector expands Amazon EC2 scanning coverage to include deep inspection. With deep inspection, Amazon Inspector detects package vulnerabilities for application programming language packages in your Linux-based Amazon EC2 instances.

Amazon Inspector scans default paths for programming language package libraries. You can also configure custom paths in addition to default paths.

Note

You can use deep inspection with the Default Host Management Configuration setting. However, you must create an instance profile and attach the ssm:PutInventory and ssm:GetParameter permissions.

Amazon Inspector uses data that's collected with the Amazon Inspector SSM plugin to perform deep inspection scans. To manage the Amazon Inspector SSM plugin and perform deep inspection for Linux, Amazon Inspector automatically creates the SSM association InvokeInspectorLinuxSsmPlugin-do-not-delete in your account.

Amazon Inspector collects updated application inventory from instances for deep inspection every 6 hours.

Deep inspection is not supported for Windows or Mac instances.

Activating or deactivating deep inspection

Note

Deep inspection is automatically activated as part of Amazon EC2 scanning for accounts that activate Amazon Inspector after April 17, 2023.

You can check to see if deep inspection is active for an account in the Amazon Inspector console from the Amazon EC2 scanning column on the Account management page. If deep inspection isn't active, this column will say Activated (deep inspection deactivated). To check the activation status programmatically, use the GetEc2DeepInspectionConfiguration API. Or, for multiple accounts, use the BatchGetMemberEc2DeepInspectionStatus API.

If you activated Amazon Inspector before April 17, 2023, you can activate deep inspection through the console banner or the UpdateEc2DeepInspectionConfiguration API. If you're the delegated administrator for an organization in Amazon Inspector, you can use the BatchUpdateMemberEc2DeepInspectionStatus API to activate it for yourself and your member accounts.

You can deactivate deep inspection through the UpdateEc2DeepInspectionConfiguration API. Member accounts in an organization can't deactivate deep inspection. Instead, the member account must be deactivated by their delegated administrator using the BatchUpdateMemberEc2DeepInspectionStatus API.

About the Amazon Inspector SSM plugin for Linux

Amazon Inspector uses the Amazon Inspector SSM plugin to perform deep inspection of your Linux instances. The Amazon Inspector SSM plugin is automatically installed on your Linux instances in the following directory: /opt/aws/inspector/bin. The name of the executable is inspectorssmplugin.

Note

Amazon Inspector uses Systems Manager Distributor to deploy the plugin in your Amazon EC2 instance. Systems Manager Distributor supports the operating systems listed as Supported package platforms and architectures in the Systems Manager guide. Your Amazon EC2 instance's operating system must be supported by Systems Manager Distributor and Amazon Inspector for Amazon Inspector to perform deep inspection scans.

Amazon Inspector creates the following file directories to manage data collected for deep inspection by the Amazon Inspector SSM plugin:

  • /opt/aws/inspector/var/input

  • /opt/aws/inspector/var/output

    • The packages.txt file in this directory stores the full paths to packages discovered by deep inspection. If Amazon Inspector detects the same package multiple times on your instance, this file lists each location where that package was found.

Amazon Inspector stores logs for the plugin in the /var/log/amazon/inspector directory.

Uninstalling the Amazon Inspector SSM plugin

If the inspectorssmplugin file is inadvertently deleted, the InspectorLinuxDistributor-do-not-delete SSM association will try to reinstall the plugin at the next scan interval.

If you deactivate Amazon EC2 scanning, the plugin will be automatically uninstalled from all Linux hosts.

Custom paths for Amazon Inspector deep inspection

You can configure custom paths for Amazon Inspector to search when it performs deep inspection of your Linux Amazon EC2 instances. When you add a custom path, Amazon Inspector scans for packages in that directory and all sub-directories within it.

All accounts can define up to 5 custom paths for their individual account. If you're the delegated administrator for your organization, you can define 5 additional paths that will apply across your entire organization. This amounts to a total of up to 10 custom paths scanned per account in the organization.

Amazon Inspector scans all custom paths in addition to the following default paths that are scanned for all accounts:

  • /usr/lib

  • /usr/lib64

  • /usr/local/lib

  • /usr/local/lib64

Note

Custom paths must be local paths. Amazon Inspector doesn't scan mapped network paths like Network File System (NFS) mounts or Amazon S3 file system mounts.

Formatting for custom paths

The following is an example of the format for a custom path: /home/usr1/project01

Your custom paths can't be longer than 256 characters.

There is a 5,000 package limit per instance and a maximum package inventory collection time limit of 15 minutes. We recommend that you try to choose custom paths to help you avoid these limits.

Set a custom path in the console

Console

Sign in as the Amazon Inspector delegated administrator and follow these steps to add custom paths for your organization.

  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to activate Lambda standard scanning.

  3. From the side navigation panel, under General settings, select EC2 scanning settings.

  4. Under Custom paths for your own account, select Edit to add paths for your individual account. If you're the delegated administrator, you can choose Edit in the Custom paths for your organization pane to add custom paths for all accounts within the organization.

  5. Enter your custom paths in the text boxes.

  6. Choose Save to save your custom paths. Amazon Inspector will include these paths in its next deep inspection.

API

Run the UpdateEc2DeepInspectionConfiguration command. For packagePaths, specify an array of paths to scan.
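As an added example (not AWS's own code), the following Python applies the custom-path limits from the sections above (5 paths per scope, 256 characters, absolute local paths, default paths always scanned) before calling UpdateEc2DeepInspectionConfiguration through the boto3 inspector2 client. The boto3 method names, the orgPackagePaths response field and the sample paths are assumptions.

```python
"""Validate Amazon Inspector deep inspection custom paths, then apply them.
Added example, not AWS's own code: it applies the limits stated on this page
(5 paths per scope, 256 characters, absolute local paths, default paths always
scanned) and assumes boto3's inspector2 client mirrors the API names here."""
import posixpath

MAX_PATHS_PER_SCOPE = 5    # 5 per account; the delegated admin may add 5 more org-wide
MAX_PATH_LENGTH = 256
DEFAULT_PATHS = ("/usr/lib", "/usr/lib64", "/usr/local/lib", "/usr/local/lib64")

def is_covered(path, roots):
    """True if path equals a root or lies under it (Inspector scans sub-directories)."""
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)

def validate_custom_paths(account_paths, org_paths=()):
    """Return the account-level paths worth sending, or raise ValueError.
    Paths already covered by a default path, an organization path or another
    custom path are dropped so they do not consume one of the five slots."""
    kept = []
    for raw in account_paths:
        if not raw.startswith("/"):
            raise ValueError(f"{raw!r}: custom paths must be absolute local paths")
        path = posixpath.normpath(raw)
        if len(path) > MAX_PATH_LENGTH:
            raise ValueError(f"{raw!r}: longer than {MAX_PATH_LENGTH} characters")
        if is_covered(path, DEFAULT_PATHS) or is_covered(path, org_paths) or is_covered(path, kept):
            continue
        kept = [k for k in kept if not is_covered(k, [path])]  # a parent replaces its children
        kept.append(path)
    if len(kept) > MAX_PATHS_PER_SCOPE:
        raise ValueError(f"{len(kept)} custom paths; at most {MAX_PATHS_PER_SCOPE} per account")
    return kept

def apply_custom_paths(client, account_paths, org_paths=(), activate=True):
    """Send the validated paths as packagePaths via UpdateEc2DeepInspectionConfiguration."""
    return client.update_ec2_deep_inspection_configuration(
        activateDeepInspection=activate,
        packagePaths=validate_custom_paths(account_paths, org_paths))

if __name__ == "__main__":
    import boto3  # real call only; region and credentials come from the environment
    inspector = boto3.client("inspector2")
    org_paths = inspector.get_ec2_deep_inspection_configuration().get("orgPackagePaths", [])
    print(apply_custom_paths(inspector, ["/home/usr1/project01"], org_paths))
```

Running it as a script needs AWS credentials with inspector2 permissions; the validation functions themselves run offline.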

Supported programming languages

For Linux instances, Amazon Inspector deep inspection can produce findings for application programming language packages in addition to vulnerabilities in operating system packages. For Mac and Windows instances, only operating system packages are scanned.

For information about supported programming languages, see Supported programming languages for Amazon Inspector deep inspection.