AWS Security & Identity Services

Amazon Inspector

Updated June 23, 2025

How Amazon Inspector Works

Amazon Inspector has been re-architected to be more automated and integrated with your AWS environment.

  1. Automated Asset Discovery: Once enabled, Inspector automatically discovers all eligible resources (EC2 instances, ECR container repositories, and Lambda functions) across your accounts.

  2. Continuous Scanning: It immediately begins scanning the discovered resources for vulnerabilities and network exposures.

    • For EC2 Instances: Inspector uses the AWS Systems Manager (SSM) Agent, which is installed by default on most Amazon Machine Images (AMIs), so no separate, dedicated Inspector agent is required; the instance does need to be registered with Systems Manager as a managed instance for Inspector to reach it. It scans for both operating-system and application package vulnerabilities.

    • For Container Images: It integrates directly with Amazon Elastic Container Registry (ECR). It can scan images when they are pushed to a repository and continuously re-scan them as new vulnerabilities are published.

    • For Lambda Functions: It scans your Lambda functions and their associated layers for vulnerabilities in application package dependencies.

  3. Generates Actionable Findings: When a vulnerability or network exposure is identified, Inspector creates a detailed finding. These findings are aggregated in the console and sent to AWS Security Hub and Amazon EventBridge.


Core Features & Coverage

Key Capabilities

  • Vulnerability Scanning: Identifies known software vulnerabilities (CVEs) in:

    • Operating system packages on EC2 instances (e.g., for Amazon Linux, Ubuntu, Windows Server).

    • Application packages from programming-language ecosystems (e.g., Python, Node.js, Java), both on EC2 instances and in container images.

    • Dependencies within Lambda function code.

  • Network Reachability Analysis: For EC2 instances, it analyzes your VPC configuration (security groups, network ACLs, internet gateways, etc.) to determine whether an instance has an open network path from the internet, helping you identify and fix unintended network exposure.

Key Benefits

  • Automated & Continuous: Eliminates the need for manual scheduling of scans. It's always on, continuously monitoring your environment as it changes.

  • Centralized Management: Fully integrates with AWS Organizations. You can delegate an administrator account to manage Inspector, enable scans, and view findings for all member accounts from a single place.

  • Contextual Risk Scoring: Inspector provides a highly contextualized Inspector Risk Score (from 1 to 10) for each finding. This score is not just the CVE base score; it's correlated with network accessibility and exploitability information to help you understand the true risk.

  • Broad AWS Integration:

    • AWS Security Hub: Natively integrates to provide a single pane of glass for all security findings.

    • Amazon EventBridge: Sends all findings to EventBridge, allowing you to build automated remediation workflows (e.g., using AWS Lambda or Systems Manager).
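The EventBridge integration above is where automated remediation usually starts: an EventBridge rule matches "Inspector2 Finding" events and invokes a Lambda function. The following handler is an added example, not code from the page or from AWS. It triages a finding by type, status and Inspector score, ignores findings that Inspector has already closed or suppressed, routes network-reachability findings to a separate queue, and builds an SSM patch command for high-score package vulnerabilities that have a fix. The event is a constructed sample whose field names follow the Inspector finding shape; the account, instance and CVE identifiers are placeholders, the 7.0 threshold is our own policy, and the choice of the AWS-RunPatchBaseline document as the remediation is an assumption about your environment.

```python
"""Triage Amazon Inspector findings delivered through Amazon EventBridge."""
from typing import Any, Dict, Optional

# Assumption: our own triage threshold on the Inspector score, not an Inspector setting.
PATCH_SCORE_THRESHOLD = 7.0

# Constructed sample event. Field names follow the Inspector finding shape;
# the account, instance and CVE identifiers are placeholders.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE",
        "awsAccountId": "111122223333",
        "type": "PACKAGE_VULNERABILITY",
        "status": "ACTIVE",
        "severity": "CRITICAL",
        "inspectorScore": 9.8,
        "fixAvailable": "YES",
        "title": "CVE-0000-00000 - openssl",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00000", "source": "NVD"},
        "resources": [
            {"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0",
             "region": "us-east-1", "tags": {"Environment": "prod"}}
        ],
    },
}


def triage_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return a response plan for one EventBridge event (pure function, no AWS calls)."""
    if event.get("source") != "aws.inspector2" or event.get("detail-type") != "Inspector2 Finding":
        return {"action": "ignore", "reason": "not an Inspector finding"}
    finding = event["detail"]
    if finding.get("status") != "ACTIVE":
        # Inspector closes a finding itself once it verifies the fix, and suppressed
        # findings are accepted risk, so neither needs a response here.
        return {"action": "ignore", "reason": f"status {finding.get('status')}"}

    ec2_ids = [r["id"] for r in finding.get("resources", []) if r.get("type") == "AWS_EC2_INSTANCE"]
    score = float(finding.get("inspectorScore", 0.0))
    ftype = finding.get("type")

    if ftype == "NETWORK_REACHABILITY":
        # Open path from the internet: this is a VPC/security-group fix, not a patch.
        ports = finding.get("networkReachabilityDetails", {}).get("openPortRange", {})
        return {"action": "notify_network_team", "instances": ec2_ids,
                "open_ports": ports, "reason": "open network path to the internet"}

    if ftype == "PACKAGE_VULNERABILITY":
        cve = finding.get("packageVulnerabilityDetails", {}).get("vulnerabilityId", "unknown")
        if ec2_ids and score >= PATCH_SCORE_THRESHOLD and finding.get("fixAvailable") == "YES":
            return {
                "action": "patch",
                "instances": ec2_ids,
                "cve": cve,
                "reason": f"inspectorScore {score} >= {PATCH_SCORE_THRESHOLD} and a fix is available",
                # Parameters for SSM SendCommand; AWS-RunPatchBaseline with
                # Operation=Install applies the instance's patch baseline.
                "ssm": {"DocumentName": "AWS-RunPatchBaseline",
                        "Parameters": {"Operation": ["Install"]},
                        "InstanceIds": ec2_ids},
            }
        return {"action": "ticket", "cve": cve, "instances": ec2_ids,
                "reason": f"inspectorScore {score} below threshold, no fix yet, or not an EC2 resource"}

    return {"action": "ticket", "reason": f"unhandled finding type {ftype}"}


def lambda_handler(event: Dict[str, Any], context: Any, ssm_client: Optional[Any] = None) -> Dict[str, Any]:
    """Lambda entry point. Executes the patch step only when a boto3 SSM client is supplied."""
    plan = triage_finding(event)
    if plan["action"] == "patch" and ssm_client is not None:
        response = ssm_client.send_command(**plan["ssm"])
        plan["command_id"] = response["Command"]["CommandId"]
    return plan


if __name__ == "__main__":
    print(triage_finding(SAMPLE_EVENT))
```

In production the Lambda would be given a real `boto3.client("ssm")`; keeping the decision logic in `triage_finding` lets you unit-test the policy (which findings get patched, ticketed or ignored) without touching AWS.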


Findings Management

  • Detailed Findings: Each finding contains comprehensive details, including the affected resource, the specific CVE identified, the Inspector Risk Score, and remediation guidance.

  • Lifecycle Management: Findings are managed automatically. A finding is created when a vulnerability is detected and is automatically closed when Inspector verifies that the vulnerability has been patched.

  • Suppression Rules: You can create suppression rules to automatically hide findings that you have determined are acceptable for your environment, reducing noise.
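A suppression rule is an Inspector filter whose action is SUPPRESS, and a rule that is too broad silently hides real findings. The script below is an added example (not code from the page or from AWS) that previews which findings a proposed rule would hide before it is created. The findings are constructed samples with placeholder identifiers; the local matcher assumes Inspector's filter semantics (several filters on one field are OR-ed, different fields are AND-ed), and the `create_rule` function only calls the Inspector2 `create_filter` API when a boto3 client is passed in, so a plain run is a dry run.

```python
"""Preview an Amazon Inspector suppression rule before creating it."""
from typing import Any, Dict, List, Optional

# Constructed sample findings (placeholder CVE ids, ARNs, instance ids and tags).
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-1",
     "type": "PACKAGE_VULNERABILITY", "severity": "MEDIUM", "status": "ACTIVE", "inspectorScore": 5.3,
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00001"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaaaaaaaaaaaaaaa", "tags": {"Environment": "sandbox"}}]},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-2",
     "type": "PACKAGE_VULNERABILITY", "severity": "MEDIUM", "status": "ACTIVE", "inspectorScore": 5.9,
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00002"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbbbbbbbbbbbbbbb", "tags": {"Environment": "prod"}}]},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-3",
     "type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "status": "ACTIVE", "inspectorScore": 9.1,
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00003"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0ccccccccccccccccc", "tags": {"Environment": "sandbox"}}]},
]

# Proposed rule: medium findings on sandbox instances are accepted risk.
# filterCriteria uses Inspector's StringFilter / MapFilter / NumberFilter shapes.
RULE: Dict[str, Any] = {
    "name": "suppress-sandbox-medium",
    "description": "Medium findings on sandbox instances are accepted risk",
    "action": "SUPPRESS",
    "filterCriteria": {
        "severity": [{"comparison": "EQUALS", "value": "MEDIUM"}],
        "resourceTags": [{"comparison": "EQUALS", "key": "Environment", "value": "sandbox"}],
    },
}


def _string_match(flt: Dict[str, str], actual: Optional[str]) -> bool:
    """StringFilter: EQUALS, NOT_EQUALS or PREFIX against one value."""
    if actual is None:
        return False
    cmp, want = flt["comparison"], flt["value"]
    if cmp == "EQUALS":
        return actual == want
    if cmp == "NOT_EQUALS":
        return actual != want
    if cmp == "PREFIX":
        return actual.startswith(want)
    raise ValueError(f"unsupported string comparison {cmp}")


def _map_match(flt: Dict[str, str], pairs: List[tuple]) -> bool:
    """MapFilter (resource tags): key must match, value only if the filter gives one."""
    if flt["comparison"] != "EQUALS":
        raise ValueError("resourceTags filters only support EQUALS")
    return any(k == flt["key"] and ("value" not in flt or v == flt["value"]) for k, v in pairs)


def _number_match(flt: Dict[str, float], score: Optional[float]) -> bool:
    """NumberFilter: inclusive range; a missing bound is open-ended."""
    if score is None:
        return False
    return flt.get("lowerInclusive", float("-inf")) <= score <= flt.get("upperInclusive", float("inf"))


def _string_values(finding: Dict[str, Any], field: str) -> List[Optional[str]]:
    """Pull the finding values that a given string criterion applies to."""
    if field == "severity":
        return [finding.get("severity")]
    if field == "findingType":
        return [finding.get("type")]
    if field == "findingStatus":
        return [finding.get("status")]
    if field == "vulnerabilityId":
        return [finding.get("packageVulnerabilityDetails", {}).get("vulnerabilityId")]
    if field == "resourceId":
        return [r.get("id") for r in finding.get("resources", [])]
    raise ValueError(f"field {field} is not supported by this preview")


def matches(finding: Dict[str, Any], criteria: Dict[str, List[Dict[str, Any]]]) -> bool:
    """True if every field in the criteria has at least one matching filter (assumed Inspector semantics)."""
    for field, filters in criteria.items():
        if field == "resourceTags":
            pairs = [(k, v) for r in finding.get("resources", []) for k, v in r.get("tags", {}).items()]
            hit = any(_map_match(f, pairs) for f in filters)
        elif field == "inspectorScore":
            hit = any(_number_match(f, finding.get("inspectorScore")) for f in filters)
        else:
            values = _string_values(finding, field)
            hit = any(_string_match(f, v) for f in filters for v in values)
        if not hit:
            return False
    return True


def preview(findings: List[Dict[str, Any]], criteria: Dict[str, Any]) -> List[str]:
    """ARNs of the findings the rule would suppress."""
    return [f["findingArn"] for f in findings if matches(f, criteria)]


def create_rule(rule: Dict[str, Any], inspector2_client: Optional[Any] = None) -> Optional[str]:
    """Create the filter via boto3 Inspector2 create_filter; returns the filter ARN, or None on a dry run."""
    if inspector2_client is None:
        return None
    response = inspector2_client.create_filter(action=rule["action"], name=rule["name"],
                                               description=rule["description"],
                                               filterCriteria=rule["filterCriteria"])
    return response["arn"]


if __name__ == "__main__":
    for arn in preview(SAMPLE_FINDINGS, RULE["filterCriteria"]):
        print("would suppress:", arn)
    print("created:", create_rule(RULE))  # None: dry run without a client
```

Against real data, replace `SAMPLE_FINDINGS` with the output of the Inspector2 `list_findings` API and check that the preview list contains only findings you actually mean to accept; a rule keyed on a tag is only as trustworthy as your tagging discipline.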


Pricing

  • Pay-per-Use Model: Pricing is based on the average number of resources scanned per month. There are no upfront fees or commitments.

    • Priced per EC2 instance scanned.

    • Priced per container image scanned.

    • Priced per Lambda function scanned.

  • Free Trial: All new Amazon Inspector accounts receive a 15-day free trial to evaluate the service and estimate costs.