Vulnerability Assessment and Threat Detection - Continuous Security Monitoring with Amazon Inspector and GuardDuty
Learn how to design and operate vulnerability assessment and threat detection using Amazon Inspector and Amazon GuardDuty.
The Importance of Vulnerability Assessment in Cloud Security
Maintaining cloud security requires early detection of vulnerabilities and continuous threat monitoring. New software vulnerabilities are discovered daily, with over 20,000 new entries registered in the CVE (Common Vulnerabilities and Exposures) database each year. In an on-premises environment you typically deploy a vulnerability scanner such as Nessus or Qualys and then manage scan schedules, analyze results, and prioritize patching by hand. AWS provides two managed security services, Amazon Inspector and Amazon GuardDuty, that automate these two distinct jobs: Inspector continuously scans workloads for known vulnerabilities, while GuardDuty monitors account and network activity across your AWS environment for signs of active compromise. Used together they cover both preventive security (eliminating vulnerabilities before they are exploited) and detective security (discovering threats that got through).
Continuous Vulnerability Scanning with Amazon Inspector
Amazon Inspector is a service that automatically and continuously scans EC2 instances, Lambda functions, and container images in Amazon ECR for vulnerabilities. Unlike traditional periodic scans, Inspector re-evaluates resources whenever its vulnerability database is updated with a newly published CVE (and whenever a resource itself changes), so affected resources surface without waiting for the next scheduled scan. For EC2 instances it inventories both OS packages and programming-language packages and reports, for each finding, the CVE's CVSS score together with an Inspector score: the CVSS base score adjusted for the resource's actual context, chiefly whether the vulnerable service is reachable from the internet. Each finding also carries an exploit-availability flag and a fix-availability flag (whether a patched package version exists), which together give a more practical ordering than raw CVSS severity alone. For ECR, images are scanned as they are pushed, so a CI/CD pipeline can gate deployment on the scan result. Here is an example of listing the active CRITICAL findings with the AWS CLI, highest Inspector score first:

```bash
# Active CRITICAL findings, highest Inspector score first
aws inspector2 list-findings \
  --filter-criteria '{"severity": [{"comparison": "EQUALS", "value": "CRITICAL"}], "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}' \
  --sort-criteria '{"field": "INSPECTOR_SCORE", "sortOrder": "DESC"}' \
  --region ap-northeast-1
```

Microsoft Defender for Cloud's built-in vulnerability scanning has traditionally relied on a scanning agent (the integrated Qualys scanner) that you deploy and maintain. Inspector instead drives EC2 scans through the SSM Agent that ships preinstalled on Amazon-provided AMIs, so no separate vulnerability-scanning agent has to be rolled out; for instances where the SSM Agent is absent or not working, Inspector can fall back to agentless scanning of EBS snapshots (hybrid scan mode). Note that "agentless" here means no additional software, not that the SSM Agent is optional for the full package inventory.
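The prioritization described above (exploit available, then fix available, then Inspector score) is easy to get wrong if you sort on CVSS severity alone. The following is an added example, not AWS code and not code from the original page: it takes finding dicts in the shape returned by `aws inspector2 list-findings` (the items of its "findings" array, using only the fields shown), ranks the active ones for remediation, and builds the per-instance package list that a Patch Manager run would need. The sample findings are constructed; the ARNs, instance IDs, package names and the CVE-0000-000N identifiers are placeholders, not real vulnerabilities.

```python
"""Rank Amazon Inspector findings for remediation.

Added example, not AWS code. Works on dicts shaped like the items of the
"findings" array returned by `aws inspector2 list-findings`. All sample data
below is constructed; CVE-0000-000N IDs are placeholders, not real CVEs.
"""
from __future__ import annotations

from typing import Any, Optional


def _sample(suffix: str, status: str, severity: str, score: float, exploit: str,
            fix: str, epss: float, pkg: str, fixed: Optional[str], instance: str) -> dict[str, Any]:
    """Build one constructed finding in the inspector2 list-findings shape."""
    package: dict[str, Any] = {"name": pkg, "version": "1.0.0", "packageManager": "OS"}
    if fixed:
        package["fixedInVersion"] = fixed
    return {
        "findingArn": f"arn:aws:inspector2:ap-northeast-1:111122223333:finding/{suffix}",
        "status": status,                 # ACTIVE, SUPPRESSED or CLOSED
        "type": "PACKAGE_VULNERABILITY",
        "severity": severity,             # vendor severity band
        "inspectorScore": score,          # CVSS adjusted for network reachability
        "exploitAvailable": exploit,      # "YES" / "NO"
        "fixAvailable": fix,              # "YES" / "NO" / "PARTIAL"
        "epss": {"score": epss},          # probability of exploitation in 30 days
        "packageVulnerabilityDetails": {
            "vulnerabilityId": f"CVE-0000-{suffix}",  # placeholder identifier
            "vulnerablePackages": [package],
        },
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": instance}],
    }


# Constructed sample set: three ACTIVE findings across two instances plus one
# finding Inspector has already CLOSED because a rescan no longer saw it.
SAMPLE_FINDINGS: list[dict[str, Any]] = [
    # critical CVSS, but no known exploit and no fix shipped yet
    _sample("0001", "ACTIVE", "CRITICAL", 9.8, "NO", "NO", 0.004, "libalpha", None, "i-0aaaaaaaaaaaaaaaa"),
    # high, exploited in the wild, fix available
    _sample("0002", "ACTIVE", "HIGH", 8.1, "YES", "YES", 0.62, "libbeta", "1.0.1", "i-0bbbbbbbbbbbbbbbb"),
    # critical, exploited, fixable, on the same instance as the first
    _sample("0003", "ACTIVE", "CRITICAL", 9.1, "YES", "YES", 0.91, "libgamma", "1.0.4", "i-0aaaaaaaaaaaaaaaa"),
    # already patched: must not be scheduled again
    _sample("0004", "CLOSED", "HIGH", 7.5, "YES", "YES", 0.30, "libdelta", "1.0.2", "i-0bbbbbbbbbbbbbbbb"),
]


def priority_key(finding: dict[str, Any]) -> tuple[bool, bool, float, float]:
    """Sort key; a larger tuple means more urgent.

    Exploitable findings first, then those you can actually fix today, then
    the context-adjusted Inspector score, with EPSS as the tie-breaker.
    """
    exploitable = finding.get("exploitAvailable") == "YES"
    fixable = finding.get("fixAvailable") in ("YES", "PARTIAL")
    score = float(finding.get("inspectorScore", 0.0))
    epss = float(finding.get("epss", {}).get("score", 0.0))
    return (exploitable, fixable, score, epss)


def prioritize(findings: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return ACTIVE findings only, most urgent first."""
    active = [f for f in findings if f.get("status") == "ACTIVE"]
    return sorted(active, key=priority_key, reverse=True)


def patch_targets(findings: list[dict[str, Any]]) -> dict[str, dict[str, str]]:
    """Map instance ID -> {package: fixed version} for findings with a shipped fix.

    This is the work list to hand to Systems Manager Patch Manager; findings
    without a fixedInVersion are left for mitigation rather than patching.
    """
    targets: dict[str, dict[str, str]] = {}
    for finding in prioritize(findings):
        details = finding.get("packageVulnerabilityDetails", {})
        for pkg in details.get("vulnerablePackages", []):
            fixed = pkg.get("fixedInVersion")
            if not fixed:
                continue
            for res in finding.get("resources", []):
                if res.get("type") == "AWS_EC2_INSTANCE":
                    targets.setdefault(res["id"], {})[pkg["name"]] = fixed
    return targets


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f["findingArn"].rsplit("/", 1)[1], priority_key(f))
    print(patch_targets(SAMPLE_FINDINGS))
```

Run against a real account by replacing `SAMPLE_FINDINGS` with the `findings` array from `list-findings` (paginate with `--starting-token` or boto3's paginator). The ordering puts the 9.1 exploited-and-fixable finding ahead of the 9.8 one with neither exploit nor fix, which is the point of the Inspector score and exploit flag: severity alone would have inverted that.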
Threat Detection and Incident Response with Amazon GuardDuty
Amazon GuardDuty is a service that uses machine learning, anomaly detection, and threat intelligence feeds to detect malicious activity and unauthorized behavior in your AWS environment. It analyzes VPC Flow Logs, CloudTrail management and data events, and Route 53 DNS query logs from its own copies of those data sources, so it starts working as soon as it is enabled: you do not need to turn on those logs yourself or build any collection or analysis infrastructure. Finding types cover cryptocurrency mining, API calls from known malicious or anonymizing IP addresses, credential and data exfiltration, and communication with command-and-control infrastructure. Each finding carries a numeric severity mapped to Low, Medium, or High (a Critical band is reserved for the most serious findings), and findings can be forwarded to Security Hub for centralized management. GuardDuty Malware Protection for EC2 scans the EBS volumes attached to an instance when GuardDuty observes activity indicating malware, without installing anything on the instance. GuardDuty EKS Protection analyzes Kubernetes audit logs to detect container-specific threats. Because every finding is also published as an EventBridge event, you can attach automated response actions, such as swapping an instance's security groups for an isolation group or attaching a deny-all policy to a compromised IAM principal, implemented as Lambda functions.
Integrated Operations with Inspector and GuardDuty
Combining Inspector and GuardDuty gives you integrated operations that unify vulnerability management and threat detection. Vulnerability findings from Inspector and threat findings from GuardDuty are aggregated in AWS Security Hub, which normalizes them into the AWS Security Finding Format (ASFF) and provides prioritization and dashboard views across both. A practical operational flow is: when Inspector reports a high-risk vulnerability that has a fix available, use Systems Manager Patch Manager to apply it; when GuardDuty reports a threat, use an EventBridge rule to invoke a Lambda function that isolates the affected resource. Below is an EventBridge event pattern that routes active Inspector CRITICAL findings to an SNS topic. The `status` filter stops the rule from firing a second time when the finding is closed after patching.

```json
{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Finding"],
  "detail": {
    "severity": ["CRITICAL"],
    "status": ["ACTIVE"]
  }
}
```

Integration with AWS Organizations extends this to multi-account environments: a delegated administrator account enables both services across member accounts and aggregates their Inspector scan results and GuardDuty findings. Microsoft Defender for Cloud also offers integrated management; the AWS-specific advantage is that ASFF normalization in Security Hub lets third-party tools produce and consume findings in the same format as the native services.
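The GuardDuty-to-EventBridge-to-Lambda isolation flow mentioned in the previous two sections is where most of the operational risk sits: an over-eager rule takes production instances off the network on a Low-severity finding, and a sloppy one leaves no way to roll back. The following is an added example, not AWS code and not code from the original page. It is written as a Lambda handler for a rule matching source `aws.guardduty` and detail-type `GuardDuty Finding`. It assumes (not stated on the page) that a pre-created quarantine security group with no inbound or outbound rules is named by the environment variable `QUARANTINE_SG_ID`, and that the list of finding-type prefixes that justify automatic isolation is a deployment choice. The sample event is constructed; the finding type `CryptoCurrency:EC2/BitcoinTool.B!DNS` is a real GuardDuty finding type, but the IDs are placeholders. A fake EC2 client stands in for boto3 so the example runs offline.

```python
"""Automated containment of an EC2 instance from a GuardDuty finding.

Added example, not AWS code. Shaped as a Lambda handler behind an EventBridge
rule for source "aws.guardduty" / detail-type "GuardDuty Finding".
Assumptions: env var QUARANTINE_SG_ID (name chosen here) points at a security
group with no rules; ISOLATE_PREFIXES is this deployment's own policy.
"""
from __future__ import annotations

import os
from typing import Any, Optional

# Finding-type prefixes that justify isolating the instance without a human in
# the loop. Everything else is returned as "none" for a person to triage.
ISOLATE_PREFIXES = (
    "CryptoCurrency:EC2/",
    "Backdoor:EC2/",
    "Trojan:EC2/",
    "UnauthorizedAccess:EC2/",
)
# GuardDuty severity is numeric; 7.0 and above is the High band.
SEVERITY_THRESHOLD = 7.0


def should_isolate(detail: dict[str, Any]) -> tuple[bool, str]:
    """Decide whether a finding's `detail` block warrants automatic isolation."""
    if detail.get("resource", {}).get("resourceType") != "Instance":
        return False, "finding is not about an EC2 instance"
    if float(detail.get("severity", 0)) < SEVERITY_THRESHOLD:
        return False, "severity below threshold"
    ftype = detail.get("type", "")
    if not ftype.startswith(ISOLATE_PREFIXES):
        return False, f"finding type {ftype} not in auto-isolate list"
    return True, "ok"


def current_security_groups(ec2: Any, instance_id: str) -> list[str]:
    """Return the instance's current security group IDs so they can be restored."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    return [sg["GroupId"] for sg in instance["SecurityGroups"]]


def isolate_instance(ec2: Any, instance_id: str, quarantine_sg: str, finding_id: str) -> list[str]:
    """Replace the primary ENI's security groups with the quarantine group.

    The previous groups are recorded in tags so the isolation is reversible
    and the finding that triggered it is visible on the instance.
    """
    previous = current_security_groups(ec2, instance_id)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[
            {"Key": "SecurityQuarantine", "Value": finding_id},
            {"Key": "PreviousSecurityGroups", "Value": ",".join(previous)},
        ],
    )
    return previous


def handler(event: dict[str, Any], context: Any = None,
            ec2: Any = None, quarantine_sg: Optional[str] = None) -> dict[str, Any]:
    """Lambda entry point. `ec2` and `quarantine_sg` are injectable for testing."""
    detail = event["detail"]
    ok, reason = should_isolate(detail)
    if not ok:
        return {"action": "none", "reason": reason, "findingId": detail.get("id")}
    instance_id = detail["resource"]["instanceDetails"]["instanceId"]
    if ec2 is None:
        import boto3  # only needed inside Lambda; not imported for the offline demo
        ec2 = boto3.client("ec2")
    quarantine_sg = quarantine_sg or os.environ["QUARANTINE_SG_ID"]
    previous = isolate_instance(ec2, instance_id, quarantine_sg, detail["id"])
    return {"action": "isolated", "instanceId": instance_id,
            "previousGroups": previous, "findingId": detail["id"]}


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client so the example runs offline."""

    def __init__(self, groups: list[str]) -> None:
        self.groups = list(groups)
        self.calls: list[tuple[Any, ...]] = []

    def describe_instances(self, InstanceIds: list[str]) -> dict[str, Any]:
        sgs = [{"GroupId": g, "GroupName": g} for g in self.groups]
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0], "SecurityGroups": sgs}]}]}

    def modify_instance_attribute(self, InstanceId: str, Groups: list[str]) -> dict[str, Any]:
        self.calls.append(("modify_instance_attribute", InstanceId, list(Groups)))
        self.groups = list(Groups)
        return {}

    def create_tags(self, Resources: list[str], Tags: list[dict[str, str]]) -> dict[str, Any]:
        self.calls.append(("create_tags", list(Resources), Tags))
        return {}


# Constructed sample event in the EventBridge "GuardDuty Finding" shape.
SAMPLE_EVENT: dict[str, Any] = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "ap-northeast-1",
    "detail": {
        "schemaVersion": "2.0",
        "id": "example-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


def demo() -> tuple[dict[str, Any], FakeEC2]:
    """Run the handler against the sample event with the fake client."""
    ec2 = FakeEC2(["sg-web", "sg-ssh"])
    return handler(SAMPLE_EVENT, ec2=ec2, quarantine_sg="sg-quarantine"), ec2


if __name__ == "__main__":
    print(demo()[0])
```

Two caveats for a real deployment: `ModifyInstanceAttribute` with `Groups` only changes the primary network interface, so instances with additional ENIs need `modify_network_interface_attribute` per interface; and the function's role needs only `ec2:DescribeInstances`, `ec2:ModifyInstanceAttribute` and `ec2:CreateTags`, ideally conditioned on tags so the responder cannot be turned against arbitrary instances.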
Inspector and GuardDuty Pricing
The figures below are list prices in US regions at the time of writing and vary by region. Inspector EC2 scanning costs approximately $1.258 per instance per month (billed per hour the instance is scanned, so short-lived instances cost less), ECR container image scanning costs approximately $0.09 per image for the initial scan plus approximately $0.01 per re-scan, and Lambda standard scanning costs approximately $0.30 per function per month. GuardDuty charges approximately $4.00 per million CloudTrail management events analyzed and approximately $1.00 per GB of VPC Flow Log and DNS log data, with volume tiers that lower the unit price. GuardDuty offers a 30-day free trial and Inspector a 15-day free trial, which is enough to measure actual usage before committing.
Summary - Building Continuous Security Monitoring
Inspector's continuous vulnerability scanning and its context-adjusted Inspector score, exploit-availability and fix-availability flags let you work through vulnerabilities in a practical order rather than by CVSS severity alone. GuardDuty's machine learning and threat-intelligence-based detection catches threats that are difficult to express as static rules. Combining Security Hub for integrated management with EventBridge-driven automated remediation significantly reduces the time from detection to response, provided the automated actions are scoped and reversible. Compared to Microsoft Defender for Cloud, Inspector's strengths are re-evaluation whenever a new CVE is published and scanning through the SSM Agent already present on AWS AMIs (or agentless EBS snapshot scanning where it is not), while GuardDuty's is detection that requires no rule authoring.