Modify or disable Vulnerability Assessment for AWS

Modify an existing Vulnerability Assessment for AWS scan

The following section describes how to modify the configuration for a Vulnerability Assessment for AWS scan.

  1. Make sure that you have the permissions and roles defined in Enable and use Vulnerability Assessment for AWS.

  2. Go to the Settings page in Security Command Center:

  3. Select the organization in which you need to modify Vulnerability Assessment for AWS. The Services tab of the Settings page opens.

  4. Select Settings.

  5. In the Vulnerability Assessment service card, click Manage Settings. The Vulnerability Assessment page opens.

  6. Select the Amazon Web Services tab.

  7. Under the Scan settings for AWS compute and storage section, click Edit scan settings to modify the scope of resources that are scanned.

    You can define a maximum of 50 AWS tags and 50 Amazon EC2 instance IDs. Changes to scan settings don't affect the AWS CloudFormation template, so you don't need to redeploy it. If a tag or instance ID value is not correct (for example, the value is misspelled) or the specified resource does not exist, the value is ignored during the scan. Check the values carefully: because only instances carrying the exact key-value pair are scanned, a misspelled tag reduces scan coverage, and a misspelled exclusion leaves that instance in the scan.
    Scan interval

    Enter the number of hours between each scan. Valid values range from 6 to 24. The default value is 6. More frequent scans may increase resource usage and, with it, billing charges.

    AWS regions

    Choose a subset of regions to include in vulnerability assessment scanning. Only instances in the selected regions are scanned; select one or more AWS regions to include.

    If you configured specific regions in the Amazon Web Services (AWS) connector, make sure the regions selected here are the same as, or a subset of, those defined when you configured the connection to AWS.

    AWS tags

    Specify tags that identify the subset of instances to scan. Only instances with these tags are scanned. Enter the key-value pair for each tag. An invalid tag is ignored. You can specify a maximum of 50 tags. For more information about tags, see Tag your Amazon EC2 resources and Add and remove tags for Amazon EC2 resources.

    Exclude by Instance ID

    Exclude EC2 instances from each scan by specifying their EC2 instance IDs. You can specify a maximum of 50 instance IDs. Invalid values are ignored. If you define multiple instance IDs, every instance whose ID is in the list is excluded.

    • If you select Exclude instance by ID, enter each instance ID manually by clicking Add AWS EC2 instance and then typing the value.
    • If you select Copy and paste a list of instance IDs to exclude in JSON format, do one of the following:

      • Enter an array of instance IDs. For example:

        [ "instance-id-1", "instance-id-2" ]
      • Upload a file with the list of instance IDs. The content of the file must be an array of instance IDs, for example:

        [ "instance-id-1", "instance-id-2" ]

    Scan SC1 instance

    Select Scan SC1 instance to include these instances. SC1 instances (sc1 is the Amazon EBS Cold HDD volume type) are excluded by default. Learn more about SC1 instances.

    Scan ST1 instance

    Select Scan ST1 instance to include these instances. ST1 instances (st1 is the Amazon EBS Throughput Optimized HDD volume type) are excluded by default. Learn more about ST1 instances.

    Scan Elastic Container Registry (ECR)

    Select Scan Elastic Container Registry (ECR) to scan container images stored in ECR and their installed packages. Learn more about Elastic Container Registry.
  8. Click Save.
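Because the service ignores malformed tag and instance ID values rather than rejecting them, a typo in the exclusion list silently leaves an instance in the scan and a typo in a tag silently narrows coverage. The following script pre-validates both lists before you paste them into the console. It is an added example, not code from this page or from Security Command Center; it assumes the EC2 instance ID format (i- followed by 8 or 17 lowercase hex digits), the tag limits AWS documents (key 1 to 128 characters, value up to 256, the character set of letters, digits, spaces and + - = . _ : / @, and the reserved aws: key prefix), and the 50-entry caps stated above. The sample values are constructed.

```python
"""Pre-validate a Vulnerability Assessment for AWS scan scope before saving it.

Added example, not code from the page or from Security Command Center. It
assumes the EC2 instance-ID format (i- plus 8 or 17 lowercase hex digits) and
the AWS tag limits documented by AWS; the sample values below are constructed.
"""
import json
import re

MAX_ENTRIES = 50  # the page caps both tags and excluded instance IDs at 50

# Legacy (8 hex) and current (17 hex) EC2 instance-ID formats, lowercase only.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

# AWS tag rules: letters, digits, spaces and + - = . _ : / @ ; key 1-128 chars,
# value 0-256 chars, and keys beginning with "aws:" are reserved for AWS.
TAG_CHARS_RE = re.compile(r"^[\w\s+\-=.:/@]*$")


def validate_instance_ids(ids):
    """Split candidate exclusions into (accepted, rejected).

    accepted: de-duplicated IDs in input order, ready for the JSON array.
    rejected: value -> reason, for anything the service would drop silently.
    """
    accepted, rejected, seen = [], {}, set()
    for raw in ids:
        value = raw.strip()
        if not INSTANCE_ID_RE.match(value):
            rejected[raw] = "not an EC2 instance ID (expected i- plus 8 or 17 hex digits)"
        elif value not in seen:  # a repeated ID is harmless; keep the first copy
            seen.add(value)
            accepted.append(value)
    if len(accepted) > MAX_ENTRIES:
        raise ValueError(f"{len(accepted)} instance IDs exceed the limit of {MAX_ENTRIES}")
    return accepted, rejected


def validate_tags(tags):
    """Split candidate scan-scope tags (key -> value) into (accepted, rejected)."""
    accepted, rejected = {}, {}
    for key, value in tags.items():
        if not 1 <= len(key) <= 128:
            rejected[key] = "key must be 1-128 characters"
        elif key.lower().startswith("aws:"):
            rejected[key] = "keys starting with aws: are reserved"
        elif len(value) > 256:
            rejected[key] = "value longer than 256 characters"
        elif not (TAG_CHARS_RE.match(key) and TAG_CHARS_RE.match(value)):
            rejected[key] = "character outside the AWS tag character set"
        else:
            accepted[key] = value
    if len(accepted) > MAX_ENTRIES:
        raise ValueError(f"{len(accepted)} tags exceed the limit of {MAX_ENTRIES}")
    return accepted, rejected


def exclusion_json(ids):
    """Return the JSON array to paste into the console, or fail loudly.

    The service ignores malformed IDs instead of rejecting them, which would
    leave the intended instance in the scan; raising here surfaces the typo.
    """
    accepted, rejected = validate_instance_ids(ids)
    if rejected:
        raise ValueError(f"fix these values before saving: {rejected}")
    return json.dumps(accepted)


# Constructed sample input (not from the page).
SAMPLE_EXCLUSIONS = [
    "i-0123456789abcdef0",  # valid, current 17-hex format
    "i-1a2b3c4d",           # valid, legacy 8-hex format
    "i-0123456789abcdef0",  # duplicate of the first entry
    "i-0123456789ABCDEF0",  # uppercase hex: does not match a real ID
    "instance-id-1",        # placeholder left over from the documentation example
]
SAMPLE_TAGS = {
    "Environment": "prod",
    "aws:cloudformation:stack-name": "va-stack",  # reserved prefix
    "Owner": "sec!ops",                            # '!' is not a tag character
}

if __name__ == "__main__":
    accepted, rejected = validate_instance_ids(SAMPLE_EXCLUSIONS)
    print("exclusions to paste:", json.dumps(accepted))
    for value, reason in rejected.items():
        print(f"rejected {value!r}: {reason}")
    good_tags, bad_tags = validate_tags(SAMPLE_TAGS)
    print("tags:", good_tags, "rejected:", bad_tags)
```

In practice the candidate list would come from `aws ec2 describe-instances` or boto3 rather than a literal; the point is that the console does not tell you which values it dropped, so the check belongs before Save, and `exclusion_json` deliberately refuses to produce output while any value is rejected.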

Disable Vulnerability Assessment for AWS scan

To disable the Vulnerability Assessment for AWS service, you need to disable it in Security Command Center and then delete the stack that contains the CloudFormation template in AWS. If the stack isn't deleted, it will continue to incur costs in AWS.

Complete the following steps to disable Vulnerability Assessment for AWS:

  1. Go to the Settings page in Security Command Center:

  2. Select the organization in which you need to disable Vulnerability Assessment for AWS. The Services tab of the Settings page opens.

  3. In the Vulnerability Assessment service card, click Manage Settings.

  4. Select the Amazon Web Services tab.

  5. In the Status field under Service enablement, select Disable.

  6. Go to the CloudFormation page in the AWS Management Console.

  7. Delete the stack that contains the CloudFormation template for Vulnerability Assessment for AWS.

    If you don't delete the stack, you might incur unnecessary costs. Deleting the stack also removes the AWS resources that the template created, so nothing from the integration keeps running in your AWS account after the service is disabled.