Amazon Inspector
💡 Definition
Amazon Inspector is an automated vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure.
🔑 Key Concepts
- Continuous Scanning: Automatically discovers and scans running EC2 instances, container images in ECR, and Lambda functions for vulnerabilities.
- Vulnerability Database: Uses a database of Common Vulnerabilities and Exposures (CVEs) to identify known software issues.
- Network Reachability: Assesses network configurations to identify potential exposure of your EC2 instances to the internet.
- Centralized Findings: Consolidates findings from across the organization into a central dashboard.
⚙️ How it Works
- Enable Inspector: You enable it with a single click in the AWS console.
- Scan Resources: Inspector automatically discovers and begins scanning your supported resources. It uses the Systems Manager Agent (SSM Agent) for EC2 instances.
- Generate Findings: It generates detailed findings that describe the vulnerability, the affected resource, and remediation recommendations. Findings are prioritized by severity.
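The three steps above map onto a small amount of code. The following is an added example (not AWS documentation or Inspector's own code) that enables Inspector through the inspector2 API, pulls findings, and works them in severity order. The two functions that talk to AWS need boto3 and credentials; the triage logic runs offline on constructed sample findings whose account id, resource ids and CVE numbers are placeholders. Sorting by severity and fix availability is this example's own choice, not how the Inspector console orders findings.

```python
"""Enable Amazon Inspector, fetch findings, and triage them by severity (added example)."""
from collections import Counter

# Inspector severity levels, ordered from most to least urgent.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3,
                 "INFORMATIONAL": 4, "UNTRIAGED": 5}

# Constructed sample findings in the shape of the inspector2 list_findings response.
# Account id, resource ids and CVE ids are placeholders, not real data.
SAMPLE_FINDINGS = [
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-1",
     "type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "fixAvailable": "YES",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example0000000001"}],
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-0000-00001",  # placeholder id
         "vulnerablePackages": [{"name": "openssl", "version": "1.0.0",
                                 "fixedInVersion": "1.0.1"}]}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-2",
     "type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "fixAvailable": "NO",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                    "id": "arn:aws:ecr:us-east-1:111122223333:repository/app/sha256:placeholder"}],
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-0000-00002",  # placeholder id
         "vulnerablePackages": [{"name": "log4j-core", "version": "2.0.0"}]}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-3",
     "type": "NETWORK_REACHABILITY", "severity": "MEDIUM", "fixAvailable": "YES",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example0000000001"}],
     "networkReachabilityDetails": {"protocol": "TCP",
                                    "openPortRange": {"begin": 22, "end": 22}}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE-4",
     "type": "PACKAGE_VULNERABILITY", "severity": "LOW", "fixAvailable": "YES",
     "resources": [{"type": "AWS_LAMBDA_FUNCTION",
                    "id": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"}],
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-0000-00003",  # placeholder id
         "vulnerablePackages": [{"name": "requests", "version": "2.0.0",
                                 "fixedInVersion": "2.0.1"}]}},
]


def triage(findings):
    """Sort findings highest severity first; within a severity, findings with a
    fix available come first because they can be closed immediately."""
    def key(f):
        return (SEVERITY_RANK.get(f.get("severity", "UNTRIAGED"), 99),
                0 if f.get("fixAvailable") == "YES" else 1,
                f["findingArn"])
    return sorted(findings, key=key)


def summarize(findings):
    """Count findings per severity and per affected resource type."""
    by_severity = Counter(f.get("severity", "UNTRIAGED") for f in findings)
    by_resource = Counter(r["type"] for f in findings for r in f.get("resources", []))
    return {"by_severity": dict(by_severity), "by_resource": dict(by_resource)}


def remediation_line(finding):
    """Build a one-line action from the fields Inspector attaches to a finding."""
    resource = finding["resources"][0]["id"]
    if finding["type"] == "NETWORK_REACHABILITY":
        d = finding["networkReachabilityDetails"]
        ports = d["openPortRange"]
        span = (str(ports["begin"]) if ports["begin"] == ports["end"]
                else f"{ports['begin']}-{ports['end']}")
        return f"{resource}: restrict {d['protocol']} port {span} reachable from the internet"
    details = finding["packageVulnerabilityDetails"]
    pkg = details["vulnerablePackages"][0]
    fixed = pkg.get("fixedInVersion")
    if fixed:
        return f"{resource}: upgrade {pkg['name']} {pkg['version']} -> {fixed} ({details['vulnerabilityId']})"
    return (f"{resource}: no fixed version yet for {pkg['name']} {pkg['version']} "
            f"({details['vulnerabilityId']}); mitigate or isolate")


def enable_inspector(region_name):
    """Step 1: enable Inspector for this account and region (needs boto3 and credentials)."""
    import boto3
    client = boto3.client("inspector2", region_name=region_name)
    return client.enable(resourceTypes=["EC2", "ECR", "LAMBDA"])


def fetch_findings(region_name, severities=("CRITICAL", "HIGH")):
    """Step 3: pull findings at the given severities, following pagination."""
    import boto3
    client = boto3.client("inspector2", region_name=region_name)
    paginator = client.get_paginator("list_findings")
    criteria = {"severity": [{"comparison": "EQUALS", "value": s} for s in severities]}
    found = []
    for page in paginator.paginate(filterCriteria=criteria):
        found.extend(page.get("findings", []))
    return found


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_findings(region) for live data.
    print(summarize(SAMPLE_FINDINGS))
    for f in triage(SAMPLE_FINDINGS):
        print(f["severity"], remediation_line(f))
```

Step 2 (scanning) needs no code: once `enable_inspector` has run, Inspector discovers supported resources on its own, so the script only has to read what it produced. Filtering to CRITICAL and HIGH at the API rather than client side keeps the response small in accounts with thousands of findings.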
🎯 Use Cases
- Vulnerability Management: Identifying and prioritizing software vulnerabilities in your compute environments.
- Compliance: Meeting compliance requirements that mandate regular vulnerability scanning.
- Security Assessment: Continuously assessing your security posture to reduce the attack surface.
💰 Pricing Model
- Per Resource Scan: Charged based on the number of instances, container images, or Lambda functions scanned per month.
📝 Exam Tips (CLF-C02)
- Keywords: "Automated vulnerability assessment", "Vulnerability scanning", "Network exposure".
- It helps you identify security issues within your instances and container images (e.g., unpatched software).
- Contrast with AWS Trusted Advisor: Trusted Advisor provides best-practice recommendations across a broader set of categories (cost, performance, etc.), whereas Inspector focuses specifically on software vulnerabilities and network exposure.
See Also:
- EC2
- AWS Trusted Advisor
- Systems Manager