AWS Security Hub · Inspector
Inspector.1: EC2 is not being scanned for vulnerabilities
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Inspector.1 check?
Inspector.1 fails when Amazon Inspector EC2 scanning is not enabled in the account and region. The check confirms the EC2 scan scope is active so instances are continuously assessed for software vulnerabilities.
Why does Inspector.1 matter?
Unscanned instances are a blind spot: a critical CVE in an installed package can sit exploitable for months with no one aware. Inspector continuously inventories installed software via the SSM agent and matches it against vulnerability databases, surfacing exposures into Security Hub. Without it, you are relying on ad-hoc patching and luck rather than knowing your actual exposure.
How do I fix Inspector.1?
- Enable the EC2 scan scope with aws inspector2 enable --resource-types EC2, ideally delegated from the Organization admin so all accounts are covered.
- Ensure target instances run the SSM agent and have an instance profile, since Inspector relies on SSM inventory.
- Verify scanning is active with aws inspector2 batch-get-account-status and confirm findings flow into Security Hub.
- Enable auto-enable for new accounts and regions so coverage does not drift.
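The verification step above can be scripted. The following POSIX shell script is an added example, not code from the original page or from AWS: it runs the page's own check, aws inspector2 batch-get-account-status, with a --query projection (an assumption of this example) that prints one "accountId TAB ec2 status" row per account, and evaluates each row the way Inspector.1 would, treating anything other than ENABLED (including the in-progress ENABLING state) as a failure. The sample rows are constructed so the evaluation can be exercised without AWS credentials; pass --live to query the real account.

```shell
#!/bin/sh
# Added example, not from the original page: evaluate the Inspector.1 condition
# (EC2 scan scope ENABLED) for every account visible from the current credentials.
# Assumes AWS CLI v2 configured for the delegated Inspector admin or a single account.

# Query the live status for the current Region.
# Output: one "<accountId><TAB><ec2 status>" row per account (assumed projection).
fetch_ec2_scan_status() {
    aws inspector2 batch-get-account-status \
        --query 'accounts[].[accountId, resourceState.ec2.status]' \
        --output text
}

# Evaluate the control over status rows read from stdin (the format above).
# Prints PASS/FAIL per account; returns 0 only if every account reports ENABLED.
# Rule used here: anything other than ENABLED (including ENABLING, which is
# still in progress) is treated as failing, since instances are not yet assessed.
evaluate_inspector1() {
    tab=$(printf '\t')
    failed=0
    while IFS="$tab" read -r account status; do
        [ -z "$account" ] && continue
        if [ "$status" = "ENABLED" ]; then
            echo "PASS $account ec2=ENABLED"
        else
            echo "FAIL $account ec2=${status:-UNKNOWN}"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample rows standing in for fetch_ec2_scan_status output.
SAMPLE_ROWS=$(printf '111111111111\tENABLED\n222222222222\tDISABLED\n333333333333\tENABLING\n')

# Demo against the sample; pass --live to query the account instead.
if [ "${1:-}" = "--live" ]; then
    fetch_ec2_scan_status | evaluate_inspector1
else
    printf '%s\n' "$SAMPLE_ROWS" | evaluate_inspector1 \
        || echo "Inspector.1 would FAIL: enable with 'aws inspector2 enable --resource-types EC2'"
fi
```

Run the script once per Region you care about (Inspector is a regional service, so the status call only covers the Region the CLI is pointed at); a non-zero exit from evaluate_inspector1 is the signal to re-run the enable step or to check that the account was actually associated with the delegated admin.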
Remediation script · bash
    # Enable the GuardDuty base detector in every Region (run from the delegated admin account).
    for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
        existing=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
        if [ "$existing" = "None" ]; then
            aws guardduty create-detector --enable \
                --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
            echo "$region: GuardDuty detector created"
        fi
    done
    # Turn on Inspector EC2/ECR/Lambda scanning for this account and Region.
    aws inspector2 enable --resource-types EC2 ECR LAMBDA
    # Enable Macie (free bucket inventory clears Macie.1; discovery jobs are scoped separately by risk).
    aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES
Full walkthrough (console steps, edge cases and verification) in the lesson Enable threat detection and vulnerability scanning.
More Inspector controls
- Inspector.2 Container images are not scanned by Inspector
- Inspector.3 Lambda code is not scanned by Inspector
- Inspector.4 Lambda is not fully covered by Inspector