How do I exclude specific AWS resources from Amazon Inspector scans?

3 minute read
0

I don’t want Amazon Inspector to scan specific AWS resources.

Resolution

You can configure Amazon Inspector to exclude scans for specific AWS resources. For example, you can exclude scans from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda functions, or Amazon Elastic Container Registry (Amazon ECR) repositories.

Exclude specific EC2 instance from scans

To exclude an EC2 instance from Amazon Inspector scan, follow these steps to tag the instance with the tag key InspectorEc2Exclusion.

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Instances, and then choose your Instance ID.
  3. Choose the Tags tab, choose Manage tags, and then choose Add new tag,
  4. In the Key Name field, enter a name for your key.
  5. In the Enter Key field, enter InspectorEc2Exclusion, and then choose Save.

Exclude specific Lambda functions from scans

To exclude Lambda functions from Amazon Inspector scans, follow these steps to tag the function with the key tag InspectorExclusion and the value LambdaStandardScanning or LambdaCodeScanning.

Exclude functions from Lambda standard scans

  1. Open the Lambda console.
  2. In the navigation pane, choose Functions, and then choose your Function name.
  3. Choose the Configuration tab, and then in General configuration, choose Tags.
  4. Choose Manage tags, and then choose Add new tag.
  5. In the Key field, enter InspectorExclusion, in the Value field, enter LambdaStandardScanning, and then choose Save.

Exclude functions from Lambda code scans

  1. Open the Lambda console.
  2. In the navigation pane, choose Functions, and then choose your Function name.
  3. Choose the Configuration tab, and then in General configuration, choose Tags.
  4. Choose Manage tags, and then choose Add new tag.
  5. In the Key field, enter InspectorExclusion, in the Value field, enter LambdaCodeScanning, and then choose Save.

Exclude specific Amazon ECR repositories from scans

To exclude the ECR repository from Amazon Inspector scans, follow these steps to use enhanced scanning.

  1. Open the Amazon ECR console.
  2. In the navigation pane, expand Private registry, and then choose Settings.
  3. In Scanning, choose Edit, and then choose Enhanced scanning.
  4. In Continuous scanning filter, clear the Continuously scan all repositories check box.
  5. In Continuous scanning filters or Scan on push filters, enter the name of your repository, and then choose Add filter.
  6. Select the I understand enhanced scanning has additional cost agreement check box, and then choose Save.

Note: Amazon Inspector performs ECR scans at the repository level. For image scans, it's a best practice to separate images into multiple repositories. For more information, see Scanning Amazon ECR container images with Amazon Inspector.

Related information

How do I set up Amazon Inspector Classic to run security assessments on my Amazon EC2 instances?

AWS OFFICIAL
AWS OFFICIALUpdated 5 months ago