Enable Amazon Inspector2 for Vulnerability Scanning
Overview
Amazon Inspector2 (the current generation of Amazon Inspector, exposed through the inspector2 API and CLI namespace) is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure. This check verifies that Inspector2 is enabled in the account and region under review and that all four scan types are active: EC2 instances, ECR container images, Lambda functions (standard scanning), and Lambda code scanning.
Risk
Without Inspector2 enabled, you lack visibility into security vulnerabilities across your AWS resources. Attackers could exploit known vulnerabilities (CVEs) to gain unauthorized access, move laterally within your environment, or exfiltrate sensitive data. Continuous vulnerability scanning is essential for maintaining a strong security posture.
Remediation Steps
Prerequisites
You need access to the AWS Console with permissions to enable Inspector2 (specifically inspector2:Enable and related permissions).
Required IAM permissions
To enable Inspector2, your IAM user or role needs the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageInspector2",
      "Effect": "Allow",
      "Action": [
        "inspector2:Enable",
        "inspector2:BatchGetAccountStatus",
        "inspector2:Disable"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateInspector2ServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "inspector2.amazonaws.com"
        }
      }
    }
  ]
}
The iam:CreateServiceLinkedRole permission is needed only for the initial setup: the first Enable call creates the AWSServiceRoleForAmazonInspector2 service-linked role, which Inspector2 uses to read your resources. The second statement scopes that permission to the Inspector2 role rather than granting creation of arbitrary service-linked roles. inspector2:Disable is only required if the same principal must also be able to roll the change back; drop it from a remediation-only role.
AWS Console Method
- Sign in to the AWS Console and navigate to Amazon Inspector
- If this is your first time using Inspector2:
- Click Get started
- Review the service overview and click Enable Inspector
- If Inspector is already partially enabled:
- Go to Settings in the left navigation
- Select Account management
- Ensure all scan types are enabled:
- EC2 scanning
- ECR container image scanning
- Lambda function scanning
- Lambda code scanning
- Click Save to apply your changes
AWS CLI
Enable Inspector2 with all resource types (LAMBDA_CODE depends on LAMBDA, so Lambda standard scanning must be included whenever Lambda code scanning is requested):
aws inspector2 enable \
--resource-types EC2 ECR LAMBDA LAMBDA_CODE \
--region us-east-1
To check the current status:
aws inspector2 batch-get-account-status \
--region us-east-1
Terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

# Enable Amazon Inspector2 for EC2, ECR, Lambda, and Lambda code scanning
# in the current account and provider region
resource "aws_inspector2_enabler" "this" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]
}
Apply the configuration:
terraform init
terraform apply
CloudFormation
CloudFormation has no native resource type for enabling Inspector2. You can use a Custom Resource backed by a Lambda function that calls the Enable API. Note that the Lambda execution role needs the same iam:CreateServiceLinkedRole permission as a human operator, because the first Enable call in an account creates the service-linked role.
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Amazon Inspector2 for vulnerability scanning
Resources:
  Inspector2EnablerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: inspector2-enabler
      Runtime: python3.11
      Handler: index.handler
      Timeout: 60
      Role: !GetAtt Inspector2EnablerRole.Arn
      Code:
        ZipFile: |
          import boto3
          import cfnresponse

          RESOURCE_TYPES = ['EC2', 'ECR', 'LAMBDA', 'LAMBDA_CODE']

          def handler(event, context):
              try:
                  if event['RequestType'] in ['Create', 'Update']:
                      client = boto3.client('inspector2')
                      resp = client.enable(resourceTypes=RESOURCE_TYPES)
                      # Enable reports per-account failures in failedAccounts
                      # instead of raising, so treat a non-empty list as failure
                      if resp.get('failedAccounts'):
                          raise RuntimeError(f"Enable failed: {resp['failedAccounts']}")
                  # On Delete the stack is removed but Inspector2 is deliberately
                  # left enabled; scanning coverage should not vanish with the stack
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
              except Exception as e:
                  print(f"Error: {e}")
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)})
  Inspector2EnablerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: Inspector2Enable
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - inspector2:Enable
                  - inspector2:BatchGetAccountStatus
                Resource: '*'
              # Required once per account: the first Enable creates the service-linked role
              - Effect: Allow
                Action: iam:CreateServiceLinkedRole
                Resource: arn:aws:iam::*:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2
                Condition:
                  StringLike:
                    iam:AWSServiceName: inspector2.amazonaws.com
  EnableInspector2:
    Type: Custom::EnableInspector2
    Properties:
      ServiceToken: !GetAtt Inspector2EnablerFunction.Arn
Outputs:
  Status:
    Description: Inspector2 enablement status
    Value: Enabled via Custom Resource
Deploy the stack:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name inspector2-enabler \
--capabilities CAPABILITY_IAM \
--region us-east-1
Verification
After enabling Inspector2, verify the configuration:
- In the AWS Console, go to Amazon Inspector > Dashboard
- Confirm you see scanning status for:
- EC2 instances
- ECR container images
- Lambda functions
- The dashboard should show active scanning with no "not enabled" warnings
CLI verification
aws inspector2 batch-get-account-status \
--region us-east-1 \
--query 'accounts[0].state'
The state field is the account-level status only; expected output is:
{
"status": "ENABLED"
}
Per-resource-type coverage is reported separately under resourceState. Each of the ec2, ecr, lambda and lambdaCode entries must show "status": "ENABLED"; any entry reporting DISABLED, SUSPENDED or ENABLING means that scan type is not yet active, even though the account-level state is ENABLED:
aws inspector2 batch-get-account-status \
--region us-east-1 \
--query 'accounts[0].resourceState'
Additional Resources
- Amazon Inspector User Guide
- Getting started with Amazon Inspector
- Inspector2 API Reference
- AWS Security Best Practices
Notes
- Cost considerations: Inspector2 is billed per scanned resource: EC2 instances and Lambda functions per resource per month (prorated), ECR images per initial scan and per automated re-scan. Review the pricing page before enabling, especially in accounts with large ECR repositories.
- Multi-region: Inspector2 is a regional service and must be enabled separately in each AWS region you want to scan. A region that is not enabled has no coverage even when the same account is enabled elsewhere, so enable it in every region where you have resources.
- Multi-account: For AWS Organizations, designate a delegated administrator to manage Inspector2 across all member accounts. The delegated administrator can auto-enable scanning for new member accounts as they join the organization.
- Initial scan time: After enabling, the initial scan may take some time depending on the number of resources. Agent-based EC2 scanning requires SSM Agent to be installed, running, and able to reach Systems Manager; instances that are not managed by SSM are not scanned unless agentless scanning is enabled for them, and even then only supported operating systems are covered.
- Findings integration: Inspector2 findings can be sent to AWS Security Hub for centralized security visibility and are also published to Amazon EventBridge, which allows automated ticketing or notification on new findings.
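The Verification section above reads the batch-get-account-status output by hand for one region, and the Multi-region note points out that every region is enabled independently. The following Python script, added here as an example and not code from the original page, folds both into a single check: it takes per-region batch-get-account-status responses, reports which of the four resource types are not ENABLED in each region, and renders the exact aws inspector2 enable command that closes each gap. The sample responses are constructed to mirror the shape of the real API response; the function names and the optional boto3 fetch helper are this example's own.

```python
"""Evaluate Amazon Inspector2 coverage per region from BatchGetAccountStatus output.

Added example, not code from the original page. SAMPLE_STATUS is constructed
to mirror the shape of `aws inspector2 batch-get-account-status`; the function
names are this example's own.
"""
from __future__ import annotations

# resourceState field name -> value accepted by `aws inspector2 enable --resource-types`
REQUIRED_TYPES = {
    "ec2": "EC2",
    "ecr": "ECR",
    "lambda": "LAMBDA",
    "lambdaCode": "LAMBDA_CODE",
}


def missing_resource_types(account: dict) -> list[str]:
    """Return the --resource-types values not reported as ENABLED for one account.

    `account` is one element of the `accounts` list in the response. A type whose
    status is DISABLED, SUSPENDED, ENABLING, DISABLING, or absent from resourceState
    counts as not covered, since none of those states is actively scanning.
    """
    state = account.get("resourceState", {})
    return [
        api_name
        for field, api_name in REQUIRED_TYPES.items()
        if state.get(field, {}).get("status") != "ENABLED"
    ]


def evaluate_regions(status_by_region: dict[str, dict]) -> dict[str, list[str]]:
    """Map each region to the resource types still needing `enable`.

    Regions with complete coverage are omitted. If the account-level state is not
    ENABLED, all four types are reported regardless of what resourceState says.
    """
    gaps: dict[str, list[str]] = {}
    for region, response in status_by_region.items():
        for account in response.get("accounts", []):
            if account.get("state", {}).get("status") != "ENABLED":
                missing = list(REQUIRED_TYPES.values())
            else:
                missing = missing_resource_types(account)
            if missing:
                gaps[region] = missing
    return gaps


def remediation_commands(gaps: dict[str, list[str]]) -> list[str]:
    """Render one `aws inspector2 enable` command per region with a gap."""
    return [
        f"aws inspector2 enable --resource-types {' '.join(types)} --region {region}"
        for region, types in sorted(gaps.items())
    ]


def fetch_status_all_regions(regions: list[str]) -> dict[str, dict]:
    """Live variant: query each region with boto3 (needs credentials and network).

    Without accountIds, BatchGetAccountStatus reports the calling account. This
    helper assumes a never-enabled region answers with state.status DISABLED
    rather than an error; confirm that in your own account before relying on it.
    """
    import boto3  # imported here so the offline helpers above need no SDK

    return {
        region: boto3.client("inspector2", region_name=region).batch_get_account_status()
        for region in regions
    }


def _account(state: str, ec2: str, ecr: str, lam: str, code: str) -> dict:
    """Build one constructed account entry in the response's shape."""
    return {"accounts": [{
        "accountId": "111122223333",
        "state": {"status": state},
        "resourceState": {
            "ec2": {"status": ec2}, "ecr": {"status": ecr},
            "lambda": {"status": lam}, "lambdaCode": {"status": code},
        },
    }]}


# Constructed sample: one account checked in three regions with different coverage.
SAMPLE_STATUS = {
    "us-east-1": _account("ENABLED", "ENABLED", "ENABLED", "ENABLED", "ENABLED"),
    "eu-west-1": _account("ENABLED", "ENABLED", "DISABLED", "ENABLED", "DISABLED"),
    "ap-southeast-2": _account("DISABLED", "DISABLED", "DISABLED", "DISABLED", "DISABLED"),
}


if __name__ == "__main__":
    # Replace SAMPLE_STATUS with fetch_status_all_regions([...]) to audit a real account.
    for cmd in remediation_commands(evaluate_regions(SAMPLE_STATUS)):
        print(cmd)
```

The check deliberately treats anything other than ENABLED as a gap, so a region stuck in ENABLING after a failed service-linked-role creation shows up in the report instead of being counted as covered. Because the rendered commands always pair LAMBDA_CODE with the region's current LAMBDA status, a region where only LAMBDA_CODE is missing still produces a valid enable call, as Lambda standard scanning is already on there.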