Amazon Inspector CIS Scan Configuration with Tags

Automatically tag EC2 instances to enable targeted CIS benchmark scanning using Amazon Inspector.

Overview

An Amazon Inspector CIS (Center for Internet Security) scan configuration selects its target EC2 instances by account and by tag key/value pairs, so an instance is only scanned if it carries a tag that the configuration targets. TagOps applies those tags to your instances automatically and keeps them in place, ensuring the instances are consistently included in security scans.

What TagOps Can Do

TagOps can automatically tag EC2 instances with the tags your Amazon Inspector CIS scan configuration targets:

  • Automatic Tagging: TagOps rules automatically apply tags like SecurityScan: Enabled or CISScan: Required to EC2 instances when they are created or discovered
  • Conditional Tagging: Create rules to tag only specific instances (e.g., production instances, instances in certain regions, or instances matching name patterns)
  • Consistent Coverage: Ensure all instances that should be scanned have the required tags, preventing gaps in security assessments
  • Environment-Based Tagging: Use different tag values for different environments to enable separate scan configurations in AWS Inspector

Example TagOps Rule

Create a TagOps rule to automatically tag EC2 instances for CIS scanning:

  • Condition: Resource type is ec2:instance
  • Action: Add tags SecurityScan: Enabled and CISScan: Required

TagOps will automatically apply these tags to matching instances, and a CIS scan configuration in Amazon Inspector that targets the same tags will then pick those instances up. The tag key and value applied by the rule must match the scan configuration's target tags exactly: AWS tag keys and values are case-sensitive, so CISScan: required would not satisfy a target of CISScan: Required.
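The following is an added example, not TagOps' or Amazon Inspector's own code, that models the rule above offline: it applies the rule's tags to a constructed instance inventory and then reports which instances the rule intends to cover but a CIS scan configuration targeting CISScan: Required would still miss. The inventory, the rule's name_pattern condition, and the instance IDs are all made up for illustration; the SCAN_TARGETS map only mirrors the shape of the targetResourceTags map (tag key to accepted values) that the inspector2 CreateCisScanConfiguration API takes.

```python
"""Offline check that a TagOps-style tagging rule and an Amazon Inspector CIS
scan configuration agree on which EC2 instances get scanned.

Added example, not TagOps' or Amazon Inspector's own code. The inventory,
rule, and scan targets below are constructed sample data; nothing here calls
AWS."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Instance:
    instance_id: str
    region: str
    tags: dict = field(default_factory=dict)


def build_inventory():
    """Constructed sample inventory (shape loosely follows describe_instances)."""
    return [
        Instance("i-0aaa", "us-east-1", {"Name": "prod-web-1", "Environment": "prod"}),
        Instance("i-0bbb", "us-east-1", {"Name": "prod-db-1", "Environment": "prod"}),
        Instance("i-0ccc", "eu-west-1", {"Name": "dev-web-1", "Environment": "dev"}),
        # Already carries one of the two tags, e.g. added by hand.
        Instance("i-0ddd", "eu-west-1", {"Name": "prod-batch-7", "Environment": "prod",
                                         "CISScan": "Required"}),
    ]


# A TagOps-style rule: a condition on the resource plus the tags to add.
# The "name_pattern" condition is a hypothetical field used for illustration.
RULE = {
    "condition": {"resource_type": "ec2:instance", "name_pattern": "prod-*"},
    "tags": {"SecurityScan": "Enabled", "CISScan": "Required"},
}

# Tag targets of the CIS scan configuration, in the shape of the
# targetResourceTags map (tag key -> accepted values) that the inspector2
# CreateCisScanConfiguration API takes.
SCAN_TARGETS = {"CISScan": ["Required"]}


def rule_matches(rule, inst):
    """Does the rule's condition select this instance?"""
    cond = rule["condition"]
    if cond.get("resource_type") != "ec2:instance":
        return False
    pattern = cond.get("name_pattern")
    return pattern is None or fnmatch.fnmatchcase(inst.tags.get("Name", ""), pattern)


def apply_rule(rule, inventory):
    """Add the rule's tags to matching instances; return IDs that changed.

    Idempotent: an instance that already carries every tag with the right
    value is left alone, so a second run reports no changes."""
    changed = []
    for inst in inventory:
        if not rule_matches(rule, inst):
            continue
        missing = {k: v for k, v in rule["tags"].items() if inst.tags.get(k) != v}
        if missing:
            inst.tags.update(missing)
            changed.append(inst.instance_id)
    return changed


def is_scan_target(targets, inst):
    """Would the scan configuration pick up this instance?

    Tag keys and values are compared exactly: AWS tags are case-sensitive,
    so "required" does not satisfy a target of "Required". Assumption: with
    several keys, every key must match one of its values; confirm the exact
    multi-key semantics against the Inspector documentation before relying
    on it."""
    return all(inst.tags.get(k) in vals for k, vals in targets.items())


def coverage_gaps(inventory, rule, targets):
    """Instances the rule intends to cover but the scan config would miss."""
    return [inst.instance_id for inst in inventory
            if rule_matches(rule, inst) and not is_scan_target(targets, inst)]


if __name__ == "__main__":
    inventory = build_inventory()
    print("gaps before tagging:", coverage_gaps(inventory, RULE, SCAN_TARGETS))
    print("tagged:", apply_rule(RULE, inventory))
    print("gaps after tagging:", coverage_gaps(inventory, RULE, SCAN_TARGETS))
```

Running it shows the two untagged production instances as gaps, the three instances the rule changes (including the one that had only CISScan and gained SecurityScan), and no gaps afterwards; the dev instance is never touched. The same key-to-values map used for SCAN_TARGETS is what you would pass as the tag targets when creating the CIS scan configuration, so keeping the rule's tag values and the configuration's target values in one place is the simplest way to avoid a silent mismatch.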

Additional Resources