What is Amazon Inspector?
Amazon Inspector is an automated vulnerability management service for AWS workloads. It continuously scans EC2 instances, Lambda functions, and container images in Amazon ECR for known vulnerabilities without a dedicated scanning agent to deploy and without scans you have to start by hand; EC2 instances are inventoried through the SSM Agent that already ships on most AWS AMIs.
Inspector matches the installed OS and application packages against the National Vulnerability Database (NVD) and reports known CVEs. For EC2 instances it also analyzes the network configuration (security groups, network ACLs, route tables) and flags ports or services that are unintentionally reachable from outside the VPC.
Core Features
- Automatic, continuous scanning of all supported workloads
- CVE detection with CVSS scoring and severity prioritization
- Network reachability analysis for EC2 instances
- Container image scanning in Amazon ECR
- Integration with Security Hub for centralized finding management
Common Use Cases
Compliance Audits: Inspector findings provide automated evidence of your infrastructure's security posture: which vulnerabilities were detected on which resource, when they were first observed, and when they were remediated.
DevSecOps Pipelines: Container images are scanned on every push to ECR. Builds can be blocked on critical vulnerabilities before reaching production.
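The build gate described above, as an added example (not code from this page, from innFactory, or from AWS): a Python script that pulls the active Inspector findings for one ECR image tag with boto3 and fails the build on critical findings or on high findings with a known public exploit. It assumes ECR scanning is enabled and the CI role may call inspector2:ListFindings; the repository and tag names, the package names and the CVE-EXAMPLE-* identifiers in the sample data are placeholders, not real findings. The gate logic is kept separate from the API call so it can be exercised offline.

```python
"""CI gate for Amazon Inspector ECR findings (added example, not page code).

Assumes Inspector ECR scanning is enabled and the CI role may call
inspector2:ListFindings. Repository/tag names are placeholders.
"""
from collections import Counter

# Severity strings as Inspector reports them, ranked for threshold comparison.
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2,
                 "INFORMATIONAL": 1, "UNTRIAGED": 0}


def fetch_findings(repository, tag, region="eu-central-1"):
    """Pull ACTIVE Inspector findings for one image via boto3 (network call)."""
    import boto3  # imported here so evaluate_gate() runs without boto3
    client = boto3.client("inspector2", region_name=region)
    criteria = {
        "ecrImageRepositoryName": [{"comparison": "EQUALS", "value": repository}],
        "ecrImageTags": [{"comparison": "EQUALS", "value": tag}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    }
    findings = []
    for page in client.get_paginator("list_findings").paginate(filterCriteria=criteria):
        findings.extend(page["findings"])
    return findings


def evaluate_gate(findings, block_at="CRITICAL", block_exploitable_high=True,
                  require_fix=True):
    """Return (allowed, blocking_findings, severity_summary).

    A finding blocks the build when its severity is at or above block_at, or
    (optionally) when it is HIGH with a known public exploit. With
    require_fix=True a finding that has no fixed package version yet is counted
    but does not block, so the pipeline is not wedged on unpatchable CVEs.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking, summary = [], Counter()
    for f in findings:
        sev = f.get("severity", "UNTRIAGED")
        summary[sev] += 1
        severe = SEVERITY_RANK.get(sev, 0) >= threshold
        hot = block_exploitable_high and sev == "HIGH" and f.get("exploitAvailable") == "YES"
        if not (severe or hot):
            continue
        if require_fix and f.get("fixAvailable") == "NO":
            continue
        blocking.append(f)
    return len(blocking) == 0, blocking, dict(summary)


def describe(finding):
    """One-line summary of a finding for the CI log."""
    details = finding.get("packageVulnerabilityDetails", {})
    pkgs = ", ".join(
        f"{p['name']} {p.get('version', '?')} -> {p.get('fixedInVersion', 'no fix')}"
        for p in details.get("vulnerablePackages", []))
    return (f"{finding.get('severity', '?'):<9} {details.get('vulnerabilityId', '?')} "
            f"score={finding.get('inspectorScore', '?')} "
            f"exploit={finding.get('exploitAvailable', '?')} [{pkgs}]")


def _sample(sev, vid, exploit, fix, score, pkg, version, fixed=None):
    pkgs = [{"name": pkg, "version": version}]
    if fixed:
        pkgs[0]["fixedInVersion"] = fixed
    return {"severity": sev, "exploitAvailable": exploit, "fixAvailable": fix,
            "inspectorScore": score,
            "packageVulnerabilityDetails": {"vulnerabilityId": vid,
                                            "vulnerablePackages": pkgs}}


# Constructed data in the shape of inspector2 ListFindings output. The
# CVE-EXAMPLE-* ids and package names are placeholders, not real findings.
SAMPLE_FINDINGS = [
    _sample("CRITICAL", "CVE-EXAMPLE-1", "NO", "YES", 9.8, "pkg-a", "1.0-1", "1.0-2"),
    _sample("HIGH", "CVE-EXAMPLE-2", "YES", "YES", 8.1, "pkg-b", "2.3", "2.4"),
    _sample("CRITICAL", "CVE-EXAMPLE-3", "NO", "NO", 9.1, "pkg-c", "0.9"),
    _sample("MEDIUM", "CVE-EXAMPLE-4", "NO", "YES", 5.3, "pkg-d", "3.0", "3.1"),
]

if __name__ == "__main__":
    import sys
    # In CI replace SAMPLE_FINDINGS with fetch_findings("my-app", "git-abc123").
    allowed, blocking, summary = evaluate_gate(SAMPLE_FINDINGS)
    print("severity summary:", summary)
    for f in blocking:
        print("BLOCK", describe(f))
    sys.exit(0 if allowed else 1)
```

Run as a step after `docker push`; the non-zero exit code is what blocks the build. The `require_fix` default is a deliberate policy choice: a critical CVE with no upstream fix is still surfaced in the log, but blocking on it would only stop shipping without giving the team anything to do.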
Continuous Security Monitoring: Inspector automatically scans on software updates or new CVE publications. You receive immediate notifications about new risks.
Benefits
- No agent management for Lambda and container scans
- Automatic prioritization by exploitability and impact
- Multi-account support via AWS Organizations
- Integration with EventBridge for automated remediation
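The EventBridge remediation path from the list above, as an added example (not code from this page, from innFactory, or from AWS): the event pattern for the rule plus a Lambda handler that maps each Inspector finding event to an action (SSM patch run, rebuild, or human review). It assumes the event detail carries the same fields as the ListFindings API (severity, status, type, fixAvailable, resources), that the function's role may call ssm:SendCommand and sns:Publish, and that the `inspector:auto-patch` opt-out tag and the SNS topic are conventions of this example rather than of Inspector.

```python
"""EventBridge-triggered remediation for Inspector findings (added example).

Assumes an EventBridge rule with EVENT_PATTERN targets this Lambda and that
the event 'detail' mirrors the Inspector Finding object. The opt-out tag and
SNS topic are conventions of this example, not Inspector features.
"""

# Rule pattern: only ACTIVE HIGH/CRITICAL findings reach the function.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["CRITICAL", "HIGH"], "status": ["ACTIVE"]},
}

OPT_OUT_TAG = "inspector:auto-patch"  # set to "false" to exclude an instance


def decide(event):
    """Map one finding event to an action dict.

    action values: patch (SSM AWS-RunPatchBaseline on the EC2 instance),
    rebuild (container image or Lambda dependency: rebuild from a patched
    base), review (hand to a human), ignore (nothing to do).
    """
    detail = event.get("detail", {})
    if detail.get("status") != "ACTIVE":
        return {"action": "ignore", "reason": "finding not active"}
    resources = detail.get("resources") or []
    if not resources:
        return {"action": "ignore", "reason": "no resource on finding"}
    res = resources[0]
    base = {"findingArn": detail.get("findingArn"), "resource": res.get("id")}
    if detail.get("type") == "NETWORK_REACHABILITY":
        # Opening/closing ports is a design decision, never auto-remediated here.
        return {**base, "action": "review", "reason": "exposed port needs security group review"}
    rtype = res.get("type")
    if rtype == "AWS_EC2_INSTANCE":
        if detail.get("fixAvailable") != "YES":
            return {**base, "action": "review", "reason": "no fixed package version"}
        if (res.get("tags") or {}).get(OPT_OUT_TAG, "true").lower() == "false":
            return {**base, "action": "review", "reason": "instance opted out of auto-patch"}
        return {**base, "action": "patch", "instanceId": res.get("id")}
    if rtype in ("AWS_ECR_CONTAINER_IMAGE", "AWS_LAMBDA_FUNCTION"):
        return {**base, "action": "rebuild", "reason": "rebuild from patched base"}
    return {**base, "action": "ignore", "reason": f"unhandled resource type {rtype}"}


def execute(decision, sns_topic_arn=None):
    """Carry the decision out with AWS APIs (network calls; needs boto3)."""
    import boto3
    if decision["action"] == "patch":
        # Idempotent: running the baseline on an already patched host changes nothing,
        # which matters because Inspector emits one event per finding, not per host.
        resp = boto3.client("ssm").send_command(
            InstanceIds=[decision["instanceId"]],
            DocumentName="AWS-RunPatchBaseline",
            Parameters={"Operation": ["Install"]},
            Comment=f"Inspector finding {decision['findingArn']}",
        )
        return resp["Command"]["CommandId"]
    if decision["action"] in ("review", "rebuild") and sns_topic_arn:
        boto3.client("sns").publish(
            TopicArn=sns_topic_arn,
            Subject=f"Inspector finding needs {decision['action']}",
            Message=str(decision))
    return None


def handler(event, context):
    decision = decide(event)
    if decision["action"] != "ignore":
        execute(decision)
    return decision


def make_event(rtype, ftype="PACKAGE_VULNERABILITY", status="ACTIVE", fix="YES", tags=None):
    """Constructed event in the shape EventBridge delivers (not a real finding)."""
    return {
        "source": "aws.inspector2",
        "detail-type": "Inspector2 Finding",
        "detail": {
            "findingArn": "arn:aws:inspector2:eu-central-1:111122223333:finding/example",
            "severity": "CRITICAL", "status": status, "type": ftype,
            "fixAvailable": fix,
            "resources": [{"type": rtype, "id": "i-0example" if rtype == "AWS_EC2_INSTANCE"
                           else "arn:aws:ecr:eu-central-1:111122223333:repository/my-app/sha256:example",
                           "tags": tags or {}}],
        },
    }
```

The handler only decides; `execute` is the single place that touches AWS, so the policy can be unit-tested with constructed events and the SSM/SNS calls can be swapped out. Keep the rule's event pattern narrow (severity and status) rather than filtering in code: EventBridge drops non-matching events for free, while every invocation of the function costs money and widens the function role's blast radius.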
Integration with innFactory
As an AWS reseller, innFactory supports you with Amazon Inspector: setup for multi-account environments, CI/CD pipeline integration, automated remediation workflows, and Security Hub dashboard configuration.
Frequently Asked Questions
What is Amazon Inspector?
Amazon Inspector is an automated vulnerability scanner for AWS workloads. The service analyzes EC2 instances, Lambda functions, and container images in ECR for known security vulnerabilities (CVEs) and network misconfigurations. Inspector provides prioritized findings with remediation recommendations.
How much does Amazon Inspector cost?
Inspector charges per scanned resource and per region: EC2 instances approximately 1.25 USD per instance per month, Lambda functions approximately 0.30 USD per function per month for standard (dependency) scanning, with Lambda code scanning billed separately, and container images 0.09 USD per initial scan plus 0.01 USD per rescan. These are approximate list prices; check the AWS pricing page for your region. The first 15 days are a free trial.
How does Inspector differ from GuardDuty?
Inspector is proactive and finds vulnerabilities before an attack through CVE scans and configuration analysis. GuardDuty is reactive and detects active threats by analyzing CloudTrail, VPC Flow Logs, and DNS logs. Both services complement each other and should be used together.
What vulnerabilities does Inspector detect?
Inspector reports two kinds of findings: package vulnerabilities, i.e. known CVEs from the NVD in operating system and application packages on EC2 instances, in Lambda function dependencies, and in ECR container images; and network reachability findings for EC2 instances, i.e. ports reachable from outside the VPC through the current security group, network ACL and route table configuration. Each finding carries the CVSS score and an Inspector score that adjusts it for network reachability and exploit availability, which is what the prioritization is based on.
How do I enable Amazon Inspector?
Inspector is enabled per account and per region, either in the console or with `aws inspector2 enable --resource-types EC2 ECR LAMBDA`. EC2 scanning uses the SSM Agent, so an instance must be an SSM managed node to be scanned; Lambda and ECR scanning need no agent. In AWS Organizations, a delegated administrator account enables Inspector for all member accounts and can auto-enable it for accounts that join later.