Amazon Inspector: A Guide to AWS Vulnerability Management

November 26, 2024
8 min read

Introduction

Vulnerability management is the process of identifying, assessing, and mitigating security vulnerabilities in your IT infrastructure to reduce the risk of cyberattacks. In today’s rapidly evolving threat landscape, proactive vulnerability management is critical to safeguard your systems, protect sensitive data, and ensure compliance with industry regulations.

To help streamline this process, Amazon offers Amazon Inspector, a native vulnerability management service that integrates with AWS environments. In this blog, we’ll explore how Amazon Inspector works, its key features, and how it can enhance your organization’s security posture.

What is Amazon Inspector?

Source: Amazon Inspector

Amazon Inspector is an automated vulnerability management service designed to keep your AWS workloads secure. It automatically discovers resources like Amazon EC2 instances, container images in Amazon ECR, and Lambda functions, then continuously scans them for software vulnerabilities and unintended network exposure.

When a potential issue is detected, Amazon Inspector generates a detailed finding—a report outlining the vulnerability or exposure. These findings can be easily managed through the Amazon Inspector console or API, giving you the tools to address security risks efficiently and proactively.

Features of Amazon Inspector:

Continuous Scanning for Vulnerabilities and Network Exposure

Amazon Inspector simplifies security by continuously scanning your AWS environment for vulnerabilities and network exposure—without requiring you to manually schedule or configure scans. As soon as eligible resources are discovered, Amazon Inspector begins assessing them automatically.

The service doesn’t stop there—it keeps monitoring your environment throughout the lifecycle of your resources. It automatically rescans resources whenever changes occur that might introduce vulnerabilities, such as:

  • Installing a new package on an EC2 instance.
  • Applying a patch.
  • The publication of a new Common Vulnerabilities and Exposures (CVE) that affects your resources.

Unlike traditional scanning tools, Amazon Inspector is designed to have minimal impact on the performance of your systems.

When an issue is detected, Amazon Inspector generates a detailed finding that includes:

  • Information about the vulnerability.
  • Details about the affected resource.
  • Recommendations for remediation.

Once you address the issue, Amazon Inspector automatically verifies the remediation and closes the finding.

Accurate Vulnerability Assessment with Amazon Inspector Risk Scores

Source: Automated Vulnerability Management for Cloud Workloads with Amazon Inspector

Amazon Inspector enhances vulnerability assessments by providing tailored severity scores specific to your environment. These scores are based on the Common Vulnerability Scoring System (CVSS) but are adjusted to reflect the unique context of your AWS resources.

Here’s how it works:

  • Environment-Aware Scoring: Amazon Inspector starts with the base score from the National Vulnerability Database (NVD) and adjusts it according to factors in your compute environment.
  • Context-Sensitive Adjustments: For instance, if a vulnerability is technically exploitable over the network but the affected EC2 instance has no open network path to the internet, Amazon Inspector may assign a lower score.

The final score, still presented in the CVSS format, gives you a more accurate understanding of the actual risk to your environment, helping you prioritize and address vulnerabilities effectively.

Centralized Management

Managing security across multiple AWS accounts can be challenging, but Amazon Inspector simplifies this process by allowing you to centrally manage your environment using AWS Organizations. With this feature, you can designate a specific account as the delegated administrator account for Amazon Inspector.

Here’s how it works:

  • One-Click Activation: You can activate Amazon Inspector for your entire organization with a single click, ensuring that all accounts are covered.
  • Automated Onboarding: New accounts added to your AWS organization are automatically included in Amazon Inspector’s scans, saving you time and effort.
  • Centralized Control: The delegated administrator account can:
    • View aggregated findings across all member accounts.
    • Activate or deactivate scans for specific accounts.
    • Review details about scanned resources within the organization.

This centralized management makes it easier to maintain consistent vulnerability scanning and response across your AWS environment, ensuring all your resources stay protected.

Comprehensive Insights with the Amazon Inspector Dashboard

Source: Automated Vulnerability Management for Cloud Workloads with Amazon Inspector

The Amazon Inspector dashboard provides a clear, high-level overview of vulnerabilities and risks across your AWS environment.

Key features of the dashboard include:

  • Comprehensive Overview: See streamlined information about scan coverage, critical findings, and which resources have the most vulnerabilities.
  • Detailed Findings: Drill down into specific findings to view in-depth details and suggested remediation steps.
  • Risk-Based Insights: The risk-based remediation panel highlights vulnerabilities affecting the largest number of instances and container images. This feature makes it easier to focus on the findings with the greatest potential impact on your environment.

Seamless Integration with Other AWS Services

Source: Perform continuous vulnerability scanning of AWS Lambda functions with Amazon Inspector

Amazon Inspector makes it easy to share and process findings by integrating with other AWS services:

  • Real-Time Monitoring: Findings are published to Amazon EventBridge, a serverless event bus that routes data to services like AWS Lambda or Amazon SNS. This allows you to monitor and act on findings in near real time within your existing security workflows.
  • Centralized Security View: If you use AWS Security Hub, Amazon Inspector findings are automatically sent there. Security Hub provides a unified view of your security posture across AWS, helping you align with industry standards and best practices.
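As an added example of the EventBridge integration just described (not code from AWS or Amazon Inspector), the block below shows the event pattern a rule would use to forward only active CRITICAL and HIGH findings, a matcher implementing the exact-match subset of EventBridge semantics that this rule relies on, and the Lambda handler a target would run to turn a finding into a notification message. The sample events are constructed here; their field names follow the Inspector finding format (severity, status, type, resources, packageVulnerabilityDetails), but the account, instance and CVE identifiers are placeholders.

```python
"""Routing Amazon Inspector findings from EventBridge (added example, not AWS code).

The pattern is the JSON you would pass to `aws events put-rule --event-pattern`.
The matcher covers only EventBridge's exact-match subset (a list of allowed values
per key, nested objects), which is all this rule needs.
"""
import json

# Rule: only ACTIVE findings of CRITICAL or HIGH severity reach the responder.
FINDING_RULE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["CRITICAL", "HIGH"],
        "status": ["ACTIVE"],
    },
}


def event_matches(pattern, event):
    """EventBridge exact-match semantics: every pattern key must exist in the event;
    a list means 'value is one of these'; a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def summarize_finding(event):
    """Build the message a Lambda target would publish to SNS for one finding."""
    d = event["detail"]
    return {
        "account": d["awsAccountId"],
        "severity": d["severity"],
        "type": d["type"],
        "vulnerability": d.get("packageVulnerabilityDetails", {}).get("vulnerabilityId"),
        "resources": [r["id"] for r in d.get("resources", [])],
        "title": d["title"],
    }


def lambda_handler(event, context=None):
    """Entry point for a Lambda target. The rule has already filtered the event,
    but re-checking keeps the function safe if something else invokes it."""
    if not event_matches(FINDING_RULE_PATTERN, event):
        return {"routed": False}
    return {"routed": True, "message": summarize_finding(event)}


def make_event(severity, status, vuln_id, resource_id, finding_type="PACKAGE_VULNERABILITY"):
    """Constructed sample event; identifiers are placeholders, not captured data."""
    return {
        "version": "0",
        "source": "aws.inspector2",
        "detail-type": "Inspector2 Finding",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "awsAccountId": "111122223333",
            "severity": severity,
            "status": status,
            "type": finding_type,
            "title": f"{vuln_id} - example package",
            "resources": [{"type": "AWS_EC2_INSTANCE", "id": resource_id}],
            "packageVulnerabilityDetails": {"vulnerabilityId": vuln_id},
        },
    }


# Placeholder CVE ids (CVE-0000-...) stand in for real ones.
SAMPLE_EVENTS = [
    make_event("CRITICAL", "ACTIVE", "CVE-0000-0001", "i-0123456789abcdef0"),
    make_event("LOW", "ACTIVE", "CVE-0000-0002", "i-0123456789abcdef0"),
    make_event("HIGH", "CLOSED", "CVE-0000-0003", "i-0fedcba9876543210"),
]


def route_all(events=SAMPLE_EVENTS):
    """Run the handler over a batch; returns one routing decision per event."""
    return [lambda_handler(e) for e in events]


if __name__ == "__main__":
    print(json.dumps(FINDING_RULE_PATTERN, indent=2))
    for decision in route_all():
        print(decision)
```

Of the three constructed events, only the active CRITICAL finding is routed: the LOW one fails the severity filter and the CLOSED one fails the status filter, so a closed finding (which Inspector emits when it verifies a remediation) never pages anyone. Filtering on status in the rule, rather than in the function, also keeps the Lambda from being invoked and billed for events it will discard.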

Getting Started: How to Enable Amazon Inspector

Before you activate Amazon Inspector, here are a few key considerations and steps to get started.

Things to Know Before Activating Amazon Inspector

  • Amazon Inspector is a Regional Service
    • Your data is stored in the AWS Region where you activate the service. If you plan to use Amazon Inspector in multiple Regions, repeat the activation steps for each one.
  • Service-Linked Roles
    • Amazon Inspector automatically creates two service-linked roles in IAM: AWSServiceRoleForAmazonInspector2 and AWSServiceRoleForAmazonInspector2Agentless.
    • These roles allow Amazon Inspector to perform security assessments.
  • Administrator Permissions Required
    • Only IAM identities with administrator permissions can enable Amazon Inspector. Use dedicated IAM users or AWS IAM Identity Center to ensure secure access, and consider applying the AmazonInspectorFullAccess managed policy.
  • Hybrid Scanning is Enabled by Default
    • Both agent-based and agentless scanning methods are automatically applied to all eligible Amazon EC2 instances.
  • ECR and Lambda Scanning
    • Scanning for Amazon ECR and Lambda functions doesn’t require the SSM agent, but agent-based scanning for EC2 instances does. Most AMIs already include the SSM agent, but you may need to activate it manually in some cases.

Steps to Enable Amazon Inspector

Depending on your setup, follow these instructions for either a standalone account or a multi-account environment.

For a Standalone Account

  1. Sign In: Access the Amazon Inspector console with your credentials.
  2. Get Started: Select Get Started in the console.
  3. Activate: Click Activate Amazon Inspector to start scanning.

By default, all scan types are enabled for standalone accounts.

For a Multi-Account Environment

If you’re managing multiple AWS accounts through AWS Organizations:

  1. Sign In to AWS Organizations: Use the Amazon Inspector console from the management account.
  2. Delegate an Administrator:
    • Enter the 12-digit account ID of the account to designate as the delegated administrator.
    • Click Delegate, and confirm the action.
  3. Activate: Once the delegated administrator is set up, activate Amazon Inspector for the organization.
Note: Ensure you have the necessary permissions and are in the same organization as the accounts to be managed.

Amazon Inspector Vulnerability Scanning

Amazon Inspector leverages a specialized scanning engine to continuously monitor your AWS resources for software vulnerabilities and unintended network exposure. When an issue is identified, it generates a finding, which includes detailed information about the detected vulnerability or exposure.

Automatic Enrollment in Scanning

When you activate Amazon Inspector for the first time, your account is automatically enrolled in all available scan types. These scan types include:

  • Amazon EC2 Scanning: Detects vulnerabilities in your EC2 instances.
  • Amazon ECR Scanning: Monitors container images stored in Amazon Elastic Container Registry.
  • Lambda Standard Scanning: Identifies vulnerabilities in AWS Lambda functions.

Overview of Amazon Inspector Scan Types

Amazon Inspector provides various scan types tailored to specific AWS resources. Here's a breakdown of the available scan types:

Amazon EC2 Scanning

Source: Automated Vulnerability Management for Cloud Workloads with Amazon Inspector

When you enable EC2 scanning, Amazon Inspector evaluates your EC2 instances for:

  • Common Vulnerabilities and Exposures (CVEs)
  • Package Vulnerabilities: Operating system and programming language dependencies.
  • Network Issues: Reachability and exposure problems.

Scanning is performed using either the SSM agent installed on instances or Amazon EBS snapshots. By default, Amazon EC2 scanning activates hybrid scanning mode, which combines agent-based and agentless approaches for maximum coverage.

Amazon ECR Scanning

Source: Guidance for Container Runtime Security with Amazon Inspector

With ECR scanning enabled, Amazon Inspector automatically upgrades all repositories in your private registry from Basic Scanning to Enhanced Scanning with continual monitoring. Key details include:

  • Scan Options: Configure to scan on image push, monitor specific repositories using inclusion rules, or both.
  • Coverage Window: Images pushed within the last 30 days or pulled in the past 90 days are scanned initially. Continuous monitoring of images lasts 90 days by default, adjustable as needed.

Lambda Standard Scanning

Source: Amazon Inspector for AWS Lambda Functions

Lambda standard scanning identifies vulnerabilities in your deployed Lambda functions and their layers. It operates by:

  • Automatically discovering and scanning new functions and layers upon deployment.
  • Rescanning whenever functions are updated or when new CVEs are published.

Lambda Standard Scanning + Lambda Code Scanning

This option combines standard Lambda scanning with code scanning for a more in-depth analysis. While standard scanning detects vulnerabilities in your function layers and dependencies, Lambda code scanning focuses on your custom application code, scanning for vulnerabilities within the code itself. Both scan types must be activated together for this feature.

CIS Benchmark Scanning in Amazon Inspector

Amazon Inspector includes CIS Benchmark Scans, which evaluate the configuration of your Amazon EC2 instances against industry best practices established by the Center for Internet Security (CIS). These benchmarks provide standardized guidelines to ensure your systems are securely configured.

How CIS Scans Work:

  • CIS scans are available after enabling EC2 scanning in Amazon Inspector.
  • Scans target EC2 instances based on tags and a defined scanning schedule.
  • Amazon Inspector performs a series of checks for each instance to determine if its configuration meets specific CIS recommendations.

Each check is tied to a CIS check ID and title that corresponds to a benchmark recommendation. When a scan is completed, the results highlight which checks were passed, skipped, or failed, allowing you to pinpoint areas for improvement in your system configuration.

CIS scans provide a reliable way to validate that your EC2 instances meet recognized security standards.

SBOM Support in Amazon Inspector

A Software Bill of Materials (SBOM) is a detailed inventory of the software components in your workloads. Amazon Inspector allows you to export SBOMs for supported resources, excluding Windows EC2 instances, directly to Amazon S3. These exports use industry-standard formats like CycloneDX and SPDX, making it easier to manage and track software components across your organization.

Source: Export a Software Bill of Materials using Amazon Inspector
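To show what "tracking software components across your organization" looks like once the exports land in S3, here is an added example (not Amazon Inspector's code) that parses both formats the page names, CycloneDX and SPDX JSON, and builds a package-to-resources index across several exports, so that when a new CVE names a package you can answer "which workloads carry it" from the SBOMs alone. The two documents are constructed and reduced to the fields an inventory needs; the field names follow the public CycloneDX 1.4 and SPDX 2.3 JSON schemas, while the resource ids, package versions and the numeric-only version comparison are this example's assumptions.

```python
"""Indexing exported SBOMs by package (added example, not Inspector code).

Inspector writes one SBOM per resource to S3 in CycloneDX or SPDX JSON. Here the
exports are constructed inline; in practice you would json.load() them from S3.
"""
import re
from collections import defaultdict

# Constructed CycloneDX 1.4 export for one EC2 instance (the purl identifies the package).
CYCLONEDX_DOC = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "purl": "pkg:deb/ubuntu/openssl@3.0.7?arch=amd64"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
    ],
}

# Constructed SPDX 2.3 export for one container image.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.7",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/openssl@3.0.7?arch=amd64"}]},
        {"name": "log4j-core", "versionInfo": "2.17.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    ],
}

# (resource id, exported document) pairs; the ids are placeholders.
EXPORTS = [
    ("i-0123456789abcdef0", CYCLONEDX_DOC),
    ("ecr:app:1.0", SPDX_DOC),
]


def components(doc):
    """Yield (name, version, purl) from a CycloneDX or SPDX JSON document."""
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            yield c["name"], c.get("version"), c.get("purl")
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            yield p["name"], p.get("versionInfo"), purl
    else:
        raise ValueError("unrecognised SBOM format")


def build_index(exports):
    """Map (package name, version) -> sorted list of resource ids across all exports."""
    index = defaultdict(set)
    for resource_id, doc in exports:
        for name, version, _purl in components(doc):
            index[(name, version)].add(resource_id)
    return {key: sorted(ids) for key, ids in index.items()}


def _version_key(version):
    # Assumption for the demo: order by the numeric fields only. Real distro
    # version strings (epochs, "~rc", "+deb12u1") need a proper comparator.
    return tuple(int(x) for x in re.findall(r"\d+", version))


def affected_resources(index, name, fixed_in=None):
    """Resources carrying `name` below version `fixed_in` (every version if None)."""
    hits = set()
    for (pkg, version), resources in index.items():
        if pkg != name:
            continue
        if fixed_in is None or (version and _version_key(version) < _version_key(fixed_in)):
            hits.update(resources)
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(EXPORTS)
    for (pkg, ver), ids in sorted(idx.items()):
        print(f"{pkg} {ver}: {', '.join(ids)}")
    print("openssl < 3.0.8 on:", affected_resources(idx, "openssl", "3.0.8"))
```

Because the index is keyed by name and version rather than by resource, the question a new advisory poses ("who runs this package below the fixed version?") is a single lookup, and it works the same for an EC2 instance exported as CycloneDX and a container image exported as SPDX. Inspector will raise its own findings for such a package once the CVE is published; the export lets you answer the question before that, or for resources Inspector no longer monitors.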

Understanding the Differences Between Amazon Inspector and Other AWS Security Services

AWS offers a variety of security services, each designed to address specific needs. This can sometimes lead to confusion about which service to use for what purpose. Below, we’ll break down the differences between Amazon Inspector and other AWS security services to help you better understand their roles.

Amazon Inspector vs. Amazon GuardDuty

  • Amazon Inspector: Focuses on vulnerability management by scanning resources like EC2 instances, ECR container images, and Lambda functions for software vulnerabilities and unintended network exposure. It provides detailed findings along with remediation steps.
  • Amazon GuardDuty: Focuses on threat detection by analyzing AWS logs (CloudTrail, VPC Flow Logs, DNS logs) to identify malicious activity, such as unauthorized access, compromised credentials, or data exfiltration attempts.

Amazon Inspector vs. AWS Trusted Advisor

  • Amazon Inspector: Specifically scans for vulnerabilities and exposure risks in your AWS resources, providing actionable findings for remediation.
  • AWS Trusted Advisor: Acts as a best practices advisor, offering recommendations to optimize security, performance, cost, and fault tolerance. For example, it highlights S3 buckets without encryption or IAM roles with overly permissive policies.

Amazon Inspector vs. Amazon Detective

  • Amazon Inspector: Focuses on proactive vulnerability detection, helping you identify weaknesses in your AWS resources before they are exploited.
  • Amazon Detective: Works reactively, analyzing logs and events to help investigate and respond to security incidents. It connects the dots between AWS resources and events to provide context for ongoing or past attacks.

Amazon Inspector vs. Amazon Macie

  • Amazon Inspector: Ensures the security of your AWS resources by identifying software vulnerabilities and network exposure risks.
  • Amazon Macie: Specializes in data security, focusing on identifying sensitive data (e.g., PII, financial information) in S3 buckets and monitoring for potential data leaks or unauthorized access.

This comparison simplifies the distinctions between these AWS security services, helping you confidently select the one that best suits your needs—whether for vulnerability scanning, threat detection, data security, or incident investigation.

Amazon Inspector Pricing

Free Trial

Amazon Inspector offers a 15-day free trial for new accounts, allowing you to evaluate the service and estimate its costs before committing to paid usage. During the trial period, the following features are included at no cost:

  • Continual Scanning: Eligible Amazon EC2 instances, AWS Lambda functions, and container images in Amazon ECR are scanned continuously.
  • On-Demand Container Image Scanning: For CI/CD workflows, the trial includes a one-time free allowance of 25 image assessments per account.
Note: CIS Benchmark assessments are not covered under the free trial.

Additionally, the Amazon Inspector console provides insights into your estimated spending, including organization-wide aggregated costs in the central administrator account. This feature allows you to understand the financial impact of using Amazon Inspector for automated and continuous vulnerability scans across EC2 instances, ECR repositories, and Lambda functions before transitioning to paid usage.

Billing Components Breakdown

Amazon Inspector's pricing is based on the type of scans performed and the resources scanned. Here's an overview of the costs associated with the service:

Note: All pricing examples provided here reflect the rates billed in the US East (N. Virginia) (us-east-1) Region. Pricing may vary by region.

EC2 Scanning

Amazon Inspector scans EC2 instances for vulnerabilities and network exposure using both agent-based and agentless methods:

  • SSM Agent-Based Scanning: $1.2528 per instance per month.
  • Agentless Scanning: $1.7496 per instance per month.

CIS Benchmark Assessments

For operating systems in EC2 instances, CIS Benchmark assessments cost:

  • $0.03 per assessment per instance.

ECR Container Image Scanning

Scanning container images in Amazon ECR includes:

  • Initial On-Push Scanning: $0.09 per image.
  • Automated Rescans: $0.01 per rescan for images configured for continuous scanning.

On-Demand Container Image Scanning

For CI/CD workflows or other one-time scans:

  • $0.03 per container image.

Lambda Function Scanning

Amazon Inspector supports two types of Lambda function scans:

  1. Lambda Standard Scanning:
    • $0.30 per Lambda function per month.
  2. Lambda Standard and Code Scanning Combined:
    • $0.30 + $0.60 = $0.90 per Lambda function per month.

For more information, please visit the Amazon Inspector Pricing Page.

Conclusion

Amazon Inspector is a key AWS service for vulnerability management, designed to identify and address security risks in EC2 instances, ECR container images, and Lambda functions. Its features, such as continuous scanning, CIS Benchmark evaluations, and SBOM generation, provide essential tools to improve your cloud security.

By integrating with other AWS services and offering flexible pricing, Amazon Inspector helps organizations strengthen their security posture without adding complexity. Whether scanning for vulnerabilities or ensuring secure configurations, it is a reliable solution for maintaining a secure AWS environment.
