

# Scanning Amazon EC2 instances with Amazon Inspector
<a name="scanning-ec2"></a>

 Amazon Inspector Amazon EC2 scanning extracts metadata from your EC2 instance before comparing the metadata against rules collected from security advisories. Amazon Inspector scans instances for package vulnerabilities and network reachability issues to produce [findings](https://docs.aws.amazon.com/inspector/latest/user/findings-types.html). Amazon Inspector performs network reachability scans once every 12 hours and package vulnerability scans on a variable cadence that depends on the scan method associated with the EC2 instance. 

 Package vulnerability scans can be performed using an [agent-based](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agent-based) or [agentless](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agentless) scan method. Both of these scan methods determine how and when Amazon Inspector collects the software inventory from an EC2 instance for package vulnerability scans. Agent-based scanning collects software inventory using the SSM agent, and agentless scanning collects software inventory using Amazon EBS snapshots. 

 Amazon Inspector uses the scan methods that you activate for your account. When you activate Amazon Inspector for the first time, your account is automatically enrolled in hybrid scanning, which uses both scan methods. However, you can [change this setting](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#scan-mode) at any time. For information about how to activate a scan type, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). This section provides information about Amazon EC2 scanning. 

**Note**  
 Amazon EC2 scanning does not scan filesystem directories related to virtual environments, even if they are provisioned through deep inspection. For example, the path `/var/lib/docker/` is not scanned because it's commonly used for container runtimes. 

## Agent-based scanning
<a name="agent-based"></a>

Agent-based scans are performed continuously using the SSM agent on all eligible instances. For agent-based scans, Amazon Inspector uses SSM associations, and plugins installed through these associations, to collect software inventory from your instances. In addition to package vulnerability scans for operating system packages, Amazon Inspector agent-based scanning can also detect package vulnerabilities for application programming language packages in Linux-based instances through [Amazon Inspector deep inspection for Linux-based Amazon EC2 instances](deep-inspection.md).

The following process explains how Amazon Inspector uses SSM to collect inventory and perform agent-based scans:

1. Amazon Inspector creates SSM associations in your account to collect inventory from your instances. For some instance types (Windows and Linux), these associations install plugins on individual instances to collect inventory. 

1. Using SSM, Amazon Inspector extracts package inventory from an instance.

1. Amazon Inspector evaluates the extracted inventory and generates findings for any detected vulnerabilities.

**Note**  
 For agent-based scanning, the Amazon EC2 instance must be managed by SSM in the same AWS account. 

### Eligible instances
<a name="agent-based-eligible"></a>

Amazon Inspector will use the agent-based method to scan an instance if it meets the following conditions:
+ The instance has a supported OS. For a list of supported operating systems, see the **Agent-based scan support** column of [Supported operating systems: Amazon EC2 scanning](supported.md#supported-os-ec2).
+ The instance is not excluded from scans by Amazon Inspector EC2 exclusion tags.
+ The instance is SSM managed. For instructions on verifying and configuring the agent, see [Configuring the SSM Agent](#configure-ssm).

### Agent-based scan behaviors
<a name="ec2-scan-behavior"></a>

When using the agent-based scan method, Amazon Inspector initiates new vulnerability scans of EC2 instances in the following situations:
+ When you launch a new EC2 instance.
+ When you install new software on an existing EC2 instance (Linux and Mac).
+ When Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your EC2 instance (Linux and Mac).

Amazon Inspector updates the **Last scanned** field for an EC2 instance when an initial scan is completed. After this, the **Last scanned** field is updated when Amazon Inspector evaluates SSM inventory (every 30 minutes by default), or when an instance is re-scanned because a new CVE impacting that instance was added to the Amazon Inspector database.

You can check when an EC2 instance was last scanned for vulnerabilities from the Instances tab on the **Account management** page or by using the [ListCoverage](https://docs.aws.amazon.com//inspector/v2/APIReference/API_ListCoverage.html) API.

### Configuring the SSM Agent
<a name="configure-ssm"></a>

In order for Amazon Inspector to detect software vulnerabilities for an Amazon EC2 instance using the agent-based scan method, the instance must be a [managed instance](https://docs.aws.amazon.com//systems-manager/latest/userguide/managed_instances.html) in Amazon EC2 Systems Manager (SSM). An SSM managed instance has the SSM Agent installed and running, and SSM has permission to manage the instance. If you are already using SSM to manage your instances, no other steps are needed for agent-based scans.

The SSM Agent is installed by default on EC2 instances created from some Amazon Machine Images (AMIs). For more information, see [About SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/prereqs-ssm-agent.html) in the *AWS Systems Manager User Guide*. However, even if it's installed, you may need to activate the SSM Agent manually, and grant SSM permission to manage your instance.

The following procedure describes how to configure an Amazon EC2 instance as a managed instance using an IAM instance profile. The procedure also provides links to more detailed information in the *AWS Systems Manager User Guide*.

[AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) is the recommended policy to use when you attach an instance profile. This policy has all the permissions needed for Amazon Inspector EC2 scanning.

**Note**  
You can also automate SSM management of all your EC2 instances, without the use of IAM instance profiles, by using SSM Default Host Management Configuration. For more information, see [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html). When an IAM instance profile is configured on an instance, Amazon Inspector uses that profile and ignores the Default Host Management Configuration (DHMC) role.

**To configure SSM for an Amazon EC2 instance**

1. If it's not already installed by your operating system vendor, install the SSM Agent. For more information, see [Working with SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html).

1. Use the AWS CLI to verify that the SSM Agent is running. For more information, see [Checking SSM Agent status and starting the agent](https://docs.aws.amazon.com//systems-manager/latest/userguide/ssm-agent-status-and-restart.html).

1. Grant permission for SSM to manage your instance. You can grant permission by creating an IAM instance profile and attaching it to your instance. We recommend using the [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) policy, because it has the SSM Distributor, SSM Inventory, and SSM State Manager permissions that Amazon Inspector needs for scans. For instructions on creating an instance profile with these permissions and attaching it to an instance, see [Configure instance permissions for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html#instance-profile-add-permissions).

1. (Optional) Activate automatic updates for the SSM Agent. For more information, see [Automating updates to SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html).

1. (Optional) Configure Systems Manager to use an Amazon Virtual Private Cloud (Amazon VPC) endpoint. For more information, see [Create Amazon VPC endpoints](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html).

**Important**  
Amazon Inspector requires a Systems Manager State Manager association in your account to collect software application inventory. Amazon Inspector automatically creates an association called `InspectorInventoryCollection-do-not-delete` if one doesn't already exist.  
Amazon Inspector also requires a resource data sync and automatically creates one called `InspectorResourceDataSync-do-not-delete` if one doesn't already exist. For more information, see [Configuring resource data sync for Inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html) in the *AWS Systems Manager User Guide*. Each account can have a set number of resource data syncs per Region. For more information, see Maximum number of resource data syncs (per AWS account per Region) in [SSM endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm). 

#### SSM resources created for scanning
<a name="ssm-resources"></a>

 Amazon Inspector requires a number of SSM resources in your account to run Amazon EC2 scans. The following resources are created when you first activate Amazon Inspector EC2 scanning: 

**Note**  
 If any of these SSM resources are deleted while Amazon Inspector Amazon EC2 scanning is activated for your account, Amazon Inspector will attempt to recreate them at the next scan interval. 

`InspectorInventoryCollection-do-not-delete`  
This is a Systems Manager State Manager (SSM) association that Amazon Inspector uses to collect software application inventory from your Amazon EC2 instances. If your account already has an SSM association for collecting inventory from `InstanceIds*`, Amazon Inspector will use that instead of creating its own.

`InspectorResourceDataSync-do-not-delete`  
This is a resource data sync that Amazon Inspector uses to send collected inventory data from your Amazon EC2 instances to an Amazon S3 bucket owned by Amazon Inspector. For more information, see [Configuring resource data sync for Inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html) in the *AWS Systems Manager User Guide*.

`InspectorDistributor-do-not-delete`  
This is an SSM association Amazon Inspector uses for scanning Windows instances. This association installs the Amazon Inspector SSM plugin on your Windows instances. If the plugin file is inadvertently deleted, this association reinstalls it at the next association interval. 

`InvokeInspectorSsmPlugin-do-not-delete`  
This is an SSM association Amazon Inspector uses for scanning Windows instances. This association allows Amazon Inspector to initiate scans using the plugin; you can also use it to set custom intervals for scans of Windows instances. For more information, see [Setting custom schedules for Windows instance scans](windows-scanning.md#windows-scan-schedule). 

`InspectorLinuxDistributor-do-not-delete`  
 This is an SSM association that Amazon Inspector uses for Amazon EC2 Linux deep inspection. This association installs the Amazon Inspector SSM plugin on your Linux instances. 

`InvokeInspectorLinuxSsmPlugin-do-not-delete`  
This is an SSM association Amazon Inspector uses for Amazon EC2 Linux deep inspection. This association allows Amazon Inspector to initiate scans using the plugin. 

**Note**  
 When you deactivate Amazon Inspector Amazon EC2 scanning or deep inspection, the SSM resource `InvokeInspectorLinuxSsmPlugin-do-not-delete` is no longer invoked. 

## Agentless scanning
<a name="agentless"></a>

 Amazon Inspector uses the agentless scanning method on eligible instances when your account is in hybrid scanning mode. Hybrid scanning mode includes agent-based and agentless scans and is automatically enabled when you activate Amazon EC2 scanning. 

 For agentless scans, Amazon Inspector uses EBS snapshots to collect a software inventory from your instances. Agentless scanning scans instances for operating system and application programming language package vulnerabilities. 

**Note**  
When scanning Linux instances for application programming language package vulnerabilities, the agentless method scans all available paths, whereas agent-based scanning only scans the default paths and additional paths you specify as part of [Amazon Inspector deep inspection for Linux-based Amazon EC2 instances](deep-inspection.md). This may result in the same instance having different findings depending on whether it is scanned using the agent-based method or agentless method.

The following process explains how Amazon Inspector uses EBS snapshots to collect inventory and perform agentless scans:

1. Amazon Inspector creates an EBS snapshot of all volumes attached to the instance. While Amazon Inspector is using it, the snapshot is stored in your account and tagged with `InspectorScan` as a tag key, and a unique scan ID as the tag value.

1. Amazon Inspector retrieves data from the snapshots using [EBS direct APIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html) and evaluates them for vulnerabilities. Findings are generated for any detected vulnerabilities.

1. Amazon Inspector deletes the EBS snapshots it created in your account.

### Eligible instances
<a name="agentless-eligible"></a>

 Amazon Inspector will use the agentless method to scan an instance if it meets the following conditions: 
+  The instance has a supported OS. For more information, see the **Agent-based scan support** column of [Supported operating systems: Amazon EC2 scanning](supported.md#supported-os-ec2). 
+  The instance has a status of `Unmanaged EC2 instance`, `Stale inventory`, or `No inventory`. 
+  The instance is backed by Amazon EBS and has one of the following file system formats: 
  + `ext3`
  + `ext4`
  + `xfs`
+  The instance isn't excluded from scans through Amazon EC2 exclusion tags. 
+  The number of volumes attached to the instance is less than 8, and the volumes have a combined size that's less than or equal to 1200 GB. 
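The eligibility conditions above as a single decision function, an added example rather than Amazon Inspector's own logic. The instance record is a constructed dataclass whose field names are this example's own (not an AWS API shape), and `os_supported` stands in for the lookup in the supported operating systems table; it also applies the case-insensitive `InspectorEc2Exclusion` tag rule and the volume count and size limits, including the boundary cases.

```python
"""Agentless-eligibility check that encodes the conditions listed on this page.

Added example, not Amazon Inspector code. Instance and Volume are constructed
records for illustration; their field names are not an AWS API shape.
"""
from dataclasses import dataclass, field

EXCLUSION_TAG_KEY = "inspectorec2exclusion"   # InspectorEc2Exclusion, compared case-insensitively
AGENTLESS_STATUSES = {"Unmanaged EC2 instance", "Stale inventory", "No inventory"}
SUPPORTED_FS = {"ext3", "ext4", "xfs"}
MAX_VOLUMES = 8        # the instance must have fewer than 8 attached volumes
MAX_TOTAL_GB = 1200    # combined size must be less than or equal to 1200 GB


@dataclass
class Volume:
    size_gb: int
    filesystem: str    # e.g. "ext4"; anything outside SUPPORTED_FS is not scannable


@dataclass
class Instance:
    instance_id: str
    os_supported: bool        # result of checking the supported operating systems table
    ssm_status: str           # the coverage status shown on the Account management page
    ebs_backed: bool
    volumes: list = field(default_factory=list)
    tags: dict = field(default_factory=dict)


def is_excluded_by_tag(tags):
    """True if any tag key matches InspectorEc2Exclusion; the tag value is ignored."""
    return any(key.lower() == EXCLUSION_TAG_KEY for key in tags)


def agentless_eligibility(inst):
    """Return (eligible, reasons); reasons lists every condition the instance fails."""
    reasons = []
    if not inst.os_supported:
        reasons.append("operating system is not supported for agentless scanning")
    if inst.ssm_status not in AGENTLESS_STATUSES:
        reasons.append(f"status {inst.ssm_status!r} is not one of the agentless statuses")
    if not inst.ebs_backed:
        reasons.append("instance is not backed by Amazon EBS")
    bad_fs = sorted({v.filesystem for v in inst.volumes} - SUPPORTED_FS)
    if bad_fs:
        reasons.append(f"unsupported file system(s): {', '.join(bad_fs)}")
    if is_excluded_by_tag(inst.tags):
        reasons.append("excluded by InspectorEc2Exclusion tag")
    if len(inst.volumes) >= MAX_VOLUMES:
        reasons.append(f"{len(inst.volumes)} volumes attached; must be fewer than {MAX_VOLUMES}")
    total = sum(v.size_gb for v in inst.volumes)
    if total > MAX_TOTAL_GB:
        reasons.append(f"combined volume size {total} GB exceeds {MAX_TOTAL_GB} GB")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed fleet: one eligible instance and one excluded by a mixed-case tag key.
    fleet = [
        Instance("i-0aaa", True, "Unmanaged EC2 instance", True, [Volume(100, "ext4")]),
        Instance("i-0bbb", True, "Stale inventory", True, [Volume(100, "xfs")],
                 {"inspectorEC2exclusion": ""}),
    ]
    for inst in fleet:
        eligible, why = agentless_eligibility(inst)
        print(inst.instance_id, "eligible" if eligible else "not eligible", why)
```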

### Agentless scan behaviors
<a name="agentless-ec2-scan-behavior"></a>

When your account is configured for **Hybrid scanning**, Amazon Inspector performs agentless scans on eligible instances every 24 hours. Amazon Inspector detects and scans newly eligible instances every hour, which includes new instances without SSM agents, or pre-existing instances with statuses that have changed to `SSM_UNMANAGED`.

Amazon Inspector updates the **Last scanned** field for an Amazon EC2 instance after each agentless scan, once it has evaluated the snapshots extracted from the instance.

You can check when an EC2 instance was last scanned for vulnerabilities from the Instances tab on the **Account management** page or by using the [ListCoverage](https://docs.aws.amazon.com//inspector/v2/APIReference/API_ListCoverage.html) API.
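An added coverage check (not Inspector code) that turns the **Last scanned** cadences described above for both scan methods into a detection: it reads a constructed excerpt shaped like `aws inspector2 list-coverage` output and flags instances that are inactive for any reason other than a deliberate exclusion tag, or whose `lastScannedAt` is older than expected for their scan mode. The staleness thresholds and the sample's enum values are this example's assumptions.

```python
"""Find EC2 instances whose Amazon Inspector coverage is missing or stale.

Added example, not Inspector code. SAMPLE is a constructed excerpt in the shape of
`aws inspector2 list-coverage` JSON (the CLI prints lastScannedAt as ISO-8601).
STALE_AFTER is an assumption derived from the cadences this page describes:
agent-based inventory is evaluated every 30 minutes, so a full day without a
scan is far outside the cadence; agentless scans run every 24 hours, so two
cycles are allowed before flagging.
"""
import json
from datetime import datetime, timezone, timedelta

STALE_AFTER = {                                  # assumed thresholds, not an AWS setting
    "EC2_SSM_AGENT_BASED": timedelta(hours=24),
    "EC2_AGENTLESS": timedelta(hours=48),
}

SAMPLE = json.dumps({"coveredResources": [      # constructed sample output
    {"accountId": "111122223333", "resourceId": "i-0aaa", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE", "scanMode": "EC2_SSM_AGENT_BASED",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"},
     "lastScannedAt": "2024-05-01T11:30:00+00:00"},
    {"accountId": "111122223333", "resourceId": "i-0bbb", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE", "scanMode": "EC2_AGENTLESS",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"},
     "lastScannedAt": "2024-04-28T09:00:00+00:00"},
    {"accountId": "111122223333", "resourceId": "i-0ccc", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "EXCLUDED_BY_TAG"}},
    {"accountId": "111122223333", "resourceId": "i-0ddd", "resourceType": "AWS_EC2_INSTANCE",
     "scanType": "PACKAGE", "scanMode": "EC2_SSM_AGENT_BASED",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"}},
]})

# Fixed "now" so the example is deterministic; pass a real timestamp in practice.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)


def coverage_gaps(list_coverage_json, now=NOW):
    """Return {resourceId: explanation} for EC2 package scans that need attention."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    gaps = {}
    for res in json.loads(list_coverage_json).get("coveredResources", []):
        if res.get("resourceType") != "AWS_EC2_INSTANCE" or res.get("scanType") != "PACKAGE":
            continue
        rid, status = res["resourceId"], res["scanStatus"]
        if status["statusCode"] != "ACTIVE":
            # An exclusion tag is a deliberate choice; any other inactive reason means
            # no vulnerability findings are being produced for the instance.
            if status["reason"] != "EXCLUDED_BY_TAG":
                gaps[rid] = f"not scanned: {status['reason']}"
            continue
        last = res.get("lastScannedAt")
        if not last:
            gaps[rid] = "active but never scanned"
            continue
        age = now - datetime.fromisoformat(last)
        limit = STALE_AFTER.get(res.get("scanMode"))
        if limit is not None and age > limit:
            hours = age.total_seconds() / 3600
            gaps[rid] = f"{res['scanMode']} scan is {hours:.1f}h old (limit {limit})"
    return gaps


if __name__ == "__main__":
    for rid, why in coverage_gaps(SAMPLE).items():
        print(rid, why)
```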

## Managing scan mode
<a name="scan-mode"></a>

Your EC2 scan mode determines which scan methods Amazon Inspector will use when performing EC2 scans in your account. You can view the scan mode for your account from the EC2 scanning settings page under **General settings**. Standalone accounts or Amazon Inspector delegated administrators can change the scan mode. When you set the scan mode as the Amazon Inspector delegated administrator, that scan mode is set for all member accounts in your organization. Amazon Inspector has the following scan modes:

**Agent-based scanning** – In this scan mode, Amazon Inspector will exclusively use the agent-based scan method when scanning for package vulnerabilities. This scan mode only scans SSM managed instances in your account, but has the benefit of providing continuous scans in response to new CVEs or changes to the instances. Agent-based scanning also provides Amazon Inspector deep inspection for eligible instances. This is the default scan mode for newly activated accounts.

**Hybrid scanning** – In this scan mode, Amazon Inspector uses a combination of both agent-based and agentless methods to scan for package vulnerabilities. For eligible EC2 instances that have the SSM agent installed and configured, Amazon Inspector uses the agent-based method. For eligible instances that aren't SSM managed, Amazon Inspector will use the agentless method for eligible EBS-backed instances.

**To change the scan mode**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1. Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to change your EC2 scan mode.

1. From the side navigation panel, under **General settings**, select **EC2 scanning settings**.

1. Under **Scan Mode**, select **Edit**.

1. Choose a scan mode and then select **Save changes**.

## Excluding instances from Amazon Inspector scans
<a name="exclude-ec2"></a>

 You can exclude Linux and Windows instances from Amazon Inspector scans by tagging these instances with the `InspectorEc2Exclusion` key. The tag key is case-insensitive. Including a tag value is optional. For information about adding tags, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html). 

 When you tag an instance for exclusion from Amazon Inspector scans, Amazon Inspector marks the instance as excluded and won't create findings for it. However, the Amazon Inspector SSM plugin will continue to be invoked. To prevent the plugin from being invoked, you must [allow access to tags in instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/work-with-tags-in-IMDS.html#allow-access-to-tags-in-IMDS). 

**Note**  
 You're not charged for excluded instances. 

 Additionally, you can exclude an encrypted EBS volume from agentless scans by tagging the AWS KMS key used to encrypt that volume with the `InspectorEc2Exclusion` tag. For more information, see [Tagging keys](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys). 

## Supported operating systems
<a name="supported-instance"></a>

Amazon Inspector scans supported Mac, Windows, and Linux instances for vulnerabilities in operating system packages. For Linux instances, Amazon Inspector can produce findings for application programming language packages using [Amazon Inspector deep inspection for Linux-based Amazon EC2 instances](deep-inspection.md). For Mac and Windows instances, only operating system packages are scanned. 

For information about supported operating systems, including which operating systems can be scanned without an SSM agent, see [Supported operating systems: Amazon EC2 scanning](supported.md#supported-os-ec2).

# Amazon Inspector deep inspection for Linux-based Amazon EC2 instances
<a name="deep-inspection"></a>

 Amazon Inspector expands Amazon EC2 scanning coverage to include deep inspection. With deep inspection, Amazon Inspector detects package vulnerabilities for application programming language packages in your Linux-based Amazon EC2 instances. Amazon Inspector scans default paths for programming language package libraries. However, you can [configure custom paths](https://docs.aws.amazon.com//inspector/latest/user/deep-inspection.html#deep-inspection-paths) in addition to the paths that Amazon Inspector scans by default. 

**Note**  
 Deep inspection requires `ssm:PutInventory` and `ssm:GetParameter` permissions. If an IAM instance profile is configured on the instance, Amazon Inspector uses that profile and ignores the DHMC role. The instance profile must include these permissions. If no instance profile is set, Amazon Inspector uses the configured [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html) role, which must include these permissions. 

 To perform deep inspection scans for your Linux-based Amazon EC2 instances, Amazon Inspector uses data collected with the Amazon Inspector SSM plugin. To manage the Amazon Inspector SSM plugin and perform deep inspection for Linux, Amazon Inspector automatically creates the SSM association `InvokeInspectorLinuxSsmPlugin-do-not-delete` in your account. Amazon Inspector collects updated application inventory from your Linux-based Amazon EC2 instances every 6 hours. 

**Note**  
 Deep inspection is not supported for Windows or Mac instances. 

 This section describes how to manage Amazon Inspector deep inspection for Amazon EC2 instances, including how to set custom paths for Amazon Inspector to scan. 

**Topics**
+ [Accessing or deactivating deep inspection](#deep-inspection-activate)
+ [Custom paths for Amazon Inspector deep inspection](#deep-inspection-paths)
+ [Custom schedules for Amazon Inspector deep inspection](#deep-inspection-schedules)
+ [Supported programming languages](#supported-deep-inspection)

## Accessing or deactivating deep inspection
<a name="deep-inspection-activate"></a>

**Note**  
 For accounts that activate Amazon Inspector after April 17, 2023, deep inspection is automatically activated as part of Amazon EC2 scanning. 

**To manage deep inspection**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  From the navigation pane, choose **General settings**, and then choose **Amazon EC2 scanning settings**. 

1.  Under **Deep inspection of Amazon EC2 instance**, you can [set custom paths for your organization or for your own account](https://docs.aws.amazon.com/inspector/latest/user/deep-inspection.html#deep-inspection-paths). 

 You can check the activation status programmatically for a single account with the [GetEc2DeepInspectionConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_GetEc2DeepInspectionConfiguration.html) API. You can check the activation status programmatically for multiple accounts with the [BatchUpdateMemberEc2DeepInspectionStatus](https://docs.aws.amazon.com/inspector/v2/APIReference/API_BatchUpdateMemberEc2DeepInspectionStatus.html) API. 

 If you activated Amazon Inspector before April 17, 2023, you can activate deep inspection through the console banner or the [UpdateEc2DeepInspectionConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateEc2DeepInspectionConfiguration.html) API. If you're the delegated administrator for an organization in Amazon Inspector, you can use the [BatchUpdateMemberEc2DeepInspectionStatus](https://docs.aws.amazon.com/inspector/v2/APIReference/API_BatchUpdateMemberEc2DeepInspectionStatus.html) API to activate deep inspection for yourself and your member accounts. 

 You can deactivate deep inspection through the [UpdateEc2DeepInspectionConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateEc2DeepInspectionConfiguration.html) API. Member accounts in an organization can't deactivate deep inspection. Instead, the member account must be deactivated by their delegated administrator using the [BatchUpdateMemberEc2DeepInspectionStatus](https://docs.aws.amazon.com/inspector/v2/APIReference/API_BatchUpdateMemberEc2DeepInspectionStatus.html) API. 

## Custom paths for Amazon Inspector deep inspection
<a name="deep-inspection-paths"></a>

 You can set custom paths for Amazon Inspector to scan during deep inspection of your Linux Amazon EC2 instances. When you set a custom path, Amazon Inspector scans packages in that directory and all of the sub-directories in it. 

 All accounts can define up to 5 custom paths. The delegated administrator for an organization can define 10 custom paths. 

 Amazon Inspector scans all custom paths in addition to the following default paths, which Amazon Inspector scans for all accounts: 
+ `/usr/lib`
+ `/usr/lib64`
+ `/usr/local/lib`
+ `/usr/local/lib64`

**Note**  
 Custom paths must be local paths. Amazon Inspector doesn't scan mapped network paths, such as Network File System mounts or Amazon S3 file system mounts. 

### Formatting custom paths
<a name="deep-inspection-paths-format"></a>

 A custom path cannot be longer than 256 characters. The following is an example of how a custom path might look: 

**Example path**  
 `/home/usr1/project01` 

**Note**  
 The package limit per instance is 5,000. The maximum package inventory collection time is 15 minutes. Amazon Inspector recommends that you choose custom paths to avoid these limits. 

### Setting a custom path in the Amazon Inspector console and with the Amazon Inspector API
<a name="deep-inspection-add-paths"></a>

 The following procedures describe how to set a custom path for Amazon Inspector deep inspection in the Amazon Inspector console and with the Amazon Inspector API. After you set a custom path, Amazon Inspector includes the path in the next deep inspection. 

------
#### [ Console ]

1.  Sign in to the AWS Management Console as the delegated administrator, and open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the AWS Region selector to choose the Region where you want to set custom paths. 

1.  From the navigation pane, choose **General settings**, and then choose **EC2 scanning settings**. 

1.  Under **Custom paths for your own account**, choose **Edit**. 

1.  In the path text boxes, enter your custom paths. 

1.  Choose **Save**. 

------
#### [ API ]

 Run the [UpdateEc2DeepInspectionConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateEc2DeepInspectionConfiguration.html) command. For `packagePaths`, specify an array of paths to scan. 

------
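A pre-flight check for the custom-path procedure above, added here and not part of the AWS documentation: it applies the limits this section states (256 characters, 5 paths per account or 10 for the delegated administrator, local paths only), then assembles the `packagePaths` body for `UpdateEc2DeepInspectionConfiguration`. Because an offline example cannot read the instance's real mount table, the network-mount detection uses a constructed one, and the set of network filesystem types is this example's assumption.

```python
"""Validate Amazon Inspector deep inspection custom paths and build the request body.

Added example, not Inspector code. SAMPLE_MOUNTS and NETWORK_FS are constructed
stand-ins for reading /proc/mounts on the instance.
"""
import json
import posixpath

MAX_PATH_LEN = 256
MAX_PATHS = {"account": 5, "delegated_admin": 10}
NETWORK_FS = {"nfs", "nfs4", "cifs", "fuse.s3fs", "fuse.mount-s3"}   # assumed list

# Constructed mount table: (mount point, filesystem type).
SAMPLE_MOUNTS = [("/", "xfs"), ("/data", "ext4"), ("/mnt/share", "nfs4"), ("/mnt/bucket", "fuse.mount-s3")]


def mount_fs_type(path, mounts):
    """Filesystem type of the longest mount point that contains path, or None."""
    containing = [m for m in mounts
                  if path == m[0] or path.startswith(m[0].rstrip("/") + "/")]
    best = max(containing, key=lambda m: len(m[0]), default=None)
    return best[1] if best else None


def validate_custom_paths(paths, role="account", mounts=SAMPLE_MOUNTS):
    """Return (clean_paths, errors); clean_paths is normalized and de-duplicated."""
    errors, clean = [], []
    for p in paths:
        norm = posixpath.normpath(p)
        if not posixpath.isabs(norm):
            errors.append(f"{p!r}: must be an absolute local path")
            continue
        if len(norm) > MAX_PATH_LEN:
            errors.append(f"{p!r}: longer than {MAX_PATH_LEN} characters")
            continue
        fs = mount_fs_type(norm, mounts)
        if fs in NETWORK_FS:
            errors.append(f"{p!r}: on a {fs} mount; mapped network paths are not scanned")
            continue
        if norm not in clean:
            clean.append(norm)
    limit = MAX_PATHS[role]
    if len(clean) > limit:
        errors.append(f"{len(clean)} custom paths exceed the limit of {limit} for role {role!r}")
    return clean, errors


def deep_inspection_request(paths, role="account", mounts=SAMPLE_MOUNTS):
    """JSON body for UpdateEc2DeepInspectionConfiguration; raises on invalid input."""
    clean, errors = validate_custom_paths(paths, role, mounts)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps({"packagePaths": clean})


if __name__ == "__main__":
    print(deep_inspection_request(["/home/usr1/project01", "/data/app/"]))
    print(validate_custom_paths(["relative/path", "/mnt/share/libs"])[1])
```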

## Custom schedules for Amazon Inspector deep inspection
<a name="deep-inspection-schedules"></a>

 By default, Amazon Inspector collects an application inventory from Amazon EC2 instances every 6 hours. However, you can run the following commands to control how often Amazon Inspector does this. 

 **Example command 1: List associations to view association ID and current interval** 

 The following command shows the association ID for the association `InvokeInspectorLinuxSsmPlugin-do-not-delete`. 

```
aws ssm list-associations \
--association-filter-list "key=AssociationName,value=InvokeInspectorLinuxSsmPlugin-do-not-delete" \
--region your-Region
```

 **Example command 2: Update association to include new interval** 

 The following command uses the association ID for the association `InvokeInspectorLinuxSsmPlugin-do-not-delete`. You can set the rate for `schedule-expression` from 6 hours to a new interval, such as 12 hours. 

```
aws ssm update-association \
--association-id "your-association-ID" \
--association-name "InvokeInspectorLinuxSsmPlugin-do-not-delete" \
--schedule-expression "rate(6 hours)" \
--region your-Region
```

**Note**  
 Depending on your use case, if you set the rate for `schedule-expression` from 6 hours to an interval like 30 minutes, you can [exceed the daily SSM inventory limit](https://docs.aws.amazon.com/inspector/latest/user/assessing-coverage.html#viewing-coverage-instances). This causes results to be delayed, and you might encounter Amazon EC2 instances with partial error statuses. 

## Supported programming languages
<a name="supported-deep-inspection"></a>

 For Linux instances, Amazon Inspector deep inspection can produce findings for application programming language packages and operating system packages. 

 For Mac and Windows instances, Amazon Inspector deep inspection can produce findings only for operating system packages. 

 For more information about supported programming languages, see [Supported programming languages: Amazon EC2 deep inspection](https://docs.aws.amazon.com/inspector/latest/user/supported.html#supported-programming-languages-deep-inspection). 

# Scanning Windows EC2 instances with Amazon Inspector
<a name="windows-scanning"></a>

 Amazon Inspector automatically discovers all supported Windows instances and includes them in continuous scanning without any extra actions. For information about which instances are supported, see [Operating systems and programming languages supported by Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/supported.html). Amazon Inspector runs Windows scans at regular intervals. Windows instances are scanned at discovery and then every 6 hours. However, you can [adjust the default scan interval](https://docs.aws.amazon.com/inspector/latest/user/windows-scanning.html#windows-scan-schedule) after the first scan. 

 When Amazon EC2 scanning is activated, Amazon Inspector creates the following SSM associations for your Windows resources: `InspectorDistributor-do-not-delete`, `InspectorInventoryCollection-do-not-delete`, and `InvokeInspectorSsmPlugin-do-not-delete`. To install the Amazon Inspector SSM plugin on your Windows instances, the `InspectorDistributor-do-not-delete` SSM association uses the [`AWS-ConfigureAWSPackage` SSM document](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html) and the [`AmazonInspector2-InspectorSsmPlugin` SSM Distributor package](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor.html). For more information, see [The Amazon Inspector SSM plugin for Windows](https://docs.aws.amazon.com/inspector/latest/user/deep-inspection.html#inspector/latest/user/deep-inspection.html). To collect instance data and generate Amazon Inspector findings, the `InvokeInspectorSsmPlugin-do-not-delete` SSM association runs the Amazon Inspector SSM plugin at 6-hour intervals. However, you can [customize this setting using a cron or rate expression](https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html). 

**Note**  
 Amazon Inspector stages updated Open Vulnerability and Assessment Language (OVAL) definition files to the S3 bucket `inspector2-oval-prod-your-AWS-Region`. The Amazon S3 bucket contains OVAL definitions used in scans. These OVAL definitions shouldn't be modified. Otherwise, Amazon Inspector won't scan for new CVEs when they release. 

## Amazon Inspector scan requirements for Windows instances
<a name="windows-requirements"></a>

To scan a Windows instance, Amazon Inspector requires the instance to meet the following criteria:
+ The instance is an SSM managed instance. For instructions about setting up your instance for scanning, see [Configuring the SSM Agent](scanning-ec2.md#configure-ssm).
+ The instance operating system is one of the supported Windows operating systems. For a complete list of supported operating systems, see [Supported operating systems: Amazon EC2 scanning](supported.md#supported-os-ec2).
+ The instance has the Amazon Inspector SSM plugin installed. Amazon Inspector automatically installs the Amazon Inspector SSM plugin for managed instances upon discovery. See the next topic for details about the plugin.

**Note**  
If your host is running in an Amazon VPC without outgoing internet access, Windows scanning requires your host to be able to access Regional Amazon S3 endpoints. To learn how to configure an Amazon S3 Amazon VPC endpoint, see [Create a gateway endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3) in the *Amazon Virtual Private Cloud User Guide*. If your Amazon VPC endpoint policy is restricting access to external S3 buckets, you must specifically allow access to the bucket maintained by Amazon Inspector in your AWS Region that stores the OVAL definitions used to evaluate your instance. This bucket has the following format: `inspector2-oval-prod-REGION`. 

## Setting custom schedules for Windows instance scans
<a name="windows-scan-schedule"></a>

You can customize the time between your Windows Amazon EC2 instance scans by setting a cron expression or rate expression for the `InvokeInspectorSsmPlugin-do-not-delete` association using SSM. For more information, see [Reference: Cron and rate expressions for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html) in the *AWS Systems Manager User Guide* or use the following instructions. 

Select from the following code examples to change the scan cadence for Windows instances from the default 6 hours to 12 hours using either a rate expression or a cron expression.

The following examples require you to use the **AssociationId** for the association named `InvokeInspectorSsmPlugin-do-not-delete`. You can retrieve your **AssociationId** by running the following AWS CLI command:

```
$ aws ssm list-associations --association-filter-list "key=AssociationName,value=InvokeInspectorSsmPlugin-do-not-delete" --region us-east-1
```

**Note**  
The **AssociationId** is Regional, so you need to first retrieve a unique ID for each AWS Region. You can then run the command to change the scan cadence in each Region where you want to set a custom scan schedule for Windows instances.

------
#### [ Example rate expression ]

```
$ aws ssm update-association \
--association-id "YourAssociationId" \
--association-name "InvokeInspectorSsmPlugin-do-not-delete" \
--schedule-expression "rate(12 hours)"
```

------
#### [ Example cron expression ]

```
$ aws ssm update-association \
--association-id "YourAssociationId" \
--association-name "InvokeInspectorSsmPlugin-do-not-delete" \
--schedule-expression "cron(0 0/12 * * ? *)"
```

------
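One helper for both schedule procedures on this page, the Linux deep inspection association (`InvokeInspectorLinuxSsmPlugin-do-not-delete`) and the Windows one (`InvokeInspectorSsmPlugin-do-not-delete`), added here and not part of the AWS documentation: it looks up the Regional association ID in constructed `list-associations` output, parses a `rate()` expression, and assembles the `update-association` command, flagging any interval shorter than the 6-hour default because the deep inspection note warns such rates can exceed the daily SSM inventory limit. The sample output and the "below default" flag are this example's assumptions; `cron()` expressions are passed through unparsed.

```python
"""Locate an Inspector plugin association and build its update-association call.

Added example, not Inspector or SSM code. SAMPLE_LIST is a constructed excerpt
shaped like `aws ssm list-associations` JSON for one Region.
"""
import json
import re
import shlex
from datetime import timedelta

LINUX_ASSOC = "InvokeInspectorLinuxSsmPlugin-do-not-delete"
WINDOWS_ASSOC = "InvokeInspectorSsmPlugin-do-not-delete"
DEFAULT_INTERVAL = timedelta(hours=6)          # default cadence for both associations

SAMPLE_LIST = json.dumps({"Associations": [    # constructed; IDs are placeholders
    {"AssociationName": WINDOWS_ASSOC,
     "AssociationId": "00000000-0000-0000-0000-000000000001",
     "ScheduleExpression": "rate(6 hours)"},
    {"AssociationName": "InspectorInventoryCollection-do-not-delete",
     "AssociationId": "00000000-0000-0000-0000-000000000002",
     "ScheduleExpression": "rate(30 minutes)"},
]})

_RATE = re.compile(r"^rate\((\d+)\s+(minutes?|hours?|days?)\)$")


def rate_interval(expr):
    """Parse an SSM rate() expression into a timedelta; cron() is not handled here."""
    m = _RATE.match(expr.strip())
    if not m:
        raise ValueError(f"not a rate() expression: {expr!r}")
    count, unit = int(m.group(1)), m.group(2).rstrip("s")
    return timedelta(**{unit + "s": count})


def find_association(list_json, association_name):
    """Return (AssociationId, ScheduleExpression) for the named association, or None.

    AssociationIds are Regional, so call list-associations once per Region.
    """
    for assoc in json.loads(list_json).get("Associations", []):
        if assoc.get("AssociationName") == association_name:
            return assoc["AssociationId"], assoc.get("ScheduleExpression")
    return None


def build_update_command(association_id, association_name, schedule, region):
    """argv for `aws ssm update-association`, and whether the new rate is below the default."""
    below_default = schedule.startswith("rate(") and rate_interval(schedule) < DEFAULT_INTERVAL
    argv = ["aws", "ssm", "update-association",
            "--association-id", association_id,
            "--association-name", association_name,
            "--schedule-expression", schedule,
            "--region", region]
    return argv, below_default


if __name__ == "__main__":
    found = find_association(SAMPLE_LIST, WINDOWS_ASSOC)
    if found:
        assoc_id, current = found
        argv, warn = build_update_command(assoc_id, WINDOWS_ASSOC, "rate(12 hours)", "us-east-1")
        print(f"current: {current}")
        print(shlex.join(argv))
        if warn:
            print("warning: interval is shorter than the 6-hour default")
```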