Amazon Inspector EC2 scanning should be enabled
Description
This control checks whether Amazon Inspector EC2 scanning is enabled. For a standalone account, the control fails if Amazon Inspector EC2 scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have EC2 scanning enabled.

In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the EC2 scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts.

This control generates FAILED findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector EC2 scanning enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.
Remediation
To remediate this control, enable EC2 scanning in Amazon Inspector. In a multi-account environment, perform the steps from the delegated Amazon Inspector administrator account, since member accounts can't change this setting themselves.
Steps
- Navigate to the Amazon Inspector console
- Go to 'Settings' in the left navigation
- Select 'EC2' under 'Scanning'
- Enable 'EC2 scanning'
- Configure scanning settings as needed
- Save the configuration
- Verify EC2 scanning is active
- For multi-account environments, ensure all member accounts have EC2 scanning enabled
- Disassociate any suspended accounts if needed
- Set up monitoring and alerting for scan results
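The steps above can also be driven programmatically from the delegated administrator account. The following is an added example, not code from AWS or from this control's documentation: a pure function classifies every account in an `inspector2:BatchGetAccountStatus` response into "PASSED"/"FAILED" and two remediation lists (accounts where enabling EC2 scanning is the fix, and suspended members that must be disassociated instead), and a small helper applies that plan through boto3. The response sample and the account IDs in it are constructed, and the live section at the bottom assumes the `inspector2` boto3 client methods `list_members`, `batch_get_account_status`, `enable` and `disassociate_member`, plus an STS lookup for the administrator's own account ID.

```python
"""Evaluate and remediate Amazon Inspector EC2 scanning status across an organization.

Added example (not AWS documentation code). evaluate_ec2_scanning() works on the
shape of the BatchGetAccountStatus response so it runs offline against a constructed
sample; the boto3 calls only run when the file is executed directly with credentials.
"""
from __future__ import annotations

# Constructed sample response shaped like `aws inspector2 batch-get-account-status`
# output. The account IDs are made-up placeholders.
SAMPLE_STATUS_RESPONSE = {
    "accounts": [
        {   # delegated administrator: EC2 scanning on
            "accountId": "111111111111",
            "state": {"status": "ENABLED"},
            "resourceState": {"ec2": {"status": "ENABLED"}, "ecr": {"status": "ENABLED"}},
        },
        {   # active member with EC2 scanning switched off -> enable it
            "accountId": "222222222222",
            "state": {"status": "ENABLED"},
            "resourceState": {"ec2": {"status": "DISABLED"}, "ecr": {"status": "ENABLED"}},
        },
        {   # suspended member: can't be enabled, must be disassociated to reach PASSED
            "accountId": "333333333333",
            "state": {"status": "SUSPENDED"},
            "resourceState": {"ec2": {"status": "SUSPENDED"}, "ecr": {"status": "SUSPENDED"}},
        },
    ],
    "failedAccounts": [],
}


def evaluate_ec2_scanning(response: dict) -> dict:
    """Classify every account in a BatchGetAccountStatus response.

    Returns the control result plus two remediation lists: accounts where
    enabling the EC2 resource type is the fix, and suspended accounts that the
    delegated administrator must disassociate instead.
    """
    to_enable: list[str] = []
    to_disassociate: list[str] = []
    for acct in response.get("accounts", []):
        ec2_status = acct.get("resourceState", {}).get("ec2", {}).get("status", "DISABLED")
        if ec2_status == "ENABLED":
            continue
        if acct.get("state", {}).get("status") in ("SUSPENDED", "SUSPENDING"):
            to_disassociate.append(acct["accountId"])
        else:
            to_enable.append(acct["accountId"])
    # Accounts the API could not report on are treated as non-compliant: unknown is not PASSED.
    unreported = [f["accountId"] for f in response.get("failedAccounts", [])]
    compliant = not (to_enable or to_disassociate or unreported)
    return {
        "status": "PASSED" if compliant else "FAILED",
        "enable_ec2_scanning": to_enable,
        "disassociate_suspended": to_disassociate,
        "unreported": unreported,
    }


def remediate(client, plan: dict, dry_run: bool = True) -> None:
    """Apply a plan with a boto3 `inspector2` client holding delegated-admin credentials.

    With dry_run=True the intended calls are only printed.
    """
    if plan["enable_ec2_scanning"]:
        print("enable EC2 scanning for", plan["enable_ec2_scanning"])
        if not dry_run:
            client.enable(resourceTypes=["EC2"], accountIds=plan["enable_ec2_scanning"])
    for account_id in plan["disassociate_suspended"]:
        print("disassociate suspended member", account_id)
        if not dry_run:
            client.disassociate_member(accountId=account_id)


if __name__ == "__main__":
    import json

    print(json.dumps(evaluate_ec2_scanning(SAMPLE_STATUS_RESPONSE), indent=2))
    # Live use (uncomment; needs boto3 and delegated-administrator credentials).
    # Assumption: the administrator's own account is added to the ID list via STS.
    # import boto3
    # inspector = boto3.client("inspector2")
    # ids = [m["accountId"] for m in inspector.list_members(onlyAssociated=True)["members"]]
    # ids.append(boto3.client("sts").get_caller_identity()["Account"])
    # live_plan = evaluate_ec2_scanning(inspector.batch_get_account_status(accountIds=ids))
    # remediate(inspector, live_plan, dry_run=False)
```

Run as-is, the script prints a FAILED plan for the constructed sample: account 222222222222 is listed for enabling and 333333333333 for disassociation, matching the two remediation paths the control description distinguishes. Re-running the evaluation after remediation is the "verify EC2 scanning is active" step, and the plan output is a convenient payload for the monitoring and alerting step.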