Deactivating a scan type in Amazon Inspector - Amazon Inspector
Deactivating scans

Deactivating a scan type in Amazon Inspector

This section describes how to deactivate a scan type. When you deactivate a scan type, you lose access to any findings the scan type produced. If you reactivate the scan type, Amazon Inspector scans all eligible resources to generate new findings.

Tip

If you want to keep a record of your findings, you can export them to an Amazon Simple Storage Service (Amazon S3) bucket as a findings report. For more information, see Exporting Amazon Inspector findings reports.

When you deactivate a scan type, you might encounter the following changes in the AWS account where you deactivated the scan type:

Amazon EC2 scanning

When you deactivate Amazon Inspector Amazon EC2 scanning for an account, the following SSM associations are deleted:

  • InspectorDistributor-do-not-delete

  • InspectorInventoryCollection-do-not-delete

  • InspectorLinuxDistributor-do-not-delete

  • InvokeInspectorLinuxSsmPlugin-do-not-delete

  • InvokeInspectorSsmPlugin-do-not-delete.

Additionally, the Amazon Inspector SSM plugin installed through this association is removed from all of your Windows hosts. For more information, see Scanning Windows EC2 instance.

Amazon ECR scanning

When you deactivate Amazon ECR scanning for an account, the Amazon ECR scan type account changes from Enhanced scanning with Amazon Inspector to Basic scanning with Amazon ECR.

Lambda standard scanning

When you deactivate Lambda standard scanning for an account, you deactivate Lambda code scanning if the scan type was actived. You also delete the CloudTrail service-linked channel that Amazon Inspector created when you activated Lambda standard scanning.

Deactivating scans

Deactivating all scan types for an account deactivates Amazon Inspector for that account in that AWS Region. For more information, see Deactivating Amazon Inspector.

To complete this procedure for a multi-account environment, follow these steps while signed in as the Amazon Inspector delegated administrator.

Console
To deactivate scans

  1. Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region where you want to deactivate scans.

  3. In the navigation pane, choose Account management.

  4. Choose the Accounts tab to show the scanning status of an account.

  5. Select the check box of each account for which you want to deactivate scans.

  6. Choose Actions, and, from the Deactivate options, select the scan type you wish to deactivate.

  7. (Recommended) Repeat these steps in each AWS Region for which you want to deactivate that scan type.

API

Run the Disable API operation. In the request, provide the account IDs you are deactivating scans for, and for resourceTypes provide one or more of EC2, ECR, LAMBDA, or LAMBDA_CODE to deactivate scans.