Installing Amazon Inspector Service

Question

I'm about to install and use Amazon Inspector. We have many EC2 instances behind ELB. Plus some EC2 instances are opened via Auto-Scale.

My question: Is the Amazon Inspector doing its work locally or globally, meaning is the monitoring being made on the instance that it is installed on or it can be configured to include all the instances of the infrastructure?

If Inspector should be applied on every EC2 instance, can the Auto-Scale be configured to open the new instances with Inspector already installed on them and if yes, how can i do that?

Answer 1

I asked a similar question on the Amazon forum but got no response.

In the end I used the following feature to customise the EC2 instances that my application gets deployed to:

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html

Basically off the root of your .war file you need a folder named '.ebextensions' and in there a .config file containing some commands to install the Inspector client.

So my file 'inspector-agent.config' looks like this:

# Errors get logged to /var/log/cfn-init.log. See Also /var/log/eb-tools.log

commands:
# Download the agent installation script
  "01-agent-repository":
    command: sudo wget https://inspector-agent.amazonaws.com/linux/latest/install

# Run the installation script
  "02-run-installation-script":
    command: sudo bash install

Answer 2

I've found the answer and the solution, You have to install Amazon Inspector on each EC2 in order to inspect them all using Amazon Inspector.

About the Auto-Scale, I've applied Amazon Inspector on the main EC2 servers and took an image from them (after inspecting all the EC2s and fix all the issues). Then I've configured the Auto-Scale to lunch to lunch from the new AMIs (The Inspected AMIs).