Amazon Inspector features

Amazon Inspector is a comprehensive vulnerability management service that spans across various resources, such as Amazon EC2, AWS Lambda, container workloads, and code repositories. It identifies different types of vulnerabilities, including software vulnerabilities and unintended network exposure, which can be used to compromise workloads, repurpose resources for malicious use, or facilitate data exfiltration.

Once started, Amazon Inspector automatically discovers all Amazon EC2 instances, Lambda functions, container images within Amazon ECR, and code repositories. It promptly initiates scans for software vulnerabilities and unintended network exposure. All resources are continually rescanned when new CVEs are published or when changes occur, including new software installation in an EC2 instance or updates to code repositories.

Amazon Inspector uses the widely deployed AWS Systems Manager Agent (SSM Agent) to collect the software inventory and configurations from your Amazon EC2 instances. The collected application inventory and configurations are used to assess workloads for vulnerabilities.

Amazon Inspector offers continuous monitoring of your Amazon EC2 instances for software vulnerabilities without installing an agent or additional software. Amazon Inspector takes a snapshot of the EBS volume to extract data about the system and configuration of the instances to perform vulnerability assessments. With this capability, you can expand your vulnerability assessment coverage across your EC2 infrastructure with Amazon Inspector agentless scanning for EC2 instances that do not have SSM Agents installed or configured.

Amazon Inspector provides a comprehensive, near real-time overview of organization-wide environment coverage so you can avoid gaps in coverage. It provides metrics and detailed information on accounts, as well as Amazon EC2 instances, Amazon ECR repositories, container images, and code repositories that are actively being scanned by Amazon Inspector. Additionally, it highlights the resources not being actively monitored and provides guidance on how to include them.

All findings are aggregated in the Amazon Inspector console, routed to AWS Security Hub, and pushed through Amazon EventBridge to automate workflows such as ticketing.

Amazon Inspector scans the custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or missing encryption based on AWS security best practices. Upon detecting code vulnerabilities within the AWS Lambda function or layer, Amazon Inspector generates actionable security findings that provide several details, such as security detector name, impacted code snippets, and remediation suggestions to address vulnerabilities. Using generative AI and automated reasoning, Amazon Inspector provides in-context code patches for multiples classes of vulnerabilities, reducing the effort required to fix code vulnerabilities. By addressing vulnerabilities at the foundational layers, you can help improve security of all downstream Lambda functions.

Amazon Inspector offers automated and centralized management of software bill of materials (SBOM) exports. It enables the easy export of a consolidated SBOM for all monitored resources to a pre-configured S3 bucket, supporting industry standard formats. You can download the SBOM artifact, perform Amazon Athena queries, or create Amazon QuickSight dashboards to gain valuable insights and visualize trends.

Amazon Inspector enhances vulnerability management by mapping Amazon Elastic Container Registry (Amazon ECR) images to their deployment footprint across Amazon Elastic Container Service (Amazon ECS) tasks and Amazon Elastic Kubernetes Service (Amazon EKS) pods. For each scanned Amazon ECR image, Amazon Inspector provides insights into its deployment scope—identifying when the images were last in use, how many tasks or pods are using them, and which clusters are running the image. This helps you prioritize vulnerability remediation based on actual image usage and deployment status, focusing efforts on widely deployed images while reducing noise from unused ones. With support for scratch, distroless, and Chainguard images, Amazon Inspector extends its coverage to minimal and security-focused container base images, enabling teams to maintain more robust vulnerability management practices even with highly optimized container environments.

Amazon Inspector expands vulnerability management to application source code through native integration with GitHub and GitLab, helping you secure applications before they reach production. The service automatically scans for security vulnerabilities and misconfigurations across your application source code, dependencies, and infrastructure as code (IaC) definitions. Amazon Inspector performs Static Application Security Testing (SAST) to analyze application source code, Software Composition Analysis (SCA) to evaluate third-party dependencies, and IaC scanning to validate infrastructure definitions. Findings from these scans are surfaced both in the Amazon Inspector console for an aggregated view across the organization and within the source code management platform as fast feedback for developers, enabling consistent vulnerability management from your code to compute resources running on AWS.