# Center for Internet Security (CIS) scans for Amazon EC2 instance operating systems
<a name="scanning-cis"></a>

 Amazon Inspector CIS scans (CIS scans) benchmark your Amazon EC2 instance operating systems to make sure you configured them according to best practice recommendations established by the Center for Internet Security. [CIS Security Benchmarks](https://aws.amazon.com/what-is/cis-benchmarks/) provides industry standard configuration baselines and best practices for configuring a system securely. You can perform or schedule CIS scans after you enable Amazon Inspector EC2 scanning for an account. For information about how to activate Amazon EC2 scanning, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). 

**Note**  
 CIS standards are intended for x86\_64 operating systems. Some checks may not be evaluated or return invalid remediation instructions on ARM-based resources. 

 Amazon Inspector performs CIS scans on target Amazon EC2 instances based on instance tags and your defined scanning schedule. Amazon Inspector performs a series of instance checks on each targeted instance. Each check evaluates whether your system configuration meets specific CIS Benchmark recommendations. Each check has a CIS check ID and title, which correspond with a CIS Benchmark recommendation for that platform. When a CIS scan completes, you can view the results to see which instance checks passed, skipped, or failed for that system. 

**Note**  
 To perform or schedule CIS scans, you must have a secure internet connection. To run CIS scans on private instances, you must use a VPC endpoint instead. 

**Topics**
+ [Amazon EC2 instance requirements for Amazon Inspector CIS scans](#cis-requirements)
+ [Running CIS scans](#running-cis-scans)
+ [Considerations for managing Amazon Inspector CIS scans with AWS Organizations](#CIS-organizations)
+ [Amazon Inspector owned Amazon S3 buckets used for Amazon Inspector CIS scans](#cis-buckets)
+ [Creating a CIS scan configuration](scanning-cis-create-cis-scan-configuration.md)
+ [Viewing CIS scan results](scanning-cis-view-cis-scan-configuration.md)
+ [Editing a CIS scan configuration](scanning-cis-view-edit-cis-scan-configuration.md)
+ [Downloading CIS scan results](scanning-cis-view-download-cis-scan-configuration.md)

## Amazon EC2 instance requirements for Amazon Inspector CIS scans
<a name="cis-requirements"></a>

 To run a CIS scan on your Amazon EC2 instance, the Amazon EC2 instance must meet the following criteria: 
+  The instance operating system is one of the supported operating systems for CIS scans. For more information, see [Operating systems and programming languages supported by Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/supported.html#supported-os-cis). 
+  The instance is an Amazon EC2 Systems Manager instance. For more information, see [Working with the SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) in the *AWS Systems Manager User Guide*. 
+  The Amazon Inspector SSM plugin is installed on the instance. Amazon Inspector automatically installs this plugin on managed instances. 
+  The instance has an instance profile that grants permissions for SSM to manage the instance and Amazon Inspector to run CIS scans for that instance. To grant these permissions, attach the [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) and [AmazonInspector2ManagedCisPolicy](https://docs.aws.amazon.com/inspector/latest/user/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonInspector2ManagedCisPolicy) policies to an IAM role. Then attach the IAM role to your instance as an instance profile. For instructions on creating and attaching an instance profile, see [Work with IAM roles](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#working-with-iam-roles) in the *Amazon EC2 User Guide*. 

**Note**  
 You're not required to enable Amazon Inspector deep inspection before running a CIS scan on your Amazon EC2 instance. If you disable Amazon Inspector deep inspection, Amazon Inspector still automatically installs the SSM Agent, but the SSM Agent is no longer invoked to run deep inspection. As a result, the `InspectorLinuxDistributor-do-not-delete` association remains present in your account. 

### Amazon Virtual Private Cloud endpoint requirements for running CIS scans on private Amazon EC2 instances
<a name="w2aac15c13b9"></a>

 You can run CIS scans on Amazon EC2 instances over an Amazon network. However, if you want to run CIS scans on private Amazon EC2 instances, you must [create Amazon VPC endpoints](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html). The following endpoints are required when you create Amazon VPC endpoints for Systems Manager: 
+  `com.amazonaws.region.ec2messages` 
+  `com.amazonaws.region.inspector2` 
+  `com.amazonaws.region.s3` 
+  `com.amazonaws.region.ssm` 
+  `com.amazonaws.region.ssmmessages` 

 For more information, see [Creating Amazon VPC endpoints for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html#sysman-setting-up-vpc-create) in the *AWS Systems Manager User Guide*. 

**Note**  
 Currently, some AWS Regions don't support the `com.amazonaws.region.inspector2` endpoint. 
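As an added example (not code from this guide), the following Python builds one `create_vpc_endpoint` request for each of the five services listed above and can submit them through a boto3 EC2 client. It assumes the S3 endpoint is created as a gateway endpoint and the other four as interface endpoints with private DNS, and it lets you skip `inspector2` in a Region that does not offer that endpoint yet; all VPC, subnet, security group and route table IDs are constructed placeholders.

```python
"""Create the VPC endpoints that Amazon Inspector CIS scans need on private EC2 instances.

Added example, not code from the Amazon Inspector guide. boto3 is only needed when an
EC2 client is passed to create_cis_endpoints(); request building runs without it.
"""
from typing import Iterable

# Service suffixes taken from the endpoint list required for Systems Manager CIS scans.
CIS_ENDPOINT_SERVICES = ("ec2messages", "inspector2", "s3", "ssm", "ssmmessages")


def cis_endpoint_service_names(region: str, skip: Iterable[str] = ()) -> list[str]:
    """Return the com.amazonaws.<region>.<service> names required for CIS scans.

    `skip` omits a service such as "inspector2" in a Region that does not offer it.
    """
    skipped = set(skip)
    return [f"com.amazonaws.{region}.{svc}" for svc in CIS_ENDPOINT_SERVICES if svc not in skipped]


def endpoint_requests(region, vpc_id, subnet_ids, security_group_ids, route_table_ids, skip=()):
    """Build one create_vpc_endpoint request per required service.

    Assumption: s3 is a gateway endpoint attached to the route tables; the messaging,
    ssm and inspector2 endpoints are interface endpoints in the given subnets with
    private DNS enabled so the agents resolve the regional names inside the VPC.
    """
    requests = []
    for name in cis_endpoint_service_names(region, skip):
        if name.endswith(".s3"):
            requests.append({"VpcId": vpc_id, "ServiceName": name,
                             "VpcEndpointType": "Gateway",
                             "RouteTableIds": list(route_table_ids)})
        else:
            requests.append({"VpcId": vpc_id, "ServiceName": name,
                             "VpcEndpointType": "Interface",
                             "SubnetIds": list(subnet_ids),
                             "SecurityGroupIds": list(security_group_ids),
                             "PrivateDnsEnabled": True})
    return requests


def create_cis_endpoints(ec2_client, **kwargs):
    """Submit the requests with a boto3 EC2 client, e.g. boto3.client("ec2")."""
    return [ec2_client.create_vpc_endpoint(**req) for req in endpoint_requests(**kwargs)]


if __name__ == "__main__":
    # Constructed resource IDs for illustration only.
    for req in endpoint_requests("eu-west-1", "vpc-0123456789abcdef0",
                                 ["subnet-0a1b2c3d4e5f60789"], ["sg-0f1e2d3c4b5a69870"],
                                 ["rtb-0123456789abcdef0"]):
        print(req["ServiceName"], req["VpcEndpointType"])
```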

## Running CIS scans
<a name="running-cis-scans"></a>

You can either run a CIS scan once on-demand or as a scheduled recurring scan. To run a scan, you first create a scan configuration.

When you create a scan configuration, you specify tag key-value pairs to use to target instances. If you are the Amazon Inspector delegated administrator for an organization, you can specify multiple accounts in the scan configuration, and Amazon Inspector will look for instances with the specified tags in each of those accounts. You choose the CIS Benchmark level for the scan. For each benchmark, CIS supports a level 1 and level 2 profile designed to provide baselines for different levels of security that different environments may require. 
+ **Level 1** – recommends essential basic security settings that can be configured on any system. Implementing these settings should cause little or no interruption of service. The goal of these recommendations is to reduce the number of entry points into your systems, reducing your overall cybersecurity risks.
+ **Level 2** – recommends more advanced security settings for high-security environments. Implementing these settings requires planning and coordination to minimize the risk of business impact. The goal of these recommendations is to help you achieve regulatory compliance.

Level 2 extends level 1. When you choose Level 2, Amazon Inspector checks for all configurations recommended for level 1 and level 2.

After defining the parameters for your scan, you can choose whether to run it as a one time scan, which runs after you complete the configuration, or a recurring scan. Recurring scans can run daily, weekly, or monthly, at a time of your choice. 

**Tip**  
We recommend choosing a day and time that's least likely to impact your system while the scan is running.

## Considerations for managing Amazon Inspector CIS scans with AWS Organizations
<a name="CIS-organizations"></a>

 When you run CIS scans in an organization, Amazon Inspector delegated administrators and member accounts interact with CIS scan configurations and scan results differently. 

**How Amazon Inspector delegated administrators can interact with CIS scan configurations and scan results**  
 When the delegated administrator creates a scan configuration, either for all accounts or for specific member accounts, the organization owns the configuration. Scan configurations that an organization owns have an ARN specifying the organization ID as the owner: 

 `arn:aws:inspector2:Region:111122223333:owner/OrganizationId/cis-configuration/scanId` 

 The delegated administrator can manage scan configurations that an organization owns, even if another account created them. 

 The delegated administrator can view scan results for any account in its organization. 

 If the delegated administrator creates a scan configuration and specifies `SELF` as the target account, the delegated administrator owns the scan configuration, even if they leave the organization. However, the delegated administrator cannot change the target of a scan configuration with `SELF` as the target. 

**Note**  
 The delegated administrator cannot add tags to CIS scan configurations the organization owns. 

**How Amazon Inspector member accounts can interact with CIS scan configurations and scan results**  
 When a member account creates a CIS scan configuration, it owns the configuration. However, the delegated administrator can view the configuration. If a member account leaves the organization, the delegated administrator won't be able to view the configuration. 

**Note**  
 The delegated administrator cannot edit a scan configuration the member account creates. 

 Member accounts, delegated administrators with `SELF` as the target, and standalone accounts all own scan configurations they create. These scan configurations have an ARN that shows the account ID as the owner: 

 `arn:aws:inspector2:Region:111122223333:owner/111122223333/cis-configuration/scanId` 

 A member account can view scan results in their account, including scan results from CIS scans the delegated administrator scheduled. 
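As an added example (not code from this guide), the following Python parses the two CIS scan configuration ARN forms shown above, classifies each as organization-owned or account-owned, and encodes the management rules in this section. The organization ID `o-exampleorgid` and the scan ID `EXAMPLE-scan-id` are constructed placeholders.

```python
"""Classify Amazon Inspector CIS scan configuration ARNs by owner and apply the
management rules for delegated administrators and member accounts.

Added example, not code from the Amazon Inspector guide. The ARN layout follows the
two forms shown in this section; organization and scan IDs are constructed placeholders.
"""
import re

# The owner segment is an organization ID (org-owned) or a 12-digit account ID.
CIS_CONFIG_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):inspector2:(?P<region>[A-Za-z0-9-]+):"
    r"(?P<account>\d{12}):owner/(?P<owner>[^/]+)/cis-configuration/(?P<scan_id>[^/]+)$"
)


def parse_cis_configuration_arn(arn: str) -> dict:
    """Split the ARN into its fields and add an owner_type of account or organization."""
    match = CIS_CONFIG_ARN.match(arn)
    if not match:
        raise ValueError(f"not a CIS scan configuration ARN: {arn}")
    parts = match.groupdict()
    owner = parts["owner"]
    if re.fullmatch(r"\d{12}", owner):
        parts["owner_type"] = "account"
    elif owner.startswith("o-"):  # AWS Organizations IDs carry the "o-" prefix
        parts["owner_type"] = "organization"
    else:
        raise ValueError(f"unrecognised owner segment: {owner}")
    return parts


def can_manage(arn: str, caller_account: str, is_delegated_admin: bool) -> bool:
    """True if the caller may edit the configuration.

    Organization-owned configurations are managed by the delegated administrator,
    whichever account created them. Account-owned configurations (member accounts,
    standalone accounts, or the administrator targeting SELF) are managed only by the
    owning account; the delegated administrator cannot edit a member-created one.
    """
    parts = parse_cis_configuration_arn(arn)
    if parts["owner_type"] == "organization":
        return is_delegated_admin
    return parts["owner"] == caller_account


if __name__ == "__main__":
    org_arn = ("arn:aws:inspector2:us-east-1:111122223333:owner/o-exampleorgid/"
               "cis-configuration/EXAMPLE-scan-id")
    print(parse_cis_configuration_arn(org_arn)["owner_type"])
```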

## Amazon Inspector owned Amazon S3 buckets used for Amazon Inspector CIS scans
<a name="cis-buckets"></a>

 Open Vulnerability and Assessment Language (OVAL) is an information security effort that standardizes how to assess and report the machine state of computer systems. The following table lists all of the Amazon Inspector owned Amazon S3 buckets with OVAL definitions that are used for CIS scans. Amazon Inspector stages the OVAL definition files that are required for CIS scans in these buckets. The Amazon Inspector owned Amazon S3 buckets should be allowlisted in VPCs if necessary. 

**Note**  
 The details for each of the following Amazon Inspector owned Amazon S3 buckets aren't subject to change. However, the table might be updated to reflect newly supported AWS Regions. You can't use Amazon Inspector owned Amazon S3 buckets for other Amazon S3 operations or in your own Amazon S3 buckets. 


| CIS bucket | AWS Region | 
| --- | --- | 
|   `cis-datasets-prod-arn-5908f6f`   |   Europe (Stockholm)   | 
|   `cis-datasets-prod-bah-8f88801`   |   Middle East (Bahrain)   | 
|   `cis-datasets-prod-bjs-0f40506`   |   China (Beijing)   | 
|   `cis-datasets-prod-bom-435a167`   |   Asia Pacific (Mumbai)   | 
|   `cis-datasets-prod-cdg-f3a9c58`   |   Europe (Paris)   | 
|   `cis-datasets-prod-cgk-09eb12f`   |   Asia Pacific (Jakarta)   | 
|   `cis-datasets-prod-cmh-63030b9`   |   US East (Ohio)   | 
|   `cis-datasets-prod-cpt-02c5c6f`   |   Africa (Cape Town)   | 
|   `cis-datasets-prod-dub-984936f`   |   Europe (Ireland)   | 
|   `cis-datasets-prod-fra-6eb96eb`   |   Europe (Frankfurt)   | 
|   `cis-datasets-prod-gru-de69f99`   |   South America (São Paulo)   | 
|   `cis-datasets-prod-hkg-8e30800`   |   Asia Pacific (Hong Kong)   | 
|   `cis-datasets-prod-iad-8438411`   |   US East (N. Virginia)   | 
|   `cis-datasets-prod-icn-f4eff1c`   |   Asia Pacific (Seoul)   | 
|   `cis-datasets-prod-kix-5743b21`   |  Asia Pacific (Osaka)  | 
|   `cis-datasets-prod-lhr-8b1fbd0`   |   Europe (London)   | 
|   `cis-datasets-prod-mxp-7b1bbce`   |   Europe (Milan)   | 
|   `cis-datasets-prod-nrt-464f684`   |   Asia Pacific (Tokyo)   | 
|   `cis-datasets-prod-osu-5bead6f`   |  AWS GovCloud (US-East)  | 
|   `cis-datasets-prod-pdt-adadf9c`   |   AWS GovCloud (US-West)   | 
|   `cis-datasets-prod-pdx-acfb052`   |   US West (Oregon)   | 
|   `cis-datasets-prod-sfo-1515ba8`   |   US West (N. California)   | 
|   `cis-datasets-prod-sin-309725b`   |   Asia Pacific (Singapore)   | 
|   `cis-datasets-prod-syd-f349107`   |   Asia Pacific (Sydney)   | 
|   `cis-datasets-prod-yul-5e0c95e`   |   Canada (Central)   | 
|   `cis-datasets-prod-zhy-5a8eacb`   |   China (Ningxia)   | 
|   `cis-datasets-prod-zrh-67e0e3d`   |   Europe (Zurich)   | 

# Creating a CIS scan configuration
<a name="scanning-cis-create-cis-scan-configuration"></a>

 This topic describes how to create a CIS scan configuration. 

**To run a CIS scan**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the AWS Region dropdown to select the AWS Region where you want to run a CIS scan. 

1.  From the navigation pane, choose **On-demand scans**, and then choose **CIS scans**. 

1.  Choose **Create new scan**. 

1.  For **Scan configuration name**, enter a **Scan configuration name**. 

1.  For **Target resource tags**, enter a **Key** and corresponding **Value** for the instances you want to scan. You can specify up to five different values for each key and a total of 25 tags to include in the scan. 

1.  For **CIS Benchmark level**, you can select **Level 1** for basic security configurations or **Level 2** for advanced security configurations. 

1.  For **Target accounts**, specify which accounts to include in the CIS scan. For more information, see [Considerations for managing Amazon Inspector CIS scans with AWS Organizations](scanning-cis.md#CIS-organizations). 

    If your account is the delegated administrator account, you can select **All accounts** or **Specify accounts**. The **All accounts** option targets all accounts in your organization. The **Specify accounts** option targets only individual accounts in your organization. If you choose this option, you can specify more than one account by separating the account numbers with a comma. You can also enter `SELF` instead of an account ID to create a scan configuration for your account. 

    If your account is a standalone account or member account in an organization, you can select **Self** to create a scan configuration for your account. 

1.  For **Schedule**, choose **One time scan**, which runs as soon as you finish creating your scan configuration, or **Recurring scans**, which runs at the time you specify. 

1.  Confirm your choices, and then choose **Create**. 
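As an added example (not code from this guide), the following Python assembles the API equivalent of the console steps above: it validates the target tags against the limits in step 6 (up to five values per key, 25 tag pairs in total, read here as key/value pairs across all keys), accepts `SELF` or 12-digit account IDs, and builds the keyword arguments for a boto3 `inspector2` `create_cis_scan_configuration` call. The request shape (`scanName`, `securityLevel`, `schedule`, `targets`) is an assumption about the Inspector API; the tag values are constructed.

```python
"""Build (and optionally submit) a CIS scan configuration request matching the console steps.

Added example, not code from the Amazon Inspector guide. The boto3 request shape is an
assumption about the inspector2 API; the limits enforced are the ones stated in step 6.
"""
import re

MAX_VALUES_PER_KEY = 5
MAX_TOTAL_TAGS = 25  # interpreted as total key/value pairs across all keys
ACCOUNT_ID = re.compile(r"^\d{12}$")


def validate_targets(tags: dict, account_ids: list) -> None:
    """Reject tag sets and account lists the console would not accept."""
    total = 0
    for key, values in tags.items():
        if not values:
            raise ValueError(f"tag key {key!r} needs at least one value")
        if len(values) > MAX_VALUES_PER_KEY:
            raise ValueError(f"tag key {key!r} has more than {MAX_VALUES_PER_KEY} values")
        total += len(values)
    if total == 0 or total > MAX_TOTAL_TAGS:
        raise ValueError(f"between 1 and {MAX_TOTAL_TAGS} tag pairs are allowed, got {total}")
    for acct in account_ids:
        if acct != "SELF" and not ACCOUNT_ID.match(acct):
            raise ValueError(f"invalid target account {acct!r}; use SELF or a 12-digit ID")


def build_cis_scan_request(name, level, tags, account_ids=("SELF",), schedule=None):
    """Return keyword arguments for inspector2.create_cis_scan_configuration (assumed shape).

    `level` is 1 or 2; Level 2 also runs every Level 1 check. `schedule` defaults to a
    one-time scan; pass for example {"weekly": {"days": ["SUN"], "startTime":
    {"timeOfDay": "02:00", "timezone": "UTC"}}} for a recurring low-impact window.
    """
    if level not in (1, 2):
        raise ValueError("CIS Benchmark level must be 1 or 2")
    account_ids = list(account_ids)
    validate_targets(tags, account_ids)
    return {
        "scanName": name,
        "securityLevel": f"LEVEL_{level}",
        "schedule": schedule or {"oneTime": {}},
        "targets": {"accountIds": account_ids,
                    "targetResourceTags": {k: list(v) for k, v in tags.items()}},
    }


def create_cis_scan(client, **kwargs):
    """Submit with a boto3 client: create_cis_scan(boto3.client("inspector2"), name=..., ...)."""
    return client.create_cis_scan_configuration(**build_cis_scan_request(**kwargs))


if __name__ == "__main__":
    # Constructed tag values for illustration only.
    print(build_cis_scan_request("prod-web-cis", 1, {"Environment": ["prod"], "Role": ["web"]}))
```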

# Viewing CIS scan results
<a name="scanning-cis-view-cis-scan-configuration"></a>

 Amazon Inspector creates a scan job for every scan configuration that runs and collects the results of a scan under a unique scan ID. CIS scan results are available for 90 days. You can view CIS scan results aggregated by checks or by scanned resources: 
+  **Scan results aggregated by checks** – Groups the results of a scan by each individual check performed during the scan. For each check, you get a report of how many resources failed, skipped, or passed. 
+  **Scan results aggregated by scanned resources** – Groups the results of a scan by each resource the scan targeted. For each resource, you get a report of how many checks that resource failed, skipped, or passed. 

 This topic describes how to view results for a CIS scan. 

**To view scan results**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the AWS Region dropdown to select the AWS Region where you created your CIS scan configuration. 

1.  From the navigation pane, choose **On-demand scans**, and then choose **CIS scans**. 

1.  Choose the **Scan results** tab. 

1.  Under the **Scheduled by** column, choose the scan schedule ID you want to view. Or select the row with the scan schedule ID you want to view, and then choose **View details**. 

1.  Choose **Checks** to view each check that was performed or **Scanned resources** to view each scanned resource that was targeted during the scan. 

 You can also view details for scheduled CIS scans. 

**To view details for scheduled CIS scans**

1. Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home).

1.  Use the AWS Region dropdown to select the AWS Region where you created your CIS scan configuration. 

1.  From the navigation pane, choose **On-demand scans**, and then choose **CIS scans**. 

1.  Choose the **Scheduled** tab. 

1.  Under the **Scan configuration name** column, choose the name of the scan configuration you want to view. Or select the row with the scan configuration you want to view, and then choose **View details**. 

# Editing a CIS scan configuration
<a name="scanning-cis-view-edit-cis-scan-configuration"></a>

 This topic describes how to edit a CIS scan configuration. 

**To edit a CIS scan configuration**

1. Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home).

1.  Use the AWS Region dropdown to select the AWS Region where you created your CIS scan configuration. 

1.  From the navigation pane, choose **On-demand scans**, and then choose **CIS scans**. 

1.  Choose the **Scheduled** tab. 

1.  Select the row with the scan configuration you want to edit, and then choose **Edit**. 

# Downloading CIS scan results
<a name="scanning-cis-view-download-cis-scan-configuration"></a>

 You can download a PDF or CSV of a CIS scan using the Amazon Inspector console or API. 

**Note**  
 You can only download a CSV file of your CIS scan results for CIS scans collected after 05/03/2024. 

 This topic describes how to download a CIS scan using the Amazon Inspector console. 

**To download CIS scan results from the console**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the AWS Region dropdown to select the AWS Region where you created your CIS scan configuration. 

1.  From the navigation pane, choose **On-demand scans**, and then choose **CIS scans**. 

1.  Choose the **Scan results** tab. 

1.  Under the **Scheduled By** column, choose the scan schedule ID that you want to view. Or select the row with the scan schedule ID that you want to view, and then choose **View details**. 

1.  Choose **Download**, and then choose **PDF** or **CSV**. If your account is the delegated administrator account, you can choose **Select account** to download results for a specific member account. 