Amazon Inspector
Amazon Inspector is an automated security assessment service offered by AWS that helps improve the security and compliance of applications and workloads deployed on AWS. It is a critical service within Domain 3: Infrastructure Security of the AWS Certified Security – Specialty (SCS-C02) exam. Amazon Inspector continuously scans AWS workloads for software vulnerabilities and unintended network exposure. It automatically discovers and scans running Amazon EC2 instances, container images stored in Amazon ECR, and AWS Lambda functions for known vulnerabilities and network reachability issues.

Key features of Amazon Inspector include:

1. **Automated Discovery and Scanning**: Inspector automatically detects eligible resources and begins scanning them without manual configuration. It uses the SSM (Systems Manager) Agent for EC2 assessments.
2. **Vulnerability Management**: It leverages the Common Vulnerabilities and Exposures (CVE) database to identify software vulnerabilities, providing detailed findings with severity ratings and remediation guidance.
3. **Network Reachability Analysis**: Inspector evaluates network configurations to identify unintended network exposure, such as open ports accessible from the internet.
4. **Risk Scoring**: Each finding includes an Inspector risk score that contextualizes vulnerabilities based on factors like network accessibility and exploitability, going beyond standard CVSS scores.
5. **Integration with AWS Services**: Inspector integrates with AWS Security Hub for centralized security findings, Amazon EventBridge for automated workflows, and AWS Organizations for multi-account management.
6. **Continuous Monitoring**: Unlike one-time assessments, Inspector provides continuous scanning, automatically re-scanning resources when new CVEs are published or when changes occur in the environment.
7. **Software Bill of Materials (SBOM)**: Inspector can export SBOMs for monitored resources, supporting compliance and supply chain security requirements.

For the SCS-C02 exam, understanding Inspector's role in vulnerability management, its integration points, the difference between network and host assessments, and how it supports a defense-in-depth strategy is essential. It plays a vital role in maintaining a strong security posture across AWS infrastructure.
Amazon Inspector: Complete Guide for AWS Security Specialty Exam
Why Amazon Inspector Is Important
In today's cloud environments, vulnerabilities in workloads can be exploited within hours of discovery. Organizations need automated, continuous vulnerability assessment to maintain a strong security posture. Amazon Inspector addresses this critical need by automatically discovering and scanning workloads for software vulnerabilities and unintended network exposure. For the AWS Security Specialty exam, Amazon Inspector is a key service under the Infrastructure Security domain, and understanding its capabilities, limitations, and integration points is essential.
What Is Amazon Inspector?
Amazon Inspector is an automated vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure. It is important to distinguish between the two versions:
Amazon Inspector Classic (v1):
- Agent-based assessment service
- Required manual setup of assessment targets and templates
- Operated on a schedule-based or manual trigger model
- Supported EC2 instances only
Amazon Inspector v2 (Current Version):
- Fully redesigned, modern service
- Automatically discovers and scans eligible workloads
- Supports EC2 instances, Amazon ECR container images, and AWS Lambda functions
- Uses the AWS Systems Manager (SSM) Agent for EC2 scanning (no separate Inspector agent needed)
- Provides continuous scanning rather than periodic assessments
- Integrates natively with AWS Organizations for multi-account management
- Calculates a contextualized Amazon Inspector risk score for each finding
How Amazon Inspector Works
1. Activation and Discovery
When you enable Amazon Inspector, it automatically discovers eligible resources across your account (or organization). For EC2 instances, it requires the SSM Agent to be installed and running, and the instance must be an SSM managed instance. For ECR, it scans container images pushed to repositories. For Lambda, it scans function code and layers.
2. Scanning Types
Software Vulnerability Scanning (EC2, ECR, Lambda):
- Compares installed packages against vulnerability databases (CVE databases, vendor security advisories, NVD, etc.)
- For EC2: Uses SSM Agent to collect software inventory
- For ECR: Scans container images at push time and continuously rescans when new CVEs are published
- For Lambda: Scans application dependencies in function code and layers
Network Reachability Scanning (EC2 only):
- Analyzes VPC configuration, security groups, NACLs, internet gateways, VPC peering, and route tables
- Identifies network paths that allow access to EC2 instances from the internet or other external sources
- Does not require the SSM Agent (agentless network analysis)
3. Continuous Scanning
Amazon Inspector v2 provides continuous, event-driven scanning. Rescans are triggered automatically when:
- A new CVE is published
- A new package is installed on an EC2 instance
- A new container image is pushed to ECR
- An EC2 instance configuration changes (e.g., security group modification)
4. Findings and Risk Score
Each finding includes:
- The affected resource
- The vulnerability details (CVE ID, description)
- The Inspector Score (a contextualized score based on CVSS base score adjusted for factors like network reachability and exploitability)
- Severity rating: Critical, High, Medium, Low, or Informational
- Remediation guidance
5. Integration Points
- AWS Security Hub: Findings are automatically sent to Security Hub for centralized security view
- Amazon EventBridge: Findings generate events that can trigger automated remediation workflows (e.g., Lambda functions, SNS notifications, Step Functions)
- Amazon S3: Findings can be exported to S3 for long-term storage and analysis
- AWS Organizations: A delegated administrator account can manage Inspector across all member accounts
- SBOM (Software Bill of Materials): Inspector can generate and export SBOMs in CycloneDX and SPDX formats
6. Suppression Rules
You can create suppression rules to filter out findings that you consider acceptable risks or false positives. Suppressed findings are not deleted—they are marked as suppressed and can still be viewed.
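The following is an added example (not AWS code and not from this page) that models how a suppression rule is evaluated locally. The rule mirrors the FilterCriteria shape used by `aws inspector2 create-filter --action SUPPRESS` (string criteria are lists of `{"comparison": ..., "value": ...}`); the CVE identifier, instance IDs and findings are constructed placeholders. The point it demonstrates is the one in the text: a matching finding is marked suppressed, not removed.

```python
"""Local model of an Amazon Inspector suppression rule (added example, not AWS code)."""
from copy import deepcopy

# Constructed rule: accept one specific CVE, but only on hosts whose ID starts with "i-0dev".
# The CVE id is a placeholder, not a real vulnerability.
SUPPRESSION_RULE = {
    "name": "dev-host-accepted-cve",
    "action": "SUPPRESS",
    "filterCriteria": {
        "vulnerabilityId": [{"comparison": "EQUALS", "value": "CVE-0000-0001"}],
        "resourceId": [{"comparison": "PREFIX", "value": "i-0dev"}],
    },
}

# Constructed findings carrying only the fields the rule looks at.
FINDINGS = [
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/a1",
     "vulnerabilityId": "CVE-0000-0001", "resourceId": "i-0dev123", "severity": "HIGH"},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/b2",
     "vulnerabilityId": "CVE-0000-0001", "resourceId": "i-0prod456", "severity": "HIGH"},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/c3",
     "vulnerabilityId": "CVE-0000-0002", "resourceId": "i-0dev123", "severity": "CRITICAL"},
]


def _string_matches(value, criterion):
    """Evaluate one string criterion (EQUALS, NOT_EQUALS, PREFIX) against a field value."""
    comparison, expected = criterion["comparison"], criterion["value"]
    if comparison == "EQUALS":
        return value == expected
    if comparison == "NOT_EQUALS":
        return value != expected
    if comparison == "PREFIX":
        return value.startswith(expected)
    raise ValueError(f"unsupported comparison {comparison!r}")


def rule_matches(finding, filter_criteria):
    """All criteria keys must match (AND); within one key, any listed value may match (OR)."""
    for field, criteria in filter_criteria.items():
        value = finding.get(field)
        if value is None:
            return False
        if not any(_string_matches(value, c) for c in criteria):
            return False
    return True


def apply_suppression(findings, rule):
    """Return copies of all findings with a status set; suppressed ones are kept, not deleted."""
    result = []
    for finding in findings:
        marked = deepcopy(finding)
        marked["status"] = "SUPPRESSED" if rule_matches(finding, rule["filterCriteria"]) else "ACTIVE"
        result.append(marked)
    return result


def active_findings(findings, rule):
    """The findings that still need attention after the rule is applied."""
    return [f for f in apply_suppression(findings, rule) if f["status"] == "ACTIVE"]


if __name__ == "__main__":
    for f in apply_suppression(FINDINGS, SUPPRESSION_RULE):
        print(f["status"], f["vulnerabilityId"], f["resourceId"])
```

Only the first finding is suppressed: the second is the same CVE on a production host (the PREFIX criterion fails), and the third is a different CVE. All three findings survive in the output, which is what makes suppression an acceptance decision rather than remediation.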
Key Differences: Inspector v2 vs. Inspector Classic
- Agent: v2 uses SSM Agent; Classic used a dedicated Inspector Agent
- Scope: v2 covers EC2, ECR, and Lambda; Classic covered EC2 only
- Scanning Model: v2 is continuous; Classic was assessment-run-based
- Setup: v2 auto-discovers resources; Classic required manual target and template configuration
- Scoring: v2 uses Inspector Score (enhanced CVSS); Classic used standard rules packages
- Multi-account: v2 integrates with AWS Organizations; Classic did not
Amazon Inspector Rules Packages (Classic Reference)
While the exam primarily focuses on Inspector v2, you may encounter Classic concepts:
- Common Vulnerabilities and Exposures (CVE)
- CIS Benchmarks (Center for Internet Security)
- Network Reachability
- Security Best Practices
Pricing Model
Amazon Inspector v2 pricing is based on:
- Number of EC2 instances scanned per month
- Number of container images scanned (initial scan + rescan)
- Number of Lambda functions scanned per month
There is a 15-day free trial for new accounts.
Exam Tips: Answering Questions on Amazon Inspector
Tip 1: Know What Inspector Scans
Amazon Inspector v2 scans EC2 instances, ECR container images, and Lambda functions. If a question asks about scanning S3 buckets, RDS databases, or DynamoDB tables for vulnerabilities, Inspector is NOT the answer. For S3, think Amazon Macie. For broader security posture, think Security Hub or AWS Config.
Tip 2: SSM Agent Is Required for EC2 Vulnerability Scanning
If a question mentions EC2 vulnerability scanning not working, check whether the SSM Agent is installed and the instance is a managed instance. Network reachability scanning does NOT require the SSM Agent.
Tip 3: Distinguish Inspector from GuardDuty
This is a common exam trap. Amazon Inspector focuses on vulnerability assessment (known CVEs, misconfigurations, network exposure). Amazon GuardDuty focuses on threat detection (malicious activity, anomalous behavior, compromised resources). If the question is about detecting active threats or suspicious API calls, choose GuardDuty. If it is about finding unpatched software or open ports, choose Inspector.
Tip 4: Integration with Security Hub and EventBridge
When questions ask about centralizing findings or automating remediation based on Inspector findings, remember: Inspector sends findings to Security Hub for aggregation and to EventBridge for event-driven automation. A common pattern is Inspector → EventBridge → Lambda for automated patching or notification.
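As an added example (not from this page and not AWS code), the Inspector → EventBridge → Lambda → SSM Patch Manager pattern is modelled below. The rule pattern uses the Inspector v2 EventBridge source and detail-type (`aws.inspector2`, `Inspector2 Finding`); the sample event is constructed with placeholder values and follows the finding event's field names as I understand them. The handler only builds the SSM `SendCommand` parameters for the `AWS-RunPatchBaseline` document unless a boto3 SSM client is passed in, so it runs offline; the small pattern matcher covers only the exact-match subset of EventBridge pattern syntax used here.

```python
"""Inspector finding -> EventBridge rule -> Lambda -> SSM Patch Manager (added example, not AWS code)."""
import json

# EventBridge rule pattern: route only CRITICAL/HIGH findings that affect EC2 instances.
RULE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["CRITICAL", "HIGH"],
        "resources": {"type": ["AWS_EC2_INSTANCE"]},
    },
}

# Constructed sample event; instance ID and CVE are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "region": "us-east-1",
    "detail": {
        "severity": "CRITICAL",
        "type": "PACKAGE_VULNERABILITY",
        "title": "CVE-0000-0001 - example-package",
        "inspectorScore": 9.1,
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"},
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0", "region": "us-east-1"}],
    },
}


def pattern_matches(event, pattern):
    """Exact-match subset of EventBridge semantics: every pattern key must be present;
    a list means 'equals one of these'; a dict recurses; an event list matches if any
    element matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        candidates = actual if isinstance(actual, list) else [actual]
        if isinstance(expected, dict):
            if not any(isinstance(c, dict) and pattern_matches(c, expected) for c in candidates):
                return False
        elif not any(c in expected for c in candidates):
            return False
    return True


def affected_instance_ids(event):
    """Pull EC2 instance IDs out of the finding's resource list."""
    return [r["id"] for r in event["detail"].get("resources", []) if r.get("type") == "AWS_EC2_INSTANCE"]


def build_patch_command(instance_ids):
    """Parameters for SSM SendCommand running AWS-RunPatchBaseline in Install mode."""
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "InstanceIds": instance_ids,
        "Parameters": {"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]},
        "Comment": "Inspector critical/high finding remediation",
    }


def lambda_handler(event, context=None, ssm_client=None):
    """Lambda entry point. Re-checks the rule pattern (defence in depth against a
    misconfigured rule), then builds the patch command; it is sent only when a client is given."""
    if not pattern_matches(event, RULE_PATTERN):
        return {"action": "ignored", "reason": "event does not match rule pattern"}
    instance_ids = affected_instance_ids(event)
    if not instance_ids:
        return {"action": "ignored", "reason": "no EC2 instance in finding"}
    command = build_patch_command(instance_ids)
    if ssm_client is not None:
        ssm_client.send_command(**command)  # boto3 SSM client, e.g. boto3.client("ssm")
    return {"action": "patch", "command": command}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The Lambda function needs `ssm:SendCommand` on the target instances and the document, and the instances must be SSM managed instances, the same prerequisite Inspector itself has for EC2 vulnerability scanning. Patching on every finding event can be noisy; in practice the rule pattern (severity, resource tags) is where you narrow the blast radius.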
Tip 5: Multi-Account Management
For questions involving multiple AWS accounts, Inspector v2 integrates with AWS Organizations. A delegated administrator account can enable and manage Inspector across all organization member accounts. This is the recommended approach for enterprise-scale deployments.
Tip 6: Continuous vs. On-Demand
Inspector v2 is continuous by default. It automatically rescans when new vulnerabilities are published or when resource configurations change. You do not need to schedule assessment runs as you did with Inspector Classic.
Tip 7: Network Reachability Analysis
If a question asks about identifying EC2 instances that are unintentionally exposed to the internet, Inspector's network reachability scanning is a valid answer. However, also consider VPC Reachability Analyzer for specific path analysis between two endpoints, and AWS Config rules for compliance checking of security group configurations.
Tip 8: Inspector Score vs. CVSS Score
Amazon Inspector calculates its own contextualized risk score that adjusts the base CVSS score based on factors like network reachability and exploit availability. If a question asks about prioritizing vulnerabilities based on actual risk in your environment (not just theoretical severity), the Inspector Score is the relevant metric.
Tip 9: Container Image Scanning
For ECR scanning, know that there are two scanning options: Basic scanning (provided by ECR itself using Clair) and Enhanced scanning (powered by Amazon Inspector). Enhanced scanning provides continuous monitoring and richer vulnerability data. If a question mentions needing continuous container image scanning with detailed CVE information, Enhanced scanning with Inspector is the answer.
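The following is an added example (not from this page and not AWS code) of a CI/CD gate built on ECR enhanced-scan results. The input shape follows the `aws ecr describe-image-scan-findings` response for enhanced scanning as I understand it (`imageScanStatus`, `imageScanFindings.findingSeverityCounts`, `enhancedFindings`, `fixAvailable`); the sample response is constructed with placeholder CVEs. In a pipeline you would load the JSON from that CLI call instead of the constant; the gate fails closed when the scan has not produced results.

```python
"""CI gate on ECR enhanced scanning (Inspector) results (added example, not AWS code)."""
import json
import sys

# Constructed response; enhanced scanning reports status ACTIVE once continuous scanning is on.
SAMPLE_SCAN = {
    "imageScanStatus": {"status": "ACTIVE", "description": "Continuous scan is selected for image."},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 1},
        "enhancedFindings": [
            {"severity": "CRITICAL", "fixAvailable": "YES",
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"}},
            {"severity": "HIGH", "fixAvailable": "NO",
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002"}},
            {"severity": "HIGH", "fixAvailable": "YES",
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003"}},
            {"severity": "MEDIUM", "fixAvailable": "YES",
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0004"}},
        ],
    },
}

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Statuses under which findings are trustworthy; anything else (PENDING, FAILED, ...) fails closed.
SCAN_READY_STATUSES = {"COMPLETE", "ACTIVE"}


def blocking_findings(scan, threshold="HIGH", fixable_only=False):
    """Findings at or above the severity threshold; optionally only those with a fix."""
    floor = SEVERITY_ORDER.index(threshold)
    findings = scan.get("imageScanFindings", {}).get("enhancedFindings", [])
    selected = []
    for f in findings:
        if SEVERITY_ORDER.index(f["severity"]) < floor:
            continue
        if fixable_only and f.get("fixAvailable") not in ("YES", "PARTIAL"):
            continue
        selected.append(f)
    return selected


def gate(scan, threshold="HIGH", fixable_only=False):
    """Return (passed, reasons). A scan without usable results never passes."""
    status = scan.get("imageScanStatus", {}).get("status")
    if status not in SCAN_READY_STATUSES:
        return False, [f"scan status {status!r}: results not available, refusing to pass"]
    reasons = [
        f"{f['severity']} {f['packageVulnerabilityDetails']['vulnerabilityId']}"
        f" (fix available: {f.get('fixAvailable', 'UNKNOWN')})"
        for f in blocking_findings(scan, threshold, fixable_only)
    ]
    return (not reasons), reasons


if __name__ == "__main__":
    # Pipe `aws ecr describe-image-scan-findings ... --output json` into stdin, or run on the sample.
    scan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SCAN
    passed, reasons = gate(scan, threshold="HIGH")
    for r in reasons:
        print("BLOCK:", r)
    sys.exit(0 if passed else 1)
```

Two policy knobs matter here: the severity threshold, and whether to block on findings with no available fix (`fixable_only`). Blocking on unfixable findings stops deployments nobody can remediate, so teams often pair a strict fixable-only gate with a suppression rule or tracked exception for the rest.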
Tip 10: SBOM Generation
Amazon Inspector can export Software Bill of Materials (SBOM) for your resources. If a question asks about generating an inventory of all software packages and dependencies across your workloads for compliance or supply chain security, Inspector's SBOM export feature is relevant.
Tip 11: Suppression Rules vs. Remediation
Suppression rules do not fix vulnerabilities—they simply hide findings you deem acceptable. If an exam question asks about reducing findings noise for known accepted risks, suppression rules are appropriate. If it asks about actually resolving vulnerabilities, you need patching (via SSM Patch Manager) or image rebuilds.
Common Exam Scenario Patterns:
Scenario: An organization wants to automatically patch EC2 instances when critical vulnerabilities are found.
Answer: Amazon Inspector → Amazon EventBridge → AWS Lambda or AWS Systems Manager Automation → SSM Patch Manager
Scenario: A company needs to ensure all container images in ECR are free of critical vulnerabilities before deployment.
Answer: Enable Enhanced scanning (powered by Inspector) on ECR repositories. Use ECR image scanning results in CI/CD pipeline gates.
Scenario: Security team wants a single pane of glass for all vulnerability findings across multiple accounts.
Answer: Enable Inspector across the organization with a delegated administrator, and aggregate findings in AWS Security Hub.
Remember: Amazon Inspector is about finding vulnerabilities, not fixing them. It identifies the problems; remediation requires other services like SSM Patch Manager, manual patching, or image rebuilds. Always pair Inspector with a remediation strategy in exam answers that ask for a complete solution.