

End of support notice: On May 20, 2026, AWS will end support for Amazon Inspector Classic. After May 20, 2026, you will no longer be able to access the Amazon Inspector Classic console or Amazon Inspector Classic resources. Amazon Inspector Classic is no longer available to new accounts and accounts that have not completed an assessment in the last 6 months. For all other accounts, access will remain valid until May 20, 2026, after which you will no longer be able to access the Amazon Inspector Classic console or Amazon Inspector Classic resources. For more information, see [Amazon Inspector Classic end of support](https://docs.aws.amazon.com/inspector/v1/userguide/inspector-migration.html).

# Amazon Inspector Classic agents


The Amazon Inspector Classic agent is an entity that collects installed package information and software configuration for an Amazon EC2 instance. Though not required in all cases, you should install the Amazon Inspector Classic agent on each of your target Amazon EC2 instances in order to fully assess their security.

For more information about how to install, uninstall, and reinstall the agent, how to verify whether the installed agent is running, and how to configure proxy support for the agent, see [Working with Amazon Inspector Classic agents on Linux-based operating systems](inspector_agents-on-linux.md) and [Working with Amazon Inspector Classic agents on Windows-based operating systems](inspector_agents-on-win.md).

**Note**  
An Amazon Inspector Classic agent is not required to run the [Network Reachability](inspector_network-reachability.md) rules package.

**Important**  
The Amazon Inspector Classic agent relies on Amazon EC2 instance metadata to function correctly. It accesses instance metadata using version 1 or version 2 of the Instance Metadata Service (IMDSv1 or IMDSv2). See [Instance Metadata and User Data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) to learn more about EC2 instance metadata and access methods.

**Topics**
+ [Amazon Inspector Classic agent privileges](#agent-privileges)
+ [Network and Amazon Inspector Classic agent security](#agent-security)
+ [Amazon Inspector Classic agent updates](#agent-updates)
+ [Telemetry data lifecycle](#telemetry-data-lifecycle)
+ [Access control from Amazon Inspector Classic into AWS accounts](#access-control)
+ [Amazon Inspector Classic agent limits](#agent-limits)
+ [Installing Amazon Inspector Classic agents](inspector_installing-uninstalling-agents.md)
+ [Working with Amazon Inspector Classic agents on Linux-based operating systems](inspector_agents-on-linux.md)
+ [Working with Amazon Inspector Classic agents on Windows-based operating systems](inspector_agents-on-win.md)
+ [(Optional) Verify the signature of the Amazon Inspector Classic agent installation script on Linux-based operating systems](inspector_verify-sig-agent-download-linux.md)
+ [(Optional) Verify the signature of the Amazon Inspector Classic agent installation script on Windows-based operating systems](inspector_verify-sig-agent-download-win.md)

## Amazon Inspector Classic agent privileges


You must have administrative or root permissions to install the Amazon Inspector Classic agent. On supported Linux-based operating systems, the agent consists of a user mode executable that runs with root access. On supported Windows-based operating systems, the agent consists of an updater service and an agent service, each running in user mode with `LocalSystem` privileges.

## Network and Amazon Inspector Classic agent security


The Amazon Inspector Classic agent initiates all communication with the Amazon Inspector Classic service. This means that the agent must have an outbound network path to public endpoints so that it can send telemetry data. For example, the agent might connect to `arsenal.<region>.amazonaws.com`, or the endpoint might be an Amazon S3 bucket at `s3.dualstack.<region>.amazonaws.com`. Make sure to replace `<region>` with the actual AWS Region where you are running Amazon Inspector Classic. For more information, see [AWS IP Address Ranges](http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html). Because all connections from the agent are established outbound, it is not necessary to open ports in your security groups to allow inbound communications to the agent from Amazon Inspector Classic. 

The agent periodically communicates with Amazon Inspector Classic over a TLS-protected channel, which is authenticated using either the AWS identity associated with the role of the EC2 instance, or, if no role is assigned, with the instance's metadata document. When authenticated, the agent sends heartbeat messages to the service and receives instructions from the service in response. If an assessment has been scheduled, the agent receives the instructions for that assessment. These instructions are structured JSON files, and they tell the agent to enable or disable specific preconfigured sensors in the agent. Each instruction action is predefined within the agent. Arbitrary instructions can't be executed. 

During an assessment, the agent gathers telemetry data from the system to send back to Amazon Inspector Classic over a TLS-protected channel. The agent doesn't make changes to the system that it collects data from. After the agent collects the telemetry data, it sends the data back to Amazon Inspector Classic for processing. Beyond the telemetry data that it generates, the agent is not capable of collecting or transmitting any other data about the system or assessment targets. Currently, there is no method exposed for intercepting and examining telemetry data at the agent.

## Amazon Inspector Classic agent updates


As updates for the Amazon Inspector Classic agent become available, they are automatically downloaded from Amazon S3 and applied. This also updates any required dependencies. The auto-update feature eliminates the need for you to track and manually maintain the versioning of the agents that you have installed on your EC2 instances. All updates are subject to audited Amazon change control processes to ensure compliance with applicable security standards. 

To further ensure the security of the agent, all communication between the agent and the auto-update release site (S3) is performed over a TLS connection, and the server is authenticated. All binaries involved in the auto-update process are digitally signed, and the signatures are verified by the updater before installation. The auto-update process is executed only during non-assessment periods. If any errors are detected, the update process can roll back and retry the update. Finally, the agent update process serves to upgrade only the agent capabilities. None of your specific information is ever sent from the agent to Amazon Inspector Classic as part of the update workflow. The only information that is communicated as part of the update process is the basic installation success or failure telemetry and, if applicable, any update failure diagnostic information.

## Telemetry data lifecycle


The telemetry data that is generated by the Amazon Inspector Classic agent during assessment runs is formatted in JSON files. The files are delivered in near-real-time over TLS to Amazon Inspector Classic, where they are encrypted with a per-assessment-run, ephemeral KMS-derived key. The files are securely stored in an Amazon S3 bucket that is dedicated to Amazon Inspector Classic. The rules engine of Amazon Inspector Classic accesses the encrypted telemetry data in the S3 bucket, decrypts it in memory, and processes the data against the configured assessment rules to generate findings. The telemetry data that is stored in S3 is retained only to allow for assistance with support requests. It isn't used or aggregated by Amazon for any other purpose. After 30 days, telemetry data is permanently deleted according to a standard S3 bucket lifecycle policy for Amazon Inspector Classic data. Currently, Amazon Inspector Classic does not provide an API or an S3 bucket access mechanism to collected telemetry.

## Access control from Amazon Inspector Classic into AWS accounts


As a security service, Amazon Inspector Classic accesses your AWS accounts and resources only when it needs to find EC2 instances to assess by querying for tags. It does this through standard IAM access through the role created during the initial setup of the Amazon Inspector Classic service. During an assessment, all communications with your environment are initiated by the Amazon Inspector Classic agent that is installed locally on EC2 instances. The Amazon Inspector Classic service objects that are created, such as assessment targets, assessment templates, and findings generated by the service, are stored in a database managed by and accessible only to Amazon Inspector Classic. 

## Amazon Inspector Classic agent limits


For information about Amazon Inspector Classic agent limits, see [Amazon Inspector Classic service limits](inspector_limits.md).

# Installing Amazon Inspector Classic agents


You can install the Amazon Inspector Classic agent using the [Systems Manager Run Command](http://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html) on multiple instances (including both Linux-based and Windows-based instances). Alternatively, you can install the agent individually by signing in to each EC2 instance. The procedures in this chapter provide instructions for both methods.

As another option, you can quickly install the agent on all Amazon EC2 instances included in an assessment target by selecting the **Install Agents** check box on the **Define an Assessment target** page on the console.

**Topics**
+ [Installing the agent on multiple EC2 instances using the Systems Manager Run Command](#install-run-command)
+ [Installing the agent on a Linux-based EC2 instance](#install-linux)
+ [Installing the agent on a Windows-based EC2 instance](#install-windows)

**Note**  
The procedures in this chapter apply to all AWS Regions that are supported by Amazon Inspector Classic.

## Installing the agent on multiple EC2 instances using the Systems Manager Run Command


You can install the Amazon Inspector Classic agent on your EC2 instances using the [Systems Manager Run Command](http://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html). This enables you to install the agent remotely and on multiple instances (both Linux-based and Windows-based instances with the same command) at once. 

**Important**  
Agent installation using the Systems Manager Run Command is not currently supported for the Debian operating system.

**Important**  
To use this option, make sure that your EC2 instance has the SSM Agent installed and has an IAM role that allows Run Command. The SSM Agent is installed, by default, on Amazon EC2 Windows instances and Amazon Linux instances. Amazon EC2 Systems Manager requires an IAM role for EC2 instances that process commands and a separate role for users executing commands. For more information, see [Installing and configuring SSM Agent](http://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) and [Configuring security roles for SSM](http://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-access.html).

**To install the agent on multiple EC2 instances using the Systems Manager Run Command**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane under **Node Tools**, choose **Run Command**. 

1. Choose **Run a command**.

1. For **Command document**, choose the document named **AmazonInspector-ManageAWSAgent** that is owned by **Amazon**. This document contains the script for installing the Amazon Inspector Classic agent on EC2 instances.

1. For **Targets**, you can select EC2 instances using different methods. To install the agent on all of the instances in the assessment target, you can specify the tags that were used to create the assessment target.

1. Provide your choices for the rest of the available options using the instructions in [Running commands from the console](https://docs.aws.amazon.com/systems-manager/latest/userguide/rc-console.html), and then choose **Run**.

**Note**  
You can also install the agent on multiple EC2 instances (both Linux-based and Windows-based) when you create an assessment target, or you can use the **Install Agents with Run Command** button for an existing target. For more information, see [Creating an assessment target](inspector_applications.md#create_application_via_console). 

## Installing the agent on a Linux-based EC2 instance


Perform the following procedure to install the Amazon Inspector Classic agent on a Linux-based EC2 instance.

**To install the agent on a Linux-based EC2 instance**

1. Sign in to your EC2 instance running a Linux-based operating system where you want to install the Amazon Inspector Classic agent.
**Note**  
For information about the operating systems that Amazon Inspector Classic supports, see [Amazon Inspector Classic supported operating systems and Regions](inspector_supported_os_regions.md).

1. Download the agent installation script by running one of the following commands:
   + **wget https://inspector-agent.amazonaws.com/linux/latest/install**
   + **curl -O https://inspector-agent.amazonaws.com/linux/latest/install**

1. (Optional) Verify that the agent installation script is not altered or corrupted. For more information, see [(Optional) Verify the signature of the Amazon Inspector Classic agent installation script on Linux-based operating systems](inspector_verify-sig-agent-download-linux.md).

1. To install the agent, run **sudo bash install**.
**Note**  
If you are installing the agent in an SELinux environment, the Amazon Inspector Classic agent may be detected as an unconfined daemon. You can avoid this by changing the domain of the agent process from the default `initrc_t` to `bin_t`. Use the following commands to assign the `bin_t` context to the Amazon Inspector Classic run scripts before installing the agent for SELinux:  
`sudo semanage fcontext -a -t bin_t /etc/rc\.d/init\.d/awsagent`  
`sudo semanage fcontext -a -t bin_t /etc/init\.d/awsagent`
**Note**  
As updates for the agent become available, they are automatically downloaded from Amazon S3 and applied. For more information, see [Amazon Inspector Classic agent updates](inspector_agents.md#agent-updates).  
If you want to skip this auto-update process, run the following command when you install the agent:  
**sudo bash install -u false**
**Note**  
(Optional) To remove the agent installation script, run **rm install**.

1. Verify that the following files, which the agent requires to install and function properly, are installed:
   + `libcurl4` (required to install the agent on Ubuntu 18.04)
   + `libcurl3`
   + `libgcc1`
   + `libc6`
   + `libstdc++6`
   + `libssl1.0.1`
   + `libssl1.0.2` (required to install the agent on Debian 9)
   + `libssl1.1` (required to install the agent on Ubuntu 20.04 LTS)
   + `libpcap0.8`
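
The download, verify, and install steps above can be chained so that the installer runs only when its detached GPG signature verifies against a pinned key. This is an added example, not AWS code: the function names are hypothetical, the signature file and the expected fingerprint are supplied by the caller, and the Amazon Inspector Classic public key is assumed to be already imported into the default `gpg` keyring.

```bash
#!/usr/bin/env bash
# Added example, not AWS code. Assumes the publisher's public key is already
# imported into the default gpg keyring.

# Print the primary-key fingerprint from `gpg --status-fd` output on stdin.
# A verified signature produces a line of the form
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> ... <primary-key-fpr>
# Prints nothing when no VALIDSIG line is present.
validsig_fingerprint() {
    awk '!seen && $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; seen = 1 }'
}

# Strip whitespace and uppercase, so "ab12 cd34 ..." style input compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only if the status output on stdin shows a valid signature made by
# the pinned key ($1) and carries no bad, expired, or revoked indication.
status_matches_pin() {
    local expected status got
    expected=$(normalize_fpr "$1")
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)( |$)'; then
        return 1
    fi
    got=$(printf '%s\n' "$status" | validsig_fingerprint)
    [ -n "$expected" ] && [ "$got" = "$expected" ]
}

# verify_and_install <install-script> <detached-signature> <pinned-fingerprint>
verify_and_install() {
    local script sig pin status
    script=$1; sig=$2; pin=$3
    # gpg exits non-zero when the signature does not verify at all.
    if ! status=$(gpg --batch --status-fd 1 --verify "$sig" "$script" 2>/dev/null); then
        echo "refusing to install: gpg could not verify $script" >&2
        return 1
    fi
    # A signature that verifies but was made by some other key in the keyring
    # is rejected here.
    if ! printf '%s\n' "$status" | status_matches_pin "$pin"; then
        echo "refusing to install: signature is not from the pinned key" >&2
        return 1
    fi
    sudo bash "$script"
}

# Runs only when called with all three arguments:
#   <install-script> <signature-file> <expected-fingerprint>
if [ "$#" -eq 3 ]; then
    verify_and_install "$@"
fi
```

Comparing the last field of the `VALIDSIG` line pins the primary key, so a signature made with a signing subkey still matches the published fingerprint.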

## Installing the agent on a Windows-based EC2 instance


Perform the following procedure to install the Amazon Inspector Classic agent on a Windows-based EC2 instance.

**To install the agent on a Windows-based EC2 instance**

1. Sign in to your EC2 instance running a Windows-based operating system where you want to install the agent.
**Note**  
For more information about the operating systems that Amazon Inspector Classic supports, see [Amazon Inspector Classic supported operating systems and Regions](inspector_supported_os_regions.md).

1. Download the following .exe file: 

   `https://inspector-agent.amazonaws.com/windows/installer/latest/AWSAgentInstall.exe`

1. Open a command prompt window (with administrative permissions), navigate to the location where you saved the downloaded `AWSAgentInstall.exe`, and run the .exe file to install the agent.
**Note**  
As updates for the agent become available, they are automatically downloaded from Amazon S3 and applied. For more information, see [Amazon Inspector Classic agent updates](inspector_agents.md#agent-updates).  
If you want to skip this auto-update process, run the following command when you install the agent:  
**AWSAgentInstall.exe AUTOUPDATE=No**

# Working with Amazon Inspector Classic agents on Linux-based operating systems


You can install, remove, verify, and modify the behavior of Amazon Inspector Classic agents. Sign in to your Amazon EC2 instance running a Linux-based operating system, and run any of the following procedures. For more information about the operating systems that are supported for Amazon Inspector Classic, see [Amazon Inspector Classic supported operating systems and Regions](inspector_supported_os_regions.md).

**Important**  
The Amazon Inspector Classic agent relies on Amazon EC2 instance metadata to function correctly. It accesses instance metadata using version 1 or version 2 of the Instance Metadata Service (IMDSv1 or IMDSv2). See [Instance Metadata and User Data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) to learn more about EC2 instance metadata and access methods.

**Note**  
The commands in this section function in all AWS Regions that are supported by Amazon Inspector Classic.

**Topics**
+ [Verifying that the Amazon Inspector Classic agent is running](#verify-linux)
+ [Stopping the Amazon Inspector Classic agent](#stop-linux)
+ [Starting the Amazon Inspector Classic agent](#start-linux)
+ [Modifying Amazon Inspector Classic agents settings](#inspector-agent-modify-settings-linux)
+ [Configuring proxy support for an Amazon Inspector Classic agent](#inspector-agent-proxy-linux)
+ [Uninstalling the Amazon Inspector Classic agent](#uninstall-linux)

## Verifying that the Amazon Inspector Classic agent is running

+ To verify that the agent is installed and running, sign in to your EC2 instance and run the following command:

  **sudo /opt/aws/awsagent/bin/awsagent status**

  This command returns the status of the currently running agent, or an error stating that the agent cannot be contacted.

## Stopping the Amazon Inspector Classic agent

+ To stop the agent, run the following command:

  **sudo /etc/init.d/awsagent stop**

## Starting the Amazon Inspector Classic agent

+ To start the agent, run the following command:

  **sudo /etc/init.d/awsagent start**

## Modifying Amazon Inspector Classic agents settings


After the Amazon Inspector Classic agent is installed and running on your EC2 instance, you can modify the settings in the `agent.cfg` file to alter the agent's behavior. On Linux-based operating systems, the `agent.cfg` file is located in the `/opt/aws/awsagent/etc` directory. After you modify and save the `agent.cfg` file, you must stop and start the agent for the changes to take effect.

**Important**  
We highly recommend that you modify the `agent.cfg` file only with the guidance of AWS Support.

## Configuring proxy support for an Amazon Inspector Classic agent


To get proxy support for an agent on a Linux-based operating system, use an agent-specific configuration file with specific environment variables. For more information, see [https://wiki.archlinux.org/index.php/proxy_settings](https://wiki.archlinux.org/index.php/proxy_settings).

Complete one of the following procedures:

**To install an agent on an EC2 instance that uses a proxy server**

1. Create a file called `awsagent.env` and save it in the `/etc/init.d/` directory.

1. Edit `awsagent.env` to include these environment variables in the following format:
   + `export https_proxy=hostname:port`
   + `export http_proxy=hostname:port`
   + `export no_proxy=169.254.169.254`
**Note**  
Substitute values in the preceding examples with valid hostname and port number combinations only. Specify the IP address of the instance metadata endpoint (169.254.169.254) for the `no_proxy` variable. 

1. Install the Amazon Inspector Classic agent by completing the steps in the [Installing the agent on a Linux-based EC2 instance](inspector_installing-uninstalling-agents.md#install-linux) procedure.

**To configure proxy support on an EC2 instance with a running agent**

1. To configure proxy support, the version of the agent that is running on your EC2 instance must be 1.0.800.1 or later. If you enabled the auto-update process for the agent, you can verify that your agent's version is 1.0.800.1 or later by using the [Verifying that the Amazon Inspector Classic agent is running](#verify-linux) procedure. If you didn't enable the auto-update process for the agent, you must install the agent on this EC2 instance again by following the [Installing the agent on a Linux-based EC2 instance](inspector_installing-uninstalling-agents.md#install-linux) procedure.

1. Create a file called `awsagent.env`, and save it in the `/etc/init.d/` directory.

1. Edit `awsagent.env` to include these environment variables in the following format:
   + `export https_proxy=hostname:port`
   + `export http_proxy=hostname:port`
   + `export no_proxy=169.254.169.254`
**Note**  
Substitute values in the preceding examples with valid hostname and port number combinations only. Specify the IP address of the instance metadata endpoint (169.254.169.254) for the `no_proxy` variable. 

1. Restart the agent using the following command:

   `sudo /etc/init.d/awsagent restart`

   Proxy settings are picked up and used by both the agent and the auto-update process.
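
Both proxy procedures above depend on `awsagent.env` having the right shape, so a quick lint before restarting the agent catches the common mistakes (a URL scheme in the value, an out-of-range port, or a `no_proxy` that omits the metadata endpoint). This is an added example, not AWS code; the function names are hypothetical, and the permission check assumes the file is read by the root-run init script.

```bash
#!/usr/bin/env bash
# Added example, not AWS code: lint an awsagent.env file before restarting the agent.
IMDS_IP=169.254.169.254   # instance metadata endpoint named on this page

# Print the value of the last "export NAME=value" line for NAME ($2) in file ($1).
env_value() {
    sed -n "s/^[[:space:]]*export[[:space:]][[:space:]]*$2=//p" "$1" |
        tail -n 1 | tr -d "\"'\r"
}

# Succeed only for hostname:port, with no scheme or path and a port in 1-65535.
valid_hostport() {
    local host port
    case $1 in
        *:*) host=${1%:*}; port=${1##*:} ;;
        *) return 1 ;;
    esac
    case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Succeed if the comma-separated no_proxy list ($1) contains the IMDS address.
no_proxy_has_imds() {
    case ",$1," in
        *",$IMDS_IP,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the file is writable by group or others.
# Assumption: the file is read by the root-run init script, so nobody but
# root should be able to change it.
is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print one line per problem; return 0 when the file is clean, 1 otherwise.
check_awsagent_env() {
    local file var val rc
    file=$1; rc=0
    if [ ! -r "$file" ]; then
        echo "$file: missing or unreadable"
        return 1
    fi
    for var in https_proxy http_proxy; do
        val=$(env_value "$file" "$var")
        if ! valid_hostport "$val"; then
            echo "$var: expected hostname:port, found '$val'"
            rc=1
        fi
    done
    val=$(env_value "$file" no_proxy)
    if ! no_proxy_has_imds "$val"; then
        echo "no_proxy: $IMDS_IP is missing, so metadata requests could be routed to the proxy"
        rc=1
    fi
    if is_loosely_writable "$file"; then
        echo "$file: writable by group or others"
        rc=1
    fi
    return "$rc"
}

# Runs only when called with a path, for example /etc/init.d/awsagent.env
if [ "$#" -eq 1 ]; then
    check_awsagent_env "$1"
fi
```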

## Uninstalling the Amazon Inspector Classic agent


**To uninstall the agent**

1. Sign in to your EC2 instance running a Linux-based operating system where you want to uninstall the agent.
**Note**  
For more information about the operating systems that are supported for Amazon Inspector Classic, see [Amazon Inspector Classic supported operating systems and Regions](inspector_supported_os_regions.md).

1. To uninstall the agent, use one of the following commands:
   + On Amazon Linux, CentOS, and Red Hat, run the following command:

     `sudo yum remove 'AwsAgent*'`
   + On Ubuntu Server, run the following command:

     `sudo apt-get purge 'awsagent*'`

# Working with Amazon Inspector Classic agents on Windows-based operating systems


You can start, stop, and modify the behavior of Amazon Inspector Classic agents. Sign in to your EC2 instance running a Windows-based operating system and perform any of the procedures in this chapter. For more information about the operating systems that are supported for Amazon Inspector Classic, see [Amazon Inspector Classic supported operating systems and Regions](inspector_supported_os_regions.md).

**Important**  
The Amazon Inspector Classic agent relies on Amazon EC2 instance metadata to function correctly. It accesses instance metadata using version 1 or version 2 of the Instance Metadata Service (IMDSv1 or IMDSv2). See [Instance Metadata and User Data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) to learn more about EC2 instance metadata and access methods.

**Note**  
The commands in this chapter function in all AWS Regions that are supported by Amazon Inspector Classic.

**Topics**
+ [Starting or stopping an Amazon Inspector Classic agent or verifying that the agent is running](#stop-start-windows)
+ [Modifying Amazon Inspector Classic agent settings](#inspector-agent-modify-settings)
+ [Configuring proxy support for an Amazon Inspector Classic agent](#inspector-agent-proxy)
+ [Uninstalling the Amazon Inspector Classic agent](#uninstall-windows)

## Starting or stopping an Amazon Inspector Classic agent or verifying that the agent is running


**To start, stop, or verify an agent**

1. On your EC2 instance, choose **Start**, **Run**, and then enter **services.msc**.

1. If the agent is successfully running, two services are listed with their status set to **Started** or **Running** in the **Services** window: **AWS Agent Service** and **AWS Agent Updater Service**.

1. To start the agent, right-click **AWS Agent Service**, and then choose **Start**. If the service successfully starts, the status is updated to **Started** or **Running**.

1. To stop the agent, right-click **AWS Agent Service**, and then choose **Stop**. If the service successfully stops, the status is cleared (appears as blank). We don't recommend stopping the **AWS Agent Updater Service** because it disables the installation of all future enhancements and fixes to the agent.

1. To verify that the agent is installed and running, sign in to your EC2 instance, and open a command prompt using administrative permissions. Navigate to `C:\Program Files\Amazon Web Services\AWS Agent`, and then run the following command:

   **AWSAgentStatus.exe**

   This command returns the status of the currently running agent, or an error stating that the agent can't be contacted.

## Modifying Amazon Inspector Classic agent settings


After the Amazon Inspector Classic agent is installed and running on your EC2 instance, you can modify the settings in the `agent.cfg` file to alter the agent's behavior. On Windows-based operating systems, the file is located in the `C:\ProgramData\Amazon Web Services\AWS Agent` directory. After you modify and save the `agent.cfg` file, you must stop and start the agent for the changes to take effect.

**Important**  
We highly recommend that you modify the `agent.cfg` file only with the guidance of AWS Support.

## Configuring proxy support for an Amazon Inspector Classic agent


To get proxy support for an agent on a Windows-based operating system, use the `WinHTTP` proxy. To set up the `WinHTTP` proxy using the `netsh` utility, see [Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731131(v=ws.10)).

**Important**  
Only HTTPS proxies are supported for Windows-based instances.

Complete one of the following procedures:

**To install an agent on an EC2 instance that uses a proxy server**

1. Download the following .exe file: `https://d1wk0tztpsntt1.cloudfront.net/windows/installer/latest/AWSAgentInstall.exe`

1. Open a command prompt window or PowerShell window (using administrative permissions). Navigate to the location where you saved the downloaded `AWSAgentInstall.exe`, and then run the following command:

   `.\AWSAgentInstall.exe /install USEPROXY=1`

**To configure proxy support on an EC2 instance with a running agent**

1. To configure proxy support, the version of the Amazon Inspector Classic agent that is running on your EC2 instance must be 1.0.0.59 or later. If you enabled the auto-update process for the agent, you can verify that your agent's version is 1.0.0.59 or later by using the [Starting or stopping an Amazon Inspector Classic agent or verifying that the agent is running](#stop-start-windows) procedure. If you didn't enable the auto-update process for the agent, you must install the agent on this EC2 instance again by following the [Installing the agent on a Windows-based EC2 instance](inspector_installing-uninstalling-agents.md#install-windows) procedure.

1. Open the registry editor (`regedit.exe`).

1. Navigate to the following registry key: `"HKEY_LOCAL_MACHINE/SOFTWARE/Amazon Web Services/AWS Agent Updater"`.

1. Inside this registry key, create a registry `DWORD(32bit)` value called `"UseProxy"`.

1. Double-click on the value, and set the value to 1.

1. Enter **services.msc**, locate the **AWS Agent Service** and the **AWS Agent Updater Service** in the **Services** window, and restart each process. After both processes have successfully restarted, run the `AWSAgentStatus.exe` file (see step 5 in [Starting or stopping an Amazon Inspector Classic agent or verifying that the agent is running](#stop-start-windows)). View the status of your agent and verify that it is using the configured proxy.

## Uninstalling the Amazon Inspector Classic agent


**To uninstall the agent**

1. Sign in to your EC2 instance running a Windows-based operating system where you want to uninstall the Amazon Inspector Classic agent.
**Note**  
For more information about the operating systems that are supported for Amazon Inspector Classic, see [Amazon Inspector Classic supported operating systems and Regions](inspector_supported_os_regions.md).

1. On your EC2 instance, navigate to **Control Panel**, **Add/Remove Programs**.

1. In the list of installed programs, choose **AWS Agent**, and then choose **Uninstall**.

# (Optional) Verify the signature of the Amazon Inspector Classic agent installation script on Linux-based operating systems


This topic describes the recommended process of verifying the validity of the Amazon Inspector Classic agent's installation script for Linux-based operating systems.

Whenever you download an application from the internet, we recommend that you authenticate the identity of the software publisher and check that the application is not altered or corrupted since it was published. This protects you from installing a version of the application that contains a virus or other malicious code.

If, after running the steps in this topic, you determine that the software for the Amazon Inspector Classic agent is altered or corrupted, do NOT run the installation file. Instead, contact AWS Support.

Amazon Inspector Classic agent files for Linux-based operating systems are signed using `GnuPG`, an open source implementation of the Pretty Good Privacy (OpenPGP) standard for secure digital signatures. `GnuPG` (also known as `GPG`) provides authentication and integrity checking through a digital signature. Amazon EC2 publishes a public key and signatures that you can use to verify the downloaded Amazon EC2 CLI tools. For more information about `PGP` and `GnuPG` (`GPG`), see [http://www.gnupg.org](http://www.gnupg.org).

The first step is to establish trust with the software publisher. Download the public key of the software publisher, check that the owner of the public key is who they claim to be, and then add the public key to your *keyring*. Your keyring is a collection of known public keys. After you establish the authenticity of the public key, you can use it to verify the signature of the application.

**Topics**
+ [Installing the GPG tools](#inspector_verify-signature-of-agent-download-install-tools)
+ [Authenticating and importing the public key](#inspector_verify-signature-of-agent-download-authenticate-import-public-key)
+ [Verify the signature of the package](#inspector_verify-signature-of-agent-package)

## Installing the GPG tools


If your operating system is Linux or Unix, the GPG tools are likely already installed. To test whether the tools are installed on your system, type **gpg** at a command prompt. If the GPG tools are installed, you see a GPG command prompt. If the GPG tools are not installed, you see an error stating that the command cannot be found. You can install the GnuPG package from a repository. 

**To install GPG tools on Debian-based Linux**
+ From a terminal, run the following command: **apt-get install gnupg**.

**To install GPG tools on Red Hat–based Linux**
+ From a terminal, run the following command: **yum install gnupg**.

## Authenticating and importing the public key


The next step in the process is to authenticate the Amazon Inspector Classic public key and add it as a trusted key in your `GPG` keyring.

**To authenticate and import the Amazon Inspector Classic public key**

1. Obtain a copy of our public `GPG` build key by doing one of the following:
   + Download from [https://d1wk0tztpsntt1.cloudfront.net/linux/latest/inspector.gpg](https://d1wk0tztpsntt1.cloudfront.net/linux/latest/inspector.gpg).
   + Copy the key from the following text and paste it into a file called `inspector.gpg`. Make sure to include everything that follows:


1. At a command prompt in the directory where you saved **inspector.gpg**, use the following command to import the Amazon Inspector Classic public key into your keyring:

   ```
   gpg --import inspector.gpg
   ```

   The command returns results that are similar to the following:

   ```
   gpg: key 58360418: public key "Amazon Inspector <inspector@amazon.com>" imported
   gpg: Total number processed: 1
   gpg:               imported: 1  (RSA: 1)
   ```

   Make a note of the key value; you need it in the next step. In the preceding example, the key value is `58360418`.

1. Verify the fingerprint by running the following command, replacing *key-value* with the value from the preceding step:

   ```
   gpg --fingerprint key-value
   ```

   This command returns results similar to the following:

   ```
   pub   4096R/58360418 2015-09-24
         Key fingerprint = DDA0 D4C5 10AE 3C20 6F46  6DC0 2474 0960 5836 0418
   uid                  Amazon Inspector <inspector@amazon.com>
   ```

   The fingerprint string should be identical to `DDA0 D4C5 10AE 3C20 6F46 6DC0 2474 0960 5836 0418`, as shown in the preceding example. Compare the key fingerprint that is returned with the one published on this page. If they don't match, don't install the Amazon Inspector Classic agent installation script, and contact AWS Support.

## Verify the signature of the package


After you install the `GPG` tools, authenticate and import the Amazon Inspector Classic public key, and verify that the public key is trusted, you are ready to verify the signature of the installation script. 

**To verify the installation script signature**

1. At a command prompt, run the following command to download the signature file for the installation script:

   ```
   curl -O https://inspector-agent.amazonaws.com/linux/latest/install.sig
   ```

1. Verify the signature by running the following command at a command prompt in the directory where you saved `install.sig` and the Amazon Inspector Classic installation file. Both files must be present.

   ```
   gpg --verify ./install.sig
   ```

   The output should look something like the following:

   ```
   gpg: Signature made Thu 24 Sep 2015 03:19:09 PM UTC using RSA key ID 58360418
   gpg: Good signature from "Amazon Inspector <inspector@amazon.com>" [unknown]
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
   Primary key fingerprint: DDA0 D4C5 10AE 3C20 6F46  6DC0 2474 0960 5836 0418
   ```

   If the output contains the phrase `Good signature from "Amazon Inspector <inspector@amazon.com>"`, it means that the signature has successfully been verified, and you can proceed to run the Amazon Inspector Classic installation script.

   If the output includes the phrase `BAD signature`, check whether you performed the procedure correctly. If you continue to get this response, don't run the installation file that you downloaded previously, and contact AWS Support.

The following are details about the warnings you might see: 
+ **WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner.** This refers to your personal level of trust that the public key you possess is the authentic key for Amazon Inspector Classic. In an ideal world, you would visit an AWS office and receive the key in person. However, more often you download it from a website. In this case, the website is an AWS website.
+ **gpg: no ultimately trusted keys found.** This means that the specific key is not "ultimately trusted" by you (or by other people whom you trust).

For more information, see [http://www.gnupg.org](http://www.gnupg.org).
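The steps above rely on reading `gpg`'s human-oriented output, where `Good signature` appears for any key in your keyring. As an added example (not part of the original AWS procedure), the shell functions below parse `gpg --status-fd` output instead and accept the installer only when a `VALIDSIG` line carries the fingerprint published on this page. The three sample status blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept the installer only on a valid signature from the pinned key.
# Fingerprint as published on this page.
EXPECTED_FPR="DDA0 D4C5 10AE 3C20 6F46  6DC0 2474 0960 5836 0418"

# Drop whitespace and upper-case, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the expected primary-key fingerprint (its last field) and no failure status
# or signature from another key is present.
check_status() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == want) ok = 1; else bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Run the page's verify command with machine-readable status output.
verify_install() {
    gpg --status-fd 1 --verify ./install.sig 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status output (timestamps and algorithm fields are illustrative).
SAMPLE_GOOD='[GNUPG:] GOODSIG 2474096058360418 Amazon Inspector <inspector@amazon.com>
[GNUPG:] VALIDSIG DDA0D4C510AE3C206F466DC02474096058360418 2015-09-24 1443107949 0 4 0 1 2 00 DDA0D4C510AE3C206F466DC02474096058360418
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_BAD='[GNUPG:] BADSIG 2474096058360418 Amazon Inspector <inspector@amazon.com>'
# A good signature, but from a different (placeholder) key in the keyring.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0000000000000001 Example Key <key@example.com>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2015-09-24 1443107949 0 4 0 1 2 00 0000000000000000000000000000000000000001'

for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD" "$SAMPLE_OTHER_KEY"; do
    if printf '%s\n' "$sample" | check_status "$EXPECTED_FPR"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```

Call `verify_install` in the directory that holds both `install.sig` and the installation file, and run the installer only when it returns 0.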

# (Optional) Verify the signature of the Amazon Inspector Classic agent installation script on Windows-based operating systems


This topic describes the recommended process of verifying the validity of the Amazon Inspector Classic agent's installation script for Windows-based operating systems.

Whenever you download an application from the internet, we recommend that you authenticate the identity of the software publisher and check that the application has not been altered or corrupted since it was published. This protects you from installing a version of the application that contains a virus or other malicious code.

If, after running the steps in this topic, you determine that the software for the Amazon Inspector Classic agent is altered or corrupted, do NOT run the installation file. Instead, contact AWS Support.

To verify the validity of the downloaded agent installation script on Windows-based operating systems, make sure that the thumbprint of its Amazon Services LLC signer certificate is equal to this value:

**E8 83 C5 3A F7 8C BA 7C F5 A2 47 E9 B8 86 FC E9 68 EE 0B 36**

To verify this value, perform the following procedure: 

1. Right-click the downloaded `AWSAgentInstall.exe`, and open the **Properties** window.

1. Choose the **Digital Signatures** tab.

1. From the **Signature List**, choose **Amazon Web Services, Inc.**, and then choose **Details**.

1. Choose the **General** tab, if not already selected, and then choose **View Certificate**.

1. Choose the **Details** tab, and then choose **All** in the **Show** dropdown list, if not already selected.

1. Scroll down until you see the **Thumbprint** field and then choose **Thumbprint**. This displays the entire thumbprint value in the lower window.
   + If the thumbprint value in the lower window is identical to the following value:

     **E8 83 C5 3A F7 8C BA 7C F5 A2 47 E9 B8 86 FC E9 68 EE 0B 36**

     then your downloaded agent installation script is authentic and can be safely installed.
   + If the thumbprint value in the lower details window is not identical to the value above, do not run `AWSAgentInstall.exe`. 