Amazon Inspector features
Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. With a few steps in the AWS Management Console, you can enable Amazon Inspector across all accounts in your organization. Once enabled, it automatically discovers Amazon Elastic Compute Cloud (EC2) instances, container images residing in Amazon Elastic Container Registry (ECR) and in continuous integration and continuous delivery (CI/CD) tools, and AWS Lambda functions, at scale, and immediately starts assessing them for known vulnerabilities.
Amazon Inspector calculates a highly contextualized risk score for each finding by correlating Common Vulnerabilities and Exposures (CVE) information with factors such as network access and exploitability. This score is used to prioritize the most critical vulnerabilities and improve remediation response efficiency. All findings are aggregated in the Amazon Inspector console and pushed to AWS Security Hub and Amazon EventBridge to automate workflows. Vulnerabilities found in container images are also sent to Amazon ECR so that resource owners can view and remediate them. Amazon Inspector empowers security teams and developers of any size to achieve comprehensive infrastructure workload security and compliance across their AWS environments.
Automated vulnerability management for compute workloads
Simplified one-click onboarding and integration with AWS Organizations
Automated discovery and continual vulnerability scanning
Integration with AWS Systems Manager Agent
Agentless vulnerability assessments for Amazon EC2 (in preview)
Amazon Inspector offers continuous monitoring of your Amazon EC2 instances for software vulnerabilities without installing an agent or additional software. Amazon Inspector takes a snapshot of the instance's Amazon Elastic Block Store (EBS) volume and extracts data about the system and its configuration from the snapshot to perform the vulnerability assessment. With this capability, you can expand your vulnerability assessment coverage across your EC2 infrastructure with Amazon Inspector agentless scanning for EC2 instances (preview) that do not have the SSM Agent installed or configured.
Amazon Inspector risk score for findings
Suppression of findings
Automatic closure of remediated findings
Detailed coverage monitoring
Integration with AWS Security Hub and Amazon EventBridge
Integrating vulnerability mapping and generative AI-powered remediation for layers in Lambda functions
Amazon Inspector scans the custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or missing encryption, based on AWS security best practices. Upon detecting code vulnerabilities within the Lambda function or layer, Amazon Inspector generates actionable security findings that provide details such as the security detector name, the impacted code snippets, and remediation suggestions for addressing the vulnerabilities. Using generative AI and automated reasoning, Amazon Inspector provides in-context code patches for multiple classes of vulnerabilities, reducing the effort required to fix code vulnerabilities. By addressing vulnerabilities at the foundational layers, you can help improve the security of all downstream Lambda functions that depend on them.
Manage software bill of materials (SBOM) exports
Integration with developer tools
Amazon Inspector integrates with developer tools like Jenkins and TeamCity for container image assessments. It allows developers to assess their container images within these CI/CD tools, pushing security earlier in the software development lifecycle. The findings are available in the CI/CD tool’s dashboard, allowing you to take immediate automated actions in response to critical security issues, such as blocking builds or image pushes to container registries. Your CI/CD tools can be hosted anywhere, whether in AWS, on premises, or in hybrid clouds, giving developers a single consistent solution across all your development pipelines.