Amazon Inspector Documentation

Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Through the AWS Management Console, you can use Amazon Inspector across all accounts in your organization. Once started, Amazon Inspector automatically discovers running Amazon Elastic Compute Cloud (Amazon EC2) instances, container images residing in Amazon Elastic Container Registry (ECR) and within continuous integration and continuous (CI/CD) tools and AWS Lambda functions, at scale, and immediately starts assessing them for known vulnerabilities.

Amazon Inspector calculates a highly contextualized risk score for each finding by correlating common vulnerabilities and exposures (CVE) information with factors such as network access and exploitability. You can use this score to prioritize the most critical vulnerabilities to help you improve your remediation response efficiency. All findings are aggregated in a newly designed Amazon Inspector console and pushed to AWS Security Hub and Amazon EventBridge to help you automate workflows. Vulnerabilities found in container images are also sent to Amazon ECR for resource owners to view and remediate. With Amazon Inspector, even small security teams and developers can help ensure infrastructure workload security and compliance across their AWS workloads.

Amazon Inspector is a comprehensive vulnerability management tool that functions across multiple resources, including Amazon EC2 and container workloads, and Lambda functions. It identifies different types of vulnerabilities, including software vulnerabilities and unintended network exposure, that can be used to compromise workloads, repurpose resources for malicious use, or exfiltrate data.

You can start Amazon Inspector across multiple accounts with a few clicks in the Amazon Inspector console, or with a single API call. Amazon Inspector allows you to assign an Inspector Delegated Administrator (DA) account for your organization, which can start and configure all member accounts as well as consolidate all findings.

Once started, Amazon Inspector automatically discovers all EC2 instances, Lambda functions, and container images residing in Amazon ECR that are identified for scanning, and then immediately starts scanning them for software vulnerabilities and unintended network exposure. All workloads are continually rescanned when a new common vulnerabilities and exposures (CVE) is published, or when there are changes in the workloads, such as installation of new software in an EC2 instance.

Amazon Inspector uses the widely deployed AWS Systems Manager (SSM) Agent to collect the software inventory and configurations from your Amazon EC2 instances. The collected application inventory and configurations are used to assess workloads for vulnerabilities.

Amazon Inspector offers continuous monitoring of your Amazon EC2 instances for software vulnerabilities without installing an agent or additional software. Amazon Inspector takes a snapshot of the EBS volume to extract data about the system and configuration of the instances to perform vulnerability assessments. With this capability, you can expand your vulnerability assessment coverage across your EC2 infrastructure with Amazon Inspector agentless scanning for EC2 instances (preview) that do not have SSM Agents installed or configured.

Amazon Inspector supports suppression of findings based on criteria you define. You can create these suppression rules to suppress findings that your organization deems an acceptable risk. 

Amazon Inspector generates a highly contextualized Inspector risk score for each finding by correlating CVE information with environmental factors such as network reachability results and exploitability data. This helps you prioritize the findings and highlights the most critical findings and vulnerable resources. You can view the Inspector score calculation (and which factors influenced the score) in the Inspector Score tab within the Findings Details side panel.

Amazon Inspector automatically detects if a vulnerability has been patched or remediated. Once detected, Amazon Inspector automatically changes the state of the finding to “Closed” without manual intervention.

Amazon Inspector offers an aggregated, near real-time view of the environment coverage across an organization so you can avoid gaps in coverage. It provides metrics and detailed information on accounts using Amazon Inspector, as well as EC2 instances, ECR repositories, and container images that are actively being scanned by Amazon Inspector. Additionally, Amazon Inspector highlights the resources not being actively monitored and provides guidance on how to include them.

All findings are aggregated in the Amazon Inspector console, routed to AWS Security Hub, and pushed through Amazon EventBridge to help you automate workflows such as ticketing .

Vulnerabilities detected in software dependencies used in AWS Lambda functions are automatically mapped to the underlying Lambda layers, making your remediation efforts easier. You can address the vulnerabilities in layers once, which can help you improve the security of downstream Lambda functions.

Amazon Inspector integrates with developer tools like Jenkins and TeamCity for container image assessments. It allows developers to assess their container images within these CI/CD tools, pushing security earlier in the software development lifecycle. The findings are available in the CI/CD tools dashboard, allowing you to take automated actions in response to critical security issues, such as blocking builds or image pushes to container registries. Your CI/CD tools can be hosted anywhere, in AWS, on-premises, or hybrid clouds, providing consistency for developers to use a single solution across all your development pipelines.

Amazon Inspector supports the Center for Internet Security's CIS Benchmarks. You can run Amazon Inspector to perform on-demand and targeted assessments against OS-level CIS configuration benchmarks for Amazon EC2 instances across your AWS Organization. Amazon Inspector CIS assessments support both level 1 and 2 configuration benchmark checks across operating systems, including Amazon Linux 2, Windows 2019, and Windows 2022.

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.