

End of support notice: On May 20, 2026, AWS will end support for Amazon Inspector Classic. After May 20, 2026, you will no longer be able to access the Amazon Inspector Classic console or Amazon Inspector Classic resources. Amazon Inspector Classic is no longer available to new accounts and accounts that have not completed an assessment in the last 6 months. For all other accounts, access will remain valid until May 20, 2026, after which you will no longer be able to access the Amazon Inspector Classic console or Amazon Inspector Classic resources. For more information, see [Amazon Inspector Classic end of support](https://docs.aws.amazon.com/inspector/v1/userguide/inspector-migration.html).

# Amazon Inspector Classic assessment templates and assessment runs


Amazon Inspector Classic helps you discover potential security issues by using security rules to analyze your AWS resources. Amazon Inspector Classic monitors and collects behavioral data (telemetry) about your resources. The data includes information about the use of secure channels, network traffic among running processes, and details of communication with AWS services. Next, Amazon Inspector Classic analyzes and compares the data against a set of security rules packages. Finally, Amazon Inspector Classic produces a list of *findings* that identify potential security issues of various levels of severity.

To get started, you create an *assessment target* (a collection of the AWS resources that you want Amazon Inspector Classic to analyze). Next, you create an *assessment template* (a blueprint that you use to configure your assessment). You use the template to start an *assessment run*, which is the monitoring and analysis process that results in a set of findings. 

**Topics**
+ [Amazon Inspector Classic assessment templates](#inspector-assessment-templates)
+ [Amazon Inspector Classic assessment templates limits](#inspector-assessment-limits)
+ [Creating an assessment template](#create_assessment_via_console)
+ [Deleting an assessment template](#delete_assessment_via_console)
+ [Assessment runs](#assessment_runs)
+ [Amazon Inspector Classic assessment runs limits](#assessment_runs-limits)
+ [Setting up automatic assessment runs through a Lambda function](#assessment_runs-schedule)
+ [Setting up an SNS topic for Amazon Inspector Classic notifications](#sns-topic)

## Amazon Inspector Classic assessment templates


An assessment template allows you to specify a configuration for your assessment runs, including the following: 
+ Rules packages that Amazon Inspector Classic uses to evaluate your assessment target
+ Duration of the assessment run – You can set the duration of an assessment run anywhere from 3 minutes to 24 hours. We recommend setting the duration of assessment runs to 1 hour.
+ Amazon SNS topics that Amazon Inspector Classic sends notifications to about your assessment run states and findings
+ Amazon Inspector Classic attributes (key-value pairs) that you can assign to findings that are generated by the assessment run that uses this assessment template

After Amazon Inspector Classic creates the assessment template, you can tag it like any other AWS resource. For more information, see [Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html). Tagging assessment templates enables you to organize them and get better oversight of your security strategy. For example, Amazon Inspector Classic offers a large number of rules that you can assess your assessment targets against. You might want to include various subsets of the available rules in your assessment templates to target specific areas of concern or to uncover specific security issues. Tagging assessment templates allows you to locate and run them quickly at any time in accordance with your security strategy and goals.

**Important**  
After you create an assessment template, you can't modify it. 

## Amazon Inspector Classic assessment templates limits


You can create up to 500 assessment templates for each AWS account. 

For more information, see [Amazon Inspector Classic service limits](inspector_limits.md).

## Creating an assessment template


**To create an assessment template**

1. Sign in to the AWS Management Console and open the Amazon Inspector Classic console at [https://console.aws.amazon.com/inspector/](https://console.aws.amazon.com/inspector/).

1. In the navigation pane, choose **Assessment Templates**, and then choose **Create**.

1. For **Name**, enter a name for your assessment template.

1. For **Target name**, choose an assessment target to analyze.
**Note**  
When you create an assessment template, you can use the **Preview Target** button on the **Assessment Templates** page to review all EC2 instances included in the assessment target. For each EC2 instance, you can review the hostname, instance ID, IP address, and, if applicable, the status of the agent. The agent status can have the following values: **HEALTHY**, **UNHEALTHY**, and **UNKNOWN**. Amazon Inspector Classic displays an **UNKNOWN** status when it can't determine whether there is an agent running on the EC2 instance.  
You can also use the **Preview Target** button on the **Assessment Templates** page to review EC2 instances that make up assessment targets included in your previously created templates.

1. For **Rules packages**, choose one or more rules packages to include in your assessment template.

1. For **Duration**, specify the duration for your assessment template.

1. (Optional) For **SNS topics**, specify an SNS topic that you want Amazon Inspector Classic to send notifications to about assessment run states and findings. Amazon Inspector Classic can send SNS notifications about the following events:
   + An assessment run has started
   + An assessment run has ended
   + An assessment run's status has changed
   + A finding was generated

   For more information about setting up an SNS topic, see [Setting up an SNS topic for Amazon Inspector Classic notifications](#sns-topic).

1. (Optional) For **Tag**, enter values for **Key** and **Value**. You can add multiple tags to the assessment template.

1. (Optional) For **Attributes added to findings**, enter values for **Key** and **Value**. Amazon Inspector Classic applies the attributes to all findings that are generated by the assessment template. You can add multiple attributes to the assessment template. For more information about findings and tagging findings, see [Amazon Inspector Classic findings](inspector_findings.md).

1. (Optional) To set up a schedule for your assessment runs using this template, select the **Set up recurring assessment runs once every <number_of_days>, starting now** check box and specify the recurrence pattern (number of days) using the up and down arrows.
**Note**  
When you use this check box, Amazon Inspector Classic automatically creates an Amazon CloudWatch Events rule for the assessment runs schedule that you are setting up. Amazon Inspector Classic then also automatically creates an IAM role named `AWS_InspectorEvents_Invoke_Assessment_Template`. This role enables CloudWatch Events to make API calls against the Amazon Inspector Classic resources. For more information, see [What is Amazon CloudWatch Events?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html) and [Using Resource-Based Policies for CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/resource-based-policies-cwe.html).
**Note**  
You can also set up automatic assessment runs through an AWS Lambda function. For more information, see [Setting up automatic assessment runs through a Lambda function](#assessment_runs-schedule). 

1. Choose **Create and run** or **Create**.
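
A scripted equivalent of the console procedure above, added here as an example (it is not AWS's code). It assumes the boto3 `inspector` client calls `create_assessment_template` and `subscribe_to_event`; `create_template` and `RecordingClient` are hypothetical names, and the ARNs are constructed placeholders. Inputs are validated before the call because a template can't be modified after it is created.

```python
# The four console notification choices, as the API's event names.
EVENTS = (
    "ASSESSMENT_RUN_STARTED",
    "ASSESSMENT_RUN_COMPLETED",
    "ASSESSMENT_RUN_STATE_CHANGED",
    "FINDING_REPORTED",
)
MIN_SECONDS, MAX_SECONDS = 3 * 60, 24 * 60 * 60  # 3 minutes to 24 hours


def create_template(client, target_arn, name, rules_package_arns,
                    duration_seconds=3600, topic_arn=None, attributes=None):
    """Create a template and, if a topic is given, subscribe it to all events."""
    if not MIN_SECONDS <= duration_seconds <= MAX_SECONDS:
        raise ValueError("duration must be between 3 minutes and 24 hours")
    if not rules_package_arns:
        raise ValueError("choose at least one rules package")
    resp = client.create_assessment_template(
        assessmentTargetArn=target_arn,
        assessmentTemplateName=name,
        durationInSeconds=duration_seconds,
        rulesPackageArns=list(rules_package_arns),
        # "Attributes added to findings" in the console
        userAttributesForFindings=[
            {"key": k, "value": v} for k, v in (attributes or {}).items()
        ],
    )
    template_arn = resp["assessmentTemplateArn"]
    if topic_arn:
        for event in EVENTS:
            client.subscribe_to_event(
                resourceArn=template_arn, event=event, topicArn=topic_arn)
    return template_arn


class RecordingClient:
    """Constructed stand-in for boto3.client('inspector'); records calls offline."""
    TEMPLATE_ARN = ("arn:aws:inspector:us-west-2:111122223333:"
                    "target/0-EXAMPLE/template/0-EXAMPLE")

    def __init__(self):
        self.calls = []

    def create_assessment_template(self, **kwargs):
        self.calls.append(("create_assessment_template", kwargs))
        return {"assessmentTemplateArn": self.TEMPLATE_ARN}

    def subscribe_to_event(self, **kwargs):
        self.calls.append(("subscribe_to_event", kwargs))
```

To run it against a real account, pass `boto3.client("inspector")` in place of `RecordingClient()`.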

## Deleting an assessment template


To delete an assessment template, perform the following procedure.

**To delete an assessment template**
+ On the **Assessment Templates** page, choose the template that you want to delete, and then choose **Delete**. When prompted for confirmation, choose **Yes**.
**Important**  
When you delete an assessment template, all assessment runs, findings, and versions of the reports associated with this template are also deleted.

You can also delete an assessment template by using the [DeleteAssessmentTemplate](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DeleteAssessmentTemplate.html) API.

## Assessment runs


After you create an assessment template, you can use it to start assessment runs. You can start multiple runs using the same template as long as you stay within the runs limit for each AWS account. For more information, see [Amazon Inspector Classic assessment runs limits](#assessment_runs-limits). 

If you use the Amazon Inspector Classic console, you must start the first run of your new assessment template from the **Assessment templates** page. After you start the run, you can use the **Assessment runs** page to monitor the run's progress. Use the **Run**, **Cancel**, and **Delete** buttons to start, cancel, or delete a run. You can also view the run's details, including the ARN of the run, the rules packages selected for the run, the tags and attributes that you applied to the run, and more.

For subsequent runs of the assessment template, you can use the **Run**, **Cancel**, and **Delete** buttons on either the **Assessment templates** page or the **Assessment runs** page.

### Deleting an assessment run


To delete an assessment run, perform the following procedure.

**To delete a run**
+ On the **Assessment runs** page, choose the run that you want to delete, and then choose **Delete**. When prompted for confirmation, choose **Yes**.
**Important**  
When you delete a run, all findings and all versions of the report from that run are also deleted.

You can also delete a run by using the [DeleteAssessmentRun](https://docs.aws.amazon.com/inspector/latest/APIReference/API_DeleteAssessmentRun.html) API.

## Amazon Inspector Classic assessment runs limits


You can create up to 50,000 assessment runs for each AWS account.

You can have multiple runs occurring at the same time as long as the targets used for the runs don't contain overlapping EC2 instances.

For more information, see [Amazon Inspector Classic service limits](inspector_limits.md).

## Setting up automatic assessment runs through a Lambda function


If you want to set up a recurring schedule for your assessment, you can configure your assessment template to run automatically by creating a Lambda function using the AWS Lambda console. For more information, see [Lambda Functions](http://docs.aws.amazon.com/lambda/latest/dg/lambda-introduction-function.html). 

To set up automatic assessment runs using the AWS Lambda console, perform the following procedure.

**To set up automatic runs through a Lambda function**

1. Sign in to the AWS Management Console, and open the [AWS Lambda console](https://us-west-2.console.aws.amazon.com/lambda/home?region=us-west-2#/home).

1. In the navigation pane, choose either **Dashboard** or **Functions**, and then choose **Create a Lambda Function**. 

1. On the **Create function** page, choose **Browse serverless app repository**, then enter **inspector** in the search field.

1. Choose the **inspector-scheduled-run** blueprint.

1. On the **Review, configure, and deploy** page, set up a recurring schedule for automated runs by specifying a CloudWatch event that triggers your function. To do this, enter a rule name and description, and then choose a schedule expression. The schedule expression determines how often the run occurs, for example, every 15 minutes or once a day. For more information about CloudWatch events and concepts, see [What is Amazon CloudWatch Events?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html)

   If you select the **Enable trigger** check box, the run begins immediately after you finish creating your function. Subsequent automated runs follow the recurrence pattern that you specify in the **Schedule expression** field. If you don’t select the **Enable trigger** check box while creating the function, you can edit the function later to enable this trigger.

1. On the **Configure function** page, specify the following: 
   + For **Name**, enter a name for your function.
   + (Optional) For **Description**, enter a description that will help you identify your function later.
   + For **runtime**, keep the default value of **Node.js 8.10**. AWS Lambda supports the **inspector-scheduled-run** blueprint only for the **Node.js 8.10** runtime.
   + The assessment template that you want to run automatically using this function. You do this by providing the value for the environment variable called **assessmentTemplateArn**.
   + Keep the handler set to the default value of **index.handler**.
   + The permissions for your function using the **Role** field. For more information, see [AWS Lambda Permissions Model](https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html#lambda-intro-execution-role).

     To run this function, you need an IAM role that allows AWS Lambda to start the runs and write log messages about the runs, including any errors, to Amazon CloudWatch Logs. AWS Lambda assumes this role for every recurring automated run. For example, you can attach the following sample policy to this IAM role:

     ```
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "inspector:StartAssessmentRun",
             "logs:CreateLogGroup",
             "logs:CreateLogStream",
             "logs:PutLogEvents"
           ],
           "Resource": "*"
         }
       ]
     }
     ```


1. Review your selections, and then choose **Create function**.

## Setting up an SNS topic for Amazon Inspector Classic notifications


Amazon Simple Notification Service (Amazon SNS) is a web service that sends messages to subscribing endpoints or clients. You can use Amazon SNS to set up notifications for Amazon Inspector Classic.

**To set up an SNS topic for notifications**

1. Create an SNS topic. See [Tutorial: Creating an Amazon SNS Topic](https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-create-topic.html). When you create the topic, expand the **Access policy - optional** section. Then do the following to permit the assessment to send messages to the topic:

   1. For **Choose method**, choose **Basic**.

   1. For **Define who can publish messages to the topic**, choose **Only the specified AWS accounts**, and then enter the ARN for the account in the Region that you're creating the topic in:
      + `US East (Ohio)` - *arn:aws:iam::646659390643:root*
      + `US East (N. Virginia)` - *arn:aws:iam::316112463485:root*
      + `US West (N. California)` - *arn:aws:iam::166987590008:root*
      + `US West (Oregon)` - *arn:aws:iam::758058086616:root*
      + `Asia Pacific (Mumbai)` - *arn:aws:iam::162588757376:root*
      + `Asia Pacific (Seoul)` - *arn:aws:iam::526946625049:root*
      + `Asia Pacific (Sydney)` - *arn:aws:iam::454640832652:root*
      + `Asia Pacific (Tokyo)` - *arn:aws:iam::406045910587:root*
      + `Europe (Frankfurt)` - *arn:aws:iam::537503971621:root*
      + `Europe (Ireland)` - *arn:aws:iam::357557129151:root*
      + `Europe (London)` - *arn:aws:iam::146838936955:root*
      + `Europe (Stockholm)` - *arn:aws:iam::453420244670:root*
      + `AWS GovCloud (US-East)` - *arn:aws-us-gov:iam::206278770380:root*
      + `AWS GovCloud (US-West)` - *arn:aws-us-gov:iam::850862329162:root*

   1. For **Define who can subscribe to this topic**, choose **Only the specified AWS accounts**, and then enter the ARN for the account in the Region in which you're creating the topic.

   1. To protect yourself against Inspector being used as a confused deputy, as detailed in [Confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the *IAM User Guide*, do the following:

      1. Choose **Advanced**. This will navigate you to the JSON editor.

      1. Add the following condition:

         ```
         "Condition": {
           "StringEquals": {
             "aws:SourceAccount": "<your account Id here>"
           },
           "ArnLike": {
             "aws:SourceArn": "arn:aws:inspector:*:*:*"
           }
         }
         ```

   1. (Optional) For additional information about `aws:SourceAccount` and `aws:SourceArn`, see [Global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) in the *IAM User Guide*.

   1. Update other settings for the topic as needed, and then choose **Create topic**.

1. (Optional) To create an encrypted SNS topic, see [Encryption at rest](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html) in the *SNS Developer Guide*.

1. To protect yourself against Inspector being used as a confused deputy for your KMS key, follow the additional steps below:

   1. Go to your CMK in the KMS console.

   1. Choose **Edit**.

   1. Add the following condition:

      ```
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<your account Id here>"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:*:*:*"
        }
      }
      ```

1. Create a subscription to the topic that you created. For more information, see [Tutorial: Subscribing an Endpoint to an Amazon SNS Topic](https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-create-subscribe-endpoint-to-topic.html).

1. To confirm that the subscription is configured correctly, publish a message to the topic. For more information, see [Tutorial: Publishing a Message to an Amazon SNS Topic](https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-publish-message-to-topic.html).
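
The topic access policy from step 1, built and checked in code; this is an added example, not part of the AWS documentation. It places the wildcard `aws:SourceArn` pattern under `ArnLike`, because IAM's `StringEquals` compares values literally and does not expand `*`. The function names, the account ID, and the topic ARN are constructed for illustration, and the Region codes are the standard codes for three of the Regions listed above.

```python
import json

# Subset of the Inspector Classic account ARNs listed above, keyed by Region code.
INSPECTOR_ACCOUNTS = {
    "us-east-1": "arn:aws:iam::316112463485:root",  # US East (N. Virginia)
    "us-west-2": "arn:aws:iam::758058086616:root",  # US West (Oregon)
    "eu-west-1": "arn:aws:iam::357557129151:root",  # Europe (Ireland)
}
# Constructed sample values, not real resources.
ACCOUNT_ID = "111122223333"
TOPIC_ARN = "arn:aws:sns:us-west-2:111122223333:inspector-findings"


def build_statement(topic_arn, account_id):
    """Publish statement for the Inspector account of the topic's Region."""
    region = topic_arn.split(":")[3]
    return {
        "Effect": "Allow",
        "Principal": {"AWS": INSPECTOR_ACCOUNTS[region]},
        "Action": "sns:Publish",
        "Resource": topic_arn,
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": "arn:aws:inspector:*:*:*"},
        },
    }


def audit_statement(stmt, account_id):
    """Return the problems found in a topic-policy statement (empty list = OK)."""
    problems = []
    region = (stmt.get("Resource", "").split(":") + [""] * 4)[3]
    principal = stmt.get("Principal")
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    if aws is None or aws != INSPECTOR_ACCOUNTS.get(region):
        problems.append("principal is not the Inspector account for this Region")
    cond = stmt.get("Condition", {})
    exact = cond.get("StringEquals", {})
    if exact.get("aws:SourceAccount") != account_id:
        problems.append("aws:SourceAccount is not pinned to your account")
    if "*" in exact.get("aws:SourceArn", ""):
        problems.append("wildcard aws:SourceArn under StringEquals is compared literally")
    elif not any("aws:SourceArn" in cond.get(op, {})
                 for op in ("StringEquals", "ArnEquals", "ArnLike", "StringLike")):
        problems.append("aws:SourceArn condition is missing")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_statement(TOPIC_ARN, ACCOUNT_ID), indent=2))
```

Run `audit_statement` over each statement of an existing topic policy (for example, the `Policy` attribute returned by `sns get-topic-attributes`) to catch topics that were created without the condition.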