Amazon Inspector
An important component of an organization's security management is Technical Vulnerability Management: a continuous process of reviewing the exposure and vulnerability status of your applications and all of their associated components. Aligned with the Well-Architected Framework, specifically in the workload protection component, item SEC06-BP01, Perform Vulnerability Management, recommends that you “Frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats.” AWS addresses this need through Amazon Inspector. Figure 1 shows the general view. You only need to enable the service, and it automatically starts the discovery process for EC2 instances, container repositories, container images, and Lambda functions.
One of the standout features of Amazon Inspector is its ability to centrally manage multiple accounts. For organizations with complex AWS environments spanning multiple accounts, Amazon Inspector can be managed through a single delegated administrator account using AWS Organizations. This centralized approach allows for efficient management of findings data and settings across the entire organization.
Amazon Inspector eliminates the need for manual scheduling or configuration of assessment scans. It automatically discovers eligible resources and begins scanning them immediately. This continuous scanning approach ensures that your environment is constantly monitored for new vulnerabilities and network exposures, providing up-to-date security insights.
The service covers a wide range of resources within your AWS environment. It scans Amazon EC2 instances, container images stored in Amazon ECR, and Lambda functions, and it offers Lambda code scanning, which looks for code vulnerabilities in your application package dependencies. These scan types can be activated based on your specific needs. The service automatically discovers new resources as they are added to your AWS environment, so new instances, containers, or functions are immediately brought under the security umbrella of Amazon Inspector, maintaining consistent security coverage as your infrastructure evolves.
When Amazon Inspector detects a software vulnerability (matched against CVEs) or an unintended network exposure, it generates a detailed finding. These findings provide in-depth information about the issue, allowing security teams to quickly understand and address potential risks. Findings can be managed through both the Amazon Inspector console and the API, offering flexibility in how teams interact with the service.
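As an added example (not AWS's own code, and not from the original post), the following Python script shows the API side of what is described above: enabling the four scan types, paging through ACTIVE findings with boto3, and triaging them so that issues with a known exploit and an available fix are patched first. The two AWS calls assume boto3 is installed and credentials with inspector2 permissions; `triage()` and `describe()` are pure functions that run offline on the constructed sample findings, whose CVE and resource ids are placeholders.

```python
"""Added example (not AWS's code): enable Amazon Inspector scan types, pull its
findings with boto3, and triage them. The AWS calls assume boto3 plus credentials
with inspector2 rights; triage() and describe() run offline on the sample below."""
from collections import Counter
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4, "UNTRIAGED": 5}

def enable_scanning(resource_types=("EC2", "ECR", "LAMBDA", "LAMBDA_CODE"), region="us-east-1"):
    """Switch on the four scan types the post describes via the inspector2 Enable API."""
    import boto3
    return boto3.client("inspector2", region_name=region).enable(resourceTypes=list(resource_types))

def fetch_active_findings(region="us-east-1"):
    """Page through every ACTIVE finding (closed and suppressed ones are excluded by the filter)."""
    import boto3
    pages = boto3.client("inspector2", region_name=region).get_paginator("list_findings")
    active = {"findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}
    return [f for page in pages.paginate(filterCriteria=active) for f in page["findings"]]

def triage(findings, min_severity="HIGH"):
    """Keep findings >= min_severity, ordered: known exploit first, then severity, fixable first, then score."""
    cutoff = SEVERITY_RANK[min_severity]
    kept = [f for f in findings if SEVERITY_RANK.get(f.get("severity"), 99) <= cutoff]
    kept.sort(key=lambda f: (f.get("exploitAvailable") != "YES", SEVERITY_RANK[f["severity"]],
                             f.get("fixAvailable") != "YES", -f.get("inspectorScore", 0)))
    summary = {"by_severity": dict(Counter(f["severity"] for f in kept)),
               "by_resource_type": dict(Counter(r["type"] for f in kept for r in f.get("resources", []))),
               "fixable": sum(f.get("fixAvailable") == "YES" for f in kept)}
    return kept, summary

def describe(finding):
    """One line per finding: CVE id (or title for network-reachability findings) and package fix status."""
    details = finding.get("packageVulnerabilityDetails", {})
    pkgs = ", ".join(f"{p['name']} {p['version']} -> {p.get('fixedInVersion', 'no fix')}"
                     for p in details.get("vulnerablePackages", []))
    return f"[{finding['severity']}] {details.get('vulnerabilityId', finding.get('title'))}: {pkgs or finding['type']}"

# Constructed sample shaped like ListFindings output; CVE ids and resource ids are placeholders.
SAMPLE_FINDINGS = [
    {"severity": "HIGH", "type": "PACKAGE_VULNERABILITY", "exploitAvailable": "YES", "fixAvailable": "YES",
     "inspectorScore": 8.1, "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-PLACEHOLDER"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001", "vulnerablePackages": [
         {"name": "openssl", "version": "1.1.1", "fixedInVersion": "1.1.1w"}]}},
    {"severity": "CRITICAL", "type": "PACKAGE_VULNERABILITY", "exploitAvailable": "NO", "fixAvailable": "NO",
     "inspectorScore": 9.8, "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:PLACEHOLDER"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002", "vulnerablePackages": [
         {"name": "libfoo", "version": "2.0"}]}},
    {"severity": "MEDIUM", "type": "NETWORK_REACHABILITY", "fixAvailable": "YES", "inspectorScore": 5.0,
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-PLACEHOLDER"}], "title": "Port 22 reachable from an internet gateway"},
]

if __name__ == "__main__":  # swap SAMPLE_FINDINGS for fetch_active_findings() against a live account
    ordered, summary = triage(SAMPLE_FINDINGS, "MEDIUM")
    print(summary, *map(describe, ordered), sep="\n")
```

The same ordering logic works on the output of `fetch_active_findings()`, so the script can feed a ticketing or patching workflow directly from what Inspector reports.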
Amazon Inspector integrates seamlessly with AWS Security Hub, providing a centralized view of security alerts and compliance status. This integration allows for a more holistic approach to security management within your AWS environment.
Thant Zin Phyo@Cracky (MCT, MCE, MVP, AWS CB)