Amazon Inspector — Vulnerability Assessment

Continuous scanning for EC2, container images, and Lambda functions

What does Inspector do?

Amazon Inspector is a vulnerability management service that automatically discovers workloads and assesses them for software vulnerabilities and unintended network exposure. It produces findings with severity scores (often aligned to CVSS) and rich metadata to help you prioritize patching, image rebuilds, and security group tightening.

Scanning types

| Target | What is evaluated |
| --- | --- |
| Amazon EC2 | Instance OS packages via SSM agent-based scanning; network reachability from the Internet/VPC where configured. |
| Container images | Images in Amazon ECR (push or continuous re-scan); package and language-ecosystem CVEs. |
| AWS Lambda | Function code and dependencies for known vulnerabilities (language/runtime dependent). |

How it works (agent-based assessment)

  1. Enable Inspector in the account (delegated admin supported via Organizations).
  2. For EC2, instances report inventory through the AWS Systems Manager (SSM) agent; Inspector correlates package versions with vulnerability intelligence.
  3. For ECR, scans run on image layers after push or on a schedule you configure.
  4. Findings are stored in Inspector and can be forwarded to Security Hub, EventBridge, and ticketing.

Network reachability analysis models network paths (security groups, NACLs, ALB/NLB) to highlight resources where an open path coincides with unpatched CVEs.

Finding severity levels

Inspector surfaces severities such as Critical, High, Medium, Low, and Informational, using vendor/CVE scoring where available. Use the Inspector score together with the exploitability and network exposure fields to triage beyond the raw CVSS value.

CVE database integration

Inspector consumes national vulnerability databases and vendor advisories, mapping installed package versions on your assets to CVE IDs. Each finding typically includes CVE reference, affected package, fixed version (if any), and remediation guidance. Patch cadence in CI/CD (rebuild golden AMIs, retag container images) closes the loop.

Integration with AWS Security Hub

When integration is enabled, Inspector findings appear as Security Hub controls and findings, enabling cross-service dashboards, automated response, and correlation with GuardDuty and Config. Use Hub automation rules to route findings that combine a critical CVE with internet exposure to on-call channels.
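The triage rule from the severity section (Inspector score plus exploitability and network exposure) and the routing rule above (critical CVE combined with internet exposure goes to on-call), worked through as an added example. This is not AWS code and not part of the page: the finding records follow the Inspector v2 finding JSON shape as I understand it (severity, inspectorScore, exploitAvailable, fixAvailable, resources, packageVulnerabilityDetails, networkReachabilityDetails), the EventBridge source and detail-type strings are assumed, the sample findings and account/region values are constructed, and the CVE ids are placeholders. It joins package-vulnerability findings to network-reachability findings on the same resource id, which is how the "open CVE plus open path" combination is surfaced.

```python
"""Triage Amazon Inspector findings using exploitability and network exposure.

Added example, not AWS code. Finding records follow the Inspector v2 finding JSON
shape as the author of this example understands it; check the field names against
your own ListFindings output. All values are constructed; CVE ids are placeholders.
"""

SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2,
                 "INFORMATIONAL": 1, "UNTRIAGED": 0}
ARN = "arn:aws:inspector2:us-east-1:111122223333:finding/"  # constructed account/region

def _pkg_finding(n, sev, score, exploit, fix, res_type, res_id, cve, pkg, ver, fixed):
    """Build a constructed PACKAGE_VULNERABILITY finding record."""
    return {"findingArn": ARN + n, "type": "PACKAGE_VULNERABILITY", "severity": sev,
            "inspectorScore": score, "exploitAvailable": exploit, "fixAvailable": fix,
            "resources": [{"type": res_type, "id": res_id}],
            "packageVulnerabilityDetails": {"vulnerabilityId": cve, "vulnerablePackages": [
                {"name": pkg, "version": ver, "fixedInVersion": fixed}]}}

SAMPLE_FINDINGS = [
    _pkg_finding("example-1", "HIGH", 7.8, "YES", "YES", "AWS_EC2_INSTANCE", "i-0exampleweb",
                 "CVE-0000-0001", "openssl", "1.0.0", "1.0.1"),
    _pkg_finding("example-2", "CRITICAL", 9.8, "NO", "YES", "AWS_EC2_INSTANCE", "i-0exampledb",
                 "CVE-0000-0002", "libxml2", "2.9.0", "2.9.1"),
    _pkg_finding("example-3", "MEDIUM", 5.3, "NO", "NO", "AWS_ECR_CONTAINER_IMAGE",
                 "app@sha256:example", "CVE-0000-0003", "lodash", "4.17.0", None),
    # Reachability finding: the web instance has a path from an internet gateway on TCP/443.
    {"findingArn": ARN + "example-4", "type": "NETWORK_REACHABILITY", "severity": "INFORMATIONAL",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0exampleweb"}],
     "networkReachabilityDetails": {"protocol": "TCP", "openPortRange": {"begin": 443, "end": 443},
         "networkPath": {"steps": [
             {"componentType": "AWS::EC2::InternetGateway", "componentId": "igw-0example"},
             {"componentType": "AWS::EC2::SecurityGroup", "componentId": "sg-0example"},
             {"componentType": "AWS::EC2::Instance", "componentId": "i-0exampleweb"}]}}},
]

def internet_exposed_resources(findings):
    """Resource ids whose NETWORK_REACHABILITY path includes an internet gateway."""
    exposed = set()
    for f in findings:
        if f.get("type") != "NETWORK_REACHABILITY":
            continue
        path = f.get("networkReachabilityDetails", {}).get("networkPath", {})
        if any(s.get("componentType") == "AWS::EC2::InternetGateway"
               for s in path.get("steps", [])):
            exposed.update(r["id"] for r in f.get("resources", []))
    return exposed

def triage_tier(finding, exposed):
    """P1..P4: severity first, escalated by a public exploit and by internet exposure."""
    sev = SEVERITY_RANK.get(finding.get("severity", "UNTRIAGED"), 0)
    exploit = finding.get("exploitAvailable") == "YES"
    on_exposed = any(r["id"] in exposed for r in finding.get("resources", []))
    if sev >= 4 and exploit and on_exposed:
        return "P1"
    if sev >= 4 and (exploit or on_exposed):
        return "P2"
    if sev >= 4 or (sev == 3 and (exploit or on_exposed)):
        return "P3"
    return "P4"

def remediation(finding):
    """Remediation text from the fixedInVersion field, or a holding action if none."""
    pkgs = finding.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", [])
    if finding.get("fixAvailable") == "YES":
        return "; ".join(f"upgrade {p['name']} {p['version']} -> {p['fixedInVersion']}"
                         for p in pkgs)
    return "no vendor fix yet: reduce exposure and track the advisory"

def triage(findings):
    """Rank package findings; reachability findings only supply exposure context."""
    exposed = internet_exposed_resources(findings)
    rows = [{"finding": f["findingArn"].rsplit("/", 1)[-1],
             "cve": f["packageVulnerabilityDetails"]["vulnerabilityId"],
             "tier": triage_tier(f, exposed),
             "inspector_score": f.get("inspectorScore", 0.0),
             "remediation": remediation(f)}
            for f in findings if f.get("type") == "PACKAGE_VULNERABILITY"]
    return sorted(rows, key=lambda r: (r["tier"], -r["inspector_score"]))

# EventBridge-style pattern routing exploitable CRITICAL/HIGH findings to on-call.
# The source and detail-type strings are assumed; confirm them against your own events.
ONCALL_PATTERN = {"source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"],
                  "detail": {"severity": ["CRITICAL", "HIGH"], "exploitAvailable": ["YES"]}}

def matches_pattern(event, pattern):
    """Minimal EventBridge-style matcher: lists are exact alternatives, dicts nest."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not (isinstance(event[key], dict) and matches_pattern(event[key], want)):
                return False
        elif event[key] not in want:
            return False
    return True

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row["tier"], row["cve"], row["finding"], row["remediation"])
```

Note the ordering this produces: the HIGH finding with a public exploit on the internet-reachable instance ranks above the CRITICAL finding on the internal-only instance, which is exactly the point of triaging beyond raw CVSS. The pattern matcher is a simplification of EventBridge matching (exact-match lists and nested objects only); it is enough to check that a rule would fire before you deploy it.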

Inspector Classic vs modern Amazon Inspector

| Topic | Inspector Classic (legacy) | Current Amazon Inspector |
| --- | --- | --- |
| Model | Assessment templates, per-run assessments, optional agents/rules packages. | Fully managed continuous scanning with auto-discovery. |
| Agents | Often required for deep assessment packages. | EC2 relies on the SSM inventory path; ECR/Lambda are API-driven. |
| Rules | Predefined rule packages (CVE, CIS benchmarks, etc.) selected per template. | Unified vulnerability and network exposure findings with ongoing updates. |
| Recommendation | Migrate off Classic; APIs and console differ. | Use for new designs; integrate with Security Hub and CI image gates. |