---
title: "Inspector 2 (EC2 Continuous Scanning)"
slug: "inspector-2-ec2-continuous-scanning"
updated: 2025-06-24T17:17:20Z
published: 2025-06-24T17:17:20Z
canonical: "help.nucleussec.com/inspector-2-ec2-continuous-scanning"
---

# Inspector 2 (EC2 Continuous Scanning)

After setting up [permissions](/v1/docs/aws-setting-permissions) and [instance sync](/v1/docs/aws-instance-sync), configure the AWS connector to pull data from Amazon Inspector 2 (EC2 Continuous Scanning) or Inspector Classic via SecurityHub into your Nucleus project.

## Connector configuration

**Warning:** You will need to add all AWS accounts that have EC2 instances, even if they are only ingesting from the SecurityHub admin account.

1. Log in to your Nucleus project.
2. From the navigation bar on the left, under **Integration Hub**, select **Connector Setup**.
3. Select **Amazon Web Services**.  
![aws-connector-icon.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/aws-connector-icon.png)
4. In the **Name** field, enter a name for the connector.
5. In the **Description** field, enter a description for this connector.
6. In the **Authentication** section, click the **green plus button** to add a new AWS role to use when connecting to AWS. Note that you can only have one role per AWS account. Alternatively, you can [bulk import credentials using a CSV file](/v1/docs/inspector-2-ec2-continuous-scanning#bulk-import-credentials-template).  
![aws-connector-authentication-section.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/aws-connector-authentication-section.png)
7. In the **Label** field, enter a label for the role.
8. In the **Role ARN** field, enter the Amazon Resource Name (ARN) for the role.
9. Click **Verify Credentials**. If the credentials were entered correctly, a message confirming a successful connection will appear.
10. Do not check **Import all AWS Resource Tags as nested [asset groups](/v1/docs/asset-groups)** as this option is now legacy.
11. Optionally check **Synchronise EC2 and ECR Instance states**.
  - To automatically deactivate the asset in Nucleus when an EC2 or ECR instance is terminated, select **When an EC2 or ECR instance is terminated, deactivate the asset in Nucleus**.
  - To automatically remove the asset from Nucleus when an EC2 or ECR instance is terminated, select **When an EC2 or ECR instance is terminated, remove the asset from Nucleus**.
12. Optionally decide if you want to [upload asset and finding data from your Nucleus project to S3 buckets](/v1/docs/s3-data-upload).
13. Click **Save & Finish**.

### Bulk import credentials template

If your organization has many AWS accounts, you can bulk import role ARNs by clicking **Bulk Import Credentials** and uploading a CSV structured in the following way:

```
label,crossaccountrole
my label,arn:aws:iam::123456798012:role/myRoleName
```
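
A pre-upload check for the bulk import CSV, as an added example (not Nucleus code): it verifies the `label,crossaccountrole` header, that each value is a well-formed IAM role ARN, and that no AWS account appears twice, since the connector allows only one role per account. The function name, the ARN pattern (including the partitions it accepts) and the sample rows are assumptions made for this example.

```python
import csv
import io
import re

# Assumed pattern: arn:<partition>:iam::<12-digit account>:role/<optional path/><name>
ROLE_ARN = re.compile(r"arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/[\w+=,.@/-]+")
EXPECTED_HEADER = ["label", "crossaccountrole"]  # header from the template on this page


def validate_bulk_csv(text):
    """Return a list of (line_number, problem) tuples; an empty list means the file is clean."""
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return [(1, "file is empty")]
    if [h.strip().lower() for h in header] != EXPECTED_HEADER:
        problems.append((1, f"unexpected header {header!r}"))
    seen = {}  # account id -> line number of the first role listed for that account
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # tolerate blank lines
        if len(row) != 2:
            problems.append((line, f"expected 2 columns, found {len(row)}"))
            continue
        label, arn = row[0].strip(), row[1].strip()
        if not label:
            problems.append((line, "empty label"))
        match = ROLE_ARN.fullmatch(arn)
        if not match:
            problems.append((line, f"not an IAM role ARN: {arn!r}"))
            continue
        account = match.group(2)
        if account in seen:
            problems.append((line, f"account {account} already has a role on line {seen[account]}"))
        else:
            seen[account] = line
    return problems


# Constructed sample: line 3 has a single colon after "iam"; line 4 repeats the account from line 2.
SAMPLE = """label,crossaccountrole
prod,arn:aws:iam::111111111111:role/NucleusRead
dev,arn:aws:iam:222222222222:role/NucleusRead
prod-dup,arn:aws:iam::111111111111:role/OtherRole
"""

if __name__ == "__main__":
    for line, problem in validate_bulk_csv(SAMPLE):
        print(f"line {line}: {problem}")
```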

## Vulnerability scan data ingestion

You can ingest Amazon Inspector 2 and Inspector Classic scan results via the SecurityHub admin account (recommended), in a single account or region, or an aggregated region (per account).

To ingest Amazon Inspector 2 and Inspector Classic scan results via Security Hub into a Nucleus project:

1. Log in to your Nucleus project.
2. From the navigation bar on the left, under **Integration Hub**, select **Import via Connector**.
3. Select your AWS connector.
4. Select **Amazon Security Hub (Beta)**.
5. Select **Amazon Inspector (Classic & 2)**.
6. Select the region(s) from which to import results.
7. Click **Next**.
8. Select the accounts to import.
9. Click **Next**.
10. Select a schedule to import scans into the project.
11. Click **Save & Finish**.

## Next steps

You are now finished setting up the AWS connector. If you use other AWS services, see [our other AWS guides](/v1/docs/aws-getting-started#connector-setup-checklist).

You can optionally set the AWS connector to [upload all asset and finding data from your Nucleus project to S3 buckets](/v1/docs/s3-data-upload).

## Limitations

### Using Amazon Inspector Classic and Inspector 2 (EC2 Continuous Scanning) together

Amazon Inspector Classic and Inspector 2 are separate, continuing products; however, Amazon has positioned Inspector 2 as the next generation of vulnerability scanning for EC2 instances. Although the source technologies differ, the Inspector 2 connector was built with continuity between the two products in mind and therefore shares the same scan type. These overlapping scan types are intended to bridge the gap as customers migrate entirely from Inspector Classic to Inspector 2 while continuing to have consistent trend data.

Because the underlying scanning technologies and quality of vulnerability data differ, the connector ingest methods for these two products should not be used concurrently. If you choose to use Inspector 2, you should stop using the Inspector Classic connector entirely. Using both connectors concurrently will result in mismatched unique finding definitions and properties, as well as conflicting scan mitigation calculations, which will impact vulnerability trends.

### First Ingestion

If a scanned asset has no identified vulnerabilities and has not been ingested into Nucleus before, a new asset will not be created for it. This is because the Inspector 2 connector uses AWS Security Hub to aggregate data from Inspector 2 across multiple AWS accounts and regions, and Inspector 2 reports only discovered findings to Security Hub, not the absence of findings.

It is recommended to use the Amazon EC2 Asset Sync in conjunction with this connector as a work-around.

### Scan History

New scans will appear for an asset only when the data in Security Hub has changed. This means that even if Inspector 2 scans an asset every day, if the vulnerability data has not changed for that asset (no new vulnerabilities, and no remediated vulnerabilities), then a new scan will not appear as imported under the Scan History tab for that asset.

This should have no material effect on the asset's vulnerability and trend data, as the vulnerabilities will match what has been seen by Inspector 2.
