Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
Features
Amazon Inspector performs security scans on EC2 instances, container images, and Lambda functions.
- Use up-to-date common vulnerabilities and exposures (CVE) information.
- Inspector produces a detailed list of security vulnerabilities prioritized by level of severity.
- Detailed assessment reports are available via the Amazon Inspector console or API.
- Integration
- reporting with AWS Security Hub
- sending findings as events via Event Bridge
There are two types of Assessment:
- Network Assessment
- Network configuration analysis
- Check ports reachable from outside of the VPC
- An agent is not required.
- Host Assessment
- Check common vulnerabilities and exposures (CVE), host hardening (Center for Internet Security – CIS – Benchmarks), and security best practices
- An agent is required.
How it works
- Create assessment target
- Install agents (optional)
- Crete assessment template
- Perform assessment
- Review the reports
EC2 Instances
- Leveraging the SSM agent
- Check Unintended network access
- Analyze the running OS against known vulnerabilities
Container Images in ECR
- Assess container images when they are pushed into the repository
Lambda Functions
- Identify vulnerabilities in function code and dependencies when functions are deployed
Golden AMIs
- A golden AMI is an AMI that contains the latest security patches, software, configuration, and software agents that you need to install for logging, security maintenance, and performance monitoring.
- You cannot run the Inspector assessment directly on the AMIs.
- Create an instance from the golden AMI
- Attach the tag to the instance
- Run the Inspector assessment
Setup EC2 Instances for Inspector
- Install SSM Agent and make sure the agent is running
- Security Group
- Allow Outbound traffic (port 443 to SSM endpoint)
- EC2 Instance Profile (role)
- Allow to communicate with Systems Manager
Inspector vs. GuardDuty
| Inspector | GuardDuty | |
|---|---|---|
| What to look at | Resource configurations | Logs |
| Goals | Checks what happens when you get an attack | Analyze actual logs to check whether a threat exists |
| Use Cases | Quickly discover vulnerabilities, Prioritize vulnerable resources, Meet compliance requirements, | Unusual API calls, API calls from known malicious domains or IPs, Unauthorized deployments, Port Scanning, Crypto-currency mining |
Scriptorium 