Overview

• Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities.
• Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.
• When a software vulnerability or network issue is discovered, Amazon Inspector creates a finding. A finding describes the vulnerability, identifies the affected resource, rates the severity of the vulnerability, and provides remediation guidance. 

Features of Amazon Inspector

• Centrally manage multiple Amazon Inspector accounts
  • If your AWS environment has multiple accounts, you can centrally manage your environment through a single account by using AWS Organizations and designating an account as the delegated administrator account for Amazon Inspector.
• Continuously scan your environment for vulnerabilities and network exposure
  • With Amazon Inspector you do not need to manually schedule or configure assessment scans
  • Amazon Inspector continues to assess your environment throughout the lifecycle of your resources by automatically scanning resources whenever you make changes to them.
• Assess vulnerabilities accurately with the Amazon Inspector Risk score
  • As Amazon Inspector collects information about your environment through scans, it provides severity scores specifically tailored to your environment. 
• Identify high-impact findings with the Amazon Inspector dashboard
  • The risk-based remediation panel in the Amazon Inspector dashboard presents the findings that affect the largest number of instances and images.
  • This panel makes it easier to identify the findings with the greatest impact on your environment, see findings details, and view suggested solutions.
• Manage your findings using customizable views
• Monitor and process findings with other services and systems
  • ​​​​​​​AWS EventBridge
  • AWS Security Hub

Understanding findings

• In Amazon Inspector, a finding is a detailed report about a potential vulnerability that affects one of your resources.
• Amazon Inspector generates a finding whenever it detects a potential vulnerability for an Amazon EC2 instance or a potential software vulnerability in a container image within an Amazon ECR repository.
• A finding can be assigned one of the following states:
  • Active - The finding is identified by Amazon Inspector and has not yet been remediated. Active findings are subject to suppression rules and, if applicable, the status is changed to Suppressed.
  • Suppressed - The finding meets one or more criteria of one or more suppression rules. Suppressed findings are hidden from most views, with the exception of the Suppressed findings list.
  • Closed - After a vulnerability is remediated, Amazon Inspector automatically detects it and changes the state of the finding to closed. Closed findings are deleted after 30 days if there are no other changes.
• finding types
  • Package vulnerability
    • Package vulnerability findings identify software packages in your environment that are exposed to common vulnerabilities and exposures (CVEs)
    • Package vulnerability findings are generated for both Amazon EC2 instances and ECR container images.
  • Network reachability
    • Network reachability findings indicate that there are allowed network paths to Amazon EC2 instances in your environment.
    • Network reachability findings are only generated for Amazon EC2 resources.

Scanning resources

• Amazon Inspector initiates scans of EC2 instances in the following situations:
  • As soon as the EC2 instance is discovered by Amazon Inspector
  • When you launch a new instance
  • When you install new software on an existing instance
  • When Amazon Inspector adds a new common vulnerabilities and exceptions (CVE) item to its database
• Amazon Inspector scans container images stored in Amazon ECR for software vulnerabilities to generate Package Vulnerability findings.
  • Enhanced scanning gives you a choice between continuous scanning or on-push scanning at the repository level.
  • Continuous scanning includes on-push scans and automated rescans.
  • On-push scanning scans only when you push an image.
  • For both options you can refine the scanning scope through inclusion filters.

Managing multiple accounts with AWS Organizations

• With Amazon Inspector you can manage multiple accounts that are associated through AWS Organizations.
• To manage multiple Amazon Inspector accounts, the Organizations management account designates an account within the organization as the delegated administrator account for Amazon Inspector.
• The delegated administrator manages Amazon Inspector for the organization and is granted special permissions to perform tasks on behalf of your organization.
• These tasks include enabling or disabling scans for member accounts, viewing aggregated finding data from the entire organization, and the creation and management of suppression rules.
• A delegated administrator is Regional.
• An organization can have only one delegated administrator.
• Changing a delegated administrator does not disable Amazon Inspector for member accounts.

Amazon Inspector integrations

• Amazon ECR
  • You can use Amazon Inspector to scan container images residing in your Amazon ECR repositories for vulnerable operating system packages and programming language packages.
• AWS Security Hub
  • Enabling Security Hub with Amazon Inspector automatically allows Amazon Inspector findings data to be ingested by Security Hub.

Reference

What is Amazon Inspector? - Amazon Inspector