Amazon Inspector

A security assessment service that automatically and continuously scans EC2 instances, Lambda functions, and container images for vulnerabilities

Overview

Amazon Inspector is a security service that automatically detects software vulnerabilities and network exposure in AWS workloads. It continuously scans EC2 instance OS packages, Lambda function dependency libraries, and ECR container image packages for known CVEs (Common Vulnerabilities and Exposures). When a new CVE is published, Inspector automatically rescans existing resources and immediately identifies the ones affected. Findings are classified by severity (Critical, High, Medium, Low) and can be aggregated in Security Hub for centralized management.

Three Scan Targets - EC2, Lambda, and ECR - and How Detection Works

Inspector scanning covers three distinct targets, each with its own detection mechanism. EC2 scanning collects OS package information via the SSM Agent and cross-references it against the CVE database to identify known vulnerabilities. Agentless scanning is also available: it analyzes EBS snapshots, so instances without the SSM Agent installed can still be scanned. Lambda scanning detects vulnerabilities in the dependency libraries included in a function's deployment package (Python packages from pip, Node.js packages from npm, and so on), a capability that sets Inspector apart, since most competing vulnerability scanners lack serverless function coverage. ECR scanning runs automatically on image push and again whenever new CVEs are published, so container images stay assessed against the latest threat data. Inspector automatically discovers target resources and begins scanning as soon as it is activated; no per-resource scan configuration is required.
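The matching step described above, as an added example that is not Inspector's own code: a package inventory of the kind the SSM Agent reports from an EC2 host (or that Inspector extracts from a Lambda deployment package or an ECR image) is cross-referenced against a list of advisories, and a "new CVE published" rescan is modelled by checking one new advisory against every existing resource. All package names, versions and "CVE-XXXX-nnnn" identifiers are constructed placeholders, and the version comparison is deliberately simplified.

```python
"""Toy model of how Inspector matches a package inventory against CVE advisories.

Added example, not Inspector's own code. Each Resource carries the kind of
package list the SSM Agent reports from an EC2 host (or that Inspector
extracts from a Lambda deployment package or an ECR image), and each
Advisory says which package versions a CVE affects. All names, versions and
"CVE-XXXX-nnnn" identifiers below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    ecosystem: str  # "rpm" for OS packages, "pip" for Python, "npm" for Node.js
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    ecosystem: str
    package: str
    fixed_in: str   # first version that carries the fix; anything older is affected
    severity: str


@dataclass(frozen=True)
class Resource:
    resource_type: str  # AWS_EC2_INSTANCE, AWS_LAMBDA_FUNCTION or AWS_ECR_CONTAINER_IMAGE
    resource_id: str
    packages: tuple


def version_key(version: str, width: int = 4) -> tuple:
    """Turn "1.26.18" into (1, 26, 18, 0) so versions compare numerically.

    Only dotted numeric versions are handled; distro-style suffixes such as
    "-3.el9" or letter suffixes would need a real version parser.
    """
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def is_affected(pkg: Package, adv: Advisory) -> bool:
    return (pkg.ecosystem == adv.ecosystem
            and pkg.name == adv.package
            and version_key(pkg.version) < version_key(adv.fixed_in))


def scan(resources, advisories) -> dict:
    """Map resource_id -> list of (cve_id, package, installed version, severity)."""
    findings = {}
    for res in resources:
        hits = [(adv.cve_id, pkg.name, pkg.version, adv.severity)
                for pkg in res.packages
                for adv in advisories
                if is_affected(pkg, adv)]
        if hits:
            findings[res.resource_id] = hits
    return findings


def affected_resources(resources, new_advisory: Advisory) -> list:
    """Models the rescan Inspector runs when a new CVE is published:
    only the new advisory is checked, but against every existing resource."""
    return sorted(scan(resources, [new_advisory]))


# Constructed inventory: one resource of each scan target type.
FLEET = (
    Resource("AWS_EC2_INSTANCE", "i-0exampleinstance",
             (Package("rpm", "openssl", "3.0.2"), Package("rpm", "curl", "7.79.1"))),
    Resource("AWS_LAMBDA_FUNCTION", "order-processor",
             (Package("pip", "requests", "2.25.1"), Package("pip", "urllib3", "1.26.5"))),
    Resource("AWS_ECR_CONTAINER_IMAGE", "app-repo@sha256:PLACEHOLDER",
             (Package("npm", "lodash", "4.17.20"), Package("rpm", "openssl", "3.0.10"))),
)

# Constructed advisories; the CVE ids are placeholders, not real entries.
ADVISORIES = (
    Advisory("CVE-XXXX-0001", "rpm", "openssl", "3.0.8", "HIGH"),
    Advisory("CVE-XXXX-0002", "pip", "urllib3", "1.26.18", "MEDIUM"),
)
NEW_ADVISORY = Advisory("CVE-XXXX-0003", "npm", "lodash", "4.17.21", "CRITICAL")

if __name__ == "__main__":
    for rid, hits in scan(FLEET, ADVISORIES).items():
        print(rid, hits)
    print("rescan for", NEW_ADVISORY.cve_id, "->", affected_resources(FLEET, NEW_ADVISORY))
```

The ECR image in the inventory runs a patched openssl, so the first scan flags only the EC2 instance and the Lambda function; the later lodash advisory then picks up the image alone, which is the behaviour the rescan-on-publication feature gives you without touching any scan configuration.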

CI/CD Pipeline Integration and Finding Triage

The most effective use of Inspector is integrating it into CI/CD pipelines to catch vulnerabilities before deployment. The recommended approach is to have Inspector automatically scan images when they are pushed to ECR, and to halt the pipeline via EventBridge when Critical or High vulnerabilities are detected. This shift-left strategy prevents vulnerable code from reaching production. For finding triage, configuring suppression rules lets you filter out known false positives and findings that do not require action (such as instances running end-of-life software that are network-isolated), preventing alert fatigue for operations teams. For further reading, vulnerability management books (Amazon) are a helpful resource. Prioritize remediation by combining Inspector's severity rating with the CVSS score and whether the vulnerability has a known exploit in the wild.
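The pipeline gate and triage logic from this section, as an added example that is not AWS's code: an EventBridge rule pattern selects Inspector findings, and a Lambda-style handler applies suppression rules (modelled here as plain dicts rather than Inspector's own filter API), scores each finding from severity, CVSS base score and known-exploit status, and decides whether to halt the pipeline. The events are constructed; the field names used (`severity`, `exploitAvailable`, `packageVulnerabilityDetails.cvss[].baseScore`, `resources[].id`) are an assumption about the Inspector2 finding shape and should be checked against a real event before deployment.

```python
"""Pipeline gate for Inspector findings delivered through EventBridge.

Added example, not AWS's code. Suppression rules, scoring weights, channel
names and the sample events are constructed; Inspector finding field names
are an assumption and must be verified against a real event.
"""

# EventBridge rule pattern (real pattern syntax) that matches only Critical/High
# Inspector findings, so the gate Lambda is not invoked for every finding.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["CRITICAL", "HIGH"]},  # assumed field name
}

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed suppression rules: a finding that matches every key in a rule is dropped.
# This one models "EOL software on a network-isolated host, accepted risk".
SUPPRESSION_RULES = [
    {"vulnerabilityId": "CVE-XXXX-0100", "resourceId": "i-0isolatedbox"},
]


def is_suppressed(detail: dict, rules) -> bool:
    vuln_id = detail.get("packageVulnerabilityDetails", {}).get("vulnerabilityId")
    resource_ids = {r.get("id") for r in detail.get("resources", [])}
    for rule in rules:
        vuln_ok = rule.get("vulnerabilityId") in (None, vuln_id)
        res_ok = rule.get("resourceId") is None or rule["resourceId"] in resource_ids
        if vuln_ok and res_ok:
            return True
    return False


def max_cvss(detail: dict) -> float:
    """Highest CVSS base score attached to the finding, 0.0 if none."""
    cvss = detail.get("packageVulnerabilityDetails", {}).get("cvss", [])
    return max((float(c.get("baseScore", 0.0)) for c in cvss), default=0.0)


def priority(detail: dict) -> float:
    """Combine Inspector severity, CVSS base score and exploit availability into one number.

    Weights are constructed for illustration: severity dominates, CVSS breaks ties
    within a severity band, and a known public exploit adds a large fixed bonus.
    """
    score = SEVERITY_WEIGHT.get(detail.get("severity"), 0) * 10 + max_cvss(detail)
    if detail.get("exploitAvailable") == "YES":
        score += 20
    return round(score, 1)


def gate_decision(event: dict, rules=SUPPRESSION_RULES) -> dict:
    detail = event["detail"]
    if is_suppressed(detail, rules):
        return {"action": "ALLOW", "reason": "suppressed", "priority": 0.0}
    p = priority(detail)
    if detail.get("severity") in BLOCKING_SEVERITIES:
        return {"action": "BLOCK", "reason": f"{detail['severity']} finding", "priority": p}
    return {"action": "ALLOW", "reason": "below threshold", "priority": p}


def lambda_handler(event, context=None):
    # In a real deployment a BLOCK result would fail the CodePipeline job or
    # stop the execution; here the decision is simply returned.
    return gate_decision(event)


# Constructed events in the EventBridge envelope shape.
SAMPLE_EVENT = {
    "source": "aws.inspector2", "detail-type": "Inspector2 Finding",
    "detail": {
        "severity": "HIGH", "exploitAvailable": "YES",
        "title": "CVE-XXXX-0042 - libexample",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-XXXX-0042",
                                        "cvss": [{"baseScore": 8.1, "version": "3.1"}]},
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                       "id": "arn:aws:ecr:REGION:ACCOUNT:repository/app/sha256:PLACEHOLDER"}],
    },
}
SUPPRESSED_EVENT = {
    "source": "aws.inspector2", "detail-type": "Inspector2 Finding",
    "detail": {
        "severity": "CRITICAL", "exploitAvailable": "NO",
        "title": "CVE-XXXX-0100 - eol-package",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-XXXX-0100",
                                        "cvss": [{"baseScore": 9.8, "version": "3.1"}]},
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0isolatedbox"}],
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
    print(lambda_handler(SUPPRESSED_EVENT))
```

The suppression check runs before scoring so that an accepted-risk finding never reaches the block decision; passing `rules=[]` shows the same Critical finding blocking the pipeline once the suppression is withdrawn.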

Security Hub Integration and Organization-Wide Vulnerability Management

Inspector findings can be aggregated in Security Hub for centralized management alongside findings from GuardDuty, Macie, and other security services. This unified view lets security teams correlate vulnerabilities with active threats - for example, identifying an EC2 instance that has both a Critical CVE and suspicious network activity flagged by GuardDuty. Organizations integration enables centralized management of Inspector across all accounts from a delegated administrator account, with scanning automatically enabled for new accounts as they join the organization. Microsoft Defender for Cloud offers broader scan coverage across VMs, Azure SQL, and Kubernetes clusters, but Inspector's per-resource pricing (approximately $1.25 per EC2 instance and $0.30 per Lambda function per month) and automatic resource discovery make it straightforward to deploy at scale. A common operational setup routes Inspector findings through Security Hub to AWS Chatbot for Slack notifications, ensuring the right team is alerted based on the affected resource type and severity.
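The correlation and routing described above, as an added example that is not AWS's code: a constructed list of Security Hub findings (following the ASFF shape returned by `securityhub.get_findings`, with `ProductName`, `Severity.Label` and `Resources`, which is an assumption to verify) is indexed by resource, resources carrying both a Critical/High Inspector CVE and a GuardDuty finding are flagged first, and each alert is assigned a channel by resource type and severity. The AWS Chatbot to Slack hop itself is left out, and the routing table is constructed.

```python
"""Correlate Inspector and GuardDuty findings from Security Hub and route them.

Added example, not AWS's code. Findings, channel names and routing table are
constructed; the ASFF field names are an assumption to verify against real
get_findings output.
"""
from collections import defaultdict

# Constructed routing table keyed by (ASFF resource type, severity label).
ROUTES = {
    ("AwsEc2Instance", "CRITICAL"): "#sec-ec2-urgent",
    ("AwsEc2Instance", "HIGH"): "#sec-ec2",
    ("AwsEcrContainerImage", "CRITICAL"): "#sec-containers-urgent",
    ("AwsEcrContainerImage", "HIGH"): "#sec-containers",
    ("AwsLambdaFunction", "CRITICAL"): "#sec-serverless-urgent",
}
DEFAULT_ROUTE = "#sec-triage"


def index_by_resource(findings) -> dict:
    """Group findings per resource id, split by the product that raised them."""
    by_res = defaultdict(lambda: {"type": None, "inspector": [], "guardduty": []})
    for f in findings:
        for res in f.get("Resources", []):
            entry = by_res[res["Id"]]
            entry["type"] = res.get("Type")
            product = f.get("ProductName")
            if product == "Inspector":
                entry["inspector"].append(f)
            elif product == "GuardDuty":
                entry["guardduty"].append(f)
    return by_res


def correlated_resources(findings) -> list:
    """Resource ids that have a CRITICAL/HIGH Inspector CVE and at least one GuardDuty finding."""
    hot = []
    for rid, entry in index_by_resource(findings).items():
        serious_cve = any(f["Severity"]["Label"] in ("CRITICAL", "HIGH") for f in entry["inspector"])
        if serious_cve and entry["guardduty"]:
            hot.append(rid)
    return sorted(hot)


def route(finding: dict) -> str:
    res = finding["Resources"][0]
    return ROUTES.get((res["Type"], finding["Severity"]["Label"]), DEFAULT_ROUTE)


def build_alerts(findings) -> list:
    """One alert per finding, correlated (vulnerable AND under attack) resources first."""
    hot = set(correlated_resources(findings))
    alerts = []
    for f in findings:
        rid = f["Resources"][0]["Id"]
        alerts.append({"channel": route(f), "title": f["Title"],
                       "resource": rid, "correlated": rid in hot})
    alerts.sort(key=lambda a: (not a["correlated"], a["channel"]))
    return alerts


# Constructed ASFF-style findings; resource ids and CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"ProductName": "Inspector", "Title": "CVE-XXXX-0007 - openssl",
     "Severity": {"Label": "CRITICAL"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0webserver"}]},
    {"ProductName": "GuardDuty", "Title": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0webserver"}]},
    {"ProductName": "Inspector", "Title": "CVE-XXXX-0008 - urllib3",
     "Severity": {"Label": "MEDIUM"},
     "Resources": [{"Type": "AwsLambdaFunction", "Id": "order-processor"}]},
    {"ProductName": "Inspector", "Title": "CVE-XXXX-0009 - lodash",
     "Severity": {"Label": "HIGH"},
     "Resources": [{"Type": "AwsEcrContainerImage", "Id": "app-repo@sha256:PLACEHOLDER"}]},
]

if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_FINDINGS):
        print(alert)
```

The instance with both a Critical CVE and a GuardDuty probe sorts to the top of the alert list, which is the pairing the unified Security Hub view is meant to surface; the Lambda finding falls through to the triage channel because no route is defined for its type and severity.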
