Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. With a few clicks in the AWS Management Console, you can use Amazon Inspector across all accounts in your organization. Once started, it automatically discovers running Amazon Elastic Compute Cloud (EC2) instances, container images residing in Amazon Elastic Container Registry (ECR), and AWS Lambda functions, at scale, and immediately starts assessing them for known vulnerabilities.
Amazon Inspector calculates a highly contextualized risk score for each finding by correlating common vulnerabilities and exposures (CVE) information with factors such as network access and exploitability. This score is used to prioritize the most critical vulnerabilities to improve remediation response efficiency. All findings are aggregated in a newly designed Amazon Inspector console and pushed to AWS Security Hub and Amazon EventBridge to automate workflows. Vulnerabilities found in container images are also sent to Amazon ECR for resource owners to view and remediate. With Amazon Inspector, even small security teams and developers can ensure infrastructure workload security and compliance across their AWS workloads.
Vulnerability management for compute workloads
Amazon Inspector is a comprehensive vulnerability management tool that functions across multiple resources, including Amazon EC2, Lambda functions, and container workloads. It identifies different types of vulnerabilities, including software vulnerabilities and unintended network exposure, that can be used to compromise workloads, repurpose resources for malicious use, or exfiltrate data.
Simplified one-click onboarding and integration with AWS Organizations
Start Amazon Inspector across multiple accounts with one click in the Amazon Inspector console or a single API call. Amazon Inspector allows you to assign an Inspector Delegated Administrator (DA) account for your organization, which can start and configure all member accounts as well as consolidate all findings.
Automated discovery and continual vulnerability scanning
Once started, Amazon Inspector automatically discovers all Amazon EC2 instances, Lambda functions, and container images residing in Amazon ECR that are identified for scanning, and then immediately starts scanning them for software vulnerabilities and unintended network exposure. All workloads are continually rescanned when a new CVE is published or when there are changes in the workloads, such as installation of new software in an EC2 instance.
AWS Systems Manager Agent
Amazon Inspector uses the widely deployed AWS Systems Manager Agent (SSM Agent) to collect the software inventory and configurations from your Amazon EC2 instances. The collected application inventory and configurations are used to assess workloads for vulnerabilities.
Inspector risk score for findings
Amazon Inspector generates a highly contextualized Inspector risk score for each finding by correlating CVE information with environmental factors such as network reachability results and exploitability data. This helps prioritize the findings and highlights the most critical findings and vulnerable resources. The Inspector score calculation (and which factors influenced the score) can be viewed in the Inspector Score tab within the Findings Details side panel.
Suppression of findings
Amazon Inspector supports suppression of findings based on criteria you define. You can create these suppression rules to suppress findings that your organization deems an acceptable risk.
Automatic closure of remediated findings
Amazon Inspector automatically detects if a vulnerability has been patched or remediated. Once detected, it automatically changes the state of the finding to “Closed” without manual intervention.
Detailed coverage monitoring
Amazon Inspector offers an aggregated, near real-time view of the environment coverage across an organization so you can avoid gaps in coverage. It provides metrics and detailed information on accounts using Amazon Inspector, as well as Amazon EC2 instances, Amazon ECR repositories, and container images that are actively being scanned by Amazon Inspector. Additionally, it highlights the resources not being actively monitored and provides guidance on how to include them.
Integration with Security Hub and EventBridge
All findings are aggregated in the Amazon Inspector console, routed to AWS Security Hub, and pushed through Amazon EventBridge to automate workflows such as ticketing.
Vulnerability mapping to layers in Lambda functions
Vulnerabilities detected in software dependencies used in AWS Lambda functions are automatically mapped to the underlying Lambda layers, making remediation efforts easier. You can address the vulnerabilities in layers once, which can help improve security of all downstream Lambda functions.
Learn about Amazon Inspector customers