Amazon Inspector

Amazon Inspector is a fully managed automated vulnerability management service that helps improve the security and compliance of applications deployed on AWS. It continuously scans EC2 instances, container images in Amazon ECR, and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure. The core problem it solves is the challenge of manually tracking and patching vulnerabilities across a dynamic cloud environment. Without automation, security teams would need to individually assess each resource, check for known vulnerabilities, and review network configurations—a time-consuming and error-prone process. Inspector automates this by performing deep assessments and providing a prioritized list of findings.

Amazon Inspector works through a combination of agentless scanning (for EC2 using AWS Systems Manager) and optional agent-based scanning (for deeper OS-level visibility). The service integrates with AWS Systems Manager to gather inventory data from EC2 instances without requiring an installed agent. For container images, Inspector scans images stored in Amazon ECR by analyzing the image layers and comparing them against known vulnerabilities. For Lambda functions, Inspector scans the function code and dependencies at deployment time.

The scanning process involves: - Software Inventory Collection: Inspector collects information about installed software, including operating system packages, libraries, and application dependencies. - Vulnerability Correlation: The collected inventory is compared against a continuously updated database of Common Vulnerabilities and Exposures (CVEs) and AWS security bulletins. - Network Reachability Analysis: Inspector analyzes network configurations (security groups, network ACLs, VPCs) to determine if resources are exposed to the internet or to other networks in a way that could be exploited. - Finding Generation: Each vulnerability or network exposure is recorded as a finding with a severity rating (Critical, High, Medium, Low) and remediation guidance.

Amazon Inspector offers two main tiers: Inspector Classic (legacy) and Inspector v2 (the current version). The CLF-C02 exam focuses on Inspector v2, which is the default and recommended version. Key features of Inspector v2 include: - Continuous Scanning: Unlike Classic which was scheduled, v2 scans continuously as new vulnerabilities are discovered. - Agentless Scanning: For EC2 instances, you can enable scanning without installing an agent by using AWS Systems Manager (SSM). This is the default and recommended approach. - Container Image Scanning: Automatically scans images pushed to Amazon ECR at the time of push and on a regular schedule. - Lambda Function Scanning: Scans function code and layers at deployment. - Findings Consolidation: Findings are sent to AWS Security Hub and Amazon EventBridge for centralized management. - Risk Scoring: Inspector uses the Common Vulnerability Scoring System (CVSS) and AWS-specific severity to prioritize findings.

Pricing for Inspector v2 is based on the number of EC2 instances, container images, and Lambda functions scanned. There is a free trial for 30 days. After that, you pay per instance-hour for EC2, per image scan for containers, and per function-month for Lambda. There are no upfront commitments.

In an on-premises environment, vulnerability scanning typically requires dedicated hardware or virtual appliances, manual scheduling, and extensive configuration. Updates to vulnerability databases are often periodic. With Amazon Inspector, scanning is fully managed, continuous, and integrated with the AWS ecosystem. Inspector automatically discovers new resources as they are launched and begins scanning immediately. It also integrates with AWS Organizations, allowing you to enable scanning across multiple accounts with a single action.

Competing cloud-native services include third-party tools like Qualys or Tenable, which can also be deployed on AWS. However, Inspector is purpose-built for AWS and requires no additional licensing or infrastructure. It is also deeply integrated with AWS security services like Security Hub, GuardDuty, and AWS Config.

Use Amazon Inspector when you need automated, continuous vulnerability scanning for EC2, ECR, and Lambda within your AWS environment. It is ideal for organizations that want a low-maintenance, AWS-native solution. If you need compliance reporting for standards like PCI DSS or HIPAA, Inspector can help, but you may also need AWS Config rules and Security Hub for a complete compliance picture. For threat detection (e.g., finding malicious activity), use Amazon GuardDuty. For configuration compliance, use AWS Config. Inspector is specifically for vulnerabilities and network exposure.

Enabling Inspector v2 is straightforward: 1. Open the Amazon Inspector console. 2. Click "Get started" or enable scanning for the desired resource types. 3. For EC2, ensure instances have the SSM Agent installed and proper IAM permissions (AmazonSSMManagedInstanceCore policy). 4. For ECR, enable scanning on the repository level (scan on push or continuous scan). 5. For Lambda, Inspector automatically scans functions when you enable Lambda scanning. 6. Findings appear in the Inspector console and can be exported to Security Hub.

The CLF-C02 exam tests your understanding of what Inspector does and when to use it. Key points:

Below is a step-by-step walkthrough for enabling Inspector v2 across an AWS account.

Prerequisites: - AWS account with appropriate permissions (AmazonInspector2FullAccess). - EC2 instances must have SSM Agent installed and be managed by Systems Manager. - For ECR, repositories must be created. - For Lambda, functions must exist.

Step 1: Enable Inspector v2 1. Go to the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home. 2. Click "Get started" or "Enable Inspector". 3. Choose which resource types to scan: EC2, ECR, Lambda. You can enable all. 4. Click "Enable". AWS will automatically start scanning existing resources.

Step 2: Verify Scanning is Active 1. In the Inspector console, navigate to "Dashboard" to see an overview of findings. 2. Check that the number of scanned resources matches your expectations. 3. If EC2 instances are not being scanned, verify SSM Agent status and IAM role.

Step 3: Review Findings 1. Click "Findings" in the left navigation. 2. View the list of vulnerabilities and network exposures. 3. Filter by severity (Critical, High, etc.) or resource type. 4. Click on a finding to see details, including CVE ID, affected package, and remediation steps.

Step 4: Integrate with Security Hub 1. In the Security Hub console, enable the Inspector integration (usually automatic). 2. Findings from Inspector will appear in Security Hub alongside other security findings. 3. You can create automated response workflows using EventBridge rules.

Step 5: Set Up Notifications 1. In the Inspector console, go to "Settings" > "Notifications". 2. Create an SNS topic to receive alerts when new findings are generated. 3. Optionally, use EventBridge to trigger Lambda functions for automated remediation.

Step 6: Schedule Recurring Scans (Optional) Inspector v2 scans continuously; no scheduling needed. However, you can configure scan schedules for container images using ECR scan frequency settings (scan on push or continuous scan).

An e-commerce company processes credit card transactions and must comply with PCI DSS. They use Amazon Inspector to continuously scan their EC2 instances and ECR container images for vulnerabilities. Inspector helps them meet the requirement for regular vulnerability scans (PCI DSS 11.2). The security team sets up Inspector to scan all resources and integrates findings with Security Hub. They configure EventBridge to send critical findings to a Slack channel via Lambda. When a critical CVE is found, the team patches the affected instances within the required timeframe. Cost: For 100 EC2 instances and 500 container images per month, the cost is approximately $200-300/month. Misconfiguration: If they forget to enable scanning on new instances (e.g., auto-scaling groups), they may miss vulnerabilities. To avoid this, they use AWS Config rules to ensure all instances have Inspector enabled.

A startup uses AWS Lambda heavily and wants to ensure their function dependencies are free of known vulnerabilities. They enable Lambda scanning in Inspector. Inspector automatically scans each function when it is deployed and continuously thereafter. The developers receive notifications when a new vulnerability is found in a package they use. They can quickly update the function code and redeploy. Cost: Lambda scanning is priced per function-month, which is very low for a startup with 50 functions. Misconfiguration: If the startup uses custom runtimes not supported by Inspector (e.g., Rust), those functions are not scanned. They need to use third-party tools for those runtimes.

A large enterprise uses AWS Organizations with hundreds of accounts. They enable Inspector at the organization level using the delegated administrator feature. This allows them to centrally manage scanning across all accounts and view findings from a single account. The security team uses the Inspector console in the delegated admin account to see aggregated findings. They use Security Hub cross-account aggregation to get a unified view. Cost: They negotiate a volume discount with AWS. Misconfiguration: If the delegated admin account is compromised, an attacker could disable Inspector across all accounts. To mitigate, they use least-privilege permissions and enable AWS CloudTrail to monitor changes to Inspector settings.