How can I set up Amazon Inspector to perform a security assessment on my Amazon Elastic Compute Cloud (Amazon EC2) instance? 

You can use the Amazon Inspector service to create and run security assessments for your Amazon EC2 instances by following these steps:

  1. Open the Amazon Inspector console, and choose Get Started.
  2. Review the Amazon Inspector prerequisites, and configure the following:
    - Create an AWS Identity and Access Management (IAM) role.
    - Tag the Amazon EC2 instances on which you want Amazon Inspector to perform the assessment.
    - Install the Amazon Inspector Agent on your EC2 instances.
  3. Define the assessment target.
  4. Define the assessment template.
  5. Run the Amazon Inspector assessment.

Create an IAM role

  1. Open the Amazon Inspector console.
  2. Choose Create or choose role, or choose Manage Inspector Service Role.
  3. Choose Allow to give Amazon Inspector read-only access to resources in your account.

Tag your Amazon EC2 instances

  1. Open the Amazon EC2 console, and choose Instances from the left navigation menu.
  2. Select the instances that you want Amazon Inspector to perform an assessment on, and choose the Tags view.
  3. Choose Add/Edit Tags, and enter a key, such as "examplekey," for the Key.
  4. Enter a Value, such as "examplevalue," and choose Save.

Install the Amazon Inspector agent

The instructions for installing the Amazon Inspector agent depend on the OS of the Amazon EC2 instance.

For information about automating the installation of the Amazon Inspector agent, see How to Simplify Security Assessment Setup Using Amazon EC2 Systems Manager and Amazon Inspector.

Define the assessment target

  1. After you've installed the Amazon Inspector agent, choose Next or Define an assessment target. Alternatively, open the Amazon Inspector console and choose Define an assessment target from the left navigation menu.
  2. Enter a name for the assessment target, and choose the Key and Value pairs for the Amazon EC2 instances that you want to include in the assessment, such as "examplekey" and "examplevalue." You can then choose Preview to view and verify the instances that are included.
  3. Choose Next.

Define the assessment template

  1. Enter a name for your assessment template.
  2. Select Common Vulnerabilities for the rule package.
  3. Select the Duration you want your assessment to run.
    Note: It's recommended that you choose a duration of one hour if you have more than one rules package or instance.
  4. Choose Next, and choose Create.
  5. Review the assessment template, and choose Create.

Run the assessment

  1. After completing the previous steps, open the Amazon Inspector console.
  2. Select the Assessment templates section to see available assessments.
  3. Choose the template you created, and choose Run to start the assessment immediately, or create an Assessment Event.
  4. After the assessment completes, from the left navigation menu choose Findings or Assessment runs.
    - Assessment runs include a list of all assessment runs, from which you can review information about that particular assessment, generate a report from that assessment, or navigate to the security Findings for specific assessments.
    - Findings include a list of all Findings for all assessment runs, which you can then filter.

Findings are identified security vulnerabilities or configuration exposures discovered during the Amazon Inspector assessment. To learn more about a Finding, choose the arrow next to the Finding to expand the detailed view. For help addressing these security issues, follow the instructions in the Recommendation section.

Assessment Reports include a summary of all the Amazon EC2 instances evaluated in the assessment and the Rules Packages used, a summary of the security Findings, details of each security Finding, and a list of the security rules passed during the assessment.
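The same flow driven through the Inspector Classic API instead of the console, as an added example that is not part of the AWS article: the boto3 client usage, the target and template names, and the findings triage on a constructed sample are assumptions, with the tag key and value taken from the steps above.

```python
# Added example, not from the AWS article: the console steps above done through the
# Inspector Classic API. Parameter building and findings triage are stdlib functions
# that run offline on constructed data; only main() calls boto3. Names are assumptions.
from collections import Counter
def template_params(target_arn, name, rules_package_arns, duration_hours=1):
    """create_assessment_template request; the API accepts 180..86400 seconds."""
    seconds = int(duration_hours * 3600)
    if not 180 <= seconds <= 86400:
        raise ValueError(f"duration {seconds}s is outside 180..86400 seconds")
    if not rules_package_arns:
        raise ValueError("at least one rules package ARN is required")
    return {"assessmentTargetArn": target_arn, "assessmentTemplateName": name,
            "durationInSeconds": seconds, "rulesPackageArns": list(rules_package_arns)}

def summarize_findings(findings):
    """Count describe_findings results by severity and list High/Medium items per
    instance with their Recommendation text, so remediation can be tracked."""
    actions = sorted((f["assetAttributes"]["agentId"], f["title"], f["recommendation"])
                     for f in findings if f["severity"] in ("High", "Medium"))
    return {"by_severity": dict(Counter(f["severity"] for f in findings)), "actions": actions}

# Constructed sample in the describe_findings shape; instance id and CVE are placeholders.
SAMPLE_FINDINGS = [
    {"severity": "High", "assetAttributes": {"agentId": "i-EXAMPLE1"},
     "title": "Instance i-EXAMPLE1 is vulnerable to CVE-XXXX-XXXX",
     "recommendation": "Use your OS's update feature to update the affected package."},
    {"severity": "Informational", "assetAttributes": {"agentId": "i-EXAMPLE1"},
     "title": "No potential security issues found", "recommendation": "No action required."},
]
if __name__ == "__main__":
    import boto3  # needed only for the live run against your account
    insp = boto3.client("inspector")  # service name for Inspector Classic
    # Rules package ARNs differ per Region, so resolve the CVE package by name.
    pkgs = insp.describe_rules_packages(
        rulesPackageArns=insp.list_rules_packages()["rulesPackageArns"])["rulesPackages"]
    cve_arns = [p["arn"] for p in pkgs if p["name"].startswith("Common Vulnerabilities")]
    group = insp.create_resource_group(  # the tag the article applies in the EC2 console
        resourceGroupTags=[{"key": "examplekey", "value": "examplevalue"}])
    target = insp.create_assessment_target(assessmentTargetName="example-target",
                                           resourceGroupArn=group["resourceGroupArn"])
    tmpl = insp.create_assessment_template(
        **template_params(target["assessmentTargetArn"], "example-template", cve_arns))
    run = insp.start_assessment_run(assessmentTemplateArn=tmpl["assessmentTemplateArn"])
    # Findings exist only after the run completes (the duration above); rerun from here then.
    pages = insp.get_paginator("list_findings").paginate(assessmentRunArns=[run["assessmentRunArn"]])
    arns = [a for page in pages for a in page["findingArns"]]
    found = [f for i in range(0, len(arns), 10)  # describe_findings takes at most 10 ARNs
             for f in insp.describe_findings(findingArns=arns[i:i + 10])["findings"]]
    print(summarize_findings(found))
```

The offline functions let you validate the template duration before calling the API and turn a findings list into a per-instance remediation checklist keyed on the Recommendation text.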

Note: Amazon Inspector assessment targets can only include Amazon EC2 instances that have a supported OS installed. See Amazon Inspector Supported Operating Systems and Regions for more information.

Published: 2017-11-14