Amazon Inspector

Continuously assesses security and best practices for:

  • EC2 Instances

    • Uses the SSM Agent

    • Against Unintended Network Accessibility: Amazon Inspector only generates network reachability findings for Amazon EC2 instances and performs scans for network reachability findings every 24 hours.

    • Against OS vulnerabilities

  • ECR Images

    • As they’re pushed

  • Lambda Functions

    • Code vulnerabilities

    • Dependencies

    • During the deployment phase

Findings can be reported into AWS Security Hub or sent to EventBridge. They also come with a risk score for prioritization.
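To show the EventBridge path and the score-based prioritization described above, here is an added example (not part of the original notes): an EventBridge event pattern for Inspector findings plus a small triage function. It assumes the event shape Inspector emits (source `aws.inspector2`, detail-type `Inspector2 Finding`, with the finding object's `findingArn`, `type`, `severity`, `inspectorScore` and `resources` fields in `detail`); the sample event is constructed.

```python
import json

# EventBridge rule pattern: only HIGH/CRITICAL findings of the three finding
# types in the notes. Attach it to a target such as an SNS topic or a Lambda.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["HIGH", "CRITICAL"],
        "type": ["PACKAGE_VULNERABILITY", "CODE_VULNERABILITY",
                 "NETWORK_REACHABILITY"],
    },
}

# Constructed sample event (illustrative values, not real finding data).
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/EXAMPLE",
        "type": "NETWORK_REACHABILITY",
        "severity": "HIGH",
        "inspectorScore": 7.5,
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
    },
}


def priority(finding: dict) -> str:
    """Bucket a finding by its Inspector score (0-10); a missing score is P3."""
    score = float(finding.get("inspectorScore") or 0)
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def triage(event: dict) -> dict:
    """Reduce an Inspector EventBridge event to the fields a responder needs."""
    d = event["detail"]
    res = (d.get("resources") or [{}])[0]
    return {
        "arn": d["findingArn"],
        "type": d["type"],
        "severity": d["severity"],
        "priority": priority(d),
        "resource": f"{res.get('type')}:{res.get('id')}",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```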

Finding Types

  • Package Vulnerabilities (https://www.cve.org/)

  • Code Vulnerabilities (Lambda)

  • Network Reachability for:

    • Amazon EC2 instances

    • AWS Lambda functions

    • Application Load Balancers

    • Direct Connect

    • Elastic Load Balancers

    • Elastic Network Interfaces

    • Internet Gateways

    • Network Access Control Lists

    • Route Tables

    • Security Groups

    • Subnets

    • Virtual Private Clouds

    • Virtual Private Gateways

    • VPC endpoints

    • VPC gateway endpoints

    • VPC peering connections

    • VPN connections