Amazon Inspector

Last updated on November 30, 2025

Amazon Inspector Cheat Sheet

  • Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.

    • Legacy Note: This service replaces “Amazon Inspector Classic.” Inspector Classic required manual scheduling and custom agents; the new Inspector is continuous, automated, and integrated with AWS Organizations.

  • Key Capabilities

    • Continuous Scanning: Automatically detects new resources and scans them immediately. It re-scans resources whenever changes occur (e.g., new software installed, new CVE released).

    • Multi-Resource Coverage: Scans Amazon EC2 instances, Amazon ECR container images, AWS Lambda functions, and Developer Code (CI/CD).

    • Centralized Management: Integrated with AWS Organizations, allowing a delegated administrator to manage findings for all member accounts.

    • Automatic Scan Mode Selection: Inspector automatically chooses the best available scan mode (agent-based or agentless) for each EC2 instance.

Features

  • Inspector provides an engine that analyzes system and resource configuration and monitors activity to determine what an assessment target looks like, how it behaves, and its dependent components. The combination of this telemetry provides a complete picture of the assessment target and its potential security or compliance issues.
  • Inspector incorporates a built-in library of rules and reports. These include checks against best practices, common compliance standards and vulnerabilities.
  • Automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems.
  • Inspector is an API-driven service that uses an optional agent, making it easy to deploy, manage, and automate.

Concepts

  • Findings: Potential security issues detected during scans (exploitable vulnerabilities, network exposure, package risks, code issues).
  • Severity Levels:
    • Critical / High / Medium / Low — indicate risk impact on confidentiality, integrity, or availability.

    • Informational — highlights non-critical configuration details.

  • Network Exposure Analysis: Inspector determines whether EC2 instance ports are reachable from external sources (e.g., internet gateway, VPC peering, VPN). It highlights overly permissive security groups, ACLs, and other misconfigurations.
  • Resource Inventory: Inspector collects metadata such as installed packages, versions, Lambda layers, container base images, and software dependencies.
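The finding attributes above (severity, exploit and fix availability, network reachability through an internet gateway) are what a responder combines when deciding what to fix first. The script below is an added example, not code from the page or from AWS: it triages constructed inspector2-style finding records offline, scoring each one so that severity dominates and exploitability, internet exposure and an available fix raise the priority. All ARNs, instance ids and CVE ids in the sample are placeholders.

```python
# Offline triage of Amazon Inspector (inspector2) findings. SAMPLE_FINDINGS is
# constructed for this example and mimics the record shape returned by boto3's
# client("inspector2").list_findings; a real pipeline would page through that call.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}
IGW = "AWS::EC2::InternetGateway"

# Constructed sample data: placeholder ARNs, instance ids and CVE ids.
SAMPLE_FINDINGS = [
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f-1",
     "type": "PACKAGE_VULNERABILITY", "severity": "HIGH",
     "exploitAvailable": "YES", "fixAvailable": "YES",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder1"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001",
         "vulnerablePackages": [{"name": "openssl", "version": "1.0.2",
                                 "fixedInVersion": "1.0.2k"}]}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f-2",
     "type": "NETWORK_REACHABILITY", "severity": "MEDIUM",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder1"}],
     "networkReachabilityDetails": {"protocol": "TCP",
         "openPortRange": {"begin": 22, "end": 22},
         "networkPath": {"steps": [{"componentType": IGW, "componentId": "igw-0placeholder"}]}}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f-3",
     "type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL",
     "exploitAvailable": "NO", "fixAvailable": "NO",
     "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": "placeholder-function"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002",
         "vulnerablePackages": [{"name": "requests", "version": "2.0.0"}]}},
]

def internet_reachable(finding):
    """True when a network-reachability path includes an internet gateway."""
    details = finding.get("networkReachabilityDetails", {})
    steps = details.get("networkPath", {}).get("steps", [])
    return any(step.get("componentType") == IGW for step in steps)

def priority(finding):
    """Severity dominates; exploit availability, internet exposure and a fix raise the score."""
    score = SEVERITY_RANK.get(finding.get("severity"), 0) * 10
    score += 5 if finding.get("exploitAvailable") == "YES" else 0
    score += 4 if internet_reachable(finding) else 0
    score += 2 if finding.get("fixAvailable") == "YES" else 0  # actionable now
    return score

def triage(findings):
    """Return (priority, findingArn, resource id) tuples, most urgent first."""
    rows = [(priority(f), f["findingArn"], f["resources"][0]["id"]) for f in findings]
    return sorted(rows, key=lambda r: (-r[0], r[1]))
```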

Scanning Engines

  • EC2 Scanning:

    • Agent-Based (SSM): Uses the AWS Systems Manager (SSM) Agent to inspect the software inventory of instances. No separate “Inspector Agent” is required.

    • Agentless (Hybrid): Scans EC2 instances without an agent by taking a snapshot of the EBS volume and analyzing it. Useful for unmanaged or “hardened” instances where agents cannot be installed.

  • ECR Scanning:

    • On-Push: Scans container images automatically when they are pushed to the registry.

    • Continuous: Continuously re-scans images when new vulnerabilities (CVEs) are added to the database.

  • Lambda Scanning:

    • Standard Scanning: Scans application dependencies (e.g., Python pip packages, Node.js npm modules) within the Lambda function and layers.

    • Code Scanning: Scans your custom application code for security vulnerabilities (e.g., injection flaws, data leaks, hardcoded secrets).

  • CIS Benchmarks:

    • Runs on-demand or scheduled assessments against Center for Internet Security (CIS) configuration benchmarks for operating systems (e.g., “CIS Amazon Linux 2 Benchmark Level 1”).

Assessment Reports

  • Inspector findings can be exported or viewed in the AWS Console or Security Hub.
  • Findings report includes:
    • Executive summary

    • Affected resources (EC2, Lambda, ECR, etc.)

    • Vulnerability details and CVE references

    • Recommended remediation steps

    • Package or code component involved

  • You can generate detailed exportable reports for audits or compliance reviews.

Amazon Inspector Pricing

  • Pricing depends on the resource type scanned.
| Resource Type | Feature | Estimated Cost (US East 1) |
| --- | --- | --- |
| EC2 Instances | Agent-Based (SSM) | ~$1.25 per instance/month |
| EC2 Instances | Agentless | ~$1.75 per instance/month |
| ECR Containers | Initial Image Scan | $0.09 per image pushed |
| ECR Containers | Continuous Rescan | $0.01 per rescan |
| AWS Lambda | Standard Scanning | $0.30 per function/month |
| AWS Lambda | Code Scanning | +$0.60 per function/month (Total: $0.90) |
| Code Security | CI/CD / Repository | $0.15 per scan |

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

Amazon Inspector Cheat Sheet References:
https://docs.aws.amazon.com/inspector/latest/userguide
https://aws.amazon.com/inspector/pricing/
https://aws.amazon.com/inspector/faqs/

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
