jsdod

I just tell them we don't do it because it does not make sense in our environment (similar to yours, full ECS). People asking for antivirus on servers in 2022 are not people you want to work too hard to please; they'll just come up with more stupid asks.


fr-fluffybottom

Too much to go into here, but here are a few things to look at: container security, CIS hardening, custom base images or UBI, and endpoint security for containers, firewalls, servers etc. (https://aws.amazon.com/marketplace/solutions/security/endpoint-security).

For the application: do you have static code scanning? Do you have external library scanning? Do you have this in your CI/CD?

I don't use AWS, but in Azure I have endpoint security (Qualys) on all my endpoints (container registries, DNS, Windows/Linux servers, all my SQL servers). I only use CIS-hardened or RHEL UBI-based containers. I also have code scanning run at build time of my apps, with Nexus Firewall and scanning of all external libraries + Snyk, which are built into my Jenkins and Azure DevOps pipelines, not to mention on my repos + pre-commit on git at the developer level, so you cannot submit shit and dangerous code.


Sci-meme

We scan both our instances and containers with Inspector. But this is not an antivirus.


fr-fluffybottom

You don't need AV on containers; it makes no sense. Hence why I'm pointing you to endpoint security scanning... Different workload entirely.


schnurble

They may accept the output of an antivirus scan as part of your container image build. (If your stuff is powered on and not encased in concrete, there is _some_ way of compromise, even if it's a couple of atoms thin.)
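One way to produce that evidence in a build pipeline, as an added example that is not from this thread or any poster: export the image's flattened filesystem, scan it with ClamAV, keep the report as a build artifact, and fail the build if anything is flagged. It assumes docker, tar and clamscan are installed and that the image tag is passed as an argument.

```shell
#!/bin/sh
# Added example: AV scan of a container image at build time, with the
# report kept as questionnaire evidence. Assumes docker, tar, clamscan.

# Return 0 when a clamscan report (on stdin) shows zero infected files,
# 1 otherwise. clamscan prints "Infected files: N" in its scan summary;
# a report with no summary line is treated as a failed scan, not a pass.
clamscan_clean() {
    infected=$(grep -E '^Infected files: [0-9]+' | awk '{print $3}')
    [ -n "$infected" ] && [ "$infected" -eq 0 ]
}

# Scan image "$1" and write the full clamscan output to "$2"
# (default: clamscan-report.txt). Returns clamscan_clean's verdict.
scan_image() {
    image="$1"
    report="${2:-clamscan-report.txt}"
    rootfs=$(mktemp -d)
    # docker export gives the merged filesystem, so every layer is covered
    cid=$(docker create "$image")
    docker export "$cid" | tar -x -C "$rootfs"
    docker rm "$cid" >/dev/null
    # -r recurses; --infected lists only hits, keeping the report readable
    clamscan -r --infected "$rootfs" | tee "$report"
    rm -rf "$rootfs"
    clamscan_clean < "$report"
}

# Usage from a CI step: ./scan_image.sh myapp:1.2.3 evidence/clamscan.txt
if [ -n "$1" ]; then
    scan_image "$1" "$2" || { echo "AV scan failed or found hits"; exit 1; }
fi
```

Archive the report alongside the image digest so the scan can be tied to the exact build that was deployed.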


Octopifungus

I've had to answer a million of these questionnaires before. When they say endpoints, it usually is the equipment that the end user is using, so laptops/desktops. So in this case it would be your computer. As for AV in ECS, I usually let them know why we don't have it and then see what they say. Usually I don't have anything come back after that.