In this recipe, we first created an assessment target. While creating the target, we unchecked Include all EC2 instances in this AWS account and region to not target all instances within our account. We then selected the tag of our EC2 instance. We asked AWS to install the Inspector in all the EC2 machines in this target. To install Inspector agents within an EC2 machine, the EC2 instances should have SSM Agent installed and there should be an IAM role that permits the Run Command. EC2 Windows instances and Amazon Linux instances come with SSM Agent installed.

In addition, we created an assessment template with the assessment target we already selected. We selected all of the rules available, which are Network Reachability-1.1, Security Best Practices-1.0, Common Vulnerabilities and Exposures-1.1, and CIS Operating System Security Configuration Benchmarks-1.0. We set the duration as 1 hour, which is the AWS recommendation. Other available options are 15 minutes, 8 hours, 12 hours, and 24 hours. We selected an SNS topic that we created in the Getting ready section. We then selected the tag we had created for our EC2 instance.