Q: What is Amazon Inspector?
Amazon Inspector is an automated security assessment service that helps you test the security state of your applications running on Amazon EC2.

Q: What can I do with Amazon Inspector?
Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems. This allows you to make security testing a more regular occurrence as part of development and IT operations. Amazon Inspector is agent-based, API-driven, and delivered as a service to make it easy to deploy, manage, and automate.


Q: What is an assessment template?
An assessment template is a configuration that you create in Amazon Inspector to define your assessment run. The assessment template includes the rules packages against which you want Amazon Inspector to evaluate your assessment target, the duration of the assessment run, the Amazon Simple Notification Service (SNS) topics to which you want Amazon Inspector to send notifications about assessment run states and findings, and Amazon Inspector-specific attributes (key/value pairs) that you can assign to findings generated by the assessment run.

Q: What is an assessment run?
An assessment run is the process of discovering potential security issues through the analysis of your assessment target's configuration and behavior against specified rule packages. During an assessment run, the agent monitors, collects, and analyzes behavioral data (telemetry) within the specified target, such as the use of secure channels, network traffic among running processes, and details of communication with AWS services. Next, the agent analyzes the data and compares it against a set of security rule packages specified in the assessment template used during the assessment run. A completed assessment run produces a list of findings - potential security issues of various severity.

Q: What is an assessment target?
An assessment target represents a collection of AWS resources that work together as a unit to help you accomplish your business goal(s). Amazon Inspector evaluates the security state of the resources that constitute the assessment target. You create an assessment target by using Amazon EC2 tags, and you can then define these tagged resources as an assessment target for an assessment run defined by the assessment template.

Q: What is a finding?
A finding is a potential security issue discovered during the Amazon Inspector assessment run of the specified target. Findings are displayed in the Amazon Inspector console or retrieved through the API, and contain both a detailed description of the security issue and a recommendation on how to fix it.

Q: What is a rules package?
A rules package is a collection of security tests that can be configured as part of an assessment template and assessment run. Amazon Inspector has many rules packages including common vulnerabilities and exposures (CVE), CIS Operating System configuration benchmarks, and security best practices. See the Amazon Inspector documentation for a full list of rules packages available.

Q: What is an assessment report, and what does it include?
An Amazon Inspector assessment report can be generated for an assessment run once it has been successfully completed. An assessment report is a document that details what is tested in the assessment run, and the results of the assessment. The results of your assessment are formatted into a standard report, which can be generated to share results within your team for remediation actions, to enrich compliance audit data, or to store for future reference.

You can select from two types of report for your assessment, a findings report or a full report. The findings report contains an executive summary of the assessment, the instances targeted, the rules packages tested, the rules that generated findings, and detailed information about each of these rules along with the list of instances that failed the check. The full report contains all the information in the findings report, and additionally provides the list of rules that were checked and passed on all instances in the assessment target.

Q: What happens if some of my targets are unavailable when I run an assessment?
Amazon Inspector will gather vulnerability data for all available targets configured for the assessment template and return any appropriate security findings for the available targets. If there are no available targets for the assessment template when the run is started, the system will report that the assessment could not be run and will return the following notification: “The assessment run could not be executed at this time as there are no targeted instances available for the selected assessment template.”

Q: How do Targets become unavailable?
Targets in an assessment can be unavailable for a number of reasons, such as: the EC2 instance is down or unresponsive; the tagged (targeted) instance does not have the AWS Agent installed; or the installed AWS Agent is unavailable or cannot return vulnerability data.

Q: What is the pricing for Amazon Inspector?
Inspector pricing is based on the number of assessment runs and the number of agents or systems that were assessed during those runs. We call this “agent-assessments.” An on-demand billing period is one calendar month like all AWS services. For example:

     1 assessment run against 1 agent = 1 agent-assessment
     1 assessment run against 10 agents = 10 agent-assessments
     10 assessment runs against 2 agents each = 20 agent-assessments
     30 assessment runs against 10 agents each = 300 agent-assessments

If the above represented the Amazon Inspector assessment runs activity in your account for a given billing period, you would be charged for 331 total agent-assessments.

The price of each individual agent-assessment is based on a tiered pricing model. As you move up the volume of agent-assessments in a given billing period, you pay a lower price per agent-assessment. For example, the first two tiers of agent-assessment pricing are:

     First 250 agent-assessments = $0.30 per agent-assessment
     Next 750 agent-assessments = $0.25 per agent-assessment

So for our example above of 331 total agent-assessments in a given billing period, you would be charged $0.30 for the first 250 and $0.25 for the next 81, or $95.25 total for the billing period. See the Amazon Inspector pricing page for the full pricing table.

Q: Is there a free trial for Amazon Inspector?
Yes. Amazon Inspector offers the first 250 agent-assessments at no cost for the first 90 days of using the service. All AWS accounts new to the Amazon Inspector service are eligible.

Q: In what regions is Amazon Inspector available?
Amazon Inspector is currently available in the US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Mumbai), and Asia Pacific (Seoul). 

Q: What makes up the Amazon Inspector service?
Amazon Inspector consists of an Amazon-developed agent that is installed in the operating system of your Amazon EC2 instances and an IAM service role that is created with a single click during the setup of the Amazon Inspector service. This service role grants permissions to Amazon Inspector to enumerate instances and tags for assessment targeting. Please see the Amazon Inspector documentation for a current list of supported operating systems.

Q: Amazon Inspector sounds great, how do I get started?
Simply sign up for Amazon Inspector from the AWS Management Console. Once signed up, you install the appropriate Amazon Inspector agent on your Amazon EC2 instances, create a new assessment template, select the rules packages you want to use, and schedule an assessment run. Once it completes, the system will generate a findings report on any issues it identified for your environment.

Q: Does Amazon Inspector work with AWS partner solutions?
Yes, Amazon Inspector has public-facing APIs that are available for customers and AWS partners to use. Several partners have integrated with Amazon Inspector, incorporating findings into email, ticketing systems, pager platforms, or broader security dashboards. For details on supporting partners, please visit the Amazon Inspector Partner page.

Q: I use Network Address Translation (NAT) for my instances. Will Amazon Inspector work with these instances?
Yes. Instances that use a NAT are supported by Amazon Inspector with no action required from you.

Q: I use a Proxy for my instances. Will Amazon Inspector work with these instances?
Yes. The AWS agent supports proxy environments. For Linux instances, we support HTTPS Proxy, and for Windows instances, we support WinHTTP proxy. See the Amazon Inspector User Guide for instructions to configure Proxy support for the AWS Agent.

Q: Where can I find metrics information on my Amazon Inspector assessments?
Amazon Inspector automatically publishes metrics data on your assessments to Amazon CloudWatch. If you are a CloudWatch user, your Inspector assessment statistics will automatically be populated in CloudWatch. The Inspector metrics currently available are: number of assessment runs, agents targeted, and findings generated. See the Amazon Inspector documentation for details on the assessment metrics published to CloudWatch.

Q: Can Amazon Inspector be integrated with other AWS services for logging and notifications?
Amazon Inspector integrates with SNS to provide notification for various events such as monitoring milestones, failures, or expiration of exceptions and integrates with AWS CloudTrail for logging of calls to Amazon Inspector.

Q: I would like to automate the assessment of my infrastructure on a regular basis. Do you provide an automated way to submit assessments?
Yes. Amazon Inspector provides a full API allowing automatic creation of application environments, creation of assessments, evaluation of policies, creation of policy exceptions, and filters as well as retrieval of the results.

Q: Can I schedule security assessments to run on certain dates and times?
Yes. Amazon Inspector has made an AWS Lambda blueprint available for you to create recurring scheduled events. Once you have created an Assessment Template for the security assessment you want to run, simply go to AWS Lambda from the AWS Management console. In AWS Lambda, click on “Create a Lambda function” and select the “inspector-scheduled-run” blueprint. The blueprint will walk you through creating a recurring schedule to run your assessment.
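The getting-started steps, the API automation answer, and the scheduled-run answer above are one procedure, so here is the whole flow in code. This is an added example, not AWS's code and not the inspector-scheduled-run blueprint itself. It assumes the Inspector Classic operations exposed by boto3's "inspector" client (create_resource_group, create_assessment_target, list_rules_packages, create_assessment_template, subscribe_to_event, start_assessment_run), an Inspector=true instance tag and an INSPECTOR_TEMPLATE_ARN environment variable (both hypothetical names), and a constructed FakeInspectorClient so the module runs offline without AWS credentials.

```python
"""Drive an Amazon Inspector (Classic) assessment from the API: tag-based target,
template with rules packages and SNS notifications, then a scheduled-run handler.

Added example, not AWS's code or the inspector-scheduled-run blueprint.
Assumed: boto3 "inspector" client operations; an Inspector=true instance tag and an
INSPECTOR_TEMPLATE_ARN environment variable (hypothetical names).
FakeInspectorClient is a constructed stand-in so the module runs offline.
"""
import datetime
import os

try:
    import boto3  # only needed when talking to the real service
except ImportError:
    boto3 = None

TARGET_TAG = {"key": "Inspector", "value": "true"}  # hypothetical tag that selects instances


def build_assessment(client, name, sns_topic_arn=None, duration_seconds=3600,
                     rules_package_arns=None):
    """Resource group -> assessment target -> assessment template; returns the template ARN."""
    group = client.create_resource_group(resourceGroupTags=[TARGET_TAG])
    target = client.create_assessment_target(
        assessmentTargetName=f"{name}-target",
        resourceGroupArn=group["resourceGroupArn"],
    )
    if rules_package_arns is None:
        # Rules package ARNs differ per region, so discover them instead of hard-coding.
        rules_package_arns = client.list_rules_packages()["rulesPackageArns"]
    template = client.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=f"{name}-template",
        durationInSeconds=duration_seconds,
        rulesPackageArns=rules_package_arns,
        # Key/value attributes stamped on every finding the runs produce.
        userAttributesForFindings=[{"key": "pipeline", "value": name}],
    )
    template_arn = template["assessmentTemplateArn"]
    if sns_topic_arn:
        # Notify on run completion and on each reported finding.
        for event in ("ASSESSMENT_RUN_COMPLETED", "FINDING_REPORTED"):
            client.subscribe_to_event(resourceArn=template_arn, event=event,
                                      topicArn=sns_topic_arn)
    return template_arn


def start_run(client, template_arn, now=None):
    """Start one run named with a UTC timestamp so recurring runs stay distinguishable."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    run_name = "scheduled-" + now.strftime("%Y%m%dT%H%M%SZ")
    response = client.start_assessment_run(assessmentTemplateArn=template_arn,
                                           assessmentRunName=run_name)
    return response["assessmentRunArn"]


def lambda_handler(event, context, client=None):
    """Scheduled-run entry point (CloudWatch Events schedule -> Lambda -> StartAssessmentRun).
    The template ARN comes from the event or, failing that, the environment."""
    client = client or boto3.client("inspector")
    template_arn = event.get("assessmentTemplateArn") or os.environ["INSPECTOR_TEMPLATE_ARN"]
    return {"assessmentRunArn": start_run(client, template_arn)}


class FakeInspectorClient:
    """Constructed offline stand-in: records every call and returns ARN-shaped responses."""
    _PREFIX = "arn:aws:inspector:us-east-1:111122223333:"
    _RESPONSES = {
        "create_resource_group": {"resourceGroupArn": _PREFIX + "resourcegroup/0-rg"},
        "create_assessment_target": {"assessmentTargetArn": _PREFIX + "target/0-tgt"},
        "list_rules_packages": {"rulesPackageArns": [_PREFIX + "rulespackage/0-cve",
                                                     _PREFIX + "rulespackage/0-cis"]},
        "create_assessment_template": {"assessmentTemplateArn": _PREFIX + "target/0-tgt/template/0-tpl"},
        "subscribe_to_event": {},
        "start_assessment_run": {"assessmentRunArn": _PREFIX + "target/0-tgt/template/0-tpl/run/0-run"},
    }

    def __init__(self):
        self.calls = []  # list of (operation, kwargs)

    def __getattr__(self, operation):
        if operation not in self._RESPONSES:
            raise AttributeError(operation)

        def call(**kwargs):
            self.calls.append((operation, kwargs))
            return dict(self._RESPONSES[operation])
        return call


if __name__ == "__main__":
    fake = FakeInspectorClient()
    arn = build_assessment(fake, "nightly",
                           sns_topic_arn="arn:aws:sns:us-east-1:111122223333:inspector")
    print(lambda_handler({"assessmentTemplateArn": arn}, None, client=fake))
```

To use it against the real service, pass `boto3.client("inspector")` as `client`, give the Lambda role `inspector:StartAssessmentRun`, and attach a CloudWatch Events schedule to `lambda_handler`; the timestamped run name is what lets you tell recurring runs apart in the console and in CloudTrail.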

Q: Can Amazon Inspector run without tagging the resources?
No. Amazon Inspector requires you to use Amazon EC2 instance tags in order to run an assessment.

Q: Is there any performance impact during an Amazon Inspector scan?
Amazon Inspector and the Amazon Inspector agent have been designed for minimal performance impact during the assessment run process.

Q: Can I define my own rules for assessment templates?
No. Only the pre-defined rules will initially be allowed for assessment runs. However, over time we are exploring the inclusion of both premium rules sets from vendors in the AWS Marketplace and self-developed custom rules.

Q: What is the severity of a finding?
Each Amazon Inspector rule has an assigned severity level, which Amazon has classified as High, Medium, Low, or Informational. Severity is intended to help you prioritize your responses to findings.

Q: What is the “CIS Operating System Security Configuration Benchmarks” rules package?
CIS Security Benchmarks are provided by the Center for Internet Security and are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed here. CIS benchmark rules are designed to be pass/fail security checks. For every CIS check that fails, Inspector generates a finding with High severity. Additionally, an Informational finding is generated for each instance that lists all the CIS rules that are checked, and the pass/fail result for each rule.

Q: What is the “Common Vulnerabilities and Exposures” rules package?
The Common Vulnerabilities and Exposures (CVE) rules check for exposure to publicly known information security vulnerabilities and exposures. CVE rule details are available publicly at the National Vulnerability Database (NVD). We use the NVD's Common Vulnerability Scoring System (CVSS) as the primary source of severity information. If a CVE is not scored by NVD but is present in an Amazon Linux AMI Security Advisory (ALAS), we use the severity from the Amazon Linux advisory. If neither of these scores is available for a CVE, we do not report that CVE as a finding. We check daily for the latest information from NVD and ALAS and update our rules packages accordingly.

Q: How is the severity determined?
Severity of a rule is based on potential impact of the security issue found. Although some rules packages have Severity levels provided as part of the rules they provide, these can often differ by rules set. Amazon Inspector has normalized the severity for findings across all available rules packages by mapping the individual severities to common High, Medium, Low, and Informational classifications. For high, medium, and low severity findings, the higher the severity of the finding, the more security impact the underlying issue has.  Findings that are classified as informational are provided to advise you of security issues that have been identified as existing within the operating system or applications available, but might not have an immediate security impact.

  • For AWS supported rules packages, the severity is determined by the AWS security team.
  • The CIS Benchmarks rules package findings always have severity set to “High”.
  • For the Common Vulnerabilities and Exposures (CVE) rules package, Amazon Inspector maps the CVSS Base Score provided by NVD, or the ALAS severity when NVD has not scored the CVE, as follows:

             Amazon Inspector Severity   CVSS Base Score      ALAS Severity (if CVSS not scored)
             High                        >= 5                 Critical or Important
             Medium                      < 5 and >= 2.1       Medium
             Low                         < 2.1 and >= 0.8     Low
             Informational               < 0.8                N/A
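The CIS rules package answer and the severity-mapping answer above describe a small normalization procedure: CVSS first, ALAS as fallback, no finding when neither is scored, and every failed CIS check reported as High. The following is an added example of that procedure, not Amazon Inspector's own code; the thresholds are the ones in the table above, and the input records are constructed here for illustration and do not follow the Inspector finding JSON shape.

```python
"""Normalize rule results to Amazon Inspector severities as the FAQ describes.

Added example, not Inspector's code. Thresholds come from the severity table;
the SAMPLE records below are constructed and use made-up rule IDs.
"""
SEVERITIES = ("Informational", "Low", "Medium", "High")  # ascending order
ALAS_TO_INSPECTOR = {"Critical": "High", "Important": "High", "Medium": "Medium", "Low": "Low"}


def severity_from_cvss(base_score):
    """CVSS base score -> Inspector severity; boundaries are inclusive on the lower side."""
    if base_score >= 5.0:
        return "High"
    if base_score >= 2.1:
        return "Medium"
    if base_score >= 0.8:
        return "Low"
    return "Informational"


def cve_severity(cvss_base_score=None, alas_severity=None):
    """NVD score wins; ALAS is the fallback; None means Inspector reports no finding."""
    if cvss_base_score is not None:
        return severity_from_cvss(float(cvss_base_score))
    if alas_severity is not None:
        return ALAS_TO_INSPECTOR.get(alas_severity)  # unknown ALAS label -> None
    return None


def cis_severity(passed):
    """CIS checks are pass/fail: a failure is always High; a pass yields no finding of its
    own (the per-instance Informational summary of all CIS results is separate)."""
    return None if passed else "High"


def normalize(record):
    """Return (rule_id, severity) for a record, or None when the rule yields no finding."""
    package = record["package"]
    if package == "CVE":
        severity = cve_severity(record.get("cvss"), record.get("alas"))
    elif package == "CIS":
        severity = cis_severity(record["passed"])
    else:
        severity = record.get("severity")  # AWS-authored packages carry their own severity
    return None if severity is None else (record["id"], severity)


def triage(records):
    """Normalize all records, drop non-findings, and order highest severity first."""
    findings = [f for f in map(normalize, records) if f]
    return sorted(findings, key=lambda f: SEVERITIES.index(f[1]), reverse=True)


# Constructed sample input (IDs are placeholders, not real CVEs or CIS rule numbers).
SAMPLE = [
    {"id": "CVE-0000-0001", "package": "CVE", "cvss": 5.0},          # boundary -> High
    {"id": "CVE-0000-0002", "package": "CVE", "cvss": 4.9},          # -> Medium
    {"id": "CVE-0000-0003", "package": "CVE", "cvss": 0.8},          # boundary -> Low
    {"id": "CVE-0000-0004", "package": "CVE", "cvss": 0.7},          # -> Informational
    {"id": "CVE-0000-0005", "package": "CVE", "alas": "Important"},  # no NVD score -> ALAS -> High
    {"id": "CVE-0000-0006", "package": "CVE"},                       # unscored -> no finding
    {"id": "CIS-1.1.1", "package": "CIS", "passed": False},          # failed check -> High
    {"id": "CIS-1.1.2", "package": "CIS", "passed": True},           # passed -> no finding
    {"id": "BP-ssh-root", "package": "Security Best Practices", "severity": "Medium"},
]

if __name__ == "__main__":
    for rule_id, severity in triage(SAMPLE):
        print(f"{severity:<14} {rule_id}")
```

Re-implementing the mapping is useful when you ingest findings from several scanners into one queue: the thresholds make the "High at CVSS 5.0" cut-off explicit, which is lower than the 7.0 line many other tools use, and `triage` shows why an unscored CVE silently produces no finding rather than a Low one.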