Amazon Inspector & Vulnerability Management
Difficulty: medium
Overview
Amazon Inspector provides automated vulnerability assessments for compute workloads.
Amazon Inspector v2 (current):
- Continuously scans EC2 instances, ECR container images and Lambda functions; resources are rescanned when they change and when new CVEs are published, not only at onboarding
- No separate Inspector agent: EC2 scanning goes through the SSM Agent, so the instance must be an SSM managed instance (an agentless mode that scans EBS snapshots is available for instances without a working SSM Agent)
- Scores findings with CVSS, adjusted into an Inspector score that down-weights vulnerabilities on instances that are not network reachable; exploitability data such as VEX (Vulnerability Exploitability eXchange) is also used
- Findings are sent to Security Hub and emitted as EventBridge events, which is what drives automated response
Inspector v2 Coverage:
| Resource | What's Scanned |
|---|---|
| EC2 | OS packages and application-language packages (CVEs); network reachability of open ports |
| ECR | OS and language packages in container images, scanned on push and rescanned when new CVEs are published (enhanced scanning) |
| Lambda | Package dependencies in function code and layers (standard scanning); the function's own code for issues such as injection flaws and weak cryptography (code scanning) |
Network Reachability (EC2):
- Identifies EC2 instances with ports reachable from the internet (or from peered/connected networks) by analysing VPC configuration; no packets are sent and no agent is needed for this check
- Inputs: open ports on the instance, security groups, NACLs, route tables, Internet Gateways and other attachments (VPC peering, VPN, Direct Connect)
- A NETWORK_REACHABILITY finding is fixed by changing the security group or route, not by patching
Integration with AWS Organizations:
- From the management account, designate an Inspector delegated administrator account (cannot be the management account itself)
- The delegated admin enables Inspector per resource type (EC2, ECR, Lambda) across members and turns on auto-enable so new member accounts are covered as they join
Automated Remediation Workflow:
- Inspector finding → EventBridge rule (source aws.inspector2, detail-type "Inspector2 Finding", filtered on severity/status) → SNS notification and/or Lambda target
- Lambda runs an SSM document against the instance, e.g. AWS-RunPatchBaseline (Patch Manager) or AWS-InstallMissingWindowsUpdates, or starts an SSM Automation runbook
- Or: Lambda opens a Jira/ServiceNow ticket so remediation is tracked rather than applied silently
- Filter on finding type: only PACKAGE_VULNERABILITY findings can be fixed by patching; route NETWORK_REACHABILITY findings to a ticket instead
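The EventBridge → Lambda → SSM path above, as an added example (not code from the page or from AWS). The event shape is Inspector v2's "Inspector2 Finding" EventBridge event; the sample event, the account and instance identifiers and the placeholder CVE id in it are constructed. The SSM call is injected so the triage logic can be run offline; without an injected function the handler falls back to boto3's ssm.send_command.

```python
"""Triage Amazon Inspector v2 finding events and start SSM patching.

Added example for the remediation workflow; not code from the page or from AWS.
The sample event and the identifiers in it are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# EventBridge rule pattern: only ACTIVE, CRITICAL/HIGH package-vulnerability
# findings on EC2 instances should invoke the Lambda. Narrowing the rule is
# cheaper than filtering in code and keeps noisy findings from invoking it.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "status": ["ACTIVE"],
        "severity": ["CRITICAL", "HIGH"],
        "type": ["PACKAGE_VULNERABILITY"],
        "resources": {"type": ["AWS_EC2_INSTANCE"]},
    },
}


@dataclass
class PatchPlan:
    instance_id: str
    vulnerability_id: str
    document: str
    parameters: dict


def plan_remediation(event: dict) -> Optional[PatchPlan]:
    """Map a finding event to an SSM command, or None if it must not be auto-patched."""
    detail = event.get("detail", {})
    # Re-check the rule's conditions in code: a mis-scoped rule or a manual
    # re-drive must never start patching for a NETWORK_REACHABILITY finding,
    # which a package update cannot fix.
    if detail.get("status") != "ACTIVE" or detail.get("type") != "PACKAGE_VULNERABILITY":
        return None
    if detail.get("severity") not in ("CRITICAL", "HIGH"):
        return None
    for res in detail.get("resources", []):
        if res.get("type") != "AWS_EC2_INSTANCE":
            continue
        # Resource id is the instance ARN: arn:aws:ec2:<region>:<account>:instance/i-...
        instance_id = res.get("id", "").rsplit("/", 1)[-1]
        if not instance_id.startswith("i-"):
            return None
        cve = detail.get("packageVulnerabilityDetails", {}).get("vulnerabilityId", "UNKNOWN")
        # AWS-RunPatchBaseline with Operation=Install applies the instance's Patch
        # Manager baseline; it works for Linux and Windows managed instances.
        return PatchPlan(
            instance_id=instance_id,
            vulnerability_id=cve,
            document="AWS-RunPatchBaseline",
            parameters={"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]},
        )
    return None


def lambda_handler(event: dict, context=None,
                   send_command: Optional[Callable[..., dict]] = None) -> dict:
    """Lambda entry point. send_command defaults to boto3 ssm.send_command and is
    injectable so the logic can be exercised without AWS credentials."""
    plan = plan_remediation(event)
    if plan is None:
        return {"action": "skipped"}
    if send_command is None:
        import boto3  # lazy import: the module loads without boto3 installed
        send_command = boto3.client("ssm").send_command
    resp = send_command(
        InstanceIds=[plan.instance_id],
        DocumentName=plan.document,
        Parameters=plan.parameters,
        Comment=f"Inspector {plan.vulnerability_id}"[:100],  # SSM caps Comment at 100 chars
    )
    return {"action": "patch", "instance": plan.instance_id,
            "command_id": resp["Command"]["CommandId"]}


# Constructed sample event (placeholder CVE id and identifiers, not a real finding).
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "region": "us-east-1",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/example",
        "status": "ACTIVE",
        "severity": "CRITICAL",
        "type": "PACKAGE_VULNERABILITY",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-YYYY-NNNN"},
        "resources": [{
            "type": "AWS_EC2_INSTANCE",
            "id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
        }],
    },
}

if __name__ == "__main__":
    fake = lambda **kw: {"Command": {"CommandId": "dry-run"}}
    print(lambda_handler(SAMPLE_EVENT, send_command=fake))
```

Inspector raises one finding per CVE per instance, so a burst of findings for one instance will invoke the handler many times; in production, rate-limit by instance (for example with a DynamoDB conditional write keyed on instance id) before sending the command, and give the Lambda role only ssm:SendCommand scoped to the AWS-RunPatchBaseline document and the tagged instances.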
ECR Enhanced Scanning:
- Enhanced scanning (Inspector) rescans stored images when new CVEs are published, not just on push, and covers OS packages and programming-language packages
- Basic scanning (native ECR): scan on push or on manual trigger only, no rescans when new CVEs appear; OS packages only; originally built on the open-source Clair scanner
- Enhanced scanning is a registry-level setting (scanType ENHANCED) with rules that decide, per repository filter, CONTINUOUS_SCAN vs SCAN_ON_PUSH; a repository not matched by a CONTINUOUS_SCAN rule is not rescanned
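A check a practitioner would want for the point above: does every repository actually fall under an enhanced CONTINUOUS_SCAN rule, and if not, upgrade the registry configuration. Added example, not code from the page or from AWS. The dict shapes match the ECR GetRegistryScanningConfiguration / PutRegistryScanningConfiguration APIs; the repository names are constructed, and the AWS calls are injected so the logic runs offline (the script entry point uses boto3 for real).

```python
"""Check whether ECR repositories are under Inspector enhanced continuous scanning.

Added example, not code from the page or from AWS. The configuration dicts use the
shape of ecr:GetRegistryScanningConfiguration / PutRegistryScanningConfiguration;
the repository names used in tests are constructed.
"""
import re
from typing import Callable, Iterable, List

# Registry-level configuration for Inspector enhanced scanning of every repository.
ENHANCED_CONTINUOUS = {
    "scanType": "ENHANCED",
    "rules": [{
        "scanFrequency": "CONTINUOUS_SCAN",
        "repositoryFilters": [{"filter": "*", "filterType": "WILDCARD"}],
    }],
}

# Native basic scanning: scan on push only, never rescanned when new CVEs appear.
BASIC_ON_PUSH = {
    "scanType": "BASIC",
    "rules": [{
        "scanFrequency": "SCAN_ON_PUSH",
        "repositoryFilters": [{"filter": "*", "filterType": "WILDCARD"}],
    }],
}


def _wildcard_match(pattern: str, name: str) -> bool:
    """ECR WILDCARD filters use '*' as the only wildcard; everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, name) is not None


def is_continuously_scanned(config: dict, repo_name: str) -> bool:
    """True iff the registry uses ENHANCED scanning and some CONTINUOUS_SCAN rule
    matches repo_name (the only combination that rescans on newly published CVEs)."""
    if config.get("scanType") != "ENHANCED":
        return False
    for rule in config.get("rules", []):
        if rule.get("scanFrequency") != "CONTINUOUS_SCAN":
            continue
        for flt in rule.get("repositoryFilters", []):
            if flt.get("filterType") == "WILDCARD" and _wildcard_match(flt["filter"], repo_name):
                return True
    return False


def uncovered_repositories(config: dict, repo_names: Iterable[str]) -> List[str]:
    """Repositories that would only be scanned on push, or not rescanned at all."""
    return [r for r in repo_names if not is_continuously_scanned(config, r)]


def ensure_enhanced(get_config: Callable[[], dict], put_config: Callable[..., dict],
                    repo_names: Iterable[str]) -> bool:
    """Upgrade the registry to ENHANCED/CONTINUOUS_SCAN for all repositories if any
    repository is uncovered. get_config/put_config are injected (boto3 calls in the
    script entry point, fakes in tests). Returns True if a change was made."""
    current = get_config()
    if not uncovered_repositories(current, list(repo_names)):
        return False
    put_config(scanType=ENHANCED_CONTINUOUS["scanType"], rules=ENHANCED_CONTINUOUS["rules"])
    return True


if __name__ == "__main__":
    import boto3  # real AWS calls only when run as a script
    ecr = boto3.client("ecr")
    repos = [r["repositoryName"] for r in ecr.describe_repositories()["repositories"]]
    changed = ensure_enhanced(
        lambda: ecr.get_registry_scanning_configuration()["scanningConfiguration"],
        ecr.put_registry_scanning_configuration,
        repos,
    )
    print("registry updated to enhanced continuous scanning" if changed
          else "all repositories already continuously scanned")
```

Switching the registry to ENHANCED is a registry-wide change and enables Inspector for ECR in the account, so run it from the account (or the Inspector delegated administrator) that is meant to own scanning, and expect an initial scan of every existing image.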
Inspector vs Macie vs GuardDuty:
| Service | Purpose |
|---|---|
| Inspector | Software vulnerabilities in compute |
| Macie | Sensitive data discovery in S3 |
| GuardDuty | Threat detection from CloudTrail, VPC Flow Logs, DNS logs and runtime monitoring (behavioral, not CVE-based) |
Practice Linked Questions
Q1. Amazon Inspector v2 is enabled in an AWS account. Which resources are continuously scanned for vulnerabilities?
Q2. Amazon Inspector detects a critical CVE in an EC2 instance's OS package. The team wants to AUTOMATICALLY patch the instance. Which workflow achieves this?
Q3. A DevSecOps team wants to ensure that container images in ECR are scanned for critical vulnerabilities continuously — not just when first pushed. Which service provides this?