AWS Inspector EC2 Scanning is not enabled
- Contextual name: Inspector EC2 Scanning is not enabled
- ID: /ce/ca/aws/inspector/ec2-scanning
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
- AWS Account
- AWS Account - object.extracts.yaml
- test-data.json
Similar Policies
- AWS Security Hub: [Inspector.1] Amazon Inspector EC2 scanning should be enabled
Description
This policy identifies AWS accounts where Amazon Inspector EC2 scanning is not enabled.
Amazon Inspector is a vulnerability discovery service that automates continuous security assessments for Amazon EC2 instances. It helps identify software vulnerabilities (CVEs) and unintended network exposure, enabling organizations to proactively manage security risks.
Rationale
Enabling Amazon Inspector for EC2 provides the following benefits:
- Automated Discovery: Automatically detects newly launched EC2 instances and initiates vulnerability scans without manual intervention.
- Near Real-Time Intelligence: Triggers scans based on environmental changes, such as new software installations or newly disclosed CVEs.
- Risk-Based Prioritization: Delivers contextual risk scores by correlating vulnerability data with factors such as network exposure and instance configuration.
Audit
This policy flags an AWS Account as INCOMPLIANT if `Inspector: EC2 Status` or `Inspector: Status` is not set to Enabled for the Account.
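The audit condition above, as an added example that is not Cloudaware's prod.logic.yaml: the evaluation mirrors the shape of the boto3 `inspector2.batch_get_account_status` response, and the sample response and account IDs are constructed placeholders.

```python
# Added example: evaluates this policy's Audit condition against the response
# shape of boto3 inspector2.batch_get_account_status (not Cloudaware's own logic).
INCOMPLIANT, COMPLIANT = "INCOMPLIANT", "COMPLIANT"


def evaluate_account(account: dict) -> tuple[str, str]:
    """Flag one 'accounts' entry: INCOMPLIANT if Inspector: Status or
    Inspector: EC2 Status is anything but ENABLED. Missing keys fail closed."""
    inspector_status = account.get("state", {}).get("status", "DISABLED")
    ec2_status = account.get("resourceState", {}).get("ec2", {}).get("status", "DISABLED")
    if inspector_status != "ENABLED":
        return INCOMPLIANT, f"Inspector: Status is {inspector_status}"
    if ec2_status != "ENABLED":
        return INCOMPLIANT, f"Inspector: EC2 Status is {ec2_status}"
    return COMPLIANT, "Inspector and EC2 scanning are ENABLED"


def evaluate_response(response: dict) -> dict[str, tuple[str, str]]:
    """Evaluate every account returned by batch_get_account_status."""
    return {a["accountId"]: evaluate_account(a) for a in response.get("accounts", [])}


# Constructed sample mirroring the API response; account IDs are placeholders.
SAMPLE_RESPONSE = {
    "accounts": [
        {"accountId": "111111111111", "state": {"status": "ENABLED"},
         "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "DISABLED"}}},
        {"accountId": "222222222222", "state": {"status": "ENABLED"},
         "resourceState": {"ec2": {"status": "DISABLED"}, "ecr": {"status": "ENABLED"}}},
        {"accountId": "333333333333", "state": {"status": "SUSPENDED"},
         "resourceState": {"ec2": {"status": "ENABLED"}}},
    ],
    "failedAccounts": [],
}


def audit_live(region: str) -> dict[str, tuple[str, str]]:
    """Same check against the caller's own account; needs AWS credentials."""
    import boto3  # lazy import so the offline sample runs without boto3
    client = boto3.client("inspector2", region_name=region)
    return evaluate_response(client.batch_get_account_status())


if __name__ == "__main__":
    for account_id, (flag, reason) in evaluate_response(SAMPLE_RESPONSE).items():
        print(f"{account_id}: {flag} ({reason})")
```

Run `audit_live("us-east-1")` per Region, since Inspector activation is regional and the console steps below must likewise be repeated for each Region in use.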
Remediation
Enable Amazon Inspector EC2 Scanning
If you are the delegated administrator for an AWS Organization, you can enable Amazon Inspector scan types across multiple accounts and Regions using the AWS CLI and automation scripts. For additional guidance, refer to the inspector2-enablement-with-cli repository on GitHub.
From Console
To activate Amazon Inspector EC2 scanning:
Open the Amazon Inspector console: https://console.aws.amazon.com/inspector/v2/home
Using the AWS Region selector in the upper-right corner, select the Region in which you want to enable EC2 scanning.
In the navigation pane, choose Account management.
Select the account(s) for which you want to enable a scan type.
Choose Activate, then select EC2 scanning.
Repeat these steps for each AWS Region where EC2 instances are deployed to ensure comprehensive coverage.
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [Inspector.1] Amazon Inspector EC2 scanning should be enabled | 1 | no data | | | |
| Cloudaware Framework → Threat Protection | 48 | no data | | | |
| PCI DSS v3.2.1 → 11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all "high risk" vulnerabilities are resolved in accordance with the entity's vulnerability ranking. | 2 | no data | | | |
| PCI DSS v4.0.1 → 11.3.1 Internal vulnerability scans are performed. | 3 | 2 | no data | | |
| PCI DSS v4.0 → 11.3.1 Internal vulnerability scans are performed. | 3 | 2 | no data | | |