HAQM Inspector FAQs
General
What is HAQM Inspector?
HAQM Inspector is an automated vulnerability management service that continually scans HAQM Elastic Compute Cloud (EC2), AWS Lambda functions, and container images in HAQM ECR and within continuous integration and continuous delivery (CI/CD) tools, in near-real time for software vulnerabilities and unintended network exposure.
What are the key benefits of HAQM Inspector?
HAQM Inspector removes the operational overhead associated with deploying and configuring a vulnerability management solution by allowing you to deploy HAQM Inspector across all accounts with a single step. Additional benefits include:
- Automated discovery and continual scanning that delivers near real-time vulnerability findings
- Central management, configuration, and view of findings for all your organization’s accounts by setting a Delegated Administrator (DA) account
- A highly contextualized and meaningful HAQM Inspector risk score for each finding to help you set more accurate response priorities
- An intuitive HAQM Inspector dashboard for coverage metrics, including accounts, HAQM EC2 instances, Lambda functions, and container images in HAQM ECR and within CI/CD tools, in near-real time.
- Maximize vulnerability assessment coverage by seamlessly scanning EC2 instances, switching between agent-based and agentless scanning (preview).
- Centrally manage software bill of materials (SBOM) exports for all monitored resources.
- Integration with AWS Security Hub and HAQM EventBridge to automate workflows and ticket routing
How do I migrate from HAQM Inspector Classic to the new HAQM Inspector?
You can deactivate HAQM Inspector Classic by simply deleting all assessment templates in your account. To access findings for existing assessment runs, you can download them as reports or export them using the HAQM Inspector API. You can activate the new HAQM Inspector with a few steps in the AWS Management Console, or by using the new HAQM Inspector APIs. You can find the detailed migration steps in the HAQM Inspector Classic User Guide.
How is HAQM Inspector different from HAQM Inspector Classic?
HAQM Inspector has been rearchitected and rebuilt to create a new vulnerability management service. Here are the key enhancements over HAQM Inspector Classic:
- Built for scale: The new HAQM Inspector is built for scale and the dynamic cloud environment. There’s no limit to the number of instances or images that can be scanned at a time.
- Support for container images and Lambda functions: The new HAQM Inspector also scans container images residing in HAQM ECR and within CI/CD tools, and Lambda functions for software vulnerabilities. Container-related findings are also pushed to the HAQM ECR console.
- Support for multi-account management: The new HAQM Inspector is integrated with AWS Organizations, allowing you to delegate an administrator account for HAQM Inspector for your organization. This Delegated Administrator (DA) account is a centralized account that consolidates all findings and can configure all member accounts.
- AWS Systems Manager Agent: With the new HAQM Inspector, you no longer need to install and maintain a standalone HAQM Inspector agent on all of your HAQM EC2 instances. The new HAQM Inspector uses the widely deployed AWS Systems Manager Agent (SSM Agent), which removes that need.
- Automated and continual scanning: The new HAQM Inspector automatically detects all newly launched HAQM EC2 instances, Lambda functions, and eligible container images pushed to HAQM ECR and immediately scans them for software vulnerabilities and unintended network exposure. When an event occurs that may introduce a new vulnerability, the involved resources are automatically rescanned. Events that initiate rescanning a resource include installing a new package in an EC2 instance, installing a patch, and when a new common vulnerabilities and exposures (CVE) that impacts the resource is published.
- HAQM Inspector risk score: The new HAQM Inspector calculates an Inspector risk score by correlating up-to-date CVE information with temporal and environmental factors such as network accessibility and exploitability information to add context to help prioritize your findings.
- Vulnerability assessment coverage: The new HAQM Inspector enhances vulnerability assessment by seamlessly scanning EC2 instances and switching between agent-based and agentless scanning (preview).
- Software bill of materials (SBOM) export: The new HAQM Inspector centrally manages and exports SBOM for all monitored resources.
Can I use HAQM Inspector and HAQM Inspector Classic simultaneously in the same account?
Yes, you can use both simultaneously in the same account.
How is the HAQM Inspector container image scanning service for HAQM Elastic Container Registry (ECR) different than the HAQM ECR native container image scanning solution?
Feature | HAQM Inspector container image scanning (ECR enhanced scanning) | HAQM ECR native container image scanning (ECR basic scanning)
---|---|---
Scanning engine | HAQM Inspector is a vulnerability management service developed by AWS that has built-in support for container images residing in HAQM ECR | HAQM ECR offers a managed AWS native basic scanning solution
Package coverage | Identifies vulnerabilities in both operating system (OS) packages and programming language (such as Python, Java, and Ruby) packages | Identifies software vulnerabilities only in OS packages
Support for enhanced detection | Yes, detection for ecosystems including Go toolchain, Oracle JDK & JRE, HAQM Corretto, Apache Tomcat, Apache httpd, WordPress (core, themes, plugins), Google Puppeteer (Chrome embedding), and Node.js runtime | No
Support for scratch, distroless, and Chainguard images | Yes, all scratch, distroless, and Chainguard images are supported | No
Scanning frequency | Offers both continual scanning and on-push scanning | Offers only on-push scanning
Vulnerability intelligence | Provides enhanced vulnerability intelligence such as whether an exploit is available for a CVE, fixed-in package version remediation guidance, EPSS scores, and malware kits being used to exploit a CVE | Provides only basic information about a software vulnerability
Findings | Findings are available in both the HAQM Inspector and HAQM ECR consoles, as well as the HAQM Inspector and HAQM ECR application programming interfaces (APIs) and software development kits (SDKs) | Findings are available in the HAQM ECR console and HAQM ECR APIs and SDK
EOL detection | Yes, HAQM Inspector generates an additional finding for end-of-life (EOL) software | No, EOL detection isn't available
Vulnerability scoring | Provides a contextual Inspector score and Common Vulnerability Scoring System (CVSS) v2 and v3 scores from both the National Vulnerability Database (NVD) and vendors | CVSS v3 and v2 scores only
AWS service integrations | Integrated with AWS Security Hub, AWS Organizations, and AWS EventBridge | No built-in integrations with other AWS services are available
What is the pricing for HAQM Inspector?
See the HAQM Inspector pricing page for full pricing details.
Is there a free trial for HAQM Inspector?
All accounts new to HAQM Inspector are eligible for a 15-day free trial to evaluate the service and estimate its cost. During the trial, all eligible HAQM EC2 instances, AWS Lambda functions, and container images pushed to HAQM ECR are continually scanned at no cost. You can also review estimated spend in the HAQM Inspector console.
In what Regions is HAQM Inspector available?
HAQM Inspector is available globally. Specific availability by Region is listed here.
Getting started
How do I get started?
You can activate HAQM Inspector for your entire organization or an individual account with a few steps in the AWS Management Console. Once activated, HAQM Inspector automatically discovers running HAQM EC2 instances, Lambda functions, and HAQM ECR repositories and immediately starts continually scanning workloads for software vulnerabilities and unintended network exposure. If you’re new to HAQM Inspector, there’s a 15-day free trial as well.
What is an HAQM Inspector finding?
An HAQM Inspector finding is a potential security vulnerability. For example, when HAQM Inspector detects software vulnerabilities or open network paths to your compute resources, it creates security findings.
Can I manage HAQM Inspector using my AWS Organizations structure?
Yes. HAQM Inspector is integrated with AWS Organizations. You can assign a DA account for HAQM Inspector, which acts as the primary administrator account for HAQM Inspector and can manage and configure it centrally. The DA account can centrally view and manage findings for all the accounts that are part of your AWS organization.
How do I delegate an administrator for the HAQM Inspector service?
The AWS Organizations Management account can assign a DA account for HAQM Inspector in the HAQM Inspector console or by using HAQM Inspector APIs.
Do I have to activate specific scanning types (that is, HAQM EC2 scanning, Lambda functions scanning, or HAQM ECR container image scanning)?
If you’re starting HAQM Inspector for the first time, all scanning types, including EC2 scanning, Lambda scanning, and ECR container image scanning are activated by default. However, you can deactivate any or all of these across all accounts in your organization. Existing users can activate new features in the HAQM Inspector console or by using HAQM Inspector APIs.
Do I need any agents to use HAQM Inspector?
No, you don’t need an agent for scanning. For vulnerability scanning of HAQM EC2 instances, you can use the AWS Systems Manager Agent (SSM Agent) for an agent-based solution. HAQM Inspector also offers agentless scanning (preview) if you don’t have the SSM Agent deployed or configured. For assessing network reachability of HAQM EC2 instances, vulnerability scanning of container images, or vulnerability scanning of Lambda functions, no agents are necessary.
How can I install and configure the HAQM Systems Manager Agent?
To successfully scan HAQM EC2 instances for software vulnerabilities, HAQM Inspector requires that these instances are managed by AWS Systems Manager and the SSM agent. See Systems Manager prerequisites in the AWS Systems Manager User Guide for instructions to activate and configure Systems Manager. For information about managed instances, see the Managed Instances section in the AWS Systems Manager User Guide.
How do I know which HAQM ECR repositories are configured for scanning? And how do I manage which repositories should be configured for scanning?
HAQM Inspector supports the configuration of inclusion rules to select which ECR repositories are scanned. Inclusion rules can be created and managed under the registry settings page within the ECR console or using ECR APIs. The ECR repositories that match the inclusion rules are configured for scanning. Detailed scanning status of repositories is available in both the ECR and HAQM Inspector consoles.
Working with HAQM Inspector
How do I know if my resources are being actively scanned?
The Environmental Coverage panel in the HAQM Inspector dashboard shows the metrics for accounts, HAQM EC2 instances, Lambda functions, and ECR repositories being actively scanned by HAQM Inspector. Each instance and image has a scanning status: Scanning or Not Scanning. Scanning means the resource is continually being scanned in near real time. A status of Not Scanning could mean the initial scan has not been performed yet, the OS is unsupported, or something else is preventing the scan.
How often are the automated rescans performed?
All scans are automatically performed based on events. All workloads are initially scanned upon discovery and subsequently rescanned.
- For HAQM EC2 instances: For SSM agent-based scans, rescans are started when a new software package is installed or uninstalled on an instance, when a new CVE is published, and after a vulnerable package is updated (to confirm there are no additional vulnerabilities). For agentless scans, scans are performed every 24 hours.
- For HAQM ECR container images: Automated rescans are started for eligible container images when a new CVE affecting an image is published. The automated rescans for container images are based on the rescan durations configured for both the image push date and pull date in the HAQM Inspector console or APIs. If the push date of an image is within the configured “Push date rescan duration” and the image has been pulled within the configured “Pull date rescan duration”, the container image will continue to be monitored, and automated rescans are started when a new CVE affecting the image is published. Available rescan duration configurations for image push date are 90 days (by default), 14 days, 30 days, 60 days, 180 days, or lifetime. The rescan duration configurations for image pull date are 90 days (by default), 14 days, 30 days, 60 days, or 180 days.
- For Lambda functions: All new Lambda functions are initially assessed upon discovery, and continually reassessed when there is an update to the Lambda function or a new CVE is published.
How long are container images continually rescanned with HAQM Inspector?
Container images residing in HAQM ECR repositories that are configured for continual scanning are scanned for the duration configured in the HAQM Inspector console or APIs. Available rescan duration configurations for image push date are 90 days (by default), 14 days, 30 days, 60 days, 180 days, or lifetime. The rescan duration configurations for image pull date are 90 days (by default), 14 days, 30 days, 60 days, or 180 days.
- When HAQM Inspector ECR scanning is activated, HAQM Inspector only picks up images pushed or pulled in the last 30 days for scanning, but continually scans them for the rescan duration configured for push and pull date, that is, 90 days (by default), 14 days, 30 days, 60 days, 180 days, or lifetime. If the push date of an image is within the configured “Push date rescan duration” AND the image has been pulled within the configured “Pull date rescan duration”, the container image will continue to be monitored and automated rescans are started when a new CVE affecting the image is published. For example, when activating HAQM Inspector ECR scanning, HAQM Inspector will pick up images pushed or pulled in the last 30 days for scanning. However, post-activation, if you select a 180-day rescan duration for both the push date and pull date configurations, HAQM Inspector will continue to scan the images if they were pushed in the last 180 days or have been pulled at least once in the last 180 days. If an image hasn’t been pushed or pulled in the last 180 days, HAQM Inspector will stop monitoring it.
- All images pushed to ECR after HAQM Inspector ECR scanning is activated are continually scanned for the duration configured in “Push date rescan duration” and “Pull date rescan duration”. Available rescan duration configurations for image push date are 90 days (by default), 14 days, 30 days, 60 days, 180 days, or lifetime. The rescan duration configurations for image pull date are 90 days (by default), 14 days, 30 days, 60 days, or 180 days. The automated rescan duration is calculated from the last push or pull date of a container image. For example, after activating HAQM Inspector ECR scanning, if you select a 180-day rescan duration for both the push date and pull date configurations, HAQM Inspector will continue to scan the images if they were pushed in the last 180 days or have been pulled at least once in the last 180 days. However, if an image hasn’t been pushed or pulled in the last 180 days, HAQM Inspector will stop monitoring it.
- If the image is in “scan eligibility expired” state, you can pull the image to bring it back under HAQM Inspector monitoring. The image will be continually scanned for the push and pull date rescan durations configured from the last pulled date.
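The rescan-duration rule above is easy to misjudge when deciding whether an old image is still covered. The following is an added example, not AWS's or HAQM Inspector's own code: a small model that takes an image's push and last-pull timestamps plus the two configured durations and answers whether the image is still monitored or has reached the “scan eligibility expired” state, and that shows a pull bringing an expired image back. The FAQ states the condition once as push window AND pull window and illustrates it as “pushed in the last 180 days or pulled at least once in the last 180 days”; the model follows the worked example (either window keeps the image monitored), which is stated in a comment. Image digests and timestamps are constructed.

```python
# Added example (not AWS's code): models the ECR rescan-duration rule from the FAQ.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Values the FAQ lists for each setting. "lifetime" is only offered for the push date.
PUSH_DURATIONS = {"14", "30", "60", "90", "180", "lifetime"}
PULL_DURATIONS = {"14", "30", "60", "90", "180"}
DEFAULT_DURATION = "90"  # the FAQ's default for both settings


def within_window(event_time: Optional[datetime], now: datetime, duration: str) -> bool:
    """True if event_time falls inside the last `duration` days (always, for lifetime)."""
    if event_time is None:
        return False  # never pushed/pulled: this window cannot apply
    if duration == "lifetime":
        return True
    return now - event_time <= timedelta(days=int(duration))


def is_monitored(pushed_at: datetime, last_pulled_at: Optional[datetime], now: datetime,
                 push_duration: str = DEFAULT_DURATION,
                 pull_duration: str = DEFAULT_DURATION) -> bool:
    """Whether HAQM Inspector keeps rescanning an image. Follows the FAQ's worked
    example: pushed within the push window OR pulled within the pull window."""
    if push_duration not in PUSH_DURATIONS or pull_duration not in PULL_DURATIONS:
        raise ValueError("unsupported rescan duration")
    return (within_window(pushed_at, now, push_duration)
            or within_window(last_pulled_at, now, pull_duration))


def monitoring_report(images: List[Dict], now: datetime,
                      push_duration: str = DEFAULT_DURATION,
                      pull_duration: str = DEFAULT_DURATION) -> Dict[str, str]:
    """Map image digest -> 'monitored' or 'scan eligibility expired'."""
    return {
        img["digest"]: ("monitored"
                        if is_monitored(img["pushed_at"], img.get("last_pulled_at"), now,
                                        push_duration, pull_duration)
                        else "scan eligibility expired")
        for img in images
    }


def simulate_pull(image: Dict, now: datetime) -> Dict:
    """The FAQ says pulling an expired image brings it back under monitoring:
    a pull resets last_pulled_at, so the pull window starts again from now."""
    return {**image, "last_pulled_at": now}


# Constructed inventory (digests are placeholders, not real images).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    {"digest": "sha256:EXAMPLE-a", "pushed_at": NOW - timedelta(days=200),
     "last_pulled_at": NOW - timedelta(days=10)},   # old push, recent pull
    {"digest": "sha256:EXAMPLE-b", "pushed_at": NOW - timedelta(days=200),
     "last_pulled_at": None},                       # old push, never pulled
    {"digest": "sha256:EXAMPLE-c", "pushed_at": NOW - timedelta(days=30)},  # recent push
]

if __name__ == "__main__":
    print(monitoring_report(SAMPLE_IMAGES, NOW, "180", "180"))
    expired = next(i for i in SAMPLE_IMAGES if i["digest"] == "sha256:EXAMPLE-b")
    print(monitoring_report([simulate_pull(expired, NOW)], NOW, "180", "180"))
```

With both durations at 180 days, image b (pushed 200 days ago, never pulled) is the only one reported as expired; setting the push duration to lifetime, or pulling it once, puts it back under monitoring.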
Can I exclude my resources from being scanned?
- For HAQM EC2 instances: Yes, an EC2 instance can be excluded from scanning by adding a resource tag. Use the key ‘InspectorEc2Exclusion’; the value is optional.
- For container images residing in HAQM ECR: Yes. Although you can select which HAQM ECR repositories are configured for scanning, all images within a repository will be scanned. You can create inclusion rules to select which repositories should be scanned.
- For Lambda functions: Yes, a Lambda function can be excluded from scanning by adding a resource tag. For standard scanning, use the key 'InspectorExclusion' and the value 'LambdaStandardScanning'. For code scanning, use the key 'InspectorCodeExclusion' and the value 'LambdaCodeScanning'.
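Because these tags silently remove resources from coverage, a defender usually wants an inventory of what is opted out and of tags that look like an opt-out but are ineffective (a Lambda tag with the right key and the wrong value excludes nothing). The following is an added example, not AWS's or HAQM Inspector's own code: an audit over a constructed list of EC2 instances and Lambda functions with their tags, applying exactly the tag rules the FAQ gives (any value for `InspectorEc2Exclusion`; exact key and value for the two Lambda tags). In practice the tag maps would be filled from `ec2:DescribeInstances` and `lambda:ListTags`; the resource ids and tag sets here are placeholders.

```python
# Added example (not AWS's code): audit which EC2 instances and Lambda functions are
# opted out of HAQM Inspector scanning through the exclusion tags the FAQ documents.
from typing import Dict, List

EC2_EXCLUSION_KEY = "InspectorEc2Exclusion"  # presence alone excludes; value is optional
LAMBDA_EXCLUSIONS = {
    # scan type -> (tag key, exact tag value the FAQ requires)
    "standard": ("InspectorExclusion", "LambdaStandardScanning"),
    "code": ("InspectorCodeExclusion", "LambdaCodeScanning"),
}


def ec2_excluded(tags: Dict[str, str]) -> bool:
    """An EC2 instance is excluded as soon as the key is present, whatever the value."""
    return EC2_EXCLUSION_KEY in tags


def lambda_exclusions(tags: Dict[str, str]) -> List[str]:
    """Scan types a Lambda function is excluded from (key AND value must match)."""
    return [scan for scan, (key, value) in LAMBDA_EXCLUSIONS.items()
            if tags.get(key) == value]


def lambda_misconfigured_tags(tags: Dict[str, str]) -> List[str]:
    """Exclusion keys present with a value other than the documented one. These
    exclude nothing, so the function is still scanned; flag them for the owner."""
    return [key for _, (key, value) in LAMBDA_EXCLUSIONS.items()
            if key in tags and tags[key] != value]


def audit(resources: List[Dict]) -> List[Dict]:
    """resources: [{"id", "type": "ec2"|"lambda", "tags": {...}}] -> per-resource report."""
    report = []
    for res in resources:
        if res["type"] == "ec2":
            entry = {"id": res["id"],
                     "excluded": ["ec2"] if ec2_excluded(res["tags"]) else [],
                     "misconfigured": []}
        elif res["type"] == "lambda":
            entry = {"id": res["id"],
                     "excluded": lambda_exclusions(res["tags"]),
                     "misconfigured": lambda_misconfigured_tags(res["tags"])}
        else:
            raise ValueError(f"unsupported resource type {res['type']}")
        report.append(entry)
    return report


def excluded_ids(report: List[Dict]) -> List[str]:
    """Sorted ids of every resource excluded from at least one scan type."""
    return sorted(entry["id"] for entry in report if entry["excluded"])


# Constructed inventory; ids and ARNs are placeholders.
SAMPLE_RESOURCES = [
    {"id": "i-EXAMPLE1", "type": "ec2", "tags": {"Name": "bastion", "InspectorEc2Exclusion": ""}},
    {"id": "i-EXAMPLE2", "type": "ec2", "tags": {"Name": "web"}},
    {"id": "arn:aws:lambda:us-east-1:123456789012:function:billing", "type": "lambda",
     "tags": {"InspectorExclusion": "LambdaStandardScanning"}},
    {"id": "arn:aws:lambda:us-east-1:123456789012:function:exporter", "type": "lambda",
     "tags": {"InspectorCodeExclusion": "LambdaCodeScanning"}},
    {"id": "arn:aws:lambda:us-east-1:123456789012:function:signup", "type": "lambda",
     "tags": {"InspectorExclusion": "true"}},  # wrong value: excludes nothing
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_RESOURCES):
        print(entry)
    print("excluded:", excluded_ids(audit(SAMPLE_RESOURCES)))
```

The `misconfigured` field is the part worth acting on: `InspectorExclusion=true` on the `signup` function reads like an opt-out to a human but leaves the function under standard scanning, which is the safer failure mode but still a tagging mistake to correct.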
How do I use HAQM Inspector to assess my Lambda functions for security vulnerabilities?
In a multi-account structure, you can activate HAQM Inspector for Lambda vulnerabilities assessments for all your accounts within the AWS Organization from the HAQM Inspector console or APIs through the Delegated Administrator (DA) account, while other member accounts can activate HAQM Inspector for their own account if the central security team hasn’t already activated it for them. Accounts that are not a part of the AWS Organization can activate HAQM Inspector for their individual account through the HAQM Inspector console or APIs.
If a Lambda function has multiple versions, which version will HAQM Inspector assess?
HAQM Inspector will continually monitor and assess only the $LATEST version. Automated rescans will continue only for the latest version, so new findings will be generated only for the latest version. In the console, you will be able to see the findings from any version by selecting the version from the dropdown.
Can I activate Lambda code scanning without activating Lambda standard scanning?
No. You have two options: either activate Lambda standard scanning alone or enable Lambda standard and code scanning together. Lambda standard scanning provides fundamental security protection against vulnerable dependencies used in the application deployed as Lambda functions and associated layers. Lambda code scanning provides additional security value by scanning your custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or embedded secrets.
How does changing the SSM inventory collection frequency from the default 30 minutes to 12 hours impact the continual scanning by HAQM Inspector?
Changing the default SSM inventory collection frequency can have an impact on the continual nature of scanning. HAQM Inspector relies on SSM Agent to collect the application inventory to generate findings. If the application inventory duration is increased from the default of 30 minutes, that will delay the detection of changes to the application inventory, and new findings might be delayed.
What is HAQM Inspector risk score?
The HAQM Inspector risk score is a highly contextualized score that is generated for each finding by correlating common vulnerabilities and exposures (CVE) information with network reachability results, exploitability data, and social media trends. This makes it easier for you to prioritize findings and focus on the most critical findings and vulnerable resources. You can see how the Inspector risk score was calculated and which factors influenced the score in the Inspector Score tab within the Findings Details side panel.
For example: There is a new CVE identified on your HAQM EC2 instance, which can only be exploited remotely. If the HAQM Inspector continual network reachability scans also discover that the instance is not reachable from the internet, it knows that the vulnerability is less likely to be exploited. Therefore, HAQM Inspector correlates the scan results with the CVE to adjust the risk score downward, more accurately reflecting the impact of the CVE on that particular instance.
How is a finding severity determined?
HAQM Inspector score | Severity
---|---
0 | Informational
0.2–3.9 | Low
4.0–6.9 | Medium
7.0–8.9 | High
9.0–10.0 | Critical
How do suppression rules work?
HAQM Inspector allows you to suppress findings based on the customized criteria you define. You can create suppression rules for findings that are considered acceptable by your organization.
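The severity table and the suppression-rule answer above are what a triage script needs. The following is an added example, not AWS's or HAQM Inspector's own code: it maps an Inspector score to the severity band in the table, flags findings whose `severity` label disagrees with their score, ranks findings by score-derived severity and then by the exploit-available and fix-available fields, and drafts the request body for a narrow suppression rule (the `inspector2` CreateFilter call with action `SUPPRESS`, scoped to one vulnerability id on resources carrying one tag). The findings are constructed in the shape of the Inspector2 ListFindings API's finding objects; the ARNs, CVE ids (`CVE-EXAMPLE-…`), and the `accepted-risk` tag are placeholders.

```python
# Added example (not AWS's code): rank HAQM Inspector findings with the FAQ's severity
# bands and the exploit/fix fields, then draft a suppression filter for accepted risk.
import json
from typing import Dict, List

# Severity bands from the FAQ's "How is a finding severity determined?" table.
SEVERITY_BANDS = [
    (0.0, 0.0, "INFORMATIONAL"),
    (0.2, 3.9, "LOW"),
    (4.0, 6.9, "MEDIUM"),
    (7.0, 8.9, "HIGH"),
    (9.0, 10.0, "CRITICAL"),
]
SEVERITY_RANK = {label: i for i, (_, _, label) in enumerate(SEVERITY_BANDS)}


def severity_for_score(score: float) -> str:
    """Map an Inspector score to the severity label in the FAQ table."""
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the documented bands")


def mislabelled(findings: List[Dict]) -> List[str]:
    """ARNs whose 'severity' field disagrees with the band their inspectorScore is in."""
    return [f["findingArn"] for f in findings
            if f["severity"] != severity_for_score(f["inspectorScore"])]


def triage(findings: List[Dict]) -> List[str]:
    """Order finding ARNs: score-derived severity first, then exploit available,
    then a fix available (quick wins), then the raw score."""
    def key(f):
        return (-SEVERITY_RANK[severity_for_score(f["inspectorScore"])],
                f.get("exploitAvailable") != "YES",
                f.get("fixAvailable") != "YES",
                -f["inspectorScore"])
    return [f["findingArn"] for f in sorted(findings, key=key)]


def suppression_filter(name: str, vulnerability_id: str,
                       tag_key: str, tag_value: str, reason: str) -> Dict:
    """Request body for inspector2 CreateFilter with action SUPPRESS. Scoping to one
    CVE on one tag keeps the rule from hiding the same CVE on untagged resources."""
    return {
        "action": "SUPPRESS",
        "name": name,
        "reason": reason,
        "filterCriteria": {
            "vulnerabilityId": [{"comparison": "EQUALS", "value": vulnerability_id}],
            "resourceTags": [{"comparison": "EQUALS", "key": tag_key, "value": tag_value}],
        },
    }


# Constructed findings (placeholder ARNs and CVE ids) in the ListFindings shape.
ARN = "arn:aws:inspector2:us-east-1:123456789012:finding/EXAMPLE"
SAMPLE_FINDINGS = [
    {"findingArn": ARN + "1", "severity": "CRITICAL", "inspectorScore": 9.3,
     "exploitAvailable": "NO", "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0001"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-EXAMPLE1"}]},
    {"findingArn": ARN + "2", "severity": "HIGH", "inspectorScore": 8.1,
     "exploitAvailable": "YES", "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0002"},
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:EXAMPLE"}]},
    {"findingArn": ARN + "3", "severity": "MEDIUM", "inspectorScore": 5.5,
     "exploitAvailable": "NO", "fixAvailable": "NO",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0003"},
     "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": "arn:aws:lambda:EXAMPLE",
                    "tags": {"accepted-risk": "CVE-EXAMPLE-0003"}}]},
    {"findingArn": ARN + "4", "severity": "MEDIUM", "inspectorScore": 7.5,  # constructed mismatch
     "exploitAvailable": "NO", "fixAvailable": "NO",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0004"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-EXAMPLE2"}]},
]

if __name__ == "__main__":
    print("order:", triage(SAMPLE_FINDINGS))
    print("label/score mismatches:", mislabelled(SAMPLE_FINDINGS))
    body = suppression_filter("accept-CVE-EXAMPLE-0003", "CVE-EXAMPLE-0003",
                              "accepted-risk", "CVE-EXAMPLE-0003",
                              "no fix available; function is not reachable from the internet")
    print(json.dumps(body, indent=2))
    # To create the rule for real: boto3.client("inspector2").create_filter(**body)
```

Ranking on the score-derived band rather than the stored label means a finding with a mismatched label (EXAMPLE4 here) still sorts where its score puts it, and the `mislabelled` list tells you the export needs a second look before it feeds a dashboard.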
How can I export my findings, and what do they include?
You can generate reports in multiple formats (CSV or JSON) with a few steps in the HAQM Inspector console or through the HAQM Inspector APIs. You can download a full report with all findings, or generate and download a customized report based on the view filters set in the console.
How can I export SBOM for my resources, and what do they include?
You can generate and export SBOMs for all resources monitored with HAQM Inspector, in multiple formats (CycloneDX or SPDX), with a few steps in the HAQM Inspector console or through the HAQM Inspector APIs. You can download a full report with SBOMs for all resources, or selectively generate and download SBOMs for a few select resources based on the set view filters.
How do I enable agentless scanning for my account?
For existing HAQM Inspector customers using a single account, you can enable agentless scanning (preview) by visiting the account management page within the HAQM Inspector console or using APIs.
For existing HAQM Inspector customers using AWS Organizations, your Delegated Admin needs to either completely migrate the entire organization to an agentless solution or continue using the SSM agent-based solution exclusively. You can change the scan mode configuration from the EC2 settings page in the console or through APIs.
For new HAQM Inspector customers, during the agentless scanning preview period, instances are scanned in agent-based scan mode when you enable EC2 scanning. You can switch to hybrid scan mode if needed. In the hybrid scan mode, HAQM Inspector relies on SSM Agents for application inventory collection to perform vulnerability assessments and automatically falls back on agentless scanning for instances that don’t have SSM Agents installed or configured.
What is the frequency for agentless scans?
HAQM Inspector will automatically trigger a scan every 24 hours for instances that are marked for agentless scanning (preview). There will be no change to the continuous scanning behavior for instances marked for SSM agent-based scans.
Where can I see which instances are being scanned using agent vs agentless when I’m using hybrid scan mode for EC2 scanning?
You can see the scanning mode in the ‘monitored using’ column by simply visiting the resource coverage pages in the HAQM Inspector console or by using HAQM Inspector coverage APIs.
Is it possible for member accounts in a multi-account setup to modify the scan mode for EC2 scanning for their respective accounts?
No, in a multi-account setup, only delegated admins can set up scan mode configuration for the complete organization.
How do I integrate HAQM Inspector in my CI/CD tools for container image scanning?
Application and platform teams can integrate HAQM Inspector into their build pipelines using purpose-built HAQM Inspector plugins designed for various CI/CD tools, such as Jenkins and TeamCity. These plugins are available in the marketplace of each respective CI/CD tool. Once the plugin is installed, you can add a step in the pipeline to perform an assessment of the container image and take actions, such as blocking the pipeline based on the assessment results. When vulnerabilities are identified in the assessment, actionable security findings are generated. These findings include vulnerability details, remediation recommendations, and exploitability details. They are returned to the CI/CD tool in both JSON and CSV formats, which can then be translated into a human-readable dashboard by the HAQM Inspector plugin or can be downloaded by teams.
Do I need to enable HAQM Inspector to use HAQM Inspector CI/CD integration for container image scanning?
No, you don’t need to enable HAQM Inspector to use this feature provided you have an active AWS account.
Can I scan my private HAQM EC2 instances by setting up HAQM Inspector as a VPC endpoint?
Yes. HAQM Inspector uses SSM Agent to collect application inventory, and Systems Manager can be reached through HAQM Virtual Private Cloud (VPC) endpoints so that the inventory is not sent over the internet.
Which operating systems does HAQM Inspector support?
You can find the list of operating systems (OS) supported here.
Which programming language packages does HAQM Inspector support for container image scanning?
You can find the list of programming language packages supported here.
Will HAQM Inspector work with instances that use Network Address Translation (NAT)?
Yes. Instances that use NAT are automatically supported by HAQM Inspector.
I use a proxy for my instances. Will HAQM Inspector work with these instances?
Yes. See how to configure SSM Agent to use a proxy for more information.
Can HAQM Inspector be integrated with other AWS services for logging and notifications?
HAQM Inspector integrates with HAQM EventBridge to provide notification for events such as a new finding, change of state of a finding, or creation of a suppression rule. HAQM Inspector also integrates with AWS CloudTrail for call logging.
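The EventBridge integration is where ticket routing usually happens. The following is an added example, not AWS's or HAQM Inspector's own code: a Lambda handler that receives an Inspector finding event from an EventBridge rule, re-checks the rule's pattern locally (so the same filter can be unit-tested), and turns matching events into a ticket payload routed by resource type. It assumes the event shape used for Inspector findings on EventBridge (source `aws.inspector2`, detail-type `Inspector2 Finding`, finding fields under `detail`); the queue names, ARNs, and sample events are constructed, and the ticket call is a `print` stand-in.

```python
# Added example (not AWS's code): route HAQM Inspector finding events from EventBridge.
import json
from typing import Any, Dict, Optional

# Event pattern for the EventBridge rule. Assumed event shape: source "aws.inspector2",
# detail-type "Inspector2 Finding", with the finding's fields under "detail".
RULE_EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["CRITICAL", "HIGH"], "status": ["ACTIVE"]},
}

# Resource type -> team queue (constructed mapping for this example).
QUEUE_BY_RESOURCE = {
    "AWS_EC2_INSTANCE": "infra-oncall",
    "AWS_ECR_CONTAINER_IMAGE": "platform-team",
    "AWS_LAMBDA_FUNCTION": "app-team",
}


def pattern_matches(pattern: Dict[str, Any], doc: Dict[str, Any]) -> bool:
    """Minimal EventBridge-style matcher: every pattern key must exist in doc, list
    values mean 'one of', dict values recurse. Enough to test the rule above locally."""
    for key, expected in pattern.items():
        if key not in doc:
            return False
        if isinstance(expected, dict):
            if not isinstance(doc[key], dict) or not pattern_matches(expected, doc[key]):
                return False
        elif doc[key] not in expected:
            return False
    return True


def route(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a ticket payload for a matching event, or None to drop it."""
    if not pattern_matches(RULE_EVENT_PATTERN, event):
        return None
    detail = event["detail"]
    resource = detail["resources"][0]
    return {
        "queue": QUEUE_BY_RESOURCE.get(resource["type"], "security-triage"),
        "title": f"[{detail['severity']}] {detail['title']}",
        "resource": resource["id"],
        "finding": detail["findingArn"],
        "exploit_available": detail.get("exploitAvailable") == "YES",
    }


def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point: drop non-matching events, otherwise open a ticket."""
    ticket = route(event)
    if ticket is None:
        return {"routed": False}
    print(json.dumps(ticket))  # stand-in for the ticketing system's API call
    return {"routed": True, "queue": ticket["queue"]}


# Constructed events (placeholder ARNs and image digest).
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/EXAMPLE1",
        "severity": "HIGH", "status": "ACTIVE", "exploitAvailable": "YES",
        "title": "CVE-EXAMPLE-0002 - openssl",
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:EXAMPLE"}],
    },
}
SUPPRESSED_EVENT = {**SAMPLE_EVENT, "detail": {**SAMPLE_EVENT["detail"], "status": "SUPPRESSED"}}
LOW_EVENT = {**SAMPLE_EVENT, "detail": {**SAMPLE_EVENT["detail"], "severity": "LOW"}}

if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, SUPPRESSED_EVENT, LOW_EVENT):
        print(handler(ev, None))
```

Filtering on `status` as well as `severity` matters because the FAQ lists a change of finding state as its own event: a finding that was just suppressed or closed should not reopen a ticket.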
Does HAQM Inspector offer “CIS Operating System Security Configuration Benchmarks” scans?
Yes. You can run HAQM Inspector to perform on-demand and targeted assessments against OS-level CIS configuration benchmarks for HAQM EC2 instances across your AWS Organization.
Does HAQM Inspector work with AWS Partner solutions?
Yes. See HAQM Inspector Partners for more information.
Can I deactivate HAQM Inspector?
Yes. You can deactivate all scanning types (HAQM EC2 scanning, HAQM ECR container image scanning, and Lambda function scanning) by deactivating the HAQM Inspector service, or you can deactivate each scanning type individually for an account.
Can I suspend HAQM Inspector?
No. HAQM Inspector does not support a suspended state.