Lalit's Cloud & DevOps notes

Inspector

3 min read

Amazon Inspector — Automated security assessment service that scans applications for vulnerabilities.

Overview

Amazon Inspector automatically discovers software vulnerabilities in your EC2 instances, ECR container images, and Lambda functions.

Key Insight: Inspector is like an automated security auditor — it continuously scans your compute resources for known vulnerabilities (CVEs) and security best practice violations.

Core Inspector Concepts

ConceptDescriptionKey Point
Assessment TargetWhat to scan (EC2 instances, ECR images, Lambda)Define scope
VulnerabilityKnown security issue (CVE)Severity levels
FindingDetected vulnerabilityContains details, severity, fix info
ScanInspection processCan be continuous or one-time
Network ReachabilityIdentifies exposed network pathsShows attack surface

How Inspector Works

flowchart TD
    subgraph Inputs["Resources to Scan"]
        EC2["EC2 Instances"]
        ECR["ECR Images"]
        LAMBDA["Lambda Functions"]
    end

    DISC["Discovery and Scan Setup<br/>Agent-based or agentless"]
    CVE["CVE and Package Analysis"]
    NET["Network Reachability Analysis"]
    FIND["Generate Findings<br/>Severity + remediation guidance"]

    EC2 --> DISC
    ECR --> DISC
    LAMBDA --> DISC
    DISC --> CVE --> NET --> FIND

    FIND --> HUB["Security Hub<br/>(centralized findings)"]
    FIND --> PATCH["Patch and remediation workflow"]
    FIND --> CONSOLE["Inspector Console"]

Inspector Scanning Types

EC2 Instance Scanning

ModeDescription
Agent-basedInstalls SSM Agent on instances for deep scanning
Network ReachabilityIdentifies exposed network paths (no agent)

ECR Container Scanning

TriggerDescription
PushAutomatic scan on image push
On-DemandManual scan of specific image
ContinuousRescans when new vulnerabilities discovered

Lambda Function Scanning

Scans Lambda function code and dependencies for vulnerabilities.

Vulnerability Severity Levels

SeverityDescriptionAction
CriticalExploitable, remote code executionFix immediately
HighHigh risk, exploit availableFix soon
MediumModerate riskPlan fix
LowMinor riskMonitor
InformationalNo risk, for awarenessOptional

Key Features

FeatureDescription
Auto-DiscoveryAutomatically finds EC2 instances in account
Network ReachabilityMaps potential attack paths
Continuous ScanningRescans when new CVEs published
Integration with Security HubCentralized findings management
ECR IntegrationScans container images automatically
Lambda ScanningScans serverless functions

Use Cases

Use CaseDescription
Vulnerability ManagementFind and fix CVEs before they’re exploited
Container SecurityScan ECR images before deployment
ComplianceMeet security standards (PCI DSS, CIS)
CI/CD IntegrationScan before promoting to production
Serverless SecurityScan Lambda functions

Pricing

ComponentPriceFree Trial
EC2 ScanningPer instance per month15-day free trial
ECR ScanningPer GB scanned15-day free trial
Lambda ScanningPer function15-day free trial

⚠️ Important Note: Amazon Inspector Classic is being deprecated on May 20, 2026. Migrate to the new Inspector before this date.

⚠️ Pricing Disclaimer: AWS pricing is subject to change. Always verify current pricing at the official Inspector pricing page.

Inspector vs Other Security Tools

ToolFocusComplementarity
InspectorVulnerability scanningFinds CVEs in compute resources
GuardDutyThreat detectionDetects active attacks/anomalies
Security HubCentralized findingsAggregates Inspector + other findings
ConfigConfiguration complianceEnsures resources meet standards

TL;DR

  • Amazon Inspector = Automated vulnerability scanning for compute resources
  • Scans = EC2 instances, ECR container images, Lambda functions
  • Finds = Known vulnerabilities (CVEs), network exposure
  • Severity = Critical, High, Medium, Low, Informational
  • Pricing = Per resource type; 15-day free trial
  • Important = Inspector Classic ends May 20, 2026 — migrate to new Inspector
  • Use Cases = Vulnerability management, container security, compliance
  • Integrates with = Security Hub (centralized findings)

Resources

Amazon Inspector Documentation Complete Inspector user guide.

Inspector Pricing Detailed pricing breakdown.

Inspector Classic Migration Guide to migrate from Inspector Classic.

Graph View

Backlinks