Discover Amazon Inspector, an AWS security monitoring service that provides automated security scans for EC2 instances, AWS Lambda, and ECR container images.

Traditional security and vulnerability management tools are not well suited for analyzing the security posture of cloud resources. With the mass migration of workloads into the cloud in the past few years, organizations need the right tools for this sort of analysis. Amazon Inspector is designed to provide automated vulnerability assessments of your AWS resources.

Amazon Inspector is an automated security assessment service. Its goal is to enhance the security and compliance of applications running on AWS cloud infrastructure, specifically targeting EC2 instances and other AWS resources, including AWS Lambda functions and ECR images, across multiple AWS accounts.

The analysis scans for software vulnerabilities, including critical ones, and for unintended network exposure. It also provides APIs for integration and detailed reporting.

Amazon Inspector's automated security scanning

Amazon Inspector features

Amazon Inspector offers the following features:

  1. Automated vulnerability management: Amazon Inspector scans resources such as Amazon EC2 instances, Lambda functions, and container workloads for known software vulnerabilities and unintended network exposure.
  2. Continuous monitoring: Continuously rescans workloads when a new CVE is published or changes are made, ensuring real-time security monitoring.
  3. Risk scoring: Amazon Inspector generates a contextualized risk score for each finding, correlating CVE information with environmental factors, such as network accessibility and exploitability.
  4. Suppression rules: Supports suppression of findings based on criteria defined by your organization, allowing you to manage acceptable risks.
  5. Automated remediation tracking: Once a vulnerability has been patched or remediated, Amazon Inspector automatically changes the state of the finding to "Closed."
  6. Simplified onboarding: Provides easy onboarding across multiple AWS accounts with one step in the Amazon Inspector console or a single API call.
  7. Integration with AWS Organizations: Amazon Inspector integrates with AWS Organizations.
  8. Lambda function scanning: Scans the custom application code within a Lambda function, checking for code security vulnerabilities, such as injection flaws, data leaks, weak cryptography, or missing encryption.
  9. Actionable security findings: Generates actionable security findings upon detecting vulnerabilities and provides information for remediation.

Amazon Inspector EC2 agent

Inspector utilizes the AWS SSM Agent, which is part of AWS Systems Manager. Amazon has taken the heavy lifting out of deploying agents to EC2 instances, as the SSM Agent is installed by default when you provision a new EC2 instance.

However, it is worth checking the instance to ensure that the service is running. On a Linux EC2 instance, you can do this from the command line. For example, on Ubuntu 16.04 and higher, you can use the following command:

sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service

Checking the SSM agent in an Ubuntu EC2 instance

To check the command for your version of Linux running in your EC2 instance, use this link.

Enabling Amazon Inspector

Getting started with Amazon Inspector is a straightforward process. Begin by setting up your AWS account and ensuring that all your AWS workloads and resources are appropriately configured. You can then delegate an Inspector administrator to manage Inspector for your organization. Delegating an administrator is optional, though; you can simply click the Activate Inspector button.

Amazon Inspector is a paid service. However, you do have a free 15-day trial when you enable Amazon Inspector in your Amazon account. More info about the pricing of Amazon Inspector can be found here.

Delegating the administrator account and enabling Inspector

As you can see below, under Account Management, you can enable all scanning or only EC2, ECR, or Lambda. This setting lets you choose, in a granular fashion, which services Amazon Inspector scans.

As you can see below, the status of the AWS account shows Inspector enabled for EC2, ECR, and Lambda.

Selecting which services you want to scan

Analyzing Amazon Inspector results

Once Inspector is enabled for the accounts as shown above, it immediately starts analyzing the environment. Under the Dashboard, you will see an overview of the findings as the scans complete, and it will display the findings for your AWS resources.

If you do not immediately see results in the dashboard, give this a few minutes, as the scans run in the background and results may not show right away.

The Dashboard is the global overview of Inspector's findings. It displays environment coverage, critical findings, package names, ECR repos, etc., that are found to have known vulnerabilities or exposure in the environment.

Viewing the Amazon Inspector Dashboard, which gives a summary of the vulnerability landscape

You can click the Findings menu option to have a more detailed view of the findings for your AWS environment. The Findings menu breaks the vulnerability findings into different views, including the following:

  • All findings: All of the security findings in the environment
  • By vulnerability: Focuses on a list of vulnerabilities and the CVE number
  • By instance: Focuses on the specific AWS instances and the numbers of vulnerabilities associated with each
  • By container image: Container image vulnerabilities
  • By container repository: Container repository vulnerabilities view

Viewing findings in Amazon Inspector

You can also filter the display of findings if you are interested in specific resources or CVE numbers.

Filtering displayed results on the Inspector Findings screen

Amazon Inspector provides detailed CVSS information for the findings. When you click a finding on the dashboard, it pops out a blade that provides more detailed information for the vulnerability. Notable information includes:

  • Inspector score: How critical the vulnerability is deemed by Amazon Inspector
  • CVSS base score: The CVSS score based on the catalogued vulnerability
  • Related vulnerabilities: Shows whether there are other vulnerabilities related to this particular finding
  • Type of resource affected: Which AWS resource is affected

All findings with detailed information for a specific finding

In addition, you can drill further into the CVSS and Inspector score and see more detail on the vulnerability, including the attack vector, attack complexity, privileges required, scope, etc. These types of metrics are useful when considering the prioritization of remediation efforts. If a vulnerability has a low attack complexity and can be carried out easily, it will probably be a high priority for patching.

Viewing specific CVSS score metrics for a finding

Another handy feature of Amazon Inspector is the ability to export your findings from Inspector to a flat file, including JSON or CSV. You can also choose to store the files in an S3 bucket. The export process allows you to filter the findings so that only findings that meet certain criteria are exported.

A use case for this is to feed the data into other systems, such as SIEMs or other IT management solutions for reporting purposes, tickets, etc.
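As an added example (not from the original article or from AWS), the Python below reads a JSON findings export and orders open findings for patching using the Inspector score and the CVSS metrics discussed above. It assumes the export holds a top-level `findings` list whose fields are named as in the Inspector ListFindings API; the sample data, CVE IDs, and instance IDs are constructed placeholders.

```python
import json

def _finding(cve, resource, status, score, vector):
    # Builds one constructed finding; field names mirror the ListFindings API shape.
    return {"status": status, "inspectorScore": score,
            "inspectorScoreDetails": {"adjustedCvss": {"scoringVector": vector}},
            "packageVulnerabilityDetails": {"vulnerabilityId": cve},
            "resources": [{"id": resource, "type": "AWS_EC2_INSTANCE"}]}

# Constructed sample export: placeholder CVE and instance IDs, not real data.
SAMPLE_EXPORT = json.dumps({"findings": [
    _finding("CVE-0000-0002", "i-0constructed0002", "ACTIVE", 7.8,
             "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    _finding("CVE-0000-0003", "i-0constructed0003", "CLOSED", 9.8,
             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    _finding("CVE-0000-0005", "i-0constructed0005", "ACTIVE", 7.5,
             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    _finding("CVE-0000-0004", "i-0constructed0004", "ACTIVE", 5.3,
             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    _finding("CVE-0000-0001", "i-0constructed0001", "ACTIVE", 9.8,
             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
]})

def parse_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'CVSS': '3.1', 'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/") if ":" in part)

def triage(export_text, min_score=7.0):
    """Return open findings at or above min_score, network-reachable easy ones first."""
    rows = []
    for f in json.loads(export_text).get("findings", []):
        score = f.get("inspectorScore")
        if f.get("status") != "ACTIVE" or score is None or score < min_score:
            continue  # skip CLOSED/SUPPRESSED findings and anything below the bar
        details = f.get("inspectorScoreDetails") or {}
        metrics = parse_vector((details.get("adjustedCvss") or {}).get("scoringVector", ""))
        resources = f.get("resources") or [{}]
        rows.append({
            "cve": (f.get("packageVulnerabilityDetails") or {}).get("vulnerabilityId", "n/a"),
            "resource": resources[0].get("id", "n/a"),
            "score": score,
            # Network attack vector, low complexity, no privileges required
            "easy_remote": (metrics.get("AV"), metrics.get("AC"), metrics.get("PR")) == ("N", "L", "N"),
        })
    return sorted(rows, key=lambda r: (not r["easy_remote"], -r["score"]))

if __name__ == "__main__":
    for row in triage(SAMPLE_EXPORT):
        print(row)
```

With the sample data, the 7.5 finding that is reachable over the network sorts ahead of the 7.8 finding that needs local access, and the closed finding is dropped.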

Export Amazon Inspector findings to CSV, JSON, or S3

A new feature with Amazon Inspector is related to software Bills of Materials. Amazon Inspector now enables exporting a software Bill of Materials (SBOM) for Inspector-monitored resources. Using this feature, you can help secure your software supply chains.

Once you have your SBOM exported, you can use Amazon Athena, Amazon's interactive query service, or QuickSight, Amazon's unified business intelligence service, to analyze the software supply chains used in the environment. With supply chain attacks and other security concerns ramping up, SBOM exports will help organizations maintain better visibility and control over their software supply chains.

Exporting a software Bill of Materials (SBOM) using Amazon Inspector

Wrapping up

Amazon Inspector offers businesses automated AWS security monitoring. Using the native AWS service, companies can strengthen their security posture against common vulnerabilities, mitigate unintended network exposure, and ensure continuous compliance with native AWS security best practices. For those already invested in the AWS ecosystem, the Inspector service will help improve security posture across the board and provide visibility into unseen threats.




© 4sysops 2006 - 2023

