Posted On: Dec 5, 2017
AWS is announcing three enhancements that make it easier to get started with Amazon Inspector and to run security assessments. First, you can now configure Inspector assessments through AWS CloudFormation so that they are set up automatically as your Amazon EC2 instances are deployed. Second, you can launch instances from an Amazon Linux Amazon Machine Image (AMI) that has the Inspector Agent pre-installed and run security assessments without installing the agent by hand. Third, Inspector now uses AWS Identity and Access Management (IAM) service-linked roles, which means you can leave the registration and management of the IAM role Inspector needs to us.
AWS CloudFormation support: Starting today, you can create Inspector resource groups, assessment targets, and assessment templates from CloudFormation templates, so security assessments for your EC2 instances are defined as the instances are deployed. In the same template you can bootstrap installation of the Inspector Agent on the instances by running the agent installation commands from AWS::CloudFormation::Init or from EC2 user data, or you can launch the instances from an AMI that already has the Inspector Agent installed. For more information on CloudFormation, see the AWS CloudFormation website.
Amazon Linux AMI pre-installed with the Amazon Inspector Agent: You can now launch your EC2 instances from an Amazon Linux 2017.09 AMI that ships with the Inspector Agent installed. The AMI is available from the EC2 Console and the AWS Marketplace, is provided and supported by Amazon Web Services at no additional charge, and lets you quickly deploy a fleet of EC2 instances that are ready to run Inspector assessments. You can learn more about the AMI on the AWS Marketplace.
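As an added illustration (not a template from this announcement or from AWS), the following CloudFormation template wires the two features above together: an EC2 instance tagged for scanning, whose user data installs the Inspector Agent unless the supplied AMI already ships it, plus the Inspector resource group, assessment target and assessment template that select that instance by tag. The parameter names, the tag key InspectorScan, the instance type and the 3600-second duration are assumptions chosen for the example; rules package ARNs differ by region, so they are passed in as a parameter rather than hard-coded.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Example (not from the announcement): EC2 instance bootstrapped with the
  Inspector Agent, plus the Inspector resource group, assessment target and
  assessment template that cover it.

Parameters:
  ImageId:
    Type: AWS::EC2::Image::Id
    Description: >-
      Amazon Linux AMI. Pass the Inspector-Agent-preinstalled AMI here and
      the UserData install step below becomes a no-op.
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet with outbound internet access (agent download needs it).
  RulesPackageArns:
    Type: CommaDelimitedList
    Description: >-
      Region-specific Inspector rules package ARNs (assumption: looked up with
      "aws inspector list-rules-packages" before deploying).

Resources:
  # Instance that will be assessed. The tag is what the resource group matches on.
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t2.micro          # assumption for the example
      SubnetId: !Ref SubnetId
      Tags:
        - Key: InspectorScan          # assumed tag key, must match the resource group
          Value: 'true'
      UserData:
        Fn::Base64: |
          #!/bin/bash -xe
          # Bootstrap the Inspector Agent from user data (runs as root).
          # Harmless on the pre-installed AMI: the installer sees the agent.
          curl -O https://inspector-agent.amazonaws.com/linux/latest/install
          bash install

  # Resource group: "every instance carrying InspectorScan=true".
  AssessmentResourceGroup:
    Type: AWS::Inspector::ResourceGroup
    Properties:
      ResourceGroupTags:
        - Key: InspectorScan
          Value: 'true'

  # Assessment target bound to that resource group.
  AssessmentTarget:
    Type: AWS::Inspector::AssessmentTarget
    Properties:
      AssessmentTargetName: !Sub '${AWS::StackName}-target'
      ResourceGroupArn: !GetAtt AssessmentResourceGroup.Arn

  # Assessment template: which rules to run, for how long, and how to tag findings.
  AssessmentTemplate:
    Type: AWS::Inspector::AssessmentTemplate
    Properties:
      AssessmentTargetArn: !GetAtt AssessmentTarget.Arn
      AssessmentTemplateName: !Sub '${AWS::StackName}-template'
      DurationInSeconds: 3600       # assumption: one-hour run
      RulesPackageArns: !Ref RulesPackageArns
      UserAttributesForFindings:
        - Key: Stack
          Value: !Ref AWS::StackName

Outputs:
  AssessmentTemplateArn:
    Description: Pass this ARN to "aws inspector start-assessment-run".
    Value: !GetAtt AssessmentTemplate.Arn
```

Deploying the stack defines the assessment but does not run it; start a run with aws inspector start-assessment-run --assessment-template-arn and the ARN from the stack output, or schedule that call from a pipeline step after the instances have finished booting. The user data install step needs outbound HTTPS from the instance to the agent download endpoint, and the instance must also be able to reach the Inspector service for the run to produce findings; if the agent cannot check in, the run completes with the instance reported as unassessed rather than failing loudly, so verify agent health on a new image before relying on the schedule.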
Service-linked roles: Amazon Inspector now uses an IAM service-linked role to describe the EC2 instances and tags that make up an assessment target, so you no longer need to create and register IAM roles for Inspector. Starting today, the service-linked role is created for new customers when they start using Inspector, and for existing customers when they create a new assessment target or assessment template. Because the role is managed by us, you cannot inadvertently revoke permissions that Inspector requires. When Inspector launches new features that need additional IAM permissions, we will update the service-linked role and notify you of the change. If you no longer want to use Inspector, you can delete the service-linked role from the IAM console. For more information on service-linked roles, see the IAM documentation.