TIL about scanning Windows EC2 instances with AWS Inspector
Inspector scans on Windows instances will fail if the instance does not have
access to the S3 bucket inspector2-oval-prod-<aws-region>.
The S3 bucket can be accessed via Regional S3 endpoints or a S3 Gateway endpoint in air-gapped VPCs. Additionally, the instance's security group must allow outgoing access on port 443.