SAA-C03 | Chapter 66 of 189 | Objective 1.4

Amazon Inspector v2

This chapter covers Amazon Inspector v2, AWS's automated vulnerability management service that continuously scans EC2 instances and container images for software vulnerabilities and unintended network exposure. For the SAA-C03 exam, you need to understand Inspector v2's scanning capabilities, how it integrates with other AWS services, and how to interpret its findings. While this topic appears in roughly 5-8% of exam questions, it is a high-weight area because it directly addresses the Secure Architectures domain's requirement for automated security assessments.

25 min read
Intermediate
Updated May 31, 2026

Automated Security Guard with X-Ray Vision

Imagine a high-security warehouse that stores sensitive documents. Instead of relying on manual patrols or periodic security sweeps, the facility deploys an automated security system with X-ray vision cameras that continuously scan every corner, shelf, and package in real time. Each camera is calibrated to detect specific threats: open locks, outdated alarm batteries, or suspicious packages that match known threat signatures. When a camera spots an issue, it instantly sends an alert to the central security console, which logs the finding and prioritizes it based on severity. The system also integrates with the warehouse's automated repair bots, which can immediately fix certain issues (like replacing a dead battery) without human intervention. In AWS, Amazon Inspector v2 works similarly: it continuously scans your compute resources (EC2 instances and container images) for software vulnerabilities and network exposures, using up-to-date threat intelligence. It doesn't just run a scan once; it monitors for changes and rescans automatically. When a vulnerability is found, it generates a finding with severity, CVE details, and remediation guidance. If integrated with AWS Systems Manager, it can even trigger automated patching. The key difference from a manual security audit is that Inspector v2 never sleeps: it provides continuous, near-real-time visibility into your security posture, just like an always-on X-ray security guard.

How It Actually Works

What is Amazon Inspector v2?

Amazon Inspector v2 is a fully managed vulnerability assessment service that automatically discovers and scans your AWS compute resources for software vulnerabilities and network exposure. It replaces the original Amazon Inspector (now referred to as Inspector v1) with a more comprehensive, continuous scanning approach. Inspector v2 is designed to help you meet compliance requirements (e.g., PCI DSS, HIPAA) by providing visibility into security weaknesses.

How It Works Internally

Inspector v2 operates by deploying a lightweight agent on EC2 instances (or using SSM Agent) and by scanning container images stored in Amazon ECR. The service uses a combination of:

CVE (Common Vulnerabilities and Exposures) databases: Inspector v2 leverages multiple threat intelligence feeds, including the National Vulnerability Database (NVD), to identify known vulnerabilities.

Network reachability analysis: It analyzes the network configuration of your EC2 instances to determine if a vulnerability is exploitable from the internet or within the VPC.

Continuous monitoring: After the initial scan, Inspector v2 monitors for changes (e.g., new software installations, updated packages) and rescans automatically. The default rescan interval for EC2 instances is every 24 hours, but it can also trigger scans on change events.

For container images, Inspector v2 scans the image at the time it is pushed to ECR and then rescans periodically (every 24 hours or when the image is accessed).

Key Components, Values, Defaults, and Timers

Scanning frequency: EC2 instances are scanned every 24 hours by default. Container images are scanned on push and then every 24 hours.

Findings: Each finding includes:

- CVE ID
- Severity (Critical, High, Medium, Low)
- CVSS score
- Affected package and version
- Remediation recommendation
- Network reachability status (for EC2)

Agent: Inspector v2 can use the SSM Agent (pre-installed on many AMIs) or a dedicated Inspector agent. The SSM Agent is preferred and is automatically activated when you enable Inspector v2.

Supported operating systems: Amazon Linux, Ubuntu, Debian, Red Hat Enterprise Linux, CentOS, SUSE Linux Enterprise Server, and Windows Server.

Container support: Amazon ECR (both public and private repositories), including images in ECR cross-account registries.

Integration: Findings can be sent to AWS Security Hub, Amazon EventBridge, and AWS Systems Manager (for automated patching).

Configuration and Verification

To enable Inspector v2, you can use the AWS Management Console, CLI, or SDK. The service is account-wide; you do not need to configure individual scans.

CLI command to enable Inspector v2:

aws inspector2 enable --resource-types EC2 ECR

To verify that Inspector v2 is active:

aws inspector2 list-members

(Note: This command is for delegated administrator accounts in multi-account setups.)

To view findings:

aws inspector2 list-findings --filter-criteria '{"severity": [{"comparison": "EQUALS", "value": "CRITICAL"}]}'
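Once the findings are pulled with `list-findings`, the next step is usually to rank them rather than read them one at a time. The script below is an added example, not code from the original page or from AWS: it loads a saved `list-findings` response, joins each package vulnerability to the network reachability findings on the same instance (so an internet-reachable instance outranks an internal one carrying the same CVE, which is the context rule described in the walk-through), and records whether a fixed package version exists. The sample response, CVE ids and resource ids are constructed placeholders shaped like the real API output; `SEVERITY_RANK`, `EXPOSURE_BONUS` and the priority formula are assumptions of this example.

```python
"""Triage a saved `aws inspector2 list-findings` response (added example)."""
import json

# Ranking weights are an assumption of this example, not an Inspector value.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "INFORMATIONAL": 0, "UNTRIAGED": 0}
EXPOSURE_BONUS = 5  # added when the affected instance is reachable from the internet

# Constructed sample shaped like the ListFindings response; all ids are placeholders.
SAMPLE_RESPONSE = json.dumps({"findings": [
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/example-1",
     "findingType": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "inspectorScore": 9.8,
     "status": "ACTIVE",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0exampleinstance1"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00001",
         "vulnerablePackages": [{"name": "openssl", "version": "1.1.1",
                                 "fixedInVersion": "1.1.1k"}]},
     "remediation": {"recommendation": {"text": "Update openssl to 1.1.1k or later."}}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/example-2",
     "findingType": "NETWORK_REACHABILITY", "severity": "HIGH", "status": "ACTIVE",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0exampleinstance1"}],
     "networkReachabilityDetails": {"protocol": "TCP",
         "openPortRange": {"begin": 22, "end": 22},
         "networkPath": {"steps": [{"componentType": "INTERNET_GATEWAY"},
                                   {"componentType": "SECURITY_GROUP"},
                                   {"componentType": "EC2_INSTANCE"}]}}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/example-3",
     "findingType": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "inspectorScore": 9.1,
     "status": "ACTIVE",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                    "id": "arn:aws:ecr:us-east-1:111122223333:repository/api/sha256:0000"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00002",
         "vulnerablePackages": [{"name": "libxml2", "version": "2.9.4",
                                 "fixedInVersion": "2.9.14"}]}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/example-4",
     "findingType": "PACKAGE_VULNERABILITY", "severity": "LOW", "inspectorScore": 3.3,
     "status": "ACTIVE",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0exampleinstance2"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00003",
         "vulnerablePackages": [{"name": "vim", "version": "8.0", "fixedInVersion": None}]}},
]})


def load_findings(raw_json):
    """Parse the CLI/API JSON and keep only findings that are still ACTIVE."""
    return [f for f in json.loads(raw_json)["findings"]
            if f.get("status", "ACTIVE") == "ACTIVE"]


def internet_exposed_instances(findings):
    """Instance ids with a NETWORK_REACHABILITY finding whose path includes an internet gateway."""
    exposed = set()
    for f in findings:
        if f["findingType"] != "NETWORK_REACHABILITY":
            continue
        steps = f["networkReachabilityDetails"]["networkPath"]["steps"]
        if any(s["componentType"] == "INTERNET_GATEWAY" for s in steps):
            exposed.update(r["id"] for r in f["resources"] if r["type"] == "AWS_EC2_INSTANCE")
    return exposed


def summarize_by_severity(findings):
    """Count findings per severity label, the number most dashboards start with."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def triage(findings):
    """Rank package vulnerabilities: severity first, internet exposure second, score third."""
    exposed = internet_exposed_instances(findings)
    rows = []
    for f in findings:
        if f["findingType"] != "PACKAGE_VULNERABILITY":
            continue
        resource = f["resources"][0]
        pkg = f["packageVulnerabilityDetails"]["vulnerablePackages"][0]
        is_exposed = resource["type"] == "AWS_EC2_INSTANCE" and resource["id"] in exposed
        rows.append({
            "cve": f["packageVulnerabilityDetails"]["vulnerabilityId"],
            "resource": resource["id"],
            "severity": f["severity"],
            "score": f.get("inspectorScore", 0.0),
            "internet_exposed": is_exposed,
            "fix_available": pkg.get("fixedInVersion") is not None,
            "priority": SEVERITY_RANK[f["severity"]] * 10 + (EXPOSURE_BONUS if is_exposed else 0),
        })
    return sorted(rows, key=lambda r: (r["priority"], r["score"]), reverse=True)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_RESPONSE)
    print(summarize_by_severity(findings))
    for row in triage(findings):
        print(f'{row["priority"]:>3} {row["severity"]:<8} {row["cve"]:<15} {row["resource"]} '
              f'exposed={row["internet_exposed"]} fix={row["fix_available"]}')
```

Feed it the output of `aws inspector2 list-findings > findings.json` and replace `SAMPLE_RESPONSE` with the file contents. The join on instance id is the important part: Inspector reports the CVE and the open-port path as two separate findings, and only combining them tells you which critical CVE actually sits behind an internet-facing port.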

Interaction with Related AWS Services

AWS Security Hub: Inspector v2 findings are automatically ingested into Security Hub, providing a centralized view of security alerts.

Amazon EventBridge: You can create rules to trigger automated responses (e.g., send a notification via SNS, invoke a Lambda function) when new findings are generated.

AWS Systems Manager: Inspector v2 can trigger SSM Automation documents to remediate vulnerabilities (e.g., patch installation).

AWS Organizations: You can designate a delegated administrator account to manage Inspector v2 across all accounts in the organization.

Common Use Cases

1. Continuous vulnerability scanning: Automatically detect known vulnerabilities in EC2 instances and container images without manual intervention.

2. Compliance monitoring: Use Inspector v2 findings to demonstrate compliance with frameworks like PCI DSS, which require regular vulnerability scans.

3. Shift-left security: Scan container images at build time (via ECR) to catch vulnerabilities before deployment.

Exam Tips

Inspector v2 is not a replacement for a web application firewall (WAF) or intrusion detection system (IDS). It focuses on software vulnerabilities and network exposure, not active threats.

Inspector v2 does not support on-premises servers. It is strictly for AWS compute resources.

The service is regional; you must enable it in each Region where you have resources.

For EC2 instances, Inspector v2 requires outbound internet access (or VPC endpoints) to communicate with the Inspector service for updates and findings.

Limitations

Inspector v2 does not scan custom AMIs or instances that are not managed by SSM (unless you install the Inspector agent).

It does not perform network penetration testing; network reachability analysis is limited to checking if ports are open to the internet.

Container image scanning only works for images stored in Amazon ECR, not third-party registries.

Pricing

Inspector v2 has a pay-per-scan model for EC2 instances (per instance per month) and per-GB scanned for container images. There is no upfront cost. The exact pricing varies by Region; consult the AWS Pricing page.

Walk-Through

1. Enable Amazon Inspector v2

You enable Inspector v2 at the account level using the AWS Management Console, CLI, or API. The command `aws inspector2 enable --resource-types EC2 ECR` activates scanning for both EC2 instances and container images. Once enabled, Inspector v2 automatically discovers all eligible resources in the account and Region. If you use AWS Organizations, you can designate a delegated administrator account to manage scanning across multiple accounts.

2. Agent Deployment and Discovery

Inspector v2 uses the AWS Systems Manager (SSM) Agent on EC2 instances to collect software inventory. If the SSM Agent is not installed, you can install the Inspector agent manually. The agent communicates with the Inspector service to send package lists and configuration data. For container images, no agent is needed; Inspector v2 scans the image layers stored in Amazon ECR.

3. Initial Scan and Vulnerability Detection

After enabling Inspector v2, an initial scan is performed on all eligible resources. For EC2 instances, the scan collects installed software packages and compares them against CVE databases. For container images, the scan examines each layer for known vulnerabilities. The scan also performs network reachability analysis for EC2 instances by checking security group rules and network ACLs to determine if any open ports are accessible from the internet.

4. Finding Generation and Severity Assignment

When a vulnerability is identified, Inspector v2 generates a finding with details: CVE ID, severity (Critical, High, Medium, Low), CVSS score, affected package, and remediation steps. Severity is based on the CVSS score and the context (e.g., network reachability). For example, a critical CVE on an internet-facing instance is more severe than the same CVE on an internal instance. Findings are stored for 90 days.

5. Continuous Monitoring and Rescanning

Inspector v2 continuously monitors for changes. For EC2 instances, it rescans every 24 hours or when a change event (e.g., new software installation) is detected. For container images, rescans occur every 24 hours or when the image is pulled. This ensures that new vulnerabilities are discovered promptly. You can also trigger an on-demand scan using the `aws inspector2 start-scan` command.

What This Looks Like on the Job

Enterprise Scenario 1: Compliance-Driven Vulnerability Management

A financial services company must comply with PCI DSS Requirement 11.2, which mandates quarterly vulnerability scans and continuous monitoring. They have hundreds of EC2 instances across multiple AWS accounts and Regions. Before Inspector v2, they used a third-party scanner that required manual setup and credentials. With Inspector v2, they enable it across all accounts via AWS Organizations delegated administrator. The service automatically discovers all instances and container images, performs continuous scans, and sends findings to Security Hub. The security team uses EventBridge rules to trigger Lambda functions that create Jira tickets for critical vulnerabilities. The automated rescan every 24 hours ensures they meet the 'continuous monitoring' requirement. A common misconfiguration is not enabling Inspector v2 in all Regions where resources exist, leading to gaps in coverage.

Enterprise Scenario 2: Container Security in CI/CD

A SaaS startup uses Amazon ECR to store container images for their microservices. They want to catch vulnerabilities before deploying to production. They enable Inspector v2 on their ECR repositories. Now, every time a developer pushes an image, Inspector v2 scans it automatically. If a critical vulnerability is found, an EventBridge rule triggers a Lambda function that blocks the image from being deployed (by tagging it with a 'blocked' tag). The scanning takes a few seconds to minutes depending on image size. They also use Inspector v2's integration with AWS CodePipeline to fail the pipeline if the scan finds high-severity vulnerabilities. A common pitfall is assuming Inspector v2 scans images in third-party registries (e.g., Docker Hub) — it only scans images stored in ECR.
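The EventBridge-to-Lambda gate in Scenario 2 is small enough to show end to end. The code below is an added example, not the startup's or AWS's own implementation. It assumes an EventBridge rule matching source `aws.inspector2` and detail-type `Inspector2 Finding` (the real event names), a policy that HIGH and CRITICAL findings block an image, and a quarantine tag named `blocked` as in the scenario. The sample event, account id, repository and digest are constructed; `RecordingEcrClient` is a stand-in for boto3's ECR client so the handler can be exercised offline, and `decide`, `handler` and `RULE_PATTERN` are names chosen here.

```python
"""Gate ECR images on Inspector v2 findings delivered through EventBridge (added example)."""
import json

# EventBridge rule pattern (constructed): only ECR image findings at HIGH or CRITICAL.
# "aws.inspector2" and "Inspector2 Finding" are the real source / detail-type values.
RULE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["CRITICAL", "HIGH"],
               "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]}},
}

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}  # policy threshold assumed by this example
QUARANTINE_TAG = "blocked"                  # tag name used in the scenario above

# Constructed sample event; account, repository and digest are placeholders.
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "region": "us-east-1",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/example-ecr-1",
        "type": "PACKAGE_VULNERABILITY",
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "resources": [{
            "type": "AWS_ECR_CONTAINER_IMAGE",
            "id": "arn:aws:ecr:us-east-1:111122223333:repository/payments/api/sha256:0000",
            "details": {"awsEcrContainerImage": {
                "registry": "111122223333", "repositoryName": "payments/api",
                "imageHash": "sha256:0000", "imageTags": ["v1.4.2"]}}}],
    },
}


def decide(detail, blocking=BLOCKING_SEVERITIES):
    """Return (action, image) where action is 'block', 'allow' or 'ignore'."""
    images = [r for r in detail.get("resources", []) if r.get("type") == "AWS_ECR_CONTAINER_IMAGE"]
    if not images or detail.get("status") != "ACTIVE":
        return "ignore", None  # not an image finding, or one that is closed/suppressed
    meta = images[0]["details"]["awsEcrContainerImage"]
    image = {"repository": meta["repositoryName"], "digest": meta["imageHash"],
             "tags": list(meta.get("imageTags", []))}
    action = "block" if detail.get("severity") in blocking else "allow"
    return action, image


class RecordingEcrClient:
    """Offline stand-in for boto3.client('ecr'); records the tags the handler applies."""

    def __init__(self):
        self.tags = []

    def batch_get_image(self, repositoryName, imageIds):
        return {"images": [{"imageManifest": json.dumps({"schemaVersion": 2})}]}

    def put_image(self, repositoryName, imageManifest, imageTag):
        self.tags.append((repositoryName, imageTag))
        return {}


def handler(event, context=None, ecr_client=None):
    """Lambda entry point. With a real ECR client this re-tags the flagged digest."""
    action, image = decide(event["detail"])
    if action == "block" and ecr_client is not None:
        # ECR adds a tag by re-putting the manifest of the same digest under the new tag.
        manifest = ecr_client.batch_get_image(
            repositoryName=image["repository"],
            imageIds=[{"imageDigest": image["digest"]}])["images"][0]["imageManifest"]
        ecr_client.put_image(repositoryName=image["repository"],
                             imageManifest=manifest, imageTag=QUARANTINE_TAG)
    return {"action": action, "image": image}


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ecr_client=RecordingEcrClient()))
```

In Lambda you would call `handler(event, context, ecr_client=boto3.client("ecr"))`. The tag is only a signal: the deploy step (or the pipeline stage that resolves the image) still has to refuse any digest carrying the `blocked` tag, otherwise the gate is cosmetic. Matching on `status` keeps the handler from re-tagging on the CLOSED event Inspector emits when a finding is resolved.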

Performance and Scale Considerations

Inspector v2 is designed to scale to thousands of instances and millions of container images. There are no resource limits imposed by the service, but you should be aware of the following:

For EC2 instances, outbound internet access (or VPC endpoints) is required for the agent to communicate with Inspector. If you have a large number of instances in private subnets, you must configure VPC endpoints for SSM and Inspector.

The initial scan can take up to 30 minutes per instance, depending on the number of packages.

Findings are stored for 90 days; after that, they are automatically deleted. You should export findings to a long-term storage like S3 if needed.

If you have a multi-account setup, ensure the delegated administrator account has the necessary permissions to view findings from member accounts.

How SAA-C03 Actually Tests This

What SAA-C03 Tests on Amazon Inspector v2

The exam focuses on the following objective codes under Domain 1 (Secure Architectures):

- 1.4: Design and implement automated security assessments (e.g., Amazon Inspector).
- 1.5: Design and implement a secure network infrastructure (network reachability analysis).

Common Wrong Answers and Why Candidates Choose Them

1. "Amazon Inspector is a web application firewall" – Candidates confuse Inspector with AWS WAF. Inspector is a vulnerability scanner, not a firewall. The exam may offer WAF as a distractor.

2. "Inspector v2 requires manual installation of agents on every EC2 instance" – While you can install an agent, Inspector v2 primarily uses the SSM Agent, which is pre-installed on many AMIs. The exam tests that you know the default method.

3. "Inspector v2 can scan on-premises servers" – Inspector v2 is limited to AWS compute resources. The exam may present a scenario with hybrid infrastructure to test this.

4. "Inspector v2 scans for network intrusions in real time" – Inspector v2 does not perform real-time intrusion detection; it is a periodic vulnerability scanner. Amazon GuardDuty is the IDS service.

Specific Numbers and Values to Memorize

Default rescan interval: 24 hours.

Findings retention: 90 days.

Supported resource types: EC2 and ECR (container images).

Severity levels: Critical, High, Medium, Low.

Integration with Security Hub, EventBridge, Systems Manager.

Edge Cases and Exceptions

If an EC2 instance is terminated, its findings are deleted after a short period (usually within minutes).

Inspector v2 does not scan instances that are in a stopped state. It will scan them when they start.

For container images, Inspector v2 scans all layers, including base layers. However, it does not scan images that are older than 90 days unless they are pulled.

If you disable Inspector v2, all findings are deleted after 30 days.
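The Limitations, Performance and Edge Cases sections above all describe resources that Inspector v2 silently does not scan: instances without SSM management, stopped instances, images that have aged out of the rescan window, and Regions where the service was never enabled. `aws inspector2 list-coverage` reports each of these with a status code and reason, and the script below turns one saved response per Region into a coverage report. It is an added example, not code from the page or from AWS. The responses are constructed with the real `coveredResources[].scanStatus.statusCode`/`reason` shape and placeholder resource ids; the split into transient and actionable reasons and the follow-up text in `FOLLOW_UP` are this example's reading of the sections above, not text from Inspector.

```python
"""Coverage report built from saved `aws inspector2 list-coverage` responses (added example)."""

# Constructed sample: one saved response per Region, shaped like the ListCoverage API
# (coveredResources[].scanStatus.statusCode / reason); resource ids are placeholders.
SAMPLE_COVERAGE = {
    "us-east-1": {"coveredResources": [
        {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0aaaa", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
        {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0bbbb", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"}},
        {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0cccc", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "EC2_INSTANCE_STOPPED"}},
        {"resourceType": "AWS_ECR_CONTAINER_IMAGE",
         "resourceId": "arn:aws:ecr:us-east-1:111122223333:repository/api/sha256:0000",
         "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "SCAN_ELIGIBILITY_EXPIRED"}},
    ]},
    "eu-west-1": {"coveredResources": [
        {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0dddd", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "PENDING_INITIAL_SCAN"}},
    ]},
}

# Reasons that clear on their own (stopped instance, scan still queued); everything else
# needs an operator. This split is an assumption of the example.
TRANSIENT_REASONS = {"EC2_INSTANCE_STOPPED", "PENDING_INITIAL_SCAN"}

# Suggested follow-up per reason code. The codes are API values; the guidance is ours.
FOLLOW_UP = {
    "UNMANAGED_EC2_INSTANCE": "not managed by SSM: install/activate SSM Agent and attach an instance profile",
    "NO_INVENTORY": "no SSM inventory: check agent health and the SSM/Inspector VPC endpoints",
    "UNSUPPORTED_OS": "OS not supported by Inspector v2: cover it with another scanner",
    "SCAN_ELIGIBILITY_EXPIRED": "image aged out of the rescan window: pull it or push a fresh build",
    "ACCESS_DENIED": "Inspector cannot read the resource: check the service-linked role permissions",
}


def coverage_report(coverage_by_region, expected_regions=()):
    """Summarize scan status across Regions and flag expected Regions with no response at all."""
    report = {"regions_not_enabled": sorted(set(expected_regions) - set(coverage_by_region)),
              "active": 0, "inactive": 0, "by_reason": {}}
    for response in coverage_by_region.values():
        for res in response["coveredResources"]:
            status = res["scanStatus"]
            if status["statusCode"] == "ACTIVE":
                report["active"] += 1
            else:
                report["inactive"] += 1
                reason = status["reason"]
                report["by_reason"][reason] = report["by_reason"].get(reason, 0) + 1
    return report


def action_items(coverage_by_region):
    """Inactive resources that will not fix themselves, each with a suggested follow-up."""
    items = []
    for region, response in coverage_by_region.items():
        for res in response["coveredResources"]:
            status = res["scanStatus"]
            if status["statusCode"] == "ACTIVE" or status["reason"] in TRANSIENT_REASONS:
                continue
            items.append({"region": region, "resource_id": res["resourceId"],
                          "resource_type": res["resourceType"], "reason": status["reason"],
                          "follow_up": FOLLOW_UP.get(status["reason"], "investigate")})
    return items


if __name__ == "__main__":
    print(coverage_report(SAMPLE_COVERAGE,
                          expected_regions=["us-east-1", "eu-west-1", "ap-southeast-1"]))
    for item in action_items(SAMPLE_COVERAGE):
        print(f'{item["region"]} {item["resource_id"]}: {item["reason"]} -> {item["follow_up"]}')
```

Run `aws inspector2 list-coverage --region <Region>` for every Region in `expected_regions` and load each JSON into `SAMPLE_COVERAGE` under its Region name. A Region that errors or returns nothing is exactly the coverage gap Scenario 1 warns about, and `UNMANAGED_EC2_INSTANCE` is the reason code behind the "instances not managed by SSM" limitation: the instance exists, Inspector knows about it, and nothing is being scanned.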

How to Eliminate Wrong Answers

If the question mentions "continuous vulnerability scanning" or "automated security assessment," the answer is likely Inspector v2.

If the question mentions "network penetration testing" or "real-time threat detection," it is not Inspector v2.

If the scenario involves on-premises servers, eliminate Inspector v2 (use AWS Systems Manager or third-party tools instead).

If the question mentions "scanning a container image before deployment," Inspector v2 is the correct service, but only if the image is in ECR.

Key Takeaways

Amazon Inspector v2 is a fully managed vulnerability assessment service for EC2 instances and ECR container images.

Inspector v2 uses the SSM Agent by default; no separate agent installation is needed on most AMIs.

Scans occur every 24 hours by default, plus on change events.

Findings include CVE ID, severity (Critical/High/Medium/Low), CVSS score, and remediation guidance.

Findings are retained for 90 days.

Inspector v2 does not support on-premises servers or third-party container registries.

Network reachability analysis checks if vulnerabilities are exploitable from the internet.

You can enable Inspector v2 across multiple accounts using AWS Organizations delegated administrator.

Inspector v2 integrates with Security Hub, EventBridge, and AWS Systems Manager.

Inspector v2 is a regional service; enable it in each Region where you have resources.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Amazon Inspector v2

Scans for software vulnerabilities (CVEs) and network exposure.

Performs periodic scans (every 24 hours) and on change events.

Uses agent-based (SSM Agent) and agentless (ECR) scanning.

Integrates with Security Hub and Systems Manager for remediation.

Ideal for compliance vulnerability scanning.

Amazon GuardDuty

Detects malicious activity and unauthorized behavior in real time.

Continuously analyzes VPC Flow Logs, DNS logs, and CloudTrail events.

Agentless; uses machine learning and threat intelligence.

Integrates with Security Hub and EventBridge for alerts.

Ideal for threat detection and incident response.

Watch Out for These

Mistake

Amazon Inspector v2 scans for malware and ransomware in real time.

Correct

Inspector v2 is a vulnerability scanner that checks for known CVEs and network exposure. It does not perform real-time malware detection; that is the role of Amazon GuardDuty or third-party endpoint protection.

Mistake

Inspector v2 automatically patches vulnerabilities it finds.

Correct

Inspector v2 only identifies vulnerabilities and provides remediation guidance. It can integrate with AWS Systems Manager to trigger automated patching, but it does not patch anything on its own.

Mistake

Inspector v2 requires a separate agent installation on every EC2 instance.

Correct

Inspector v2 primarily uses the SSM Agent, which is pre-installed on many AMIs (e.g., Amazon Linux 2, Windows Server 2019). You only need to install the Inspector agent if the SSM Agent is not present.

Mistake

Inspector v2 can scan any container registry, including Docker Hub.

Correct

Inspector v2 only scans container images stored in Amazon ECR (both public and private repositories). It does not integrate with third-party registries.

Mistake

Inspector v2 findings are stored indefinitely.

Correct

Findings are retained for 90 days. After that, they are automatically deleted. You must export findings to S3 or another service for long-term retention.


Frequently Asked Questions

What is the difference between Amazon Inspector v1 and v2?

Inspector v1 was a network-based assessment service that required an agent and had limited scanning capabilities. Inspector v2 is a complete rewrite that provides continuous vulnerability scanning for both EC2 instances and container images, uses the SSM Agent, and offers network reachability analysis. v2 also has a pay-per-scan pricing model, whereas v1 had a per-assessment fee. AWS recommends using Inspector v2 for all new deployments.

Does Amazon Inspector v2 support Windows Server instances?

Yes, Inspector v2 supports Windows Server 2012 R2, 2016, 2019, and 2022. The SSM Agent is required and is pre-installed on official AWS Windows AMIs. The scan covers Windows updates and third-party software vulnerabilities.

How do I view Amazon Inspector v2 findings?

You can view findings in the AWS Management Console under Inspector > Findings. Alternatively, use the CLI: `aws inspector2 list-findings`. Findings are also automatically sent to AWS Security Hub if enabled. You can export findings to S3 using the `batch-get-finding-details` API or via EventBridge.

Can Amazon Inspector v2 scan Lambda functions?

No, Inspector v2 does not scan AWS Lambda functions. For Lambda, you can use third-party tools or AWS Lambda's own security features (e.g., runtime deprecation warnings). Inspector v2 is limited to EC2 instances and ECR container images.

What happens if an EC2 instance does not have internet access?

Inspector v2 requires outbound internet access (or VPC endpoints) for the SSM Agent to communicate with the Inspector service. If the instance is in a private subnet, you must configure VPC endpoints for Systems Manager (ssm, ssmmessages, ec2messages) and Inspector (inspector2). Without connectivity, the scan will fail.

How does Inspector v2 handle container images that are not pushed to ECR?

Inspector v2 only scans container images stored in Amazon ECR. Images in other registries (e.g., Docker Hub, self-managed registries) are not scanned. You must push the image to ECR for scanning.

What is the pricing model for Amazon Inspector v2?

Inspector v2 charges per EC2 instance per month (prorated hourly) and per GB of container image scanned. There is no upfront cost. For EC2, the cost is approximately $0.0018 per instance hour (varies by Region). For ECR, it's about $0.10 per GB scanned. Cross-account scanning may incur additional charges.

