How long does it take for AWS Amazon Inspector to complete a full EC2 Scan?


I enabled AWS Amazon Inspector (2) for a single EC2 instance that I have. It's an Ubuntu box with PHP and Apache, nothing special, and the status has shown Scanning for the last 3 hours.

I look at htop on this machine, and I see that /snap/amazon-ssm-agent/####/amazon-ssm-agent is running and that several /snap/amazon-ssm-agent/####/ssm-agent-worker processes are running. Still... 3 hours have passed, and I have no results.

Is it working? Isn't it working? Is there a more verbose status? Also, if someone has experience with this, can you share the average time you waited for results?

aws-inspector

2


4
apaterson On

I've been in a similar situation - I do Inspector scans on EC2 as well as ECR. ECR was pretty quick for scans, but for EC2 it took about 4.5 hrs to get to the INITIAL_SCAN_COMPLETE state. Very concerning that it takes this amount of time, but I noticed it was doing about 470 vulnerability checks.

0
Pavan Aleti On

Here is the document that contains the status information: https://docs.aws.amazon.com/inspector/latest/user/assessing-coverage.html

Scanning – Amazon Inspector is continuously monitoring and scanning the instance.

It won't just scan and leave, but instead continuously monitors the instance for future vulnerabilities too. Hence the status shows Scanning.

You need to get into the Findings tab to look into what's going on with the vulnerabilities: Findings -> By instance -> select your instance to see the findings related to your instance. Hope that helps.
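The console's "Scanning" label hides the per-resource status that the answer above points at; the Inspector2 ListCoverage API exposes it as `scanStatus.reason`, and ListFindings gives the findings for the same instance. The following is an added example (not code from the poster or from AWS): it assumes the boto3 `inspector2` client and the documented response shapes of those two calls, and the sample responses, instance ID and reason values are constructed to match that shape, not real account data.

```python
"""Surface Amazon Inspector (v2) EC2 coverage status and a findings summary for one instance.

Added example, not from the original post. Assumes the boto3 `inspector2` client and the
ListCoverage / ListFindings response shapes; pagination via nextToken is omitted for brevity.
"""
from collections import Counter


def coverage_status(list_coverage_resp: dict, instance_id: str) -> dict:
    """Return {statusCode, reason} for the instance from a ListCoverage response.

    `scanStatus.reason` is the verbose status behind the console's "Scanning"
    (assumed values such as PENDING_INITIAL_SCAN, SUCCESSFUL, UNMANAGED_EC2_INSTANCE, NO_INVENTORY).
    """
    for res in list_coverage_resp.get("coveredResources", []):
        if res.get("resourceId") == instance_id:
            status = res.get("scanStatus", {})
            return {"statusCode": status.get("statusCode"), "reason": status.get("reason")}
    return {"statusCode": "NOT_COVERED", "reason": "instance not present in coverage list"}


def findings_by_severity(list_findings_resp: dict) -> dict:
    """Count ACTIVE findings per severity from a ListFindings response (CLOSED ones are skipped)."""
    counts = Counter(f["severity"] for f in list_findings_resp.get("findings", [])
                     if f.get("status") == "ACTIVE")
    return dict(counts)


# Constructed sample responses mirroring the API shape (placeholder instance ID and titles).
SAMPLE_COVERAGE = {"coveredResources": [
    {"resourceId": "i-0123456789abcdef0", "resourceType": "AWS_EC2_INSTANCE", "scanType": "PACKAGE",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "PENDING_INITIAL_SCAN"}},
]}
SAMPLE_FINDINGS = {"findings": [
    {"severity": "HIGH", "status": "ACTIVE", "title": "placeholder finding - openssl"},
    {"severity": "MEDIUM", "status": "ACTIVE", "title": "placeholder finding - apache2"},
    {"severity": "HIGH", "status": "CLOSED", "title": "placeholder finding - php (already fixed)"},
]}


def fetch_live(instance_id: str, region: str = "us-east-1") -> tuple:
    """Query the real APIs; only used when run directly with AWS credentials available."""
    import boto3  # imported lazily so the pure functions above work offline
    client = boto3.client("inspector2", region_name=region)
    flt = {"resourceId": [{"comparison": "EQUALS", "value": instance_id}]}
    return client.list_coverage(filterCriteria=flt), client.list_findings(filterCriteria=flt)


if __name__ == "__main__":
    print(coverage_status(SAMPLE_COVERAGE, "i-0123456789abcdef0"))
    print(findings_by_severity(SAMPLE_FINDINGS))
```

Replace the sample dicts with the tuple returned by `fetch_live("<your-instance-id>")` to read the live status; a reason other than SUCCESSFUL after several hours is what to investigate (SSM agent health, supported OS), rather than the "Scanning" label itself.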