Amazon Inspector FAQs

General

Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2), AWS Lambda functions, and container images in Amazon ECR and within continuous integration and continuous delivery (CI/CD) tools, in near-real time for software vulnerabilities and unintended network exposure.

Amazon Inspector removes the operational overhead associated with deploying and configuring a vulnerability management solution by allowing you to deploy Amazon Inspector across all accounts with a single step. Additional benefits include:

  • Automated discovery and continual scanning that delivers near real-time vulnerability findings
  • Central management, configuration, and view of findings for all your organization’s accounts by setting a Delegated Administrator (DA) account
  • A highly contextualized and meaningful Amazon Inspector risk score for each finding to help you set more accurate response priorities
  • An intuitive Amazon Inspector dashboard for coverage metrics, including accounts, Amazon EC2 instances, Lambda functions, and container images in Amazon ECR and within CI/CD tools, in near-real time.
  • Maximize vulnerability assessment coverage by seamlessly scanning EC2 instances, switching between agent-based and agentless scanning (preview).
  • Centrally manage software bill of materials (SBOM) exports for all monitored resources. 
  • Integration with AWS Security Hub and Amazon EventBridge to automate workflows and ticket routing

You can deactivate Amazon Inspector Classic by simply deleting all assessment templates in your account. To access findings for existing assessment runs, you can download them as reports or export them using the Amazon Inspector API. You can activate the new Amazon Inspector with a few steps in the AWS Management Console, or by using the new Amazon Inspector APIs. You can find the detailed migration steps in the Amazon Inspector Classic User Guide.

Amazon Inspector has been rearchitected and rebuilt to create a new vulnerability management service. Here are the key enhancements over Amazon Inspector Classic:

  • Built for scale: The new Amazon Inspector is built for scale and the dynamic cloud environment. There’s no limit to the number of instances or images that can be scanned at a time.
  • Support for container images and Lambda functions: The new Amazon Inspector also scans container images residing in Amazon ECR and within CI/CD tools, and Lambda functions for software vulnerabilities. Container-related findings are also pushed to the Amazon ECR console.
  • Support for multi-account management: The new Amazon Inspector is integrated with AWS Organizations, allowing you to delegate an administrator account for Amazon Inspector for your organization. This Delegated Administrator (DA) account is a centralized account that consolidates all findings and can configure all member accounts.
  • AWS Systems Manager Agent: With the new Amazon Inspector, you no longer need to install and maintain a standalone Amazon Inspector agent on all of your Amazon EC2 instances. The new Amazon Inspector uses the widely deployed AWS Systems Manager Agent (SSM Agent), which removes that need.
  • Automated and continual scanning: The new Amazon Inspector automatically detects all newly launched Amazon EC2 instances, Lambda functions, and eligible container images pushed to Amazon ECR and immediately scans them for software vulnerabilities and unintended network exposure. When an event occurs that may introduce a new vulnerability, the involved resources are automatically rescanned. Events that initiate rescanning a resource include installing a new package in an EC2 instance, installing a patch, and when a new common vulnerabilities and exposures (CVE) that impacts the resource is published.
  • Amazon Inspector risk score: The new Amazon Inspector calculates an Inspector risk score by correlating up-to-date CVE information with temporal and environmental factors such as network accessibility and exploitability information to add context to help prioritize your findings.
  • Vulnerability assessment coverage: The new Amazon Inspector enhances vulnerability assessment by seamlessly scanning EC2 instances and switching between agent-based and agentless scanning (preview).
  • Software bill of materials (SBOM) export: The new Amazon Inspector centrally manages and exports SBOM for all monitored resources. 

Yes, you can use both simultaneously in the same account.

 

  Amazon Inspector container image scanning (ECR enhanced scanning) Amazon ECR native container image scanning (ECR basic scanning)

Scanning engine

Amazon Inspector is a vulnerability management service developed by AWS that has built-in support for container images residing in Amazon ECR

Amazon ECR offers a managed AWS native basic scanning solution

Package coverage

Identifies vulnerabilities in both operating system (OS) packages and programming language (such as Python, Java, and Ruby) packages

Identifies software vulnerabilities only in OS packages

Scanning frequency

Offers both continual scanning and on-push scanning

Offers only on-push scanning

Vulnerability intelligence Provides enhanced vulnerability intelligence such as whether an exploit is available for a CVE, fixed in package version remediation guidance, EPSS scores, and malware kits being used to exploit a CVE

Provides only basic information about a software vulnerability

Findings

Findings are available in both the Amazon Inspector and Amazon ECR consoles, as well as the Amazon Inspector and Amazon ECR Application Programming Interface (APIs) and Software Development Kit (SDK)

Findings are available in the Amazon ECR console and Amazon ECR APIs and SDK

Vulnerability scoring

Provides a contextual Inspector score and Common Vulnerability Scoring System (CVSS) v2 and v3 scores from both National Vulnerability Database (NVD) and vendors

CVSS v3 and v2 scores only

AWS service integrations

Integrated with AWS Security Hub, AWS Organizations, and AWS EventBridge

No built-in integrations with other AWS services are available

See the Amazon Inspector pricing page for full pricing details.

All accounts new to Amazon Inspector are eligible for a 15-day free trial to evaluate the service and estimate its cost. During the trial, all eligible Amazon EC2 instances, AWS Lambda functions, and container images pushed to Amazon ECR are continually scanned at no cost. You can also review estimated spend in the Amazon Inspector console.

Amazon Inspector is available globally. Specific availability by Region is listed here.

Getting started

You can activate Amazon Inspector for your entire organization or an individual account with a few steps in the AWS Management Console. Once activated, Amazon Inspector automatically discovers running Amazon EC2 instances, Lambda functions, and Amazon ECR repositories and immediately starts continually scanning workloads for software vulnerabilities and unintended network exposure. If you’re new to Amazon Inspector, there’s a 15-day free trial as well.

An Amazon Inspector finding is a potential security vulnerability. For example, when Amazon Inspector detects software vulnerabilities or open network paths to your compute resources, it creates security findings.

Yes. Amazon Inspector is integrated with AWS Organizations. You can assign a DA account for Amazon Inspector, which acts as the primary administrator account for Amazon Inspector and can manage and configure it centrally. The DA account can centrally view and manage findings for all the accounts that are part of your AWS organization.

The AWS Organizations Management account can assign a DA account for Amazon Inspector in the Amazon Inspector console or by using Amazon Inspector APIs.

If you’re starting Amazon Inspector for the first time, all scanning types, including EC2 scanning, Lambda scanning, and ECR container image scanning are activated by default. However, you can deactivate any or all of these across all accounts in your organization. Existing users can activate new features in the Amazon Inspector console or by using Amazon Inspector APIs.

No, you don’t need an agent for scanning. For vulnerability scanning of Amazon EC2 instances, you can use the AWS Systems Manager Agent (SSM Agent) for an agent-based solution. Amazon Inspector also offers agentless scanning (preview) if you don’t have the SSM Agent deployed or configured. For assessing network reachability of Amazon EC2 instances, vulnerability scanning of container images, or vulnerability scanning of Lambda functions, no agents are necessary. 

To successfully scan Amazon EC2 instances for software vulnerabilities, Amazon Inspector requires that these instances are managed by AWS Systems Manager and the SSM agent. See Systems Manager prerequisites in the AWS Systems Manager User Guide for instructions to activate and configure Systems Manager. For information about managed instances, see the Managed Instances section in the AWS Systems Manager User Guide.

Amazon Inspector supports the configuration of inclusion rules to select which ECR repositories are scanned. Inclusion rules can be created and managed under the registry settings page within the ECR console or using ECR APIs. The ECR repositories that match the inclusion rules are configured for scanning. Detailed scanning status of repositories is available in both the ECR and Amazon Inspector consoles.

Working with Amazon Inspector

The Environmental Coverage panel in the Amazon Inspector dashboard shows the metrics for accounts, Amazon EC2 instances, Lambda functions, and ECR repositories being actively scanned by Amazon Inspector. Each instance and image have a scanning status: Scanning or Not Scanning. Scanning means the resource is continually being scanned in near real time. A status of Not Scanning could mean the initial scan has not been performed yet, the OS is unsupported, or something else is preventing the scan.

All scans are automatically performed based on events. All workloads are initially scanned upon discovery and subsequently rescanned.

  • For Amazon EC2 instances: For SSM agent-based scans, rescans are started when a new software package is installed or uninstalled on an instance, when a new CVE is published, and after a vulnerable package is updated (to confirm there are no additional vulnerabilities). For agentless scans, scans are performed every 24 hours.
  • For Amazon ECR container images: Automated re-scans are started for eligible container images when a new CVE affecting an image is published. The automated rescans for container images are based on the rescan durations configured for both image push date and pull date in the Amazon Inspector console or APIs. If the push date of an image is less than the configured “Push date rescan duration” and image has been pulled within the configured “Pull date rescan duration”, the container image will continue to be monitored and automated rescans are started when a new CVE affecting an image is published. Available re-scan duration configurations for image push date are 90 days (by default), 14 days, 30 days, 60 days, 180 days, or lifetime. The rescan duration configurations for image pull date are 90 days (by default), 14 days, 30 days, 60 days, or 180 days.
  • For Lambda functions: All new Lambda functions are initially assessed upon discovery, and continually reassessed when there is an update to the Lambda function or a new CVE is published.

Container images residing in Amazon ECR repositories that are configured for continual scanning are scanned for the duration configured in the Amazon Inspector console or APIs. Available rescan duration configurations for image push date are 90 days (by default), 14 days, 30 days, 60 days, 180 days, or lifetime. The rescan duration configurations for image pull date are 90 days (by default), 14 days, 30 days, 60 days, or 180 days.

 

  • When Amazon Inspector ECR scanning is activated, Amazon Inspector only picks up images pushed or pulled in last 30 days for scanning, but continually scans them for the rescan duration configured for push and pull date. i.e, 90 days (by default), 14 days, 30 days, 60 days, 180 days, or lifetime. If the push date of an image is less than the configured “Push date rescan duration” AND image has been pulled within the configured “Pull date rescan duration”, the container image will continue to be monitored and automated rescans are started when a new CVE affecting an image is published. For example, when activating Amazon Inspector ECR scanning, Amazon Inspector will pick up images pushed or pulled in the last 30 days for scanning. However post-activation, if you select 180 days rescan duration for both push date and pull date configurations, Amazon Inspector will continue to scan the images if they were pushed in the last 180 days or have been pulled at least once in the last 180 days. If an image hasn’t been push or pulled in the last 180 days, Amazon Inspector will stop monitoring it.
  • All images pushed to ECR after Amazon Inspector ECR scanning is activated are continually scanned for the duration configured in “Push date rescan duration” and “Pull date rescan duration”. Available rescan duration configurations for image push date are 90 days (by default), 14 days, 30 days, 60 days, 180 days, or lifetime. The rescan duration configurations for image pull date are 90 days (by default), 14 days, 30 days, 60 days, or 180 days. The automated re-scan duration is calculated based on last push or pull date of a container image. For example, after activating Amazon Inspector ECR scanning, if you select 180 days rescan duration for both push data and pull date configurations, Amazon Inspector will continue to scan the images if they were pushed in the last 180 days or have been pulled at least once in the last 180 days. However, if an image hasn’t been pushed or pulled in the last 180 days, Amazon Inspector will stop monitoring it.
  • If the image is in “scan eligibility expired” state, you can pull the image to bring it back under Amazon Inspector monitoring. The image will be continually scanned for the push and pull date rescan durations configured from the last pulled date.
  • For Amazon EC2 instances: Yes, an EC2 instance can be excluded from scanning by adding a resource tag. You can use the key ‘InspectorEc2Exclusion’, and value is <optional>.
  • For container images residing in Amazon ECR: Yes. Although you can select which Amazon ECR repositories are configured for scanning, all images within a repository will be scanned. You can create inclusion rules to select which repositories should be scanned.
  • For Lambda functions: Yes, a Lambda function can be excluded from scanning by adding a resource tag. For standard scanning, use the key 'InspectorExclusion' and the value 'LambdaStandardScanning'. For code scanning, use the key 'InspectorCodeExclusion' and the value 'LambdaCodeScanning'.

In a multi-account structure, you can activate Amazon Inspector for Lambda vulnerabilities assessments for all your accounts within the AWS Organization from the Amazon Inspector console or APIs through the Delegated Administrator (DA) account, while other member accounts can activate Amazon Inspector for their own account if the central security team hasn’t already activated it for them. Accounts that are not a part of the AWS Organization can activate Amazon Inspector for their individual account through the Amazon Inspector console or APIs.

Amazon Inspector will continually monitor and assess only the $LATEST version. Automated rescans will continue only for the latest version, so new findings will be generated only for the latest version. In the console, you will be able to see the findings from any version by selecting the version from the dropdown.

No. You have two options: either activate Lambda standard scanning alone or enable Lambda standard and code scanning together. Lambda standard scanning provides fundamental security protection against vulnerable dependencies used in the application deployed as Lambda functions and association layers. Lambda code scanning provides additional security value by scanning your custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or embedded secrets.

Changing the default SSM inventory collection frequency can have an impact on the continual nature of scanning. Amazon Inspector relies on SSM Agent to collect the application inventory to generate findings. If the application inventory duration is increased from the default of 30 minutes, that will delay the detection of changes to the application inventory, and new findings might be delayed.

The Amazon Inspector risk score is a highly contextualized score that is generated for each finding by correlating common vulnerabilities and exposures (CVE) information with network reachability results, exploitability data, and social media trends. This makes it easier for you to prioritize findings and focus on the most critical findings and vulnerable resources. You can see how the Inspector risk score was calculated and which factors influenced the score in the Inspector Score tab within the Findings Details side panel.

For example: There is a new CVE identified on your Amazon EC2 instance, which can only be exploited remotely. If the Amazon Inspector continual network reachability scans also discover that the instance is not reachable from the internet, it knows that the vulnerability is less likely to be exploited. Therefore, Amazon Inspector correlates the scan results with the CVE to adjust the risk score downward, more accurately reflecting the impact of the CVE on that particular instance.

Amazon Inspector Score  Severity 
0 Informational
0.2–3.9 Low
4.0–6.9 Medium
7.0–8.9 High
9.0–10.0 Critical

Amazon Inspector allows you to suppress findings based on the customized criteria you define. You can create suppression rules for findings that are considered acceptable by your organization.

You can generate reports in multiple formats (CSV or JSON) with a few steps in the Amazon Inspector console or through the Amazon Inspector APIs. You can download a full report with all findings, or generate and download a customized report based on the view filters set in the console.

No. You have two options: either activate Lambda standard scanning alone or enable Lambda standard and code scanning together. Lambda standard scanning provides fundamental security protection against vulnerable dependencies used in the application deployed as Lambda functions and association layers. Lambda code scanning provides additional security value by scanning your custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or embedded secrets.

You can generate and export SBOMs for all resources monitored with Amazon Inspector, in multiple formats (CycloneDx or SPDX), with a few steps in the Amazon Inspector console or through the Amazon Inspector APIs. You can download a full report with SBOM for all resources, or selectively generate and download SBOMs for a few select resources based on the set view filters.

For existing Amazon Inspector customers using a single account, you can enable agentless scanning (preview) by visiting the account management page within the Amazon Inspector console or using APIs.

For existing Amazon Inspector customers using AWS Organizations, your Delegated Admin needs to either completely migrate the entire organization to an agentless solution or continue using the SSM agent-based solution exclusively. You can change the scan mode  configuration from the EC2 settings page in the console or through APIs.

For new Amazon Inspector customers, during the agentless scanning preview period, instances are scanned in agent-based scan mode when you enable EC2 scanning. You can switch to hybrid scan mode if needed. In the hybrid scan mode, Amazon Inspector relies on SSM Agents for application inventory collection to perform vulnerability assessments and automatically falls back on agentless scanning for instances that don’t have SSM Agents installed or configured.

Amazon Inspector will automatically trigger a scan every 24 hours for instances that are marked for agentless scanning (preview). There will be no change to the continuous scanning behavior for instances marked for SSM agent-based scans. 

You can see the scanning mode in the ‘monitored using’ column by simply visiting the resource coverage pages in the Amazon Inspector console or by using Amazon Inspector coverage APIs. 

No, in a multi-account setup, only delegated admins can set up scan mode configuration for the complete organization.

Application and platform teams can integrate Amazon Inspector into their build pipelines using purpose-built Amazon Inspector plugins designed for various CI/CD tools, such as Jenkins and TeamCity. These plugins are available in the marketplace of each respective CI/CD tool. Once the plugin is installed, you can add a step in the pipeline to perform an assessment of the container image and take actions, such as blocking the pipeline based on the assessment results. When vulnerabilities are identified in the assessment, actionable security findings are generated. These findings include vulnerability details, remediation recommendations, and exploitability details. They are returned to the CI/CD tool in both JSON and CSV formats, which can then be translated into a human-readable dashboard by the Amazon Inspector plugin or can be downloaded by teams.

No, you don’t need to enable Amazon Inspector to use this feature provided you have an active AWS account.

Yes. Amazon Inspector uses SSM Agent to collect application inventory, which can be set up as Amazon Virtual Private Cloud (VPC) endpoints to avoid sending information over the internet.

You can find the list of operating systems (OS) supported here.

You can find the list of programming language packages supported here.

Yes. Instances that use NAT are automatically supported by Amazon Inspector.

Yes. See how to configure SSM Agent to use a proxy for more information.

Amazon Inspector integrates with Amazon EventBridge to provide notification for events such as a new finding, change of state of a finding, or creation of a suppression rule. Amazon Inspector also integrates with AWS CloudTrail for call logging.

Yes. You can run Amazon Inspector to perform on-demand and targeted assessments against OS-level CIS configuration benchmarks for Amazon EC2 instances across your AWS Organization.

Yes. See Amazon Inspector Partners for more information.

Yes. You can deactivate all scanning types (Amazon EC2 scanning, Amazon ECR container image scanning, and Lambda function scanning) by deactivating the Amazon Inspector service, or you can deactivate each scanning type individually for an account.

No. Amazon Inspector does not support a suspended state.