
Can we exclude a particular folder from being CIS-scanned by Inspector ?

0

Hi.

We have recently migrated from AWS Inspector Classic to AWS Inspector V2 which provides CIS scans for our EC2 fleet. We successfully configured everything and have scans running on several AL2-based machines.

But we observed a behavior we'd like to have some light shed on, and also to know if we can avoid it. One of our EC2s has an NFS mount that points to another EC2 which is basically a NAS server.

When Inspector scans the EC2, it apparently also scans/collects data from the NAS server, since there's a folder on the EC2, "/mnt", which points to it.

Since we have quite a lot of data there, it triggers spikes of CPU and network activity on the NAS, even when the scan is complete.

So my question is: can Inspector not do that? Can we exclude this particular folder from the scan?

I hope this is clear.

Thank you for your consideration.

Dylan.

3 Answers
1

Hello.

As far as I know, you can prevent scanning of specific EC2 instances, but there is no way to exclude specific directories or files within the EC2 instance from being scanned.
In other words, as of February 2026, the only options available are to either scan the EC2 or not.
https://repost.aws/knowledge-center/exclude-inspector-scans

With agentless scanning, Amazon Inspector takes a snapshot of the EBS and performs the scan from that snapshot, so it may be possible to perform the scan without putting a load on the NAS.
However, there are some EC2 OS and file systems that cannot be used with agentless scanning, so it may not be possible to use it depending on the environment you have created.
https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html

EXPERT
answered 4 days ago
AWS
EXPERT
reviewed 3 days ago
  • Thank you for your prompt answer. The spikes we've seen were observed while doing CIS scans, and as far as we understood it, for a CIS scan the instance needs to be SSM managed. While the spike is understandable while the scan is running, we don't understand why the load on CPU and network activity continues even when the scan is complete. Do you maybe have an idea about why that would be?

    Thanks in advance, Laura.

0

Hello, thank you for your quick response, but as highlighted in the answer to your own comment, we're talking here about the on-demand CIS scans, not the live EC2 ones. As far as we know, we cannot perform those CIS scans on EBS snapshots; we have to do them on running SSM-managed EC2s.

Is there a chance that excluding folders/paths could be part of an upcoming Inspector version?

Dylan.

answered 2 days ago
0

Update: Seems to be only happening when doing CIS scan for LEVEL_2. We don't see this behavior when doing LEVEL_1 scans.

answered a day ago
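As an added example (not from this thread and not AWS's own code), one way to act on the two findings above, that Inspector can only include or exclude whole instances and that the NAS load only appears with LEVEL_2: list the NFS mounts on each instance, tag the NFS clients, and create separate CIS scan configurations so those instances get LEVEL_1 while the rest keep LEVEL_2. The tag key `CisProfile`, the account id and the sample mounts table are constructed; the JSON field names are my reading of the CreateCisScanConfiguration API and should be checked against the current API reference.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes AWS CLI v2 with inspector2
# permissions; JSON field names are assumed from the CreateCisScanConfiguration API.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"   # placeholder, replace with your account id

# Print NFS mount points from a mounts table (default /proc/mounts), so the
# instances that depend on the NAS can be found and tagged CisProfile=nfs-client.
nfs_mounts() {
  awk '$3 ~ /^nfs/ { print $2 }' "${1:-/proc/mounts}"
}

# Emit the request body for one CIS scan configuration.
#   $1 scan name   $2 LEVEL_1 | LEVEL_2   $3 CisProfile tag value selecting the targets
cis_scan_config_json() {
  cat <<EOF
{
  "scanName": "$1",
  "securityLevel": "$2",
  "schedule": { "oneTime": {} },
  "targets": {
    "accountIds": ["$ACCOUNT_ID"],
    "targetResourceTags": { "CisProfile": ["$3"] }
  }
}
EOF
}

# Create both configurations: LEVEL_1 for the NFS clients, LEVEL_2 for the rest.
apply_cis_configs() {
  tmp=$(mktemp)
  cis_scan_config_json "cis-nfs-clients-l1" LEVEL_1 nfs-client > "$tmp"
  aws inspector2 create-cis-scan-configuration --cli-input-json "file://$tmp"
  cis_scan_config_json "cis-fleet-l2" LEVEL_2 standard > "$tmp"
  aws inspector2 create-cis-scan-configuration --cli-input-json "file://$tmp"
  rm -f "$tmp"
}

# Usage: source this file, run nfs_mounts on each instance to decide the tag,
# then apply_cis_configs from a host with Inspector permissions.
```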
