Security

Automated Vulnerability Scanning with Amazon Inspector - Continuous Security Assessment for EC2, Lambda, and ECR

Automatically scan EC2 instances, ECR container images, and Lambda functions for vulnerabilities and prioritize them with CVE-based risk scores. Learn how to achieve agentless scanning through Systems Manager integration.

約 4 分で読めます

Overview of Inspector

Amazon Inspector is a security assessment service that automatically scans EC2 instances, ECR container images, and Lambda functions for vulnerabilities. Inspector v2 was significantly redesigned from v1 - simply enabling it automatically discovers target resources and runs continuous scans. It cross-references the CVE (Common Vulnerabilities and Exposures) database and assigns a risk score (Inspector score) to each detected vulnerability. The Inspector score goes beyond the CVSS base score by incorporating network reachability and exploit availability into a contextual score, enabling prioritization based on actual risk. While GuardDuty specializes in runtime threat detection, Inspector focuses on proactive vulnerability discovery.

Scan Targets and Detection Methods

EC2 instance scanning runs through the Systems Manager (SSM) agent. Instances with the SSM agent installed are automatically included as scan targets, detecting OS package vulnerabilities (Amazon Linux, Ubuntu, Windows, etc.). Agentless scanning is also available, enabling EBS snapshot-based scanning without the SSM agent. ECR container image scanning runs on image push and through periodic rescans. It detects vulnerabilities in both base image OS packages and programming language packages (npm, pip, Maven, etc.). Lambda function scanning runs at deployment time and periodically, detecting vulnerabilities in packages that function code depends on.

Managing Findings and Integrations

Detected vulnerabilities are displayed in the Inspector console dashboard, showing risk scores, affected resources, and remediation guidance. Suppression rules let you hide accepted vulnerabilities or false positives so you can focus on findings that need attention. Integration with Security Hub lets you manage Inspector findings alongside findings from other security services (GuardDuty, Macie, Config) in a unified view. EventBridge integration lets you trigger SNS notifications or Lambda functions when Critical or High vulnerabilities are detected, enabling automated remediation workflows. Organizations integration lets a delegated administrator account centrally manage Inspector across all member accounts, providing visibility into the vulnerability posture of the entire organization. For hands-on guidance on security assessment practices, related books on Amazon are also helpful.

Inspector Pricing

Inspector pricing varies by scanned resource type. EC2 instance scanning costs approximately $1.2528 per instance per month. ECR container image initial scanning costs approximately $0.09 per image, and rescanning costs approximately $0.01 per image. Lambda function scanning costs approximately $0.30 per function per month. A free trial provides full access to all features for 15 days after activation. When enabling across all accounts with Organizations, estimate costs in advance based on account count multiplied by resource count.

Summary

Amazon Inspector is a security assessment service that automatically detects vulnerabilities in EC2, ECR, and Lambda and prioritizes them with context-based risk scores. It supports both SSM agent integration and agentless scanning, and automates the workflow from detection to remediation through Security Hub and EventBridge integration.

Related Services

Amazon InspectorA service that automatically scans EC2 instances, container images, and Lambda functions for vulnerabilitiesAmazon ECRA fully managed registry for securely storing, managing, and distributing Docker container imagesAWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practices

Related Articles

Threat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident ResponseLearn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.Amazon ECR Container Image Management - Lifecycle Policies and Image ScanningLearn how to automatically clean up old images with private repository lifecycle policies and detect vulnerabilities with image scanning.Automated Sensitive Data Discovery with Amazon Macie - PII Scanning and Data Protection for S3 BucketsLearn how Amazon Macie automatically discovers sensitive data (PII, financial information, credentials) in S3 buckets and how to build a data protection strategy based on the findings.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Amazon InspectorA security assessment service that automatically and continuously scans EC2 instances, Lambda functions, and container images for vulnerabilitiesVulnerability Assessment and Threat Detection - Continuous Security Monitoring with Amazon Inspector and GuardDutyLearn how to design and operate vulnerability assessment and threat detection using Amazon Inspector and Amazon GuardDuty.Amazon ECR Container Image Management - Lifecycle Policies and Image ScanningLearn how to automatically clean up old images with private repository lifecycle policies and detect vulnerabilities with image scanning.Centralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated ResponseAggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.