
Inspector

Priority Tier 4

Amazon Inspector is a fully managed, serverless vulnerability management service that continuously scans EC2 instances, container images in Amazon ECR, AWS Lambda functions, code repositories, and non-AWS resources. It detects software vulnerabilities, OS misconfigurations, and unintended network exposure by matching what it discovers against a continuously updated vulnerability database built from published Common Vulnerabilities and Exposures (CVE) records, and it assigns each finding a risk score so that remediation can be prioritized and Mean Time to Remediate (MTTR) reduced.

Learning Objectives

I. Introduction to Amazon Inspector

Amazon Inspector automates the discovery of security vulnerabilities across AWS workloads, replacing manual scanning and simplifying compliance evidence.

Replaces the manual scanning of thousands of instances or containers for software vulnerabilities, misconfigurations, and unintended network exposure, which is time-consuming, error-prone, and does not scale. Also satisfies compliance requirements for regular vulnerability scanning.
Fully managed and serverless: there is no scanning software to install, patch, or operate.
Inspector is designed to scan a range of resources inside and outside your AWS environment.
Technical Specs: EC2 instances, container images in Amazon Elastic Container Registry (ECR), AWS Lambda functions, code repositories (e.g., GitHub), non-AWS resources
Matches discovered software against a continuously updated vulnerability database built from published Common Vulnerabilities and Exposures (CVE) records and vendor security advisories.
Detects software vulnerabilities and unintended network exposure in near real time across AWS workloads, and assigns each finding a risk score to prioritize remediation and reduce Mean Time to Remediate (MTTR).
A 15-day free trial is available for new AWS accounts or users who haven’t enabled Inspector previously.
Technical Specs: 15-day free trial

II. How Amazon Inspector Works

Amazon Inspector operates by automating the discovery, scanning, and prioritization of security findings.

The service must be activated per account and region, either in the AWS Management Console or through the API/CLI (the inspector2 Enable operation), choosing which resource types to scan: EC2, ECR, Lambda, and Lambda code.
Automatically discovers eligible resources such as EC2 fleets, Lambda functions, and ECR container images once the resource type is enabled.
Performs ongoing scans rather than one-time checks, re-scanning resources when they change and when new vulnerabilities are published.
Generates prioritized findings with severity levels Critical, High, Medium, Low, and Informational (a finding without a computed severity is shown as Untriaged).
Technical Specs: Severity levels: Critical, High, Medium, Low, Informational
Integrates with other AWS services, notably AWS Security Hub for aggregating findings and Amazon EventBridge for routing them to automated responses.

III. Security Assessment Methodology

Amazon Inspector employs different methodologies for assessing vulnerabilities across various resource types, tailored to their specific characteristics and potential attack vectors.

Inspector's assessment methodology is adapted to the specific characteristics of each scanning target.

Amazon EC2

Inspector assesses EC2 instances through the AWS Systems Manager (SSM) agent, which supplies the software inventory that Inspector matches against its vulnerability database.
Prerequisite: The AWS Systems Manager (SSM) agent must be installed and the instance must be an SSM managed instance (an instance profile with Systems Manager permissions and a network path to the Systems Manager endpoints). Instances that SSM cannot reach are not covered, so check Inspector's coverage view after enabling.
Data Extraction: The SSM agent collects software inventory metadata from the instance: operating system packages plus installed applications and language runtimes.
Vulnerability Detection: Identifies vulnerabilities in core operating system packages (Linux, Windows, macOS). With deep inspection enabled, also scans application and language packages (Java, Python, Node.js, etc.) on Linux instances. Reports whether a fix (newer or patched version) is available. Checks for open network paths from the internet or other VPCs (via Internet Gateway, VPC peering, VPN). Flags Security Groups, Network Access Control Lists (ACLs), and route tables that together expose TCP/UDP ports. Benchmarks OS configuration against Center for Internet Security (CIS) benchmarks and reports deviations.
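The security-group part of the network exposure check described above, as an added example (this is not Amazon Inspector's own algorithm or code from this page): it answers only "is a sensitive TCP/UDP port open to any address?" over security group ingress rules and ignores route tables, NACLs and peering, which Inspector's full reachability analysis also considers. The input is constructed in the shape returned by ec2.describe_security_groups() so it runs offline; group IDs and names are made up.

```python
"""Simplified internet-exposure check over EC2 security group ingress rules.

Added example, not Amazon Inspector's implementation. Reproduces only the
security-group half of the reachability question (is a port open to
0.0.0.0/0 or ::/0?). Route tables, NACLs and peering are out of scope here.
"""
import ipaddress

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "web-public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "bastion-restricted",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "GroupName": "wide-open",
        "IpPermissions": [
            # "All traffic" rule: no FromPort/ToPort keys in the API output.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Services that should essentially never be reachable from the internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}


def is_anywhere(cidr: str) -> bool:
    """True when a CIDR covers the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def internet_open_rules(group: dict) -> list:
    """(protocol, from_port, to_port) for each ingress rule reachable from any address."""
    rules = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(is_anywhere(c) for c in cidrs):
            continue
        proto = perm["IpProtocol"]
        if proto == "-1":
            rules.append(("all", 0, 65535))  # every port, every protocol
        elif proto in ("tcp", "udp"):
            rules.append((proto, perm["FromPort"], perm["ToPort"]))
        # icmp/icmpv6 rules reuse the port fields for type/code: not a port exposure.
    return rules


def exposed_sensitive_ports(groups: list) -> dict:
    """GroupId -> sorted sensitive ports open to the internet; clean groups are omitted."""
    report = {}
    for group in groups:
        hits = {port for _proto, lo, hi in internet_open_rules(group)
                for port in SENSITIVE_PORTS if lo <= port <= hi}
        if hits:
            report[group["GroupId"]] = sorted(hits)
    return report


if __name__ == "__main__":
    for gid, ports in exposed_sensitive_ports(SAMPLE_GROUPS).items():
        names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in ports)
        print(f"{gid}: open to the internet -> {names}")
```

Against real data, replace SAMPLE_GROUPS with the output of describe_security_groups; the "all traffic" case is the one most often missed by hand review because the rule carries no port numbers at all.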

Amazon ECR (Elastic Container Registry)

For container images, Inspector automatically discovers and scans images in ECR without requiring a separate agent.
Agent Requirement: No separate agent is needed.
Scanning Process: Automatically discovers and scans ECR container images.
Vulnerability Detection: Scans for vulnerabilities in OS packages (Amazon Linux, Ubuntu, Debian, RHEL, etc.) within container images. Scans for programming languages and package dependencies. Generates findings for container images running on unsupported or discontinued operating systems.
Scan Frequency: Images are scanned when pushed to ECR and re-scanned automatically when new vulnerabilities affecting their packages are published, for as long as the image is within the configured re-scan duration.

AWS Lambda

Inspector scans Lambda functions in two layers: standard scanning, enabled with the Lambda resource type, finds vulnerable packages in function dependencies and layers; the optional Lambda code scanning analyzes the function's own source code for security flaws.
Agent Requirement: No separate agent is needed.
Scanning Process: Standard scanning identifies vulnerable software packages in function dependencies and layers. Code scanning, enabled as a separate resource type, inspects the function code itself.
Vulnerability Detection: Standard scanning covers the language package ecosystems the function uses. Code scanning detects security flaws in the code, such as injection flaws (e.g., SQL injection), data leaks (accidental exposure of sensitive information such as hard-coded credentials), and insecure socket binds.
Scan Frequency: A function is scanned as soon as it is deployed or updated, and re-scanned when new vulnerabilities affecting its dependencies are published.
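An added example (not from the page or from AWS) of the two code-level flaw classes listed above, written as a Lambda handler twice: the vulnerable form builds SQL by string formatting and keeps a credential in source, the fixed form validates input, binds parameters, and reads the secret from configuration. A constructed in-memory SQLite table stands in for the function's datastore so it runs offline; the DB_PASSWORD variable name and the customer-id format are assumptions.

```python
"""One Lambda handler, vulnerable then fixed: SQL injection and a hard-coded secret.

Added example, not Inspector's code. The datastore is an in-memory SQLite
table of constructed rows; DB_PASSWORD is a hypothetical variable name.
"""
import os
import re
import sqlite3


def _connect(password: str) -> sqlite3.Connection:
    """Stand-in for the real database: SQLite has no password, so this only
    checks one was supplied, then loads constructed sample rows."""
    if not password:
        raise RuntimeError("database password missing")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer_id TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [("c-100", "laptop"), ("c-200", "phone"), ("c-300", "tablet")])
    return conn


# ---- vulnerable ----------------------------------------------------------
DB_PASSWORD = "hunter2-do-not-do-this"  # credential in source: reported as a data leak


def lambda_handler_vulnerable(event, context=None):
    customer = event["queryStringParameters"]["customer_id"]
    # Attacker-controlled text spliced straight into the statement: SQL injection.
    sql = f"SELECT item FROM orders WHERE customer_id = '{customer}'"
    rows = _connect(DB_PASSWORD).execute(sql).fetchall()
    return {"statusCode": 200, "body": [r[0] for r in rows]}


# ---- fixed ---------------------------------------------------------------
CUSTOMER_ID = re.compile(r"^c-\d{1,9}$")  # allow-list: the only id shape we issue (assumed)


def get_secret(env=os.environ) -> str:
    """Credential comes from configuration, never source; fail loudly if absent."""
    value = env.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not configured")
    return value


def lambda_handler_fixed(event, context=None, env=os.environ):
    customer = (event.get("queryStringParameters") or {}).get("customer_id", "")
    if not CUSTOMER_ID.match(customer):
        return {"statusCode": 400, "body": "invalid customer_id"}
    # Parameter binding: the value can never alter the statement's structure.
    rows = _connect(get_secret(env)).execute(
        "SELECT item FROM orders WHERE customer_id = ?", (customer,)).fetchall()
    return {"statusCode": 200, "body": [r[0] for r in rows]}


# Constructed attack request: closes the quote and appends an always-true clause.
ATTACK_EVENT = {"queryStringParameters": {"customer_id": "c-100' OR '1'='1"}}

if __name__ == "__main__":
    print("vulnerable:", lambda_handler_vulnerable(ATTACK_EVENT)["body"])   # every customer's orders
    print("fixed:     ", lambda_handler_fixed(ATTACK_EVENT, env={"DB_PASSWORD": "x"}))  # 400
```

The input allow-list is defense in depth, not the fix: parameter binding alone closes the injection. In a real function the secret would be fetched from Secrets Manager or an encrypted environment variable rather than a plain one.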

IV. Key Features and Functionality

Amazon Inspector offers a robust set of features designed to provide comprehensive vulnerability management and actionable security insights.

Provides prioritized findings based on severity, allowing security teams to focus on critical issues first.
Assigns each finding an Inspector score from 0 to 10, derived from the CVE's CVSS base score and adjusted for the environment (for example, whether the vulnerable port is actually reachable), so findings can be ranked rather than treated equally.
Technical Specs: Score range: 0 to 10
Visualizes the security posture of your environment, offering a high-level overview of scanned resources and findings.
Maps ECR container images to the containers running them in Amazon ECS (Elastic Container Service) or EKS (Elastic Kubernetes Service), so an image vulnerability can be traced to the deployed workloads that carry it.
Integrates with CI/CD pipelines for comprehensive software development lifecycle security, enabling early detection of vulnerabilities.
Ability to export Software Bill of Materials (SBOM), which provides a complete, formally structured list of components in a piece of software.
Option for on-demand CIS (Center for Internet Security) scans, allowing for immediate assessment when needed.
Allows searching the underlying vulnerability database for specific CVEs or other vulnerability information.
Provides configuration options for AWS Organizations, enabling centralized scanning across multiple AWS accounts.
Offers configuration for EC2 instance scanning, ECR scanning, and deep inspection settings, allowing customization of scanning behavior.
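The prioritization described in this section and in section II (severity, Inspector score, exploit and fix availability) worked as an added example that is not Inspector's own code: the findings are constructed in the shape of inspector2 ListFindings output, the CVE identifiers are placeholders rather than real vulnerabilities, and the ranking rule (severity, then known exploit, then available fix, then score) is one reasonable triage policy, not the service's.

```python
"""Triage constructed Amazon Inspector findings into a fix-first order.

Added example, not Inspector's code. SAMPLE_FINDINGS mimics the ListFindings
response shape; CVE ids are placeholders. The ordering policy is ours.
"""
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFORMATIONAL": 1, "UNTRIAGED": 0}

_ARN = "arn:aws:inspector2:us-east-1:111122223333:finding/"
_EC2 = {"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}

SAMPLE_FINDINGS = [
    {"findingArn": _ARN + "f001", "type": "PACKAGE_VULNERABILITY", "severity": "HIGH",
     "inspectorScore": 7.8, "fixAvailable": "YES", "exploitAvailable": "NO", "resources": [_EC2],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2099-00001", "vulnerablePackages": [
         {"name": "openssl", "version": "1.1.1k-1", "fixedInVersion": "1.1.1t-1"}]}},
    {"findingArn": _ARN + "f002", "type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL",
     "inspectorScore": 9.8, "fixAvailable": "NO", "exploitAvailable": "YES",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                    "id": "arn:aws:ecr:us-east-1:111122223333:repository/api/sha256:0000"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2099-00002", "vulnerablePackages": [
         {"name": "libxml2", "version": "2.9.10-1"}]}},
    {"findingArn": _ARN + "f003", "type": "PACKAGE_VULNERABILITY", "severity": "MEDIUM",
     "inspectorScore": 5.3, "fixAvailable": "YES", "exploitAvailable": "NO",
     "resources": [{"type": "AWS_LAMBDA_FUNCTION",
                    "id": "arn:aws:lambda:us-east-1:111122223333:function:orders"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2099-00003", "vulnerablePackages": [
         {"name": "requests", "version": "2.25.0", "fixedInVersion": "2.31.0"}]}},
    # Network reachability findings carry no package details or Inspector score.
    {"findingArn": _ARN + "f004", "type": "NETWORK_REACHABILITY", "severity": "HIGH",
     "resources": [_EC2],
     "networkReachabilityDetails": {"protocol": "TCP", "openPortRange": {"begin": 22, "end": 22}}},
    {"findingArn": _ARN + "f005", "type": "PACKAGE_VULNERABILITY", "severity": "HIGH",
     "inspectorScore": 8.1, "fixAvailable": "YES", "exploitAvailable": "YES", "resources": [_EC2],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2099-00004", "vulnerablePackages": [
         {"name": "sudo", "version": "1.9.5p2-1", "fixedInVersion": "1.9.5p2-3"}]}},
]


def priority_key(finding: dict) -> tuple:
    """Higher tuple = fix sooner: severity, then known exploit, then fix available, then score."""
    return (SEVERITY_RANK.get(finding.get("severity", "UNTRIAGED"), 0),
            finding.get("exploitAvailable") == "YES",
            finding.get("fixAvailable") == "YES",
            finding.get("inspectorScore", 0.0))


def triage(findings: list) -> list:
    """Findings ordered most urgent first."""
    return sorted(findings, key=priority_key, reverse=True)


def remediation_plan(findings: list) -> dict:
    """Resource id -> concrete actions derived from each finding's details."""
    plan = {}
    for f in findings:
        actions = plan.setdefault(f["resources"][0]["id"], [])
        if f["type"] == "PACKAGE_VULNERABILITY":
            for pkg in f["packageVulnerabilityDetails"]["vulnerablePackages"]:
                fixed = pkg.get("fixedInVersion")
                actions.append(f"{pkg['name']} {pkg['version']} -> {fixed}" if fixed
                               else f"{pkg['name']} {pkg['version']}: no fix yet, mitigate or isolate")
        elif f["type"] == "NETWORK_REACHABILITY":
            d = f["networkReachabilityDetails"]
            r = d["openPortRange"]
            actions.append(f"close {d['protocol']} {r['begin']}-{r['end']} exposed to the internet")
    return plan


def severity_filter(levels) -> dict:
    """filterCriteria for inspector2 ListFindings restricted to the given severities."""
    return {"severity": [{"comparison": "EQUALS", "value": lvl} for lvl in levels]}


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f["severity"], f.get("inspectorScore", "-"), f["findingArn"].rsplit("/", 1)[1])
    for resource, actions in remediation_plan(SAMPLE_FINDINGS).items():
        print(resource, actions)
```

With real data, pass severity_filter(["CRITICAL", "HIGH"]) as filterCriteria to inspector2 list_findings and feed the returned findings to triage(); the same tuple ordering is what an EventBridge rule would reproduce with a pattern on severity and exploitAvailable.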

V. Use Cases

Amazon Inspector is vital for various security and operational scenarios, enabling organizations to maintain a strong security posture.

Finding vulnerabilities before they are exploited, shifting security left in the development lifecycle.
Provides evidence required for compliance audits by continuously assessing resource configurations against security benchmarks.
Integration with CI/CD pipelines to scan container images before production deployment, ensuring security early in the development process.
Verifies that servers are patched against known vulnerabilities; Inspector reports missing fixes but does not apply them, so pair it with a patching mechanism such as Systems Manager Patch Manager for remediation.
Identifying which deployed containers are associated with specific ECR images, providing clear visibility into the lineage of vulnerabilities.

VI. AWS Management Console Review

The AWS Management Console provides a centralized interface for accessing, activating, and managing Amazon Inspector.

Amazon Inspector can be accessed by searching for “Inspector” in the AWS service search bar.
The console highlights recent features such as deep inspection on EC2, mapping container images to running containers, and code security for CI/CD.
The activation process is a simple “Get Started” workflow. Delegation of administration is an option for AWS Organizations to manage Inspector centrally.
Findings are accessible via the left-hand navigation. Users can explore findings by vulnerability, instance, container image, container repository, or Lambda function.
Provides an overview of environment coverage, scan statistics, and finding summaries, giving a visual representation of security posture.
Settings are available for EC2 instances, ECR scans, deep inspection, custom paths, and general settings to fine-tune Inspector's operations.
Inspector bills for resources it actually scans, so dormant resources (for example, stopped instances the SSM agent cannot report from, or ECR images outside the configured re-scan window) do not accrue charges, keeping cost proportional to active infrastructure.
The service can be deactivated via General Settings to avoid accumulating charges if it is not in use.

VII. Deactivation and Cleanup

To avoid unnecessary AWS charges, deactivate Amazon Inspector when it is no longer actively used. Deactivation is per region; in an AWS Organizations setup the delegated administrator deactivates member accounts centrally, and the steps below apply to a standalone account.

1. Navigate to General Settings in the Amazon Inspector console.

💡 This is the entry point for managing Inspector's overall status and settings.

2. Select "Deactivate Amazon Inspector."

💡 This starts the deactivation process for the account in the current region.

3. Confirm deactivation by typing "deactivate" when prompted.

💡 The typed confirmation prevents accidental deactivation.

Exam Tips

Glossary

CVE (Common Vulnerabilities and Exposures)
The public catalog of identifiers for publicly known vulnerabilities, one CVE ID per vulnerability. Amazon Inspector builds its continuously updated vulnerability database from CVE records and vendor advisories, and each package finding references the CVE ID it matched.
MTTR (Mean Time to Remediate)
The average time between a vulnerability being found and it being fixed; Amazon Inspector helps reduce it by providing risk scores and prioritized findings.
SBOM (Software Bill of Materials)
A formally structured list of the components in a piece of software, which Amazon Inspector can export for scanned resources.
CIS benchmarks (Center for Internet Security benchmarks)
Consensus security configuration baselines against which Amazon Inspector compares OS configuration to identify deviations.

Key Takeaways
