Enabling Inspector VM Scanner
When you enable Enhanced EC2 Scanning in the Amazon Inspector console, Amazon Inspector uses AWS Systems Manager (SSM) to automatically install the VM Scanner on your SSM-managed Amazon EC2 instances. Once installed, the scanner runs periodically (every 3 hours by default) and sends its results to the Amazon Inspector Telemetry Service.
Requirements
To use the automatic installation method, your Amazon EC2 instances must meet the following requirements:
- The SSM Agent must be installed and running on the instance. For more information, see Working with SSM Agent in the AWS Systems Manager User Guide.
- The instance must have an IAM instance profile that allows SSM to manage the instance (typically a role with the AmazonSSMManagedInstanceCore managed policy attached). For more information, see Configure instance permissions for Systems Manager in the AWS Systems Manager User Guide.
- The instance must have network connectivity to the SSM service endpoints, either through the internet or through Amazon VPC endpoints.
Note
If your instances do not have SSM Agent installed or cannot meet these requirements, you can use the manual installation method instead. For more information, see Manual installation and configuration.
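Instances that silently never receive the scanner almost always fail one of the three requirements above. The following triage script is an added example, not Amazon Inspector or AWS Systems Manager code: it evaluates each requirement against data in the shape the AWS APIs return (the instance profile's policy ARNs and the instance's entry from `aws ssm describe-instance-information`). The sample fleet is constructed, and the `Instance`, `assess` and `triage` names are this example's own.

```python
"""Triage which EC2 instances are eligible for automatic VM Scanner installation.

Added example; this is not Amazon Inspector or AWS Systems Manager code. It checks
the three requirements above (SSM Agent registered and online, an instance profile
that lets SSM manage the instance, a network path to the SSM endpoints) against
data in the shape the AWS APIs return. The records below are constructed, and
the function names are this example's own.
"""
from __future__ import annotations
from dataclasses import dataclass

# AWS managed policy that grants SSM Agent the permissions it needs (real ARN).
SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


@dataclass
class Instance:
    instance_id: str
    # Policy ARNs on the instance profile's role; None means no profile attached.
    profile_policies: list[str] | None
    # The instance's entry from `aws ssm describe-instance-information`
    # (InstanceInformationList), or None if SSM has never heard from it.
    ssm_info: dict | None


def assess(inst: Instance) -> tuple[bool, list[str], list[str]]:
    """Return (eligible, blockers, warnings) for one instance."""
    blockers, warnings = [], []

    if inst.profile_policies is None:
        blockers.append("no IAM instance profile attached; SSM cannot manage the instance")
    elif SSM_CORE_POLICY not in inst.profile_policies:
        # A custom policy may still grant the needed permissions; the agent's
        # status below tells us whether it actually works in practice.
        warnings.append("instance profile lacks AmazonSSMManagedInstanceCore; verify the custom policy covers SSM")

    info = inst.ssm_info
    if info is None:
        blockers.append("not an SSM managed node: agent not installed, not running, or never registered")
    else:
        status = info.get("PingStatus")
        if status == "Online":
            pass
        elif status == "ConnectionLost":
            # Registered once, now unreachable: almost always the network path
            # (security group, NACL, route, or missing VPC endpoints).
            blockers.append("SSM Agent registered but ConnectionLost; check the network path to the SSM endpoints")
        else:
            blockers.append(f"SSM Agent PingStatus is {status!r}; agent is not running or instance is stopped")

    return (not blockers, blockers, warnings)


def triage(instances: list[Instance]) -> dict[str, tuple[bool, list[str], list[str]]]:
    """Run assess() over a fleet; returns a report keyed by instance ID."""
    return {i.instance_id: assess(i) for i in instances}


# Constructed sample fleet, modelled on describe-instance-information output.
SAMPLE_FLEET = [
    Instance("i-0aaa", [SSM_CORE_POLICY],
             {"InstanceId": "i-0aaa", "PingStatus": "Online", "AgentVersion": "3.3.0.0"}),
    Instance("i-0bbb", None, None),
    Instance("i-0ccc", [SSM_CORE_POLICY],
             {"InstanceId": "i-0ccc", "PingStatus": "ConnectionLost"}),
    Instance("i-0ddd", ["arn:aws:iam::123456789012:policy/CustomSsmPolicy"],
             {"InstanceId": "i-0ddd", "PingStatus": "Online"}),
]

if __name__ == "__main__":
    for iid, (ok, blockers, warnings) in triage(SAMPLE_FLEET).items():
        print(iid, "ELIGIBLE" if ok else "BLOCKED", blockers, warnings)
```

The distinction between `ConnectionLost` and an instance SSM has never seen matters in practice: the former means the agent and its permissions are fine and the fix is network (security groups, NACLs, routes, or the VPC endpoints described later on this page), while the latter usually means the agent is not installed or the instance profile is missing.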
Enabling Enhanced EC2 Scanning
To enable Enhanced EC2 Scanning and automatically install the VM Scanner:
- Open the Amazon Inspector console.
- In the navigation pane, choose Account management.
- Under EC2 scanning, choose Edit.
- Enable Enhanced EC2 Scanning.
After you enable Enhanced EC2 Scanning, Amazon Inspector creates an SSM association that installs the VM Scanner on every instance in your account that meets the requirements above. Instances that do not meet them are not covered by the association; use the manual installation method for those. The scanner begins running vulnerability assessments automatically once installed.
Amazon VPC endpoint requirements for Enhanced EC2 Scanning on private Amazon EC2 instances
Amazon EC2 instances with outbound internet access can reach the required AWS service endpoints directly. If you want to run Enhanced EC2 Scanning on private Amazon EC2 instances (instances in subnets with no route to the internet), you must create Amazon VPC endpoints so that SSM Agent and the VM Scanner can reach those services. The following endpoints are required:
- com.amazonaws.region.ec2messages
- com.amazonaws.region.inspector2-telemetry
- com.amazonaws.region.s3
- com.amazonaws.region.ssm
- com.amazonaws.region.ssmmessages
Where region is the Region code for the applicable AWS Region (for example, us-east-1). The ssm, ssmmessages, ec2messages and inspector2-telemetry endpoints are interface endpoints; s3 is a gateway endpoint attached to the route tables of the private subnets.
For more information, see Improve the security of Amazon EC2 instances by using Amazon VPC endpoints for Systems Manager in the AWS Systems Manager User Guide.
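The following script is an added example, not AWS or Amazon Inspector code. It builds one `create_vpc_endpoint` call per service listed above and applies them through a boto3-style EC2 client, skipping endpoints the VPC already has so it can be re-run safely. Only the five service names come from the page; the VPC, subnet, security-group and route-table IDs are placeholders you supply, and `plan_endpoints`, `apply_plan` and `FakeEC2` are this example's own names.

```python
"""Create the Amazon VPC endpoints that Enhanced EC2 Scanning needs on private instances.

Added example; this is not AWS or Amazon Inspector code. It builds one
create_vpc_endpoint call per service listed above and applies them through a
boto3-style EC2 client, skipping endpoints the VPC already has. Only the five
service names come from the page; VPC, subnet, security-group and route-table
IDs are placeholders you supply, and plan_endpoints/apply_plan/FakeEC2 are this
example's own names.
"""
from __future__ import annotations

# Interface endpoints: an ENI in each subnet, reached on TCP 443. PrivateDnsEnabled
# makes the default service hostnames resolve to the endpoint, so SSM Agent and
# the scanner need no configuration change.
INTERFACE_SERVICES = ("ssm", "ssmmessages", "ec2messages", "inspector2-telemetry")
# S3 is a gateway endpoint: a route-table entry with no ENI and no private DNS flag.
GATEWAY_SERVICES = ("s3",)


def service_name(region: str, svc: str) -> str:
    return f"com.amazonaws.{region}.{svc}"


def plan_endpoints(region, vpc_id, subnet_ids, security_group_id, route_table_ids):
    """Return the kwargs for each ec2.create_vpc_endpoint call, interface endpoints first."""
    calls = []
    for svc in INTERFACE_SERVICES:
        calls.append({
            "VpcEndpointType": "Interface",
            "VpcId": vpc_id,
            "ServiceName": service_name(region, svc),
            "SubnetIds": list(subnet_ids),
            "SecurityGroupIds": [security_group_id],  # must allow inbound 443 from the instances
            "PrivateDnsEnabled": True,
        })
    for svc in GATEWAY_SERVICES:
        calls.append({
            "VpcEndpointType": "Gateway",
            "VpcId": vpc_id,
            "ServiceName": service_name(region, svc),
            "RouteTableIds": list(route_table_ids),  # the private subnets' route tables
        })
    return calls


def existing_services(ec2, vpc_id):
    """Service names that already have an endpoint in this VPC."""
    resp = ec2.describe_vpc_endpoints(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return {e["ServiceName"] for e in resp["VpcEndpoints"]}


def apply_plan(ec2, vpc_id, calls):
    """Create every endpoint not already present; returns (created, skipped) service names."""
    have = existing_services(ec2, vpc_id)
    created, skipped = [], []
    for kw in calls:
        if kw["ServiceName"] in have:
            skipped.append(kw["ServiceName"])
            continue
        ec2.create_vpc_endpoint(**kw)
        created.append(kw["ServiceName"])
    return created, skipped


class FakeEC2:
    """Offline stand-in for boto3.client('ec2') so the example runs without an account."""

    def __init__(self, existing=()):
        self.existing = list(existing)
        self.created = []

    def describe_vpc_endpoints(self, Filters):
        return {"VpcEndpoints": [{"ServiceName": s} for s in self.existing]}

    def create_vpc_endpoint(self, **kw):
        self.created.append(kw)
        return {"VpcEndpoint": {"ServiceName": kw["ServiceName"], "State": "pending"}}


if __name__ == "__main__":
    # Placeholder IDs; against a real account use ec2 = boto3.client("ec2", region_name=REGION).
    vpc = "vpc-0123456789abcdef0"
    plan = plan_endpoints("us-east-1", vpc, ["subnet-0aaa", "subnet-0bbb"], "sg-0ccc", ["rtb-0ddd"])
    ec2 = FakeEC2(existing=[service_name("us-east-1", "s3")])  # S3 gateway already present
    created, skipped = apply_plan(ec2, vpc, plan)
    print("created:", created)
    print("skipped:", skipped)
```

Two things the script cannot check for you: the security group you pass for the interface endpoints must allow inbound TCP 443 from the instances' subnets (and the instances' own security group must allow outbound 443), and private DNS only works when the VPC has DNS resolution and DNS hostnames enabled. If either is wrong, the agent reports `ConnectionLost` even though the endpoints exist.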