Skip to main content
Sumo Logic

Collect Data for the Amazon Inspector App

This page provides instructions for configuring data collection for the Amazon Inspector App.

Step 1: Configure Collection in Sumo Logic

To collect data for the Amazon Inspector App, do the following:

  1. Configure a Hosted Collector.
  2. Configure an HTTP Source.

Step 2: Configure Amazon Inspector

On Amazon Inspector, perform these tasks under the same AWS region:

  1. Create an Amazon SNS topic to receive assessment template events.
  2. Configure the Amazon Inspector to send findings to the SNS topic.
  3. Create an appropriate role to execute a Lambda function and read Inspector data.
  4. Set up a Lambda function to fetch data and send to the Sumo Logic HTTP Source endpoint.

Details are provided in the following sections. 

Step 3: Create an Amazon SNS Topic

  1. Login to the Amazon Console.
  2. Go to Application Integration > Simple Notification Service (SNS).
  3. On the SNS Dashboard, select Create topic.
  4. Enter a Topic name and a Display name, and click Create topic.
  5. To assign the following policy to this topic, select the topic, then under Advanced view, click Actions/Edit topic policy.
  6. Replace the existing text with the following:

 "Version": "2008-10-17",
 "Id": "inspector-sns-publish-policy",
 "Statement": [
     "Sid": "inspector-sns-publish-statement",
     "Effect": "Allow",
     "Principal": {
       "Service": ""
     "Action": "SNS:Publish",
     "Resource": "arn:aws:sns:*"
  1. Click Update policy.

Step 4: Configure Amazon Inspector

  1. In the Amazon Console, go to Security, Identity & Compliance > Inspector.
  2. Select each assessment template you want to monitor.
  3. Expand each row and find the section called SNS topics.
  4. Click the Edit icon and select the SNS topic you created in the previous section.
  5. Click Save.

Step 5: Create a Role

  1. In the Amazon Console, go to Security, Identity & Compliance > IAM.
  2. Create a new role called Lambda-Inspector.

Step 6: Create a Lambda Function

  1. In the Amazon Console, go to Compute > Lambda.
  2. Create a new function.
  3. On the Select blueprint page, select a Blank function.
  4. Select the SNS topic you created in Create an Amazon SNS Topic as trigger.
  5. Click Next.
  6. On the Configure function page, enter a name for the function.
  7. Go to and copy and paste the sumologic-aws-lambda code into the field. 
  8. Edit the code to enter the URL of the Sumo Logic endpoint that will receive data from the HTTP Source.
  9. Scroll down and configure the rest of the settings as follows:
    1. Memory (MB). 128.
    2. Timeout. 5 min.
    3. VPC. No VCP.
  10. Click Next.
  11. On the Review page, you should see something like this:
  12. Click Create function.

Sample Log

Amazon Inspector CreateResourceGroup action:

    "eventVersion": "1.03",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::444455556666:user/Alice",
        "accountId": "444455556666",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2016-04-14T17:05:54Z"
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::444455556666:user/Alice",
                "accountId": "444455556666",
                "userName": "Alice"
    "eventTime": "2016-04-14T17:12:34Z",
    "eventSource": "",
    "eventName": "CreateResourceGroup",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "",
    "userAgent": "",
    "requestParameters": {
        "resourceGroupTags": [
                "key": "Name",
                "value": "ExampleEC2Instance"
    "responseElements": {
        "resourceGroupArn": "arn:aws:inspector:us-west-2:444455556666:resourcegroup/0-oclRMp8B"
    "requestID": "148256d2-0264-11e6-a9b5-b98a7d3b840f",
    "eventID": "e5ea533e-eede-46cc-94f6-0d08e6306ff0",
    "eventType": "AwsApiCall",
    "apiVersion": "v20160216",
    "recipientAccountId": "444455556666"