We can create an assessment target as follows:
- Go to the Inspector service in the console.
If you are logging in for the first time and see a Get started page, refer to the Setting up and using Amazon Inspector recipe.
- Click Assessment targets from the left sidebar.
- In the Amazon Inspector - Assessment Targets page, click Create.
- For All Instances, uncheck Include all EC2 instances in this AWS account and region, so that the target is scoped by tag instead of covering every instance.
- For Use Tags, click on Add a new key and select the tag key and value we assigned to our EC2 instance in the Getting ready section. Our assessment target creation screen should look like the following screenshot:
- Click on Preview.
- In the Resources for assessment target screen, verify that our instance is listed (if it is not, check that the tag key and value match exactly), then click OK.
- Click on Save.
We can create an assessment template as follows:
- From the Inspector service console, click on Assessment templates from the left sidebar.
- Click Create.
- Provide a Name.
- For Target name, select the target we created in the previous section:
- Under Rules packages, select the following rules: Network Reachability-1.1, Security Best Practices-1.0, Common Vulnerabilities and Exposures-1.1, and CIS Operating System Security Configuration Benchmarks-1.0. Network Reachability is evaluated from the network configuration alone; the other three are host assessments and only produce findings for instances that are running the Inspector agent.
- Leave the Duration as 1 Hour, which is the default:
- For SNS Topics, select the SNS topic we created in the Getting ready section. Leave the following auto-populated events as is: Run started, Run finished, Run state changed, and Finding reported:
- For Tags, select the key and value we gave the EC2 instance that we created in the Getting ready section.
- Leave the value for Attributes added to findings empty. These are key-value pairs that Inspector attaches to every finding the template produces, which is useful for routing or filtering findings, but not needed here.
- Set Assessment Schedule to Set up recurring assessment runs once every 7 days.
- Click on Create.
We can either wait for the template to run as per its schedule or manually trigger a run as follows:
- Go to the Assessment templates page.
- Select our template.
- Click on Run.
If the only instance in scope is the one we used for this recipe, the run and its findings should look similar to those in the previous recipe:
In real-world use we will mostly run assessments against targeted systems, such as production instances. Inspector Classic is billed per assessed instance per run, so scoping targets by tag keeps the cost predictable. If cost is not a constraint, including all instances in the account and region closes the coverage gap that tag-based targeting leaves: an instance that is missing the tag, or that was launched after the target was created, is otherwise never assessed.
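The same procedure driven from the AWS CLI, as an added example that is not part of the original recipe. It uses the Inspector Classic API (`aws inspector`), which is what these console pages operate on; the newer Amazon Inspector service is a separate `aws inspector2` API with no assessment targets or templates. The tag key and value, SNS topic ARN, template name and EventBridge role ARN are placeholder assumptions supplied through environment variables; the role must be assumable by EventBridge and allowed to call inspector:StartAssessmentRun, which is what the console creates for you when you pick a schedule. The helpers at the top make no AWS calls and can be checked without an account; nothing is applied unless INSPECTOR_APPLY=1 is set.

```bash
#!/usr/bin/env bash
# Added example: the console steps above, driven through the Inspector Classic
# API with the AWS CLI. Not from the original recipe. All ARNs and names below
# are hypothetical placeholders; override them through the environment.
set -euo pipefail

TAG_KEY="${TAG_KEY:-Name}"                       # tag from the Getting ready section
TAG_VALUE="${TAG_VALUE:-InspectorTest}"
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:us-east-1:123456789012:inspector-topic}"
EVENTS_ROLE_ARN="${EVENTS_ROLE_ARN:-arn:aws:iam::123456789012:role/inspector-scheduler}"
TEMPLATE_NAME="${TEMPLATE_NAME:-weekly-template}"
DURATION_HOURS=1
SCHEDULE_DAYS=7

# --- helpers that make no AWS calls --------------------------------------------
hours_to_seconds() { echo $(( $1 * 3600 )); }     # console "Duration: 1 Hour"
rate_expression()  { echo "rate($1 days)"; }       # console "once every 7 days"

# JMESPath filter for describe-rules-packages keeping only the named packages.
rules_package_query() {
  local list="" name
  for name in "$@"; do list="${list:+$list,}\"$name\""; done
  printf 'rulesPackages[?contains(`[%s]`, name)].arn\n' "$list"
}

# The four packages selected in the template; only Network Reachability is agentless.
WANTED_PACKAGES=("Network Reachability" "Security Best Practices"
                 "Common Vulnerabilities and Exposures"
                 "CIS Operating System Security Configuration Benchmarks")

# The events the console pre-populates: Run started, Run finished,
# Run state changed, Finding reported.
INSPECTOR_EVENTS=(ASSESSMENT_RUN_STARTED ASSESSMENT_RUN_COMPLETED
                  ASSESSMENT_RUN_STATE_CHANGED FINDING_REPORTED)

# --- the procedure ---------------------------------------------------------------
create_target() {
  local rg_arn target_arn
  # "Use Tags": a resource group scopes the target to the tagged instance(s).
  rg_arn=$(aws inspector create-resource-group \
      --resource-group-tags "key=$TAG_KEY,value=$TAG_VALUE" \
      --query resourceGroupArn --output text)
  target_arn=$(aws inspector create-assessment-target \
      --assessment-target-name "tagged-instances" \
      --resource-group-arn "$rg_arn" \
      --query assessmentTargetArn --output text)
  # "Preview": list the matched instances and their agent health before going on.
  aws inspector preview-agents --preview-agents-target-arn "$target_arn" --output table >&2
  echo "$target_arn"
}

create_template() {
  local target_arn=$1 arns template_arn ev
  # Rules package ARNs are region-specific, so resolve them by name at run time.
  arns=$(aws inspector describe-rules-packages \
      --rules-package-arns $(aws inspector list-rules-packages \
                                 --query rulesPackageArns --output text) \
      --query "$(rules_package_query "${WANTED_PACKAGES[@]}")" --output text)
  template_arn=$(aws inspector create-assessment-template \
      --assessment-target-arn "$target_arn" \
      --assessment-template-name "$TEMPLATE_NAME" \
      --duration-in-seconds "$(hours_to_seconds "$DURATION_HOURS")" \
      --rules-package-arns $arns \
      --query assessmentTemplateArn --output text)
  # "SNS Topics": one subscription per event.
  for ev in "${INSPECTOR_EVENTS[@]}"; do
    aws inspector subscribe-to-event --resource-arn "$template_arn" \
        --event "$ev" --topic-arn "$SNS_TOPIC_ARN"
  done
  echo "$template_arn"
}

# "Assessment Schedule": the console wires the template to a CloudWatch Events rule.
schedule_template() {
  local template_arn=$1 rule="inspector-every-${SCHEDULE_DAYS}d"
  aws events put-rule --name "$rule" \
      --schedule-expression "$(rate_expression "$SCHEDULE_DAYS")"
  aws events put-targets --rule "$rule" \
      --targets "Id=inspector,Arn=$template_arn,RoleArn=$EVENTS_ROLE_ARN"
}

# "Run": the equivalent of selecting the template and clicking Run.
run_now() {
  aws inspector start-assessment-run --assessment-template-arn "$1" \
      --assessment-run-name "manual-$(date +%Y%m%d-%H%M%S)" \
      --query assessmentRunArn --output text
}

main() {
  local target_arn template_arn
  target_arn=$(create_target)
  template_arn=$(create_template "$target_arn")
  schedule_template "$template_arn"
  run_now "$template_arn"
}

# Only touch the account when explicitly asked.
if [ "${INSPECTOR_APPLY:-0}" = "1" ]; then main; fi
```

Once the run finishes, `aws inspector list-findings --assessment-run-arns <run-arn>` followed by `aws inspector describe-findings` returns the same findings the console shows, which is the natural place to plug the results into a ticketing or reporting pipeline instead of reading them off the screen.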