Amazon Inspector Documentation

Amazon Inspector is a vulnerability management service that scans AWS workloads and code repositories for software vulnerabilities and unintended network exposure. Through the AWS Management Console, you can use Amazon Inspector across all accounts in your organization. Once started, Amazon Inspector discovers running Amazon Elastic Compute Cloud (Amazon EC2) instances, container images residing in Amazon Elastic Container Registry (Amazon ECR) and within continuous integration and continuous delivery (CI/CD) tools, code repositories, and AWS Lambda functions, at scale, and starts assessing them for known vulnerabilities. Amazon Inspector calculates a highly contextualized risk score for each finding by correlating Common Vulnerabilities and Exposures (CVE) information with factors such as network access and exploitability. All findings are aggregated in the Amazon Inspector console and pushed to AWS Security Hub and Amazon EventBridge. Vulnerabilities found in container images are also sent to Amazon ECR for resource owners to view and remediate.

Vulnerability management for compute workloads

Amazon Inspector is a comprehensive vulnerability management tool that functions across multiple resources. It identifies different types of vulnerabilities, including software vulnerabilities and unintended network exposure, that can be used to compromise workloads, repurpose resources for malicious use, or exfiltrate data.

Simplified enablement and integration with AWS Organizations

You can start Amazon Inspector across multiple accounts in the Amazon Inspector console or via the API. Amazon Inspector allows you to assign an Inspector Delegated Administrator (DA) account for your organization, which can start and configure all member accounts as well as consolidate all findings.

Resource discovery and vulnerability scanning

Once started, Amazon Inspector discovers all EC2 instances, Lambda functions, container images residing in Amazon ECR, and code repositories that are identified for scanning, and then starts scanning them for software vulnerabilities and unintended network exposure. All workloads are rescanned when a new Common Vulnerabilities and Exposures (CVE) entry is published, or when there are changes in the workloads.

Integration with AWS Systems Manager Agent

Amazon Inspector uses the widely deployed AWS Systems Manager (SSM) Agent to collect the software inventory and configurations from your Amazon EC2 instances. The collected application inventory and configurations are used to assess workloads for vulnerabilities.

Agentless vulnerability assessments for Amazon EC2 (in preview)

Amazon Inspector offers monitoring of your Amazon EC2 instances for software vulnerabilities without installing an agent or additional software. Amazon Inspector takes a snapshot of the EBS volume to extract data about the system and configuration of the instances to perform vulnerability assessments. With this capability, you can expand your vulnerability assessment coverage across your EC2 infrastructure with Amazon Inspector agentless scanning for EC2 instances (preview) that do not have SSM Agents installed or configured.

Suppression of findings

Amazon Inspector supports suppression of findings based on criteria you define. You can create these suppression rules to suppress findings that your organization deems an acceptable risk.

Inspector risk score for findings

Amazon Inspector generates a highly contextualized Inspector risk score for each finding by correlating CVE information with environmental factors such as network reachability results and exploitability data. This helps you prioritize the findings and highlights the most critical findings and vulnerable resources. You can view the Inspector score calculation (and which factors influenced the score) in the Inspector Score tab within the Findings Details side panel.

Closure of remediated findings

Amazon Inspector detects if a vulnerability has been patched or remediated. Once detected, Amazon Inspector changes the state of the finding to “Closed”.

Detailed coverage monitoring

Amazon Inspector offers an aggregated view of the environment coverage across an organization so you can avoid gaps in coverage. It provides metrics and detailed information on accounts using Amazon Inspector, as well as EC2 instances, ECR repositories, code repositories, and container images that are actively being scanned by Amazon Inspector. Additionally, Amazon Inspector highlights the resources not being actively monitored and provides guidance on how to include them.

Integration with AWS Security Hub and Amazon EventBridge

All findings are aggregated in the Amazon Inspector console, routed to AWS Security Hub, and pushed through Amazon EventBridge to help you automate workflows such as ticketing.
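The ticketing automation described above, as an added example that is not AWS's own code: an EventBridge rule pattern that selects only active HIGH and CRITICAL Inspector findings, a minimal matcher implementing the subset of EventBridge pattern semantics the rule needs, and a Lambda-style handler that turns a matching finding event into a ticket payload. The event envelope (`source` of `aws.inspector2`, `detail-type` of `Inspector2 Finding`) is the documented EventBridge shape; the field names used inside `detail` (`severity`, `status`, `title`, `findingArn`, `inspectorScore`, `resources`) are assumed from the Inspector finding format, and the sample event and its identifiers are constructed placeholders.

```python
"""Triage Amazon Inspector findings delivered through Amazon EventBridge.

Added example (not AWS code). The handler returns the ticket payload it
would send, so the logic can be exercised offline; swap the return for a
call into your ticketing system when deploying.
"""
import json

# Event pattern for the EventBridge rule: only ACTIVE findings at HIGH or
# CRITICAL severity reach the target. Findings Inspector later marks CLOSED
# (remediated) never match, so no stale ticket is raised for them.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["HIGH", "CRITICAL"],
        "status": ["ACTIVE"],
    },
}

# Constructed sample event; every identifier below is a placeholder.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["i-0123456789abcdef0"],
    "detail": {  # field names assumed from the Inspector finding format
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/EXAMPLE",
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "title": "CVE-EXAMPLE-0001 - example-package",
        "inspectorScore": 9.8,
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
    },
}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Subset of EventBridge pattern matching sufficient for EVENT_PATTERN.

    Every key in the pattern must be present in the event. A list of literals
    matches when the event value equals any of them; a nested dict recurses.
    Comparison operators such as prefix or anything-but are not implemented.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def build_ticket(event):
    """Flatten the parts of the finding a responder needs into a ticket payload."""
    detail = event["detail"]
    return {
        "summary": f"[Inspector {detail['severity']}] {detail['title']}",
        "severity": detail["severity"],
        "inspector_score": detail.get("inspectorScore"),
        "finding_arn": detail["findingArn"],
        "account": event["account"],
        "region": event["region"],
        # Resource type and id together identify what to patch or rebuild.
        "resources": [f"{r['type']}:{r['id']}" for r in detail.get("resources", [])],
    }


def handler(event, context=None):
    """Lambda-style entry point.

    Returns the ticket payload for findings that match EVENT_PATTERN and None
    otherwise. Re-checking the pattern here is defence in depth: the rule
    already filters, but a misconfigured rule should not produce tickets for
    MEDIUM or CLOSED findings.
    """
    if not matches_pattern(event, EVENT_PATTERN):
        return None
    return build_ticket(event)  # replace with the ticketing API call


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The same handler can be wired as the target of a rule whose pattern is the `EVENT_PATTERN` dict serialised as JSON; keeping the pattern in code next to the handler makes the severity threshold reviewable alongside the routing logic.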

Vulnerability mapping and generative AI-powered remediation for layers in Lambda functions

Vulnerabilities detected in software dependencies used in AWS Lambda functions are mapped to the underlying Lambda layers, so you can address a vulnerability once at the layer level instead of in every function that uses that layer.

Integration with developer tools

Amazon Inspector integrates with developer tools for container image assessments. It helps developers to assess their container images within these CI/CD tools, pushing security earlier in the software development lifecycle. The findings are available in the CI/CD tools dashboard, helping you to take automated actions in response to critical security issues. Your CI/CD tools can be hosted in AWS, on-premises, or hybrid clouds.

Support for CIS Benchmark assessments

Amazon Inspector supports the Center for Internet Security's CIS Benchmarks. You can run Amazon Inspector to perform on-demand and targeted assessments against OS-level CIS configuration benchmarks for Amazon EC2 instances across your AWS Organization.

Enhanced container security management

Amazon Inspector maps Amazon Elastic Container Registry (Amazon ECR) images to their deployment footprint across Amazon Elastic Container Service (Amazon ECS) tasks and Amazon Elastic Kubernetes Service (Amazon EKS) pods. For each scanned Amazon ECR image, Amazon Inspector provides insights into its deployment scope. With support for scratch, distroless, and Chainguard images, Amazon Inspector extends its coverage to minimal and security-focused container base images.

Enhanced code security management

Amazon Inspector expands vulnerability management to application source code through native integration with GitHub and GitLab. The service scans for security vulnerabilities and misconfigurations across your application source code, dependencies, and infrastructure as code (IaC) definitions. Amazon Inspector performs Static Application Security Testing (SAST) to analyze application source code, Software Composition Analysis (SCA) to evaluate third-party dependencies, and IaC scanning to validate infrastructure definitions. Findings from these scans are surfaced both in the Amazon Inspector console for an aggregated view across the organization and within the source code management platform as fast feedback for developers.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.