

# Automated scan types in Amazon Inspector
<a name="scanning-resources"></a>

 Amazon Inspector uses a purpose-built scanning engine that monitors your resources for actionable software vulnerabilities and unintended network exposure. When Amazon Inspector detects a software vulnerability or unintended network exposure, it creates a [finding](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html). When you activate Amazon Inspector for the first time, your account is automatically enrolled in [all scan types](https://docs.aws.amazon.com/inspector/latest/user/scanning-resources.html#scan-types), which include Amazon EC2 scanning, Amazon ECR scanning, and Lambda standard scanning. 

**Note**  
 Lambda code scanning is an optional layer of Lambda function scanning that you can activate at any time. 

**Topics**
+ [Overview of Amazon Inspector scan types](#scan-types)
+ [Activating a scan type](activate-scans.md)
+ [Scanning Amazon EC2 instances with Amazon Inspector](scanning-ec2.md)
+ [Scanning Amazon Elastic Container Registry container images with Amazon Inspector](scanning-ecr.md)
+ [Scanning AWS Lambda functions with Amazon Inspector](scanning-lambda.md)
+ [Deactivating a scan type in Amazon Inspector](deactivate-scans.md)

## Overview of Amazon Inspector scan types
<a name="scan-types"></a>

 Amazon Inspector provides different scan types, which focus on specific resource types in your AWS environment. 

**Amazon EC2 scanning**  
 When you activate Amazon EC2 scanning, Amazon Inspector scans your EC2 instances for common vulnerabilities and exposures (CVEs), network exposure and network reachability issues, and operating system and programming language package vulnerabilities. Amazon Inspector collects the software inventory either through the SSM agent installed on your instance or through Amazon EBS snapshots of the instance. For more information, see [Scanning Amazon EC2 instances with Amazon Inspector](scanning-ec2.md). By default, when you activate Amazon EC2 scanning, hybrid scanning mode is enabled automatically. For more information, see [Agentless scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agentless). 

**Amazon ECR scanning**  
 When you activate Amazon ECR scanning, Amazon Inspector converts all of the repositories in your private registry from basic scanning to enhanced scanning. You can configure this setting with inclusion rules to scan on push only or to scan only selected repositories. Amazon Inspector scans only ECR container images that are active (the `imageStatus` field is `ACTIVE`) in ECR. Amazon Inspector scans all images pushed or transitioned to active (`lastActivatedAt`) in ECR within the last 30 days or pulled within the last 90 days, and continues to monitor images for 90 days by default. You can change this setting at any time. For more information, see [Scanning Amazon Elastic Container Registry container images with Amazon Inspector](scanning-ecr.md). 

**Lambda standard scanning**  
 When you activate Lambda standard scanning, Amazon Inspector discovers all of the Lambda functions in your account and immediately scans them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they're deployed, and rescans them when they're updated or when new CVEs are published. For more information, see [Scanning AWS Lambda functions with Amazon Inspector](scanning-lambda.md). 

**Lambda standard scanning + Lambda code scanning**  
 When you activate Lambda code scanning, Amazon Inspector discovers the Lambda functions and layers in your account and scans them for code vulnerabilities. This type of scanning evaluates application package dependencies used in a Lambda function for CVEs. When you activate this scan type, you also activate Lambda standard scanning. For more information, see [Scanning AWS Lambda functions with Amazon Inspector](scanning-lambda.md). 

**Code Security for Amazon Inspector**  
 This scan type uses the Amazon Q Developer scanning engine to scan first-party application code, third-party application dependencies, and Infrastructure as Code for vulnerabilities. For more information, see [Code Security for Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/code-security-assessments.html). 

# Activating a scan type
<a name="activate-scans"></a>

 You can activate a scan type at any time. When you activate a scan type, Amazon Inspector begins scanning eligible resources for the scan type. 

**[Amazon EC2 scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html)**  
 This scan type extracts metadata from an Amazon EC2 instance before comparing the metadata against rules collected from security advisories. When you activate this scan type, Amazon Inspector scans all eligible Amazon EC2 instances in your account for package vulnerabilities and network reachability issues. After you activate this scan type, you can view how many instances are being scanned in the **Instances** tab. 

**[Amazon ECR scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html)**  
 This scan type scans container images and container repositories in Amazon ECR. When you activate this scan type, you change the scanning configuration setting for your private registry from basic scanning to enhanced scanning. After you activate Amazon ECR scanning, you can view how many images and repositories are being scanned in the **Container images** and **Container repositories** tabs. 

**[Lambda standard scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html#lambda-standard-scans) + [Lambda code scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html#lambda-code-scans)**  
 Lambda standard scanning is the default Lambda scan type. When you activate Lambda standard scanning, all of your Lambda functions are scanned for software vulnerabilities, as long as they were invoked or updated in the last 90 days. After you activate Lambda standard scanning, you can view how many Lambda functions are being scanned in the **Lambda functions** tab. 

 Lambda code scanning scans custom application code in a Lambda function. When you activate Lambda code scanning, all of your Lambda functions are scanned for code vulnerabilities, as long as they were invoked or updated in the last 90 days. After you activate Lambda code scanning, you can view how many Lambda functions are being scanned for code vulnerabilities in the **Lambda functions** tab. 

**Note**  
 If you want to activate Lambda code scanning, you must activate Lambda standard scanning first. 

**[Amazon Inspector Code Security](https://docs.aws.amazon.com/inspector/latest/user/code-security-assessments.html)**  
 This scan type scans first-party application code, third-party application dependencies, and Infrastructure as Code for vulnerabilities. When you activate Code Security, Amazon Inspector begins scanning your code repositories for code vulnerabilities based on your scan configurations. After you activate Amazon Inspector Code Security, you can view how many code repositories are being scanned in the **Code repositories** tab. 

## Activating scans
<a name="activate-scans-proc"></a>

 The following procedure describes how to activate a scan type in Amazon Inspector. 

**Note**  
 If you're the delegated administrator for an AWS organization, you can enable Amazon Inspector scan types for multiple accounts in multiple Regions using a shell script. For more information, see [inspector2-enablement-with-cli](https://github.com/aws-samples/inspector2-enablement-with-cli) on GitHub. Otherwise, complete the following steps while signed in as the Amazon Inspector delegated administrator. 

------
#### [ Console ]

**To activate scans**

1. Open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home).

1. Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to activate a new scan type.

1. In the navigation pane, choose **Account management**.

1. On the **Account management** page, select the accounts for which you would like to activate a scan type.

1. Choose **Activate** and select the type of scanning you would like to activate.

1. (Recommended) Repeat these steps in each AWS Region for which you want to activate that scan type.

------
#### [ API ]

Run the [Enable](https://docs.aws.amazon.com/inspector/v2/APIReference/API_Enable.html) API operation. In the request, provide the account IDs you are activating scans for, an idempotency token (`clientToken`), and one or more of `EC2`, `ECR`, `LAMBDA`, or `LAMBDA_CODE` for `resourceTypes` to activate scans of those types. Because `LAMBDA_CODE` depends on Lambda standard scanning, request `LAMBDA` alongside it.

------
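The following script, added here as an example and not part of the AWS documentation or SDK, wraps the Enable call and then checks the outcome with the BatchGetAccountStatus API, because Enable returns before each resource type's status reaches `ENABLED`. It assumes boto3 is installed, that credentials for the standalone account or delegated administrator are available, and that the Region `us-east-1` and the account ID `111122223333` are placeholders to replace; the mapping from resource type names to the `resourceState` keys is the example's own, and the sample response used in the test is constructed.

```python
"""Activate Amazon Inspector scan types with the Enable API and confirm the
result with BatchGetAccountStatus.

Added example, not AWS code. Requires boto3 and credentials for the account
that owns the scans (a standalone account or the delegated administrator).
"""
import uuid

# Resource types the Enable API accepts, as listed on this page.
VALID_RESOURCE_TYPES = {"EC2", "ECR", "LAMBDA", "LAMBDA_CODE"}

# Key names used by BatchGetAccountStatus under accounts[].resourceState
# (Inspector2 API field names, mapped here for the lookup in not_enabled()).
STATE_KEY = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda",
             "LAMBDA_CODE": "lambdaCode"}


def build_enable_request(account_ids, resource_types, client_token=None):
    """Validate inputs and return the keyword arguments for inspector2.enable().

    Lambda code scanning requires Lambda standard scanning, so LAMBDA is added
    whenever LAMBDA_CODE is requested. The client token makes retries safe:
    re-sending the same request with the same token does not re-apply it.
    """
    if not account_ids:
        raise ValueError("at least one account ID is required")
    types = {t.upper() for t in resource_types}
    unknown = types - VALID_RESOURCE_TYPES
    if unknown:
        raise ValueError(f"unknown resource types: {sorted(unknown)}")
    if "LAMBDA_CODE" in types:
        types.add("LAMBDA")
    return {
        "accountIds": list(account_ids),
        "resourceTypes": sorted(types),
        "clientToken": client_token or str(uuid.uuid4()),
    }


def not_enabled(status_response, wanted_types):
    """From a BatchGetAccountStatus response, return
    {account_id: {resource_type: status}} for every wanted type whose status
    is not ENABLED (ENABLING is transient; DISABLED or a missing entry means
    the activation did not take)."""
    problems = {}
    for account in status_response.get("accounts", []):
        state = account.get("resourceState", {})
        for rtype in wanted_types:
            status = state.get(STATE_KEY[rtype], {}).get("status", "MISSING")
            if status != "ENABLED":
                problems.setdefault(account["accountId"], {})[rtype] = status
    return problems


def enable_and_verify(account_ids, resource_types, region="us-east-1"):
    """Call Enable, print per-account failures, then return what is still
    not ENABLED so the caller can poll again or investigate."""
    import boto3  # imported here so the helpers above work without boto3
    client = boto3.client("inspector2", region_name=region)
    request = build_enable_request(account_ids, resource_types)
    response = client.enable(**request)
    for failed in response.get("failedAccounts", []):
        print(f"{failed['accountId']}: {failed.get('errorCode')} "
              f"{failed.get('errorMessage')}")
    status = client.batch_get_account_status(accountIds=request["accountIds"])
    return not_enabled(status, request["resourceTypes"])


if __name__ == "__main__":
    # The account ID is a placeholder; supply your own and run once per Region.
    print(enable_and_verify(["111122223333"], ["EC2", "ECR", "LAMBDA_CODE"]))
```

Scan activation is per Region, so run the script once in each Region you want covered; an empty result from `enable_and_verify()` means every requested type reports `ENABLED`, while `ENABLING` entries just need another poll.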

# Scanning Amazon EC2 instances with Amazon Inspector
<a name="scanning-ec2"></a>

 Amazon Inspector Amazon EC2 scanning extracts metadata from your EC2 instance before comparing the metadata against rules collected from security advisories. Amazon Inspector scans instances for package vulnerabilities and network reachability issues to produce [findings](https://docs.aws.amazon.com/inspector/latest/user/findings-types.html). Amazon Inspector performs network reachability scans once every 12 hours and package vulnerability scans on a variable cadence that depends on the scan method associated with the EC2 instance. 

 Package vulnerability scans can be performed using an [agent-based](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agent-based) or [agentless](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agentless) scan method. The scan method determines how and when Amazon Inspector collects the software inventory from an EC2 instance for package vulnerability scans. Agent-based scanning collects software inventory using the SSM agent, and agentless scanning collects software inventory from Amazon EBS snapshots. 

 Amazon Inspector uses the scan methods that you activate for your account. When you activate Amazon Inspector for the first time, your account is automatically enrolled in hybrid scanning, which uses both scan methods. However, you can [change this setting](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#scan-mode) at any time. For information about how to activate a scan type, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). This section provides information about Amazon EC2 scanning. 

**Note**  
 Amazon EC2 scanning does not scan file system directories related to virtual environments, even if they fall under paths configured for deep inspection. For example, the path `/var/lib/docker/` is not scanned because it's commonly used by container runtimes. 

## Agent-based scanning
<a name="agent-based"></a>

Agent-based scans are performed continuously using the SSM agent on all eligible instances. For agent-based scans, Amazon Inspector uses SSM associations, and plugins installed through these associations, to collect software inventory from your instances. In addition to package vulnerability scans for operating system packages, Amazon Inspector agent-based scanning can also detect package vulnerabilities for application programming language packages in Linux-based instances through [Amazon Inspector deep inspection for Linux-based Amazon EC2 instances](deep-inspection.md).

The following process explains how Amazon Inspector uses SSM to collect inventory and perform agent-based scans:

1. Amazon Inspector creates SSM associations in your account to collect inventory from your instances. For some operating systems (Windows and Linux), these associations install plugins on individual instances to collect inventory. 

1. Using SSM, Amazon Inspector extracts package inventory from an instance.

1. Amazon Inspector evaluates the extracted inventory and generates findings for any detected vulnerabilities.

**Note**  
 For agent-based scanning, the Amazon EC2 instance must be managed by SSM in the same AWS account. 

### Eligible instances
<a name="agent-based-eligible"></a>

Amazon Inspector will use the agent-based method to scan an instance if it meets the following conditions:
+ The instance has a supported OS. For a list of supported OS see the **Agent-based scan support** column of [Supported operating systems: Amazon EC2 scanning](supported.md#supported-os-ec2).
+ The instance is not excluded from scans by Amazon Inspector EC2 exclusion tags.
+ The instance is SSM managed. For instructions on verifying and configuring the agent, see [Configuring the SSM Agent](#configure-ssm).

### Agent-based scan behaviors
<a name="ec2-scan-behavior"></a>

When using the agent-based scan method, Amazon Inspector initiates new vulnerability scans of EC2 instances in the following situations:
+ When you launch a new EC2 instance.
+ When you install new software on an existing EC2 instance (Linux and Mac).
+ When Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your EC2 instance (Linux and Mac).

Amazon Inspector updates the **Last scanned** field for an EC2 instance when an initial scan is completed. After this, the **Last scanned** field is updated when Amazon Inspector evaluates SSM inventory (every 30 minutes by default), or when an instance is re-scanned because a new CVE impacting that instance was added to the Amazon Inspector database.

You can check when an EC2 instance was last scanned for vulnerabilities from the **Instances** tab on the **Account management** page or by using the [ListCoverage](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListCoverage.html) API operation.
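As an added example (not from the AWS documentation or SDK), the following script pages through ListCoverage for EC2 instances and sorts the results into covered, pending, stale, and not-scanned buckets, so you can spot instances whose **Last scanned** value has stopped advancing or that Amazon Inspector is skipping. `fetch_ec2_coverage()` assumes boto3, read access to Amazon Inspector, and a placeholder Region; `summarize_ec2_coverage()` works on plain dicts shaped like the API's `CoveredResource` objects. The 24-hour staleness threshold and the scan status reason strings named in the comments are the example's assumptions, and any sample data is constructed.

```python
"""Report EC2 coverage from the Amazon Inspector ListCoverage API: which
instances are scanned, how (agent-based or agentless), how stale the last
scan is, and why uncovered instances are skipped.

Added example, not AWS code. fetch_ec2_coverage() needs boto3 and read
access to Inspector; summarize_ec2_coverage() works on plain dicts shaped
like the API's CoveredResource objects.
"""
from datetime import datetime, timedelta, timezone

EC2_RESOURCE_TYPE = "AWS_EC2_INSTANCE"


def summarize_ec2_coverage(covered_resources, now, stale_after=timedelta(hours=24)):
    """Sort CoveredResource dicts into four buckets.

    covered:     scanStatus.statusCode ACTIVE and scanned within stale_after,
                 recorded as (instance ID, scanMode)
    pending:     ACTIVE but no lastScannedAt yet (initial scan not done)
    stale:       ACTIVE but lastScannedAt older than stale_after
    not_scanned: anything else, keyed by instance ID with scanStatus.reason

    stale_after defaults to 24 hours because that is the agentless cadence
    on this page; agent-based instances normally refresh every 30 minutes,
    so pass a tighter threshold when auditing SSM-managed fleets.
    """
    report = {"covered": [], "pending": [], "stale": [], "not_scanned": {}}
    for res in covered_resources:
        if res.get("resourceType") != EC2_RESOURCE_TYPE:
            continue
        rid = res["resourceId"]
        status = res.get("scanStatus", {})
        if status.get("statusCode") != "ACTIVE":
            # Reason strings such as UNMANAGED_EC2_INSTANCE or EXCLUDED_BY_TAG
            # come from the API; the values named here are assumptions.
            report["not_scanned"][rid] = status.get("reason", "UNKNOWN")
            continue
        last = res.get("lastScannedAt")
        if last is None:
            report["pending"].append(rid)
        elif now - last > stale_after:
            report["stale"].append(rid)
        else:
            report["covered"].append((rid, res.get("scanMode")))
    return report


def fetch_ec2_coverage(region="us-east-1"):
    """Page through ListCoverage filtered to EC2 instances."""
    import boto3  # local import keeps summarize_ec2_coverage() usable offline
    client = boto3.client("inspector2", region_name=region)
    paginator = client.get_paginator("list_coverage")
    criteria = {"resourceType": [{"comparison": "EQUALS",
                                  "value": EC2_RESOURCE_TYPE}]}
    return [r for page in paginator.paginate(filterCriteria=criteria)
            for r in page.get("coveredResources", [])]


if __name__ == "__main__":
    report = summarize_ec2_coverage(fetch_ec2_coverage(),
                                    datetime.now(timezone.utc))
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
```

Instances that land in `stale` with an agent-based `scanMode` usually mean the SSM agent has stopped reporting inventory; those in `not_scanned` carry the reason Amazon Inspector recorded, which is the first thing to check before touching the instance.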

### Configuring the SSM Agent
<a name="configure-ssm"></a>

In order for Amazon Inspector to detect software vulnerabilities for an Amazon EC2 instance using the agent-based scan method, the instance must be a [managed instance](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html) in AWS Systems Manager (SSM). An SSM managed instance has the SSM Agent installed and running, and SSM has permission to manage the instance. If you are already using SSM to manage your instances, no other steps are needed for agent-based scans.

The SSM Agent is installed by default on EC2 instances created from some Amazon Machine Images (AMIs). For more information, see [About SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/prereqs-ssm-agent.html) in the *AWS Systems Manager User Guide*. However, even if it's installed, you may need to activate the SSM Agent manually, and grant SSM permission to manage your instance.

The following procedure describes how to configure an Amazon EC2 instance as a managed instance using an IAM instance profile. The procedure also provides links to more detailed information in the *AWS Systems Manager User Guide*.

[AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) is the recommended policy to use when you attach an instance profile. This policy has all the permissions needed for Amazon Inspector EC2 scanning.

**Note**  
You can also automate SSM management of all your EC2 instances, without the use of IAM instance profiles, by using SSM Default Host Management Configuration. For more information, see [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html). When an IAM instance profile is configured on an instance, Amazon Inspector uses that profile and ignores the Default Host Management Configuration (DHMC) role.

**To configure SSM for an Amazon EC2 instance**

1. If it's not already installed by your operating system vendor, install the SSM Agent. For more information, see [Working with SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html).

1. Use the AWS CLI to verify that the SSM Agent is running. For more information, see [Checking SSM Agent status and starting the agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-status-and-restart.html).

1. Grant permission for SSM to manage your instance. You can grant permission by creating an IAM instance profile and attaching it to your instance. We recommend using the [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) policy, because it has the permissions for SSM Distributor, SSM Inventory, and SSM State Manager that Amazon Inspector needs for scans. For instructions on creating an instance profile with these permissions and attaching it to an instance, see [Configure instance permissions for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html#instance-profile-add-permissions).

1. (Optional) Activate automatic updates for the SSM Agent. For more information, see [Automating updates to SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-automatic-updates.html).

1. (Optional) Configure Systems Manager to use an Amazon Virtual Private Cloud (Amazon VPC) endpoint. For more information, see [Create Amazon VPC endpoints](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html).

**Important**  
Amazon Inspector requires a Systems Manager State Manager association in your account to collect software application inventory. Amazon Inspector automatically creates an association called `InspectorInventoryCollection-do-not-delete` if one doesn't already exist.  
Amazon Inspector also requires a resource data sync and automatically creates one called `InspectorResourceDataSync-do-not-delete` if one doesn't already exist. For more information, see [Configuring resource data sync for Inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html) in the *AWS Systems Manager User Guide*. Each account can have a set number of resource data syncs per Region. For more information, see Maximum number of resource data syncs (per AWS account per Region) in [SSM endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm). 

#### SSM resources created for scanning
<a name="ssm-resources"></a>

 Amazon Inspector requires a number of SSM resources in your account to run Amazon EC2 scans. The following resources are created when you first activate Amazon Inspector EC2 scanning: 

**Note**  
 If any of these SSM resources are deleted while Amazon Inspector Amazon EC2 scanning is activated for your account, Amazon Inspector will attempt to recreate them at the next scan interval. 

`InspectorInventoryCollection-do-not-delete`  
This is a Systems Manager State Manager (SSM) association that Amazon Inspector uses to collect software application inventory from your Amazon EC2 instances. If your account already has an SSM inventory association that targets all instances (target key `InstanceIds` with value `*`), Amazon Inspector uses that association instead of creating its own.

`InspectorResourceDataSync-do-not-delete`  
This is a resource data sync that Amazon Inspector uses to send collected inventory data from your Amazon EC2 instances to an Amazon S3 bucket owned by Amazon Inspector. For more information, see [Configuring resource data sync for Inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html) in the *AWS Systems Manager User Guide*.

`InspectorDistributor-do-not-delete`  
This is an SSM association Amazon Inspector uses for scanning Windows instances. This association installs the Amazon Inspector SSM plugin on your Windows instances. If the plugin file is inadvertently deleted, this association reinstalls it at the next association interval. 

`InvokeInspectorSsmPlugin-do-not-delete`  
This is an SSM association Amazon Inspector uses for scanning Windows instances. This association allows Amazon Inspector to initiate scans using the plugin. You can also use it to set custom intervals for scans of Windows instances. For more information, see [Setting custom schedules for Windows instance scans](windows-scanning.md#windows-scan-schedule). 

`InspectorLinuxDistributor-do-not-delete`  
 This is an SSM association that Amazon Inspector uses for Amazon EC2 Linux deep inspection. This association installs the Amazon Inspector SSM plugin on your Linux instances. 

`InvokeInspectorLinuxSsmPlugin-do-not-delete`  
This is an SSM association Amazon Inspector uses for Amazon EC2 Linux deep inspection. This association allows Amazon Inspector to initiate scans using the plugin. 

**Note**  
 When you deactivate Amazon Inspector Amazon EC2 scanning or deep inspection, the SSM resource `InvokeInspectorLinuxSsmPlugin-do-not-delete` is no longer invoked. 

## Agentless scanning
<a name="agentless"></a>

 Amazon Inspector uses the agentless scanning method on eligible instances when your account is in hybrid scanning mode. Hybrid scanning mode includes agent-based and agentless scans and is automatically enabled when you activate Amazon EC2 scanning. 

 For agentless scans, Amazon Inspector uses EBS snapshots to collect a software inventory from your instances. Agentless scanning scans instances for operating system and application programming language package vulnerabilities. 

**Note**  
When scanning Linux instances for application programming language package vulnerabilities, the agentless method scans all available paths, whereas agent-based scanning only scans the default paths and additional paths you specify as part of [Amazon Inspector deep inspection for Linux-based Amazon EC2 instances](deep-inspection.md). This may result in the same instance having different findings depending on whether it is scanned using the agent-based method or agentless method.

The following process explains how Amazon Inspector uses EBS snapshots to collect inventory and perform agentless scans:

1. Amazon Inspector creates an EBS snapshot of all volumes attached to the instance. While Amazon Inspector is using it, the snapshot is stored in your account and tagged with `InspectorScan` as a tag key, and a unique scan ID as the tag value.

1. Amazon Inspector retrieves data from the snapshots using [EBS direct APIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html) and evaluates them for vulnerabilities. Findings are generated for any detected vulnerabilities.

1. Amazon Inspector deletes the EBS snapshots it created in your account.

### Eligible instances
<a name="agentless-eligible"></a>

 Amazon Inspector will use the agentless method to scan an instance if it meets the following conditions: 
+  The instance has a supported OS. For more information, see the **Agentless scan support** column of [Supported operating systems: Amazon EC2 scanning](supported.md#supported-os-ec2). 
+  The instance has a status of `Unmanaged EC2 instance`, `Stale inventory`, or `No inventory`. 
+  The instance is backed by Amazon EBS and has one of the following file system formats: 
  + `ext3`
  + `ext4`
  + `xfs`
+  The instance isn't excluded from scans through Amazon EC2 exclusion tags. 
+  Fewer than 8 volumes are attached to the instance, and their combined size is 1200 GB or less. 
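The following function, an added example rather than AWS code, applies the eligibility rules above (together with the case-insensitive `InspectorEc2Exclusion` tag check described later on this page) to a description of an instance that you assemble yourself, and lists every rule the instance fails. It is meant for the common support question of why an instance with no working SSM agent still shows no agentless scan. The input dict and its field names are the example's own, not an AWS API shape, and the sample instance is constructed.

```python
"""Pre-check the agentless eligibility rules on this page for an instance,
so you can tell why an instance without a working SSM agent still shows no
agentless scan.

Added example, not AWS code. The input is a plain dict that you assemble
yourself (for example from DescribeInstances, DescribeVolumes and the
coverage status shown in the Instances tab); its field names are this
example's, not an AWS API shape.
"""

# Coverage statuses that hand an instance to the agentless method.
AGENTLESS_STATUSES = {"Unmanaged EC2 instance", "Stale inventory", "No inventory"}
SUPPORTED_FILE_SYSTEMS = {"ext3", "ext4", "xfs"}
MAX_VOLUMES = 8            # attached volumes must be fewer than this
MAX_TOTAL_SIZE_GB = 1200   # combined size, inclusive
EXCLUSION_TAG_KEY = "inspectorec2exclusion"  # matched case-insensitively


def is_excluded_by_tag(tags):
    """True when any tag key equals InspectorEc2Exclusion in any letter case.
    `tags` is a list of {"Key": ..., "Value": ...} dicts as EC2 returns them;
    the value is ignored because the page says it is optional."""
    return any(tag.get("Key", "").lower() == EXCLUSION_TAG_KEY for tag in tags)


def agentless_ineligibility_reasons(instance):
    """Return the rules the instance fails; an empty list means eligible.

    Expected keys:
      os_supported     bool  OS is in the agentless column of the support table
      coverage_status  str   status shown for the instance in the Instances tab
      root_device_type str   "ebs" or "instance-store"
      file_systems     list  file system types of the attached volumes
      tags             list  EC2 tags as {"Key", "Value"} dicts
      volume_sizes_gb  list  size of each attached volume in GB
    """
    reasons = []
    if not instance.get("os_supported", False):
        reasons.append("operating system is not supported for agentless scans")
    status = instance.get("coverage_status")
    if status not in AGENTLESS_STATUSES:
        reasons.append(f"coverage status {status!r} is not one of "
                       f"{sorted(AGENTLESS_STATUSES)}; the instance is either "
                       "SSM-managed (agent-based) or not covered at all")
    if instance.get("root_device_type") != "ebs":
        reasons.append("instance is not EBS-backed")
    file_systems = set(instance.get("file_systems", []))
    if not file_systems & SUPPORTED_FILE_SYSTEMS:
        reasons.append(f"no volume uses ext3, ext4 or xfs (found {sorted(file_systems)})")
    if is_excluded_by_tag(instance.get("tags", [])):
        reasons.append("excluded by the InspectorEc2Exclusion tag")
    sizes = instance.get("volume_sizes_gb", [])
    if len(sizes) >= MAX_VOLUMES:
        reasons.append(f"{len(sizes)} volumes attached; must be fewer than {MAX_VOLUMES}")
    if sum(sizes) > MAX_TOTAL_SIZE_GB:
        reasons.append(f"combined volume size {sum(sizes)} GB exceeds {MAX_TOTAL_SIZE_GB} GB")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a Linux instance whose SSM agent was never installed.
    sample = {
        "os_supported": True,
        "coverage_status": "Unmanaged EC2 instance",
        "root_device_type": "ebs",
        "file_systems": ["xfs"],
        "tags": [{"Key": "Name", "Value": "web-1"}],
        "volume_sizes_gb": [50, 200],
    }
    print(agentless_ineligibility_reasons(sample) or "eligible for agentless scanning")
```

Note the boundary handling: exactly 8 volumes is ineligible (the rule is fewer than 8) while exactly 1200 GB is still allowed, and an instance whose coverage status is anything other than the three listed is never picked up by the agentless method, even in hybrid mode.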

### Agentless scan behaviors
<a name="agentless-ec2-scan-behavior"></a>

When your account is configured for **Hybrid scanning**, Amazon Inspector performs agentless scans on eligible instances every 24 hours. Amazon Inspector detects and scans newly eligible instances every hour, which includes new instances without SSM agents, or pre-existing instances with statuses that have changed to `SSM_UNMANAGED`.

Amazon Inspector updates the **Last scanned** field for an Amazon EC2 instance each time an agentless scan of the instance's snapshots completes.

You can check when an EC2 instance was last scanned for vulnerabilities from the **Instances** tab on the **Account management** page or by using the [ListCoverage](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListCoverage.html) API operation.

## Managing scan mode
<a name="scan-mode"></a>

Your EC2 scan mode determines which scan methods Amazon Inspector will use when performing EC2 scans in your account. You can view the scan mode for your account from the EC2 scanning settings page under **General settings**. Standalone accounts or Amazon Inspector delegated administrators can change the scan mode. When you set the scan mode as the Amazon Inspector delegated administrator, that scan mode is set for all member accounts in your organization. Amazon Inspector has the following scan modes:

**Agent-based scanning** – In this scan mode, Amazon Inspector uses only the agent-based scan method when scanning for package vulnerabilities. This scan mode scans only SSM managed instances in your account, but has the benefit of providing continuous scans in response to new CVEs or changes to the instances. Agent-based scanning also provides Amazon Inspector deep inspection for eligible instances.

**Hybrid scanning** – In this scan mode, Amazon Inspector uses a combination of the agent-based and agentless methods to scan for package vulnerabilities. For eligible EC2 instances that have the SSM agent installed and configured, Amazon Inspector uses the agent-based method. For eligible EBS-backed instances that aren't SSM managed, Amazon Inspector uses the agentless method. This is the default scan mode for newly activated accounts.

**To change the scan mode**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1. Using the AWS Region selector in the upper-right corner of the page, select the Region where you want to change your EC2 scan mode.

1. From the side navigation panel, under **General settings**, select **EC2 scanning settings**.

1. Under **Scan Mode**, select **Edit**.

1. Choose a scan mode and then select **Save changes**.

## Excluding instances from Amazon Inspector scans
<a name="exclude-ec2"></a>

 You can exclude Linux and Windows instances from Amazon Inspector scans by tagging them with the `InspectorEc2Exclusion` key. The tag key is case-insensitive, and a tag value is optional. For information about adding tags, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html). 

 When you tag an instance for exclusion from Amazon Inspector scans, Amazon Inspector marks the instance as excluded and won't create findings for it. However, the Amazon Inspector SSM plugin continues to be invoked on the instance. To stop the plugin from being invoked, you must [allow access to tags in instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/work-with-tags-in-IMDS.html#allow-access-to-tags-in-IMDS) so that the exclusion tag is visible from the instance itself. 

**Note**  
 You're not charged for excluded instances. 

 Additionally, you can exclude an encrypted EBS volume from agentless scans by tagging the AWS KMS key used to encrypt that volume with the `InspectorEc2Exclusion` tag. For more information, see [Tagging keys](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys). 

## Supported operating systems
<a name="supported-instance"></a>

Amazon Inspector scans supported Mac, Windows, and Linux instances for vulnerabilities in operating system packages. For Linux instances, Amazon Inspector can produce findings for application programming language packages using [Amazon Inspector deep inspection for Linux-based Amazon EC2 instances](deep-inspection.md). For Mac and Windows instances only operating system packages are scanned. 

For information about supported operating systems, including which operating systems can be scanned without an SSM agent, see [Supported operating systems: Amazon EC2 scanning](supported.md#supported-os-ec2).

# Amazon Inspector deep inspection for Linux-based Amazon EC2 instances
<a name="deep-inspection"></a>

 Amazon Inspector expands Amazon EC2 scanning coverage to include deep inspection. With deep inspection, Amazon Inspector detects package vulnerabilities for application programming language packages in your Linux-based Amazon EC2 instances. Amazon Inspector scans default paths for programming language package libraries. However, you can [configure custom paths](https://docs.aws.amazon.com/inspector/latest/user/deep-inspection.html#deep-inspection-paths) in addition to the paths that Amazon Inspector scans by default. 

**Note**  
 Deep inspection requires `ssm:PutInventory` and `ssm:GetParameter` permissions. If an IAM instance profile is configured on the instance, Amazon Inspector uses that profile and ignores the DHMC role. The instance profile must include these permissions. If no instance profile is set, Amazon Inspector uses the configured [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html) role, which must include these permissions. 

 To perform deep inspection scans for your Linux-based Amazon EC2 instances, Amazon Inspector uses data collected with the Amazon Inspector SSM plugin. To manage the Amazon Inspector SSM plugin and perform deep inspection for Linux, Amazon Inspector automatically creates the SSM association `InvokeInspectorLinuxSsmPlugin-do-not-delete` in your account. Amazon Inspector collects updated application inventory from your Linux-based Amazon EC2 instances every 6 hours. 

**Note**  
 Deep inspection is not supported for Windows or Mac instances. 

 This section describes how to manage Amazon Inspector deep inspection for Amazon EC2 instances, including how to set custom paths for Amazon Inspector to scan. 

**Topics**
+ [Accessing or deactivating deep inspection](#deep-inspection-activate)
+ [Custom paths for Amazon Inspector deep inspection](#deep-inspection-paths)
+ [Custom schedules for Amazon Inspector deep inspection](#deep-inspection-schedules)
+ [Supported programming languages](#supported-deep-inspection)

## Accessing or deactivating deep inspection
<a name="deep-inspection-activate"></a>

**Note**  
 For accounts that activate Amazon Inspector after April 17, 2023, deep inspection is automatically activated as part of Amazon EC2 scanning. 

**To manage deep inspection**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home) 

1.  From the navigation pane, choose **General settings**, and then choose **EC2 scanning settings**. 

1.  Under **Deep inspection of Amazon EC2 instance**, you can [set custom paths for your organization or for your own account](https://docs.aws.amazon.com/inspector/latest/user/deep-inspection.html#deep-inspection-paths). 

 You can check the activation status programmatically for a single account with the [GetEc2DeepInspectionConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_GetEc2DeepInspectionConfiguration.html) API. As the delegated administrator, you can check the activation status for multiple member accounts with the [BatchGetMemberEc2DeepInspectionStatus](https://docs.aws.amazon.com/inspector/v2/APIReference/API_BatchGetMemberEc2DeepInspectionStatus.html) API. 

 If you activated Amazon Inspector before April 17, 2023, you can activate deep inspection through the console banner or the [UpdateEc2DeepInspectionConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateEc2DeepInspectionConfiguration.html) API. If you're the delegated administrator for an organization in Amazon Inspector, you can use the [BatchUpdateMemberEc2DeepInspectionStatus](https://docs.aws.amazon.com/inspector/v2/APIReference/API_BatchUpdateMemberEc2DeepInspectionStatus.html) API to activate deep inspection for yourself and your member accounts. 

 You can deactivate deep inspection through the [UpdateEc2DeepInspectionConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateEc2DeepInspectionConfiguration.html) API. Member accounts in an organization can't deactivate deep inspection themselves. Instead, the delegated administrator must deactivate deep inspection for the member account using the [BatchUpdateMemberEc2DeepInspectionStatus](https://docs.aws.amazon.com/inspector/v2/APIReference/API_BatchUpdateMemberEc2DeepInspectionStatus.html) API. 

## Custom paths for Amazon Inspector deep inspection
<a name="deep-inspection-paths"></a>

 You can set custom paths for Amazon Inspector to scan during deep inspection of your Linux Amazon EC2 instances. When you set a custom path, Amazon Inspector scans packages in that directory and in all of its subdirectories. 

 All accounts can define up to 5 custom paths. The delegated administrator for an organization can define 10 custom paths. 

 Amazon Inspector scans all custom paths in addition to the following default paths, which Amazon Inspector scans for all accounts: 
+ `/usr/lib`
+ `/usr/lib64`
+ `/usr/local/lib`
+ `/usr/local/lib64`

**Note**  
 Custom paths must be local paths. Amazon Inspector doesn't scan mapped network paths, such as Network File System mounts or Amazon S3 file system mounts. 

### Formatting custom paths
<a name="deep-inspection-paths-format"></a>

 A custom path cannot be longer than 256 characters. The following is an example of how a custom path might look: 

**Example path**  
 `/home/usr1/project01` 

**Note**  
 The package limit per instance is 5,000. The maximum package inventory collection time is 15 minutes. Amazon Inspector recommends that you choose custom paths to avoid these limits. 

### Setting a custom path in the Amazon Inspector console and with the Amazon Inspector API
<a name="deep-inspection-add-paths"></a>

 The following procedures describe how to set a custom path for Amazon Inspector deep inspection in the Amazon Inspector console and with the Amazon Inspector API. After you set a custom path, Amazon Inspector includes the path in the next deep inspection. 

------
#### [ Console ]

1.  Sign in to the AWS Management Console as the delegated administrator, and open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the AWS Region selector to choose the Region where you want to set the custom path. 

1.  From the navigation pane, choose **General settings**, and then choose **EC2 scanning settings**. 

1.  Under **Custom paths for your own account**, choose **Edit**. 

1.  In the path text boxes, enter your custom paths. 

1.  Choose **Save**. 

------
#### [ API ]

 Run the [UpdateEc2DeepInspectionConfiguration](https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateEc2DeepInspectionConfiguration.html) command. For `packagePaths`, specify an array of paths to scan. 

------
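As an added example (not AWS's own code), the following POSIX shell script checks a set of custom paths against the limits described above (path count for the account type, 256-character maximum, absolute local paths) before passing them to `UpdateEc2DeepInspectionConfiguration` through the AWS CLI. The `DRY_RUN` switch and the sample paths are assumptions so that it can be exercised without AWS credentials.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: validate deep inspection
# custom paths against the documented limits, then call the API.
#
# Limits from the docs: at most 5 paths for a standalone or member account,
# 10 for the delegated administrator; each path at most 256 characters;
# paths must be local. The check below enforces that a path is absolute;
# it cannot tell an NFS or Amazon S3 mount from a local directory.

MAX_PATH_LEN=256

# validate_custom_paths LIMIT PATH...
# Returns 0 if the path set is acceptable, 1 (with a reason on stderr) otherwise.
validate_custom_paths() {
  limit="$1"
  shift
  if [ "$#" -gt "$limit" ]; then
    echo "too many custom paths: $# (limit $limit)" >&2
    return 1
  fi
  for p in "$@"; do
    case "$p" in
      /*) ;;
      *) echo "not an absolute path: $p" >&2; return 1 ;;
    esac
    if [ "${#p}" -gt "$MAX_PATH_LEN" ]; then
      echo "path exceeds $MAX_PATH_LEN characters: $p" >&2
      return 1
    fi
  done
  return 0
}

# apply_custom_paths LIMIT PATH...
# Validates the paths, then calls the API with the AWS CLI. With DRY_RUN=1
# (an assumption of this example) the command is printed instead of executed.
apply_custom_paths() {
  validate_custom_paths "$@" || return 1
  shift
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws inspector2 update-ec2-deep-inspection-configuration --activate-deep-inspection --package-paths'
    for p in "$@"; do printf " '%s'" "$p"; done
    printf '\n'
    return 0
  fi
  aws inspector2 update-ec2-deep-inspection-configuration \
    --activate-deep-inspection \
    --package-paths "$@"
}

# Constructed invocation: the docs' sample path plus one more, for a
# standalone account (limit 5), printed rather than executed.
DRY_RUN=1
apply_custom_paths 5 /home/usr1/project01 /opt/app/lib
```

Run it as the delegated administrator with a limit of 10 instead of 5; unset `DRY_RUN` to actually call the API.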

## Custom schedules for Amazon Inspector deep inspection
<a name="deep-inspection-schedules"></a>

 By default, Amazon Inspector collects an application inventory from Amazon EC2 instances every 6 hours. However, you can run the following commands to control how often Amazon Inspector does this. 

 **Example command 1: List associations to view association ID and current interval** 

 The following command returns the association ID and current schedule for the association `InvokeInspectorLinuxSsmPlugin-do-not-delete`. 

```
aws ssm list-associations \
--association-filter-list "key=AssociationName,value=InvokeInspectorLinuxSsmPlugin-do-not-delete" \
--region your-Region
```

 **Example command 2: Update association to include new interval** 

 The following command uses the association ID for the association `InvokeInspectorLinuxSsmPlugin-do-not-delete`. You can set the rate for `schedule-expression` from 6 hours to a new interval, such as 12 hours. 

```
aws ssm update-association \
--association-id "your-association-ID" \
--association-name "InvokeInspectorLinuxSsmPlugin-do-not-delete" \
--schedule-expression "rate(12 hours)" \
--region your-Region
```

**Note**  
 Depending on your use case, if you set the rate for `schedule-expression` from 6 hours to a short interval such as 30 minutes, you can [exceed the daily SSM inventory limit](https://docs.aws.amazon.com/inspector/latest/user/assessing-coverage.html#viewing-coverage-instances). This delays results, and you might encounter Amazon EC2 instances with partial error statuses. 

## Supported programming languages
<a name="supported-deep-inspection"></a>

 For Linux instances, Amazon Inspector deep inspection can produce findings for application programming language packages and operating system packages. 

 For Mac and Windows instances, Amazon Inspector deep inspection can produce findings only for operating system packages. 

 For more information about supported programming languages, see [Supported programming languages: Amazon EC2 deep inspection](https://docs.aws.amazon.com/inspector/latest/user/supported.html#supported-programming-languages-deep-inspection). 

# Scanning Windows EC2 instances with Amazon Inspector
<a name="windows-scanning"></a>

 Amazon Inspector automatically discovers all supported Windows instances and includes them in continuous scanning without any extra actions. For information about which instances are supported, see [Operating systems and programming languages supported by Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/supported.html). Amazon Inspector runs Windows scans at regular intervals. Windows instances are scanned at discovery and then every 6 hours. However, you can [adjust the default scan interval](https://docs.aws.amazon.com/inspector/latest/user/windows-scanning.html#windows-scan-schedule) after the first scan. 

 When Amazon EC2 scanning is activated, Amazon Inspector creates the following SSM associations for your Windows resources: `InspectorDistributor-do-not-delete`, `InspectorInventoryCollection-do-not-delete`, and `InvokeInspectorSsmPlugin-do-not-delete`. To install the Amazon Inspector SSM plugin on your Windows instances, the `InspectorDistributor-do-not-delete` SSM association uses the [`AWS-ConfigureAWSPackage` SSM document](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html) and the [`AmazonInspector2-InspectorSsmPlugin` SSM Distributor package](https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor.html). For more information, see [The Amazon Inspector SSM plugin for Windows](https://docs.aws.amazon.com/inspector/latest/user/deep-inspection.html#inspector/latest/user/deep-inspection.html). To collect instance data and generate Amazon Inspector findings, the `InvokeInspectorSsmPlugin-do-not-delete` SSM association runs the Amazon Inspector SSM plugin at 6-hour intervals. However, you can [customize this setting using a cron or rate expression](https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html). 

**Note**  
 Amazon Inspector stages updated Open Vulnerability and Assessment Language (OVAL) definition files to the S3 bucket `inspector2-oval-prod-your-AWS-Region`. The Amazon S3 bucket contains the OVAL definitions used in scans. These OVAL definitions shouldn't be modified. Otherwise, Amazon Inspector won't scan for new CVEs when they are released. 

## Amazon Inspector scan requirements for Windows instances
<a name="windows-requirements"></a>

To scan a Windows instance, Amazon Inspector requires the instance to meet the following criteria:
+ The instance is an SSM managed instance. For instructions about setting up your instance for scanning, see [Configuring the SSM Agent](scanning-ec2.md#configure-ssm).
+ The instance operating system is one of the supported Windows operating systems. For a complete list of supported operating systems, see [Supported operating systems: Amazon EC2 scanning](supported.md#supported-os-ec2).
+ The instance has the Amazon Inspector SSM plugin installed. Amazon Inspector automatically installs the Amazon Inspector SSM plugin for managed instances upon discovery. See the next topic for details about the plugin.

**Note**  
If your host is running in an Amazon VPC without outgoing internet access, Windows scanning requires your host to be able to access Regional Amazon S3 endpoints. To learn how to configure an Amazon S3 Amazon VPC endpoint, see [Create a gateway endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3) in the *Amazon Virtual Private Cloud User Guide*. If your Amazon VPC endpoint policy restricts access to external S3 buckets, you must specifically allow access to the bucket maintained by Amazon Inspector in your AWS Region that stores the OVAL definitions used to evaluate your instance. The bucket name has the following format: `inspector2-oval-prod-REGION`. 

## Setting custom schedules for Windows instance scans
<a name="windows-scan-schedule"></a>

You can customize the time between your Windows Amazon EC2 instance scans by setting a cron expression or rate expression for the `InvokeInspectorSsmPlugin-do-not-delete` association using SSM. For more information, see [Reference: Cron and rate expressions for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html) in the *AWS Systems Manager User Guide* or use the following instructions. 

Select from the following code examples to change the scan cadence for Windows instances from the default 6 hours to 12 hours using either a rate expression or a cron expression.

The following examples require you to use the **AssociationId** for the association named `InvokeInspectorSsmPlugin-do-not-delete`. You can retrieve your **AssociationId** by running the following AWS CLI command:

```
$ aws ssm list-associations --association-filter-list "key=AssociationName,value=InvokeInspectorSsmPlugin-do-not-delete" --region us-east-1
```

**Note**  
The **AssociationId** is Regional, so you need to first retrieve a unique ID for each AWS Region. You can then run the command to change the scan cadence in each Region where you want to set a custom scan schedule for Windows instances.

------
#### [ Example rate expression ]

```
$ aws ssm update-association \
--association-id "YourAssociationId" \
--association-name "InvokeInspectorSsmPlugin-do-not-delete" \
--schedule-expression "rate(12 hours)"
```

------
#### [ Example cron expression ]

```
$ aws ssm update-association \
--association-id "YourAssociationId" \
--association-name "InvokeInspectorSsmPlugin-do-not-delete" \
--schedule-expression "cron(0 0/12 * * ? *)"
```

------

# Scanning Amazon Elastic Container Registry container images with Amazon Inspector
<a name="scanning-ecr"></a>

 Amazon Inspector scans container images stored in Amazon Elastic Container Registry for software vulnerabilities to generate [package vulnerability findings](https://docs.aws.amazon.com/). When you activate Amazon ECR scanning, you set Amazon Inspector as the preferred scanning service for your private registry. 

**Note**  
 Amazon ECR uses a registry policy to grant permissions to an AWS principal. This principal has the required permissions to call Amazon Inspector APIs for scanning. When setting the scope of your registry policy, you must not put the `ecr:*` action or the `PutRegistryScanningConfiguration` action in a `deny` statement. Doing so results in errors at the registry level when enabling and disabling scanning for Amazon ECR. 

 With basic scanning, you can configure your repositories to scan on push or perform manual scans. With enhanced scanning, you scan for operating system and programming language package vulnerabilities at the registry level. For a side-by-side comparison of the differences between basic and enhanced scanning, see the [Amazon Inspector FAQ](https://aws.amazon.com/inspector/faqs/). 

**Note**  
 Basic scanning is provided and billed through Amazon ECR. For more information, see [Amazon Elastic Container Registry pricing](https://aws.amazon.com/ecr/pricing/). Enhanced scanning is provided and billed through Amazon Inspector. For more information, see [Amazon Inspector pricing](https://aws.amazon.com/inspector/pricing/). 

 For information about how to activate Amazon ECR scanning, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). For information about how to view findings, see [Viewing Amazon Inspector findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-locating-analyzing.html). For information about how to view findings within Amazon ECR at the image level, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the *Amazon Elastic Container Registry User Guide*. You can manage findings using AWS services not available for basic scanning, like [AWS Security Hub CSPM and Amazon EventBridge](https://docs.aws.amazon.com/inspector/latest/user/integrations.html). 

 You can view the scan configuration for each repository in Amazon Inspector through coverage pages and APIs. However, the configuration settings for basic scanning versus continuous scanning can only be modified in Amazon ECR. Amazon Inspector provides visibility into these settings but does not offer direct modification capabilities. For more information, see [Scan images for software vulnerabilities in Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the *Amazon ECR User Guide*. 

 This section provides information about Amazon ECR scanning and describes how to configure enhanced scanning for Amazon ECR repositories. 

## Scan behaviors for Amazon ECR scanning
<a name="ecr-scan-behavior"></a>

 When you first activate Amazon ECR scanning, Amazon Inspector detects images pushed within the last 14 days. Amazon Inspector then scans the images and sets their scan statuses to `ACTIVE`. Amazon Inspector scans only images that are active in Amazon ECR (the `imageStatus` field is `ACTIVE`). Images with an archived status in Amazon ECR (the `imageStatus` field is `ARCHIVED`) are not scanned by Amazon Inspector. 

 If continuous scanning is enabled, Amazon Inspector monitors images as long as they were pushed within 14 days (by default), the last-in-use date is within 14 days (by default), or the images are scanned within the configured re-scan duration. For Amazon Inspector accounts that were created prior to May 16th, 2025, the default configuration is for re-scan to monitor images if they were pushed or pulled within the last 90 days. For more information, see [Configuring the Amazon ECR re-scan duration](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html). 

For continuous scanning, Amazon Inspector initiates new vulnerability scans of container images in the following situations:
+ Whenever a new container image is pushed.
+ Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to that container image (continuous scanning only).
+ Whenever a container image is transitioned from archived to active in ECR.

If you configure your repository for scan on push, images are scanned only when you push them.

You can check when a container image was last checked for vulnerabilities from the **Container images** tab on the **Account management** page or by using the [ListCoverage](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListCoverage.html) API. Amazon Inspector updates the **Last scanned at** field of an Amazon ECR image in response to the following events: 
+ When Amazon Inspector completes an initial scan of a container image.
+ When Amazon Inspector re-scans a container image because a new common vulnerabilities and exposures (CVE) item that impacts that container image was added to the Amazon Inspector database.

### Archived ECR container images
<a name="archived-ecr-images"></a>

 Amazon Inspector does not scan container images archived in ECR (`imageStatus` is `ARCHIVED`). When an active image in ECR is transitioned to archived, Amazon Inspector automatically closes findings and then deletes the findings after 3 days. If an archived container image is transitioned to active in ECR, Amazon Inspector triggers a new scan. 

## Mapping container images to running containers
<a name="ecr-mapping-container-images"></a>

 Amazon Inspector provides comprehensive container security management by mapping container images to running containers across Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS). These mappings provide insights into vulnerabilities for images on running containers. 

**Note**  
 The managed policy `AWSReadOnlyAccess` alone does not provide sufficient permissions to view the mapping between Amazon ECR images and running containers. You need both the `AWSReadOnlyAccess` and `AWSInspector2ReadOnlyAccess` managed policies to view container image mapping information. 

 You can prioritize remediation efforts based on operational risks and maintain security coverage across the entire container ecosystem. You can view how many container images are currently in use and which container images were last used on an Amazon ECS or Amazon EKS cluster in the past 24 hours. You can also view how many Amazon ECS tasks and Amazon EKS pods are deployed. This information can be found in the Amazon Inspector console on the details screen for container image findings and with the `ecrImageInUseCount` and `ecrImageLastInUseAt` filters for the [FilterCriteria](https://docs.aws.amazon.com/inspector/v2/APIReference/API_FilterCriteria.html) data type. For new container images or accounts, it can take up to 36 hours for data to be available. Afterwards, this data is updated once every 24 hours. For more information, see [Viewing Amazon Inspector findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-locating-analyzing.html) and [Viewing details for Amazon Inspector findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-details.html). 

**Note**  
 This data is automatically sent to Amazon ECR findings when you activate Amazon ECR scanning and configure your repository for continuous scanning. Continuous scanning must be configured at the Amazon ECR repository level. For more information, see [Enhanced scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html) in the *Amazon Elastic Container Registry User Guide*. 

 You can also [re-scan container images](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html) from clusters based on their last-in-use date. 

 This feature is also supported on Fargate with Amazon ECS and Amazon EKS. 

## Supported operating systems and media types
<a name="ecr-supported-media"></a>

 For information about supported operating systems, see [Supported operating systems: Amazon ECR scanning with Amazon Inspector](supported.md#supported-os-ecr). 

 Amazon Inspector scans of Amazon ECR repositories cover the following supported media types: 

**Image manifest**
+  `"application/vnd.oci.image.manifest.v1+json"` 
+  `"application/vnd.docker.distribution.manifest.v2+json"` 

**Image configuration**
+  `"application/vnd.docker.container.image.v1+json"` 
+  `"application/vnd.oci.image.config.v1+json"` 

**Image layers**
+  `"application/vnd.docker.image.rootfs.diff.tar"` 
+  `"application/vnd.docker.image.rootfs.diff.tar.gzip"` 
+  `"application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"` 
+  `"application/vnd.oci.image.layer.v1.tar"` 
+  `"application/vnd.oci.image.layer.v1.tar+gzip"` 
+  `"application/vnd.oci.image.layer.v1.tar+zstd"` 
+  `"application/vnd.oci.image.layer.nondistributable.v1.tar"` 
+  `"application/vnd.oci.image.layer.nondistributable.v1.tar+gzip"` 

**Note**  
 Amazon Inspector does not support the `"application/vnd.docker.distribution.manifest.list.v2+json"` media type for the scanning of Amazon ECR repositories. 

# Configuring the Amazon ECR re-scan duration
<a name="scanning_resources_configure_duration_setting_ecr"></a>

 The Amazon ECR re-scan duration setting determines how long Amazon Inspector continuously monitors container images in repositories. You configure the re-scan duration for the image last-in-use date, last pull date, and push date. As a best practice, configure the re-scan duration to best suit your environment. 

 If you build images often, choose a shorter scan duration. For images used over long periods of time, choose a longer scan duration. The default scan duration for new accounts, including new accounts added to an organization, is 14 days. 

 Amazon Inspector will continue to monitor and rescan an image as long as it was last in use on a cluster or pushed within 14 days (by default). If an image hasn’t been pushed or last used on a running container within the configured push and last in use dates, Amazon Inspector stops monitoring it. There is an option to change the setting to monitor images by last pull date instead of the last in use date, if required. When Amazon Inspector stops monitoring an image, it sets the image scan status code to inactive and reason code to expired. Amazon Inspector then schedules all associated image findings to be closed. 

 If you increase the push date duration, Amazon Inspector applies the change to all actively scanned images in repositories configured for continual scanning. However, inactive images remain inactive, even if you push them within the new duration. 

 When you configure the re-scan duration from a delegated administrator account, Amazon Inspector applies the setting to all member accounts in the organization. If the delegated administrator account does not enable Amazon ECR scanning, it cannot view clusters for an API image. 

 For multi-architecture images, the last-in-use date tracking is not supported. When using multi-architecture images, we recommend that you configure scanning based on image pull or push events instead of the last-in-use date to ensure proper re-scanning behavior. 

**Note**  
 All re-scan duration settings configured prior to May 16, 2025, will remain unchanged. You can continue using any default settings previously configured. 

**Image re-scan duration**  
 The image re-scan duration determines how long Amazon Inspector will monitor images. The image re-scan duration includes two modes: **Last in use date** (default) or **Last pull date**. Choose **Last in use date** (default) if you want to use the last in use date from your Amazon ECS/Amazon EKS cluster activity. Choose **Last pull date** if you want to use the last pull date from your Amazon ECR images to re-scan images. The following options are available as re-scan durations: 
+  14 days (default) 
+  30 days 
+  60 days 
+  90 days 
+  180 days 

**Image push date duration**  
 The image push date duration determines how long Amazon Inspector will continuously monitor images after being pushed to repositories. The following options are available as re-scan durations: 
+  14 days (default) 
+  30 days 
+  60 days 
+  90 days 
+  180 days 
+  Lifetime 

**To configure the Amazon ECR re-scan duration**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Select the AWS Region where you want to configure the Amazon ECR re-scan duration. 

1.  From the navigation pane, choose **General settings**, and then choose **ECR scanning settings**. 

1.  Under **ECR re-scan duration**, choose the image re-scan mode, and then choose the corresponding duration. 

1.  Under **Image push date**, choose the image push date. 

1.  Choose **Save**. 

## Understanding ECR container image states
<a name="ecr-image-states"></a>

 Amazon Inspector scans only Amazon ECR container images with an `ACTIVE` status. Amazon ECR container images with an `ARCHIVED` status are not scanned. To learn more about scanning behaviors, see [Scan behaviors for Amazon ECR scanning](scanning-ecr.md#ecr-scan-behavior). 

 When the status of an Amazon ECR container image transitions to `ACTIVE`, Amazon Inspector uses the `lastActivatedAt` field to track the re-scan duration. 

# Scanning AWS Lambda functions with Amazon Inspector
<a name="scanning-lambda"></a>

 Amazon Inspector support for AWS Lambda functions and layers provides continuous automated security vulnerability assessments. Amazon Inspector offers two types of Lambda function scanning: 

**[Amazon Inspector Lambda standard scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_lambda_exclude_functions.html)**  
 This scan type is the default Lambda scan type. It scans application dependencies in Lambda functions and layers for [package vulnerabilities](findings-types.md#findings-types-package). 

**[Amazon Inspector Lambda code scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_lambda_code.html)**  
 This scan type scans custom application code in your Lambda functions and layers for [code vulnerabilities](findings-types.md#findings-types-code). You can activate Lambda standard scanning alone, or Lambda standard scanning together with Lambda code scanning. 

 If you want to activate Lambda code scanning, you must activate Lambda standard scanning first. For more information, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). 

 When you activate Lambda function scanning, Amazon Inspector creates service-linked channels in your account, using the `cloudtrail:CreateServiceLinkedChannel` and `cloudtrail:DeleteServiceLinkedChannel` permissions. Amazon Inspector manages these channels and uses them to monitor CloudTrail events for scans. The channels allow you to view CloudTrail events in your account as if you had a trail in CloudTrail. We recommend creating your own trail in CloudTrail to manage events in your account. For information about how to view these channels, see [Viewing service-linked channels](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-service-linked-channels.html) in the *AWS CloudTrail User Guide*. 

**Note**  
 Amazon Inspector does not support scanning [Lambda functions encrypted with customer managed keys](https://docs.aws.amazon.com/lambda/latest/dg/security-encryption-at-rest.html). This applies to Lambda standard scanning and Lambda code scanning. 

## Scan behaviors for Lambda function scanning
<a name="lambda-scan-behavior"></a>

Upon activation, Amazon Inspector scans all Lambda functions invoked or updated in the last 90 days in your account. Amazon Inspector initiates vulnerability scans of Lambda functions in the following situations:
+ As soon as Amazon Inspector discovers an existing Lambda function.
+ When you deploy a new Lambda function to the Lambda service.
+ When you deploy an update to the application code or dependencies of an existing Lambda function or its layers.
+ Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your function.

Amazon Inspector monitors each Lambda function throughout its lifetime until it's either deleted or excluded from scanning.

You can check when a Lambda function was last checked for vulnerabilities from the **Lambda functions** tab on the **Account management** page or by using the [ListCoverage](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListCoverage.html) API. Amazon Inspector updates the **Last scanned at** field for a Lambda function in response to the following events:
+ When Amazon Inspector completes an initial scan of a Lambda function.
+ When a Lambda function is updated.
+ When Amazon Inspector re-scans a Lambda function because a new CVE item impacting that function was added to the Amazon Inspector database.

## Supported runtimes and eligible functions
<a name="supported-functions"></a>

Amazon Inspector supports different runtimes for Lambda standard scanning and Lambda code scanning. For a list of supported runtimes for each scan type, see [Supported runtimes: Amazon Inspector Lambda standard scanning](supported.md#supported-programming-languages-lambda-standard) and [Supported runtimes: Amazon Inspector Lambda code scanning](supported.md#supported-programming-languages-lambda-code).

In addition to having a supported runtime, a Lambda function needs to meet the following criteria to be eligible for Amazon Inspector scans:
+ The function has been invoked or updated in the last 90 days.
+ The function is marked `$LATEST`.
+ The function isn't excluded from scans by tags.

**Note**  
Lambda functions that haven't been invoked or modified in the last 90 days are automatically excluded from scans. Amazon Inspector will resume scanning an automatically excluded function if it is invoked again or if changes are made to the Lambda function code.

# Amazon Inspector Lambda standard scanning
<a name="scanning_resources_lambda"></a>

Amazon Inspector Lambda standard scanning identifies software vulnerabilities in the application package dependencies you add to your Lambda function code and layers. For example, if your Lambda function uses a version of the `python-jwt` package with a known vulnerability, Lambda standard scanning will generate a finding for that function.

If Amazon Inspector detects a vulnerability in your Lambda function application package dependencies, Amazon Inspector produces a detailed **Package Vulnerability** type finding.

For instructions on activating a scan type see [Activating a scan type](activate-scans.md).

**Note**  
Lambda standard scanning doesn't scan the AWS SDK dependency installed by default in the Lambda runtime environment. Amazon Inspector only scans dependencies uploaded with the function code or inherited from a layer.

**Note**  
Deactivating Amazon Inspector Lambda standard scanning will also deactivate Amazon Inspector Lambda code scanning.

# Excluding functions from Lambda standard scanning
<a name="scanning_resources_lambda_exclude_functions"></a>

 You can tag Lambda functions to exclude them from Amazon Inspector Lambda standard scans. Excluding functions from scans can prevent unactionable alerts. When you tag a function for exclusion, the tag must have the following key-value pair. 
+  Key: `InspectorExclusion` 
+  Value: `LambdaStandardScanning` 

 This topic describes how to tag a function for exclusion from scans. For more information about adding tags in Lambda, see [Using tags on Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html). 

**To exclude a function from scans**

1.  Sign in using your credentials, and then open the Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/). 

1.  From the navigation pane, choose **Functions**. 

1.  Choose the name of the function that you want to exclude from Amazon Inspector Lambda standard scans. 

1.  Choose **Configuration**, and then choose **Tags**. 

1.  Choose **Manage tags**, and then **Add new tag**. 

   1.  For **Key**, enter `InspectorExclusion`. 

   1.  For **Value**, enter `LambdaStandardScanning`. 

1.  Choose **Save**. 

# Amazon Inspector Lambda code scanning
<a name="scanning_resources_lambda_code"></a>

**Important**  
 This feature captures snippets of Lambda functions to highlight detected vulnerabilities. These snippets can show hardcoded credentials and other sensitive materials. 

 With this feature, Amazon Inspector scans application code in a Lambda function for code vulnerabilities based on AWS security best practices to detect data leaks, injection flaws, missing encryption, and weak cryptography. Amazon Inspector uses automated reasoning and machine learning to evaluate your Lambda function application code. It also uses internal detectors that are developed in collaboration with Amazon Q to identify policy violations and vulnerabilities. 

 Amazon Inspector generates a [code vulnerability](https://docs.aws.amazon.com/inspector/latest/user/findings-types.html#findings-types-code) finding when it detects a vulnerability in your Lambda function application code. This finding type includes a code snippet showing the issue and where you can find the issue in your code. It also suggests how to remediate the issue. The suggestion includes plug-and-play code blocks that you can use to replace vulnerable lines of code. These code fixes are provided in addition to the general code remediation guidance for this finding type. 

 Code remediation suggestions are powered by automated reasoning. Some code remediation suggestions might not work as intended. You are responsible for the code remediation suggestions you adopt. Always review code remediation suggestions before adopting them. You might need to edit them to make sure your code performs as intended. For more information, see the [Responsible AI Policy](https://aws.amazon.com/machine-learning/responsible-ai/policy/). 

 If you want to activate Lambda code scanning, you must activate Lambda standard scanning first. For more information, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). For information about which AWS Regions support this feature, see [Region-specific feature availability](inspector_regions.md#ins-regional-feature-availability). 

## Encrypting your code in code vulnerability findings
<a name="lambda-code-encryption"></a>

 Amazon Q stores the code snippets that Lambda code scanning associates with a code vulnerability finding. By default, Amazon Q controls [the AWS owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) used to encrypt your code. However, you can use your own customer managed key for encryption through the Amazon Inspector API. For more information, see [Encryption at rest for code in your findings](encryption-rest.md#encryption-code-snippets). 

# Excluding functions from Lambda code scanning
<a name="scanning_resources_lambda_code_exclude_functions"></a>

 You can add tags to Lambda functions to exclude them from Amazon Inspector Lambda code scans. Excluding functions from scans can prevent unactionable alerts. When you tag a function for exclusion, the tag must have exactly the following key-value pair. 
+  Key – `InspectorCodeExclusion` 
+  Value – `LambdaCodeScanning` 

 This topic describes how to tag a function for exclusion from code scans. For more information about adding tags in Lambda, see [Using tags on Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html). 

**To exclude a function from code scans**

1.  Sign in using your credentials, and then open the Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/). 

1.  From the navigation pane, choose **Functions**. 

1.  Choose the name of the function that you want to exclude from Amazon Inspector Lambda code scans. 

1.  Choose **Configuration**, and then choose **Tags**. 

1.  Choose **Manage tags**, and then **Add new tag**. 

   1. For **Key**, enter `InspectorCodeExclusion`.

   1.  For **Value**, enter `LambdaCodeScanning`. 

1.  Choose **Save**. 
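
The two exclusion tags above (for standard scanning and for code scanning) only take effect when the key and value match exactly. The following is an added example, not code from the Amazon Inspector or Lambda documentation, that audits a set of Lambda function tags offline and flags both functions that are excluded from a scan type and tags that look like an exclusion but do not match (wrong case, stray whitespace). The optional `collect_function_tags` helper fetches real tags with boto3's `lambda` client (`list_functions` and `list_tags`); the sample ARNs and tag sets are constructed for this example.

```python
"""Audit Amazon Inspector exclusion tags on Lambda functions.

Added example (not AWS documentation code). It assumes:
  * the two tag pairs documented on this page, which must match exactly;
  * that a function's tag listing is a plain {key: value} dict, which is
    what boto3's lambda.list_tags returns under "Tags".
"""
from typing import Dict, List

# Tag pairs documented for Amazon Inspector Lambda scan exclusion.
STANDARD_EXCLUSION = ("InspectorExclusion", "LambdaStandardScanning")
CODE_EXCLUSION = ("InspectorCodeExclusion", "LambdaCodeScanning")


def exclusion_status(tags: Dict[str, str]) -> Dict[str, bool]:
    """Report which Inspector scans a function's tags exclude it from.

    Matching is exact (case-sensitive key and value), because a tag such as
    InspectorExclusion=lambdastandardscanning excludes nothing and the
    function keeps being scanned.
    """
    return {
        "standard": tags.get(STANDARD_EXCLUSION[0]) == STANDARD_EXCLUSION[1],
        "code": tags.get(CODE_EXCLUSION[0]) == CODE_EXCLUSION[1],
    }


def near_miss_tags(tags: Dict[str, str]) -> List[str]:
    """Return tag keys that resemble an exclusion tag but do not match exactly.

    These deserve review: either an intended exclusion is silently not
    applied, or someone believes a function is excluded when it is not.
    """
    problems = []
    for key, value in tags.items():
        for want_key, want_value in (STANDARD_EXCLUSION, CODE_EXCLUSION):
            same_key_ci = key.strip().lower() == want_key.lower()
            if same_key_ci and (key != want_key or value != want_value):
                problems.append(key)
    return problems


def audit_functions(function_tags: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Audit a mapping of function ARN -> tags and return per-function status."""
    return {
        arn: {**exclusion_status(tags), "near_miss": near_miss_tags(tags)}
        for arn, tags in function_tags.items()
    }


def collect_function_tags(region: str) -> Dict[str, Dict[str, str]]:
    """Fetch tags for every Lambda function in a Region (needs boto3 and credentials).

    boto3 is imported lazily so the offline helpers above run without it.
    """
    import boto3

    client = boto3.client("lambda", region_name=region)
    result = {}
    for page in client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            arn = fn["FunctionArn"]
            result[arn] = client.list_tags(Resource=arn).get("Tags", {})
    return result


# Constructed sample tag sets for an offline run (not real functions).
SAMPLE_TAGS = {
    "arn:aws:lambda:us-east-1:111122223333:function:billing-export": {
        "InspectorExclusion": "LambdaStandardScanning",
        "InspectorCodeExclusion": "LambdaCodeScanning",
    },
    "arn:aws:lambda:us-east-1:111122223333:function:webhook": {
        "inspectorexclusion": "LambdaStandardScanning",  # wrong key case: not excluded
    },
    "arn:aws:lambda:us-east-1:111122223333:function:api": {
        "Team": "platform",
    },
}

if __name__ == "__main__":
    for arn, status in audit_functions(SAMPLE_TAGS).items():
        print(arn.rsplit(":", 1)[-1], status)
```

Run the audit periodically and treat every excluded function as a conscious decision to review, since an exclusion removes the function from the scan type entirely rather than suppressing a single finding.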

# Deactivating a scan type in Amazon Inspector
<a name="deactivate-scans"></a>

When you deactivate a scan type, you lose access to any findings the scan type produced. If you [reactivate the scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html), Amazon Inspector scans all eligible resources to generate new findings. If you want to keep a record of your findings, you can export them to an Amazon Simple Storage Service (Amazon S3) bucket as a findings report. For more information, see [Exporting Amazon Inspector findings reports](findings-managing-exporting-reports.md). When you deactivate a scan type, you might encounter the following changes in the AWS account where you deactivated the scan type: 

**[Amazon EC2 scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html)**  
 When you deactivate Amazon Inspector Amazon EC2 scanning for an account, the following SSM associations are deleted: 
+ `InspectorDistributor-do-not-delete`
+ `InspectorInventoryCollection-do-not-delete`
+ `InspectorLinuxDistributor-do-not-delete`
+ `InvokeInspectorLinuxSsmPlugin-do-not-delete`
+ `InvokeInspectorSsmPlugin-do-not-delete`

 Additionally, the Amazon Inspector SSM plugin is removed from all Windows hosts. For more information, see [Scanning Windows EC2 instance](windows-scanning.md). 

**[Amazon ECR scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html)**  
 When you deactivate Amazon ECR scanning for an account, the account's Amazon ECR scan type changes from **Enhanced scanning** with Amazon Inspector to **Basic scanning** with Amazon ECR. 

**[Lambda standard scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html#lambda-standard-scans)**  
 When you deactivate Lambda standard scanning for an account, you also deactivate Lambda code scanning if that scan type was activated. You also delete the CloudTrail service-linked channel that Amazon Inspector creates when you activate Lambda standard scanning. 

**[Amazon Inspector Code Security](https://docs.aws.amazon.com/inspector/latest/user/scanning-lambda.html#lambda-standard-scans)**  
 When you deactivate Code Security for your account, you delete all integrations, projects, and scan configurations associated with it. If your account is the delegated administrator for an organization, you only deactivate Code Security for your account, and member accounts become standalone accounts. 

## Deactivating scans
<a name="deatctivate-scans-proc"></a>

Deactivating all scan types for an account deactivates Amazon Inspector for that account in that AWS Region. For more information, see [Deactivating Amazon Inspector](deactivating-best-practices.md).

To complete this procedure for a multi-account environment, follow these steps while signed in as the Amazon Inspector delegated administrator.

------
#### [ Console ]

**To deactivate scans**

1. Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home).

1. By using the AWS Region selector in the upper-right corner of the page, select the Region where you want to deactivate scans.

1. In the navigation pane, choose **Account management**.

1. Choose the **Accounts** tab to show the scanning status of an account.

1. Select the check box of each account for which you want to deactivate scans.

1. Choose **Actions**, and, from the **Deactivate** options, select the scan type you wish to deactivate.

1. (Recommended) Repeat these steps in each AWS Region for which you want to deactivate that scan type.

------
#### [ API ]

Run the [Disable](https://docs.aws.amazon.com/inspector/v2/APIReference/API_Disable.html) API operation. In the request, provide the account IDs you are deactivating scans for, and for `resourceTypes` provide one or more of `EC2`, `ECR`, `LAMBDA`, or `LAMBDA_CODE` to deactivate scans.
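
The following is an added example, not code from the Amazon Inspector documentation, that calls the Disable operation through boto3's `inspector2` client. Before sending the request it validates the account IDs and the `resourceTypes` values named above, and it reports the side effect described earlier on this page: naming `LAMBDA` without `LAMBDA_CODE` still switches Lambda code scanning off. The `failedAccounts` handling in `disable_scans` reflects this example's assumption about the response shape.

```python
"""Deactivate Amazon Inspector scan types through the Disable API.

Added example (not AWS documentation code). Assumes boto3's inspector2
client, whose disable() call takes the accountIds and resourceTypes
parameters named on this page. Reading a failedAccounts list from the
response is an assumption of this example.
"""
import re
from typing import Dict, Iterable, List

# Resource types accepted by the Disable operation, as listed on this page.
VALID_RESOURCE_TYPES = {"EC2", "ECR", "LAMBDA", "LAMBDA_CODE"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_disable_request(account_ids: Iterable[str],
                          resource_types: Iterable[str]) -> Dict[str, List[str]]:
    """Validate inputs and return keyword arguments for inspector2.disable().

    Raises ValueError instead of sending a malformed request, so a typo such
    as "Lambda" or an 11-digit account ID is caught before anything is
    deactivated.
    """
    ids = sorted(set(account_ids))
    types = sorted(set(resource_types))
    if not ids or not types:
        raise ValueError("need at least one account ID and one resource type")
    bad_ids = [a for a in ids if not ACCOUNT_ID_RE.match(a)]
    if bad_ids:
        raise ValueError(f"invalid account IDs: {bad_ids}")
    bad_types = [t for t in types if t not in VALID_RESOURCE_TYPES]
    if bad_types:
        raise ValueError(f"invalid resource types: {bad_types}")
    return {"accountIds": ids, "resourceTypes": types}


def implied_deactivations(resource_types: Iterable[str]) -> List[str]:
    """Scan types switched off as a side effect of the request.

    Deactivating Lambda standard scanning also deactivates Lambda code
    scanning, so a request naming LAMBDA but not LAMBDA_CODE still turns
    LAMBDA_CODE off.
    """
    types = set(resource_types)
    if "LAMBDA" in types and "LAMBDA_CODE" not in types:
        return ["LAMBDA_CODE"]
    return []


def disable_scans(account_ids: Iterable[str], resource_types: Iterable[str],
                  region: str) -> List[str]:
    """Call the Disable API and return the account IDs that failed.

    Findings from a deactivated scan type are no longer accessible, so export
    a findings report first if you need a record of them.
    """
    import boto3  # lazy import; the validators above run without it

    request = build_disable_request(account_ids, resource_types)
    client = boto3.client("inspector2", region_name=region)
    response = client.disable(**request)
    # Assumed response shape: failedAccounts carries per-account errors.
    return [f["accountId"] for f in response.get("failedAccounts", [])]


if __name__ == "__main__":
    # Constructed sample input; 111122223333 is a placeholder account ID.
    wanted = ["LAMBDA"]
    print(build_disable_request(["111122223333"], wanted))
    print("also deactivated:", implied_deactivations(wanted))
```

Run `disable_scans` once per Region, as the console procedure above also repeats per Region, and only after any findings report you need has been exported.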

------