AWS Inspector
Detailed Content
Amazon Inspector is an automated vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure. It helps you identify security flaws in your EC2 instances and container images stored in Amazon ECR.
Core Concepts and Features
- Automated Vulnerability Management: Inspector continuously scans your resources (EC2 instances, container images in ECR) for vulnerabilities without requiring manual scheduling or configuration.
- Continuous Scanning: Unlike traditional vulnerability assessment tools that perform periodic scans, Inspector continuously monitors for new vulnerabilities and misconfigurations. As new CVEs (Common Vulnerabilities and Exposures) are published, Inspector automatically assesses your resources against them.
- Findings: When Inspector identifies a vulnerability or misconfiguration, it generates a finding. Findings are prioritized by severity (Critical, High, Medium, Low) and provide detailed information, including the vulnerability description, affected packages, CVSS scores, remediation recommendations, and links to CVE details.
- Supported Resource Types:
  - Amazon EC2 instances: Scans operating systems and applications (via SSM Agent) for software vulnerabilities and misconfigurations.
  - Amazon ECR container images: Scans container images for software vulnerabilities. This can be triggered on push or continuously.
- Agentless Scanning (for EC2): Inspector scans EC2 instances through the AWS Systems Manager (SSM) Agent, which is typically already installed, so no separate Inspector agent has to be deployed or maintained. This simplifies rollout and ongoing management.
- Network Reachability: Identifies network configurations that allow internet accessibility to EC2 instances, highlighting unintended network exposure.
- Common Vulnerabilities and Exposures (CVEs): Inspector uses an extensive vulnerability database, including publicly disclosed CVEs and AWS-specific security best practices, to identify threats.
- Integration with other AWS Services:
  - AWS Security Hub: Inspector findings are automatically sent to Security Hub for centralized security posture management.
  - Amazon EventBridge: Inspector generates events for new or updated findings, enabling automated responses (e.g., triggering Lambda functions).
  - AWS Organizations: Allows for multi-account management, delegating an administrator account to centrally manage Inspector across your organization.
- Suppression Rules: Allows you to filter out specific findings that are not relevant to your security posture (e.g., known false positives or vulnerabilities in non-production environments).
Assessment Types
Amazon Inspector focuses on:
- EC2 Instance Vulnerability Scanning:
  - Scans operating systems (OS) and application packages for known vulnerabilities (CVEs).
  - Leverages the SSM Agent to collect software inventory and configuration details.
  - Identifies open network paths to instances (network reachability).
- ECR Container Image Vulnerability Scanning:
  - Scans container images stored in Amazon Elastic Container Registry (ECR) for software vulnerabilities.
  - Scans can be configured to run automatically on image push or on a recurring basis.
  - Provides findings for vulnerabilities at the package level within your container images.
Use Cases
- Continuous Vulnerability Management: Automatically identify and prioritize software vulnerabilities in your EC2 instances and ECR container images across your AWS environment.
- Compliance and Auditing: Provide continuous visibility into the security posture of your workloads, helping to meet compliance requirements and prepare for audits.
- Secure Software Development Lifecycle (SDLC): Integrate ECR scanning into your CI/CD pipelines to catch container image vulnerabilities early in the development process.
- Remediation Prioritization: Use severity levels, CVSS scores, and reachability information provided in findings to prioritize the most critical vulnerabilities for remediation.
- Inventory of Vulnerabilities: Maintain a clear inventory of vulnerabilities across your fleet, enabling targeted patching and mitigation efforts.
- Optimizing Network Security: Identify unintended network exposure of EC2 instances, helping to tighten security group and NACL configurations.
Interview Questions
Conceptual Questions
- What is Amazon Inspector and what is its primary purpose?
  - Amazon Inspector is an automated vulnerability management service that continuously scans your AWS workloads (EC2 instances and ECR container images) for software vulnerabilities and unintended network exposure. Its primary purpose is to help identify and prioritize security flaws to protect your AWS environment.
- How does the new Amazon Inspector (launched in 2021) differ from the classic Inspector?
  - The new Inspector offers continuous scanning, supports ECR container images in addition to EC2, uses agentless scanning for EC2 (via SSM Agent), and prioritizes findings based on context (reachability, exploitability).
- What types of AWS resources does Inspector scan for vulnerabilities?
  - It scans Amazon EC2 instances for OS and application software vulnerabilities and network reachability. It also scans Amazon ECR container images for software vulnerabilities.
- How does Inspector conduct scanning for EC2 instances without requiring a dedicated agent?
  - Inspector leverages the existing AWS Systems Manager (SSM) Agent, which is typically already installed on EC2 instances. It uses the SSM Agent to collect software inventory and configuration details from the instance for vulnerability assessment, making it effectively agentless from a deployment perspective.
- How does Inspector integrate with other AWS services for security management and automated responses?
  - AWS Security Hub: Inspector findings are automatically pushed to Security Hub for centralized visibility.
  - Amazon EventBridge: Inspector emits events for new/updated findings, allowing you to trigger automated actions (e.g., Lambda functions for remediation) with EventBridge rules.
  - AWS Organizations: For multi-account environments, you can delegate an administrator account to manage Inspector findings centrally.
Scenario-Based Questions
- You have a fleet of Windows and Linux EC2 instances running various applications. Your security team requires continuous monitoring for software vulnerabilities without manual intervention. How would you use Amazon Inspector to achieve this?
  - I would enable Amazon Inspector for EC2 instance scanning across my AWS account. Inspector would automatically discover and continuously scan all my eligible EC2 instances (Windows and Linux) by leveraging the SSM Agent. As new vulnerabilities are published, Inspector would automatically assess my instances and generate findings, which can then be viewed in the Inspector console or forwarded to Security Hub and EventBridge for further action.
- Your organization uses containerized applications and stores their images in Amazon ECR. You need to ensure that container images are scanned for vulnerabilities before they are deployed to production. How would you integrate Inspector into your CI/CD pipeline for this?
  - I would enable Amazon Inspector ECR scanning for my container repositories. I would configure Inspector to scan images on push. In my CI/CD pipeline, after an image is built and pushed to ECR, I would add a step to wait for Inspector to complete its scan and then check the generated findings. If Inspector reports critical or high-severity vulnerabilities, the pipeline step would fail, preventing the deployment of vulnerable images to production.
- You receive a critical Inspector finding for an EC2 instance that indicates a severe OS vulnerability with internet reachability. How would you investigate and potentially automate a response?
  - The Inspector finding would alert me (e.g., via EventBridge to SNS). The finding details would include the specific CVE and the network path that makes it internet-reachable. I would first confirm the reachability. Then, I could create an Amazon EventBridge rule specifically for this type of critical finding combined with internet reachability. This rule could trigger a Lambda function to automatically perform an initial remediation step, such as modifying the instance's security group to remove internet access, thus isolating it, while simultaneously notifying my security team for deeper investigation.
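The EventBridge-to-Lambda response described in the last scenario (and in the EventBridge integration bullets above), as an added example that is not code from the original page or from AWS. The event pattern and the decision logic are separated from the AWS calls so the decision can be tested offline. Assumptions not stated on the page: the event `detail` mirrors the Inspector2 Finding object (fields `severity`, `status`, `type`, `exploitAvailable`, `findingArn`, `resources[].type/id`); Inspector emits network-reachability and package-vulnerability findings as separate findings, so the handler isolates on either signal rather than waiting for both in one event; a quarantine security group with no inbound or outbound rules already exists; and the instance has a single network interface, so replacing its security groups isolates it. The `QUARANTINE_SG_ID` and `ALERT_TOPIC_ARN` values are placeholders.

```python
"""Added example: EventBridge rule pattern plus a Lambda handler that quarantines
an EC2 instance on a critical Inspector finding and notifies the security team.
Not from the original page or AWS; field names below are assumptions documented
in the lead-in."""
import json
import os

# Placeholders; supply real values through the Lambda environment.
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-PLACEHOLDER")
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER")

# EventBridge rule pattern (assumed deployed via put_rule or IaC). It narrows the
# stream to ACTIVE CRITICAL findings on EC2 instances; finer checks are done below.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["CRITICAL"],
        "status": ["ACTIVE"],
        "resources": {"type": ["AWS_EC2_INSTANCE"]},
    },
}


def should_isolate(detail):
    """Decide whether a finding warrants isolation.

    Returns (isolate, reason, instance_id). Pure function: no AWS calls."""
    resources = detail.get("resources") or []
    ec2_res = next((r for r in resources if r.get("type") == "AWS_EC2_INSTANCE"), None)
    if ec2_res is None:
        return False, "no EC2 resource in finding", None
    instance_id = ec2_res.get("id")
    if detail.get("status") != "ACTIVE" or detail.get("severity") != "CRITICAL":
        return False, "not an active critical finding", instance_id
    ftype = detail.get("type")
    if ftype == "NETWORK_REACHABILITY":
        # Reachability findings flag open network paths to the instance (see Network Reachability above)
        return True, "critical network reachability finding", instance_id
    if ftype == "PACKAGE_VULNERABILITY" and detail.get("exploitAvailable") == "YES":
        return True, "critical package vulnerability with known exploit", instance_id
    return False, "critical finding without reachability/exploit signal", instance_id


def handler(event, context):
    """Lambda entry point: isolate the instance, then notify the security team."""
    detail = event.get("detail", {})
    isolate, reason, instance_id = should_isolate(detail)
    if not isolate:
        return {"action": "none", "reason": reason, "instanceId": instance_id}

    import boto3  # imported here so should_isolate() stays testable without AWS
    ec2 = boto3.client("ec2")
    sns = boto3.client("sns")
    # Replaces every security group on the primary ENI with the quarantine group.
    # Instances with several ENIs would need modify_network_interface_attribute per ENI.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG_ID])
    sns.publish(
        TopicArn=ALERT_TOPIC_ARN,
        Subject=f"Inspector CRITICAL finding: {instance_id} quarantined",
        Message=json.dumps(
            {"reason": reason, "findingArn": detail.get("findingArn"), "title": detail.get("title")},
            indent=2,
        ),
    )
    return {"action": "quarantined", "reason": reason, "instanceId": instance_id}


# Constructed sample event details (not real findings) for local checks.
SAMPLE_REACHABILITY_DETAIL = {
    "findingArn": "arn:aws:inspector2:REGION:ACCOUNT:finding/PLACEHOLDER-1",
    "severity": "CRITICAL", "status": "ACTIVE", "type": "NETWORK_REACHABILITY",
    "title": "Port 22 is reachable from an Internet Gateway (constructed)",
    "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
}
SAMPLE_PACKAGE_DETAIL = {
    "findingArn": "arn:aws:inspector2:REGION:ACCOUNT:finding/PLACEHOLDER-2",
    "severity": "CRITICAL", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
    "exploitAvailable": "YES",
    "title": "CVE-EXAMPLE-0001 - kernel (constructed)",
    "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
}

if __name__ == "__main__":
    print(should_isolate(SAMPLE_REACHABILITY_DETAIL))
    print(should_isolate(dict(SAMPLE_PACKAGE_DETAIL, exploitAvailable="NO")))
```

Keeping the rule pattern coarse and the handler's check narrow is deliberate: a rule that only matches exact combinations is easy to get wrong silently, whereas the handler returns a reason for every event it declines, which is visible in CloudWatch Logs when tuning the response.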
Coding/CLI Examples
Here are some common Amazon Inspector operations using the AWS CLI and Python (Boto3).
AWS CLI Examples
- Enable Amazon Inspector (new version) for your account:

```bash
aws inspector2 enable \
  --resource-types EC2 ECR \
  --account-ids 123456789012   # Replace with your account ID
# For an organization, first run enable-delegated-admin-account from the
# management account, then run the command above from the delegated
# administrator account with the member account IDs in --account-ids.
```

- List Inspector findings:

```bash
aws inspector2 list-findings \
  --filter-criteria '{
    "findingStatus": [{ "comparison": "EQUALS", "value": "ACTIVE" }],
    "severity": [
      { "comparison": "EQUALS", "value": "HIGH" },
      { "comparison": "EQUALS", "value": "CRITICAL" }
    ]
  }' \
  --query 'findings[*].{Title:title,Severity:severity,Description:description,Remediation:remediation.recommendation.text}' \
  --output json
```

- Get details of a specific Inspector finding:

```bash
aws inspector2 get-findings \
  --finding-arns "arn:aws:inspector2:us-east-1:123456789012:finding/your-finding-id"
```

- Create a suppression rule:

```bash
# The filter action parameter is --action (NONE | SUPPRESS); --tags takes a key=value map.
aws inspector2 create-filter \
  --name "IgnoreLowSeverityWebServers" \
  --description "Suppress low severity findings on web servers" \
  --action SUPPRESS \
  --filter-criteria '{
    "severity": [{ "comparison": "EQUALS", "value": "LOW" }],
    "resourceTags": [
      { "comparison": "EQUALS", "key": "Environment", "value": "Prod" },
      { "comparison": "EQUALS", "key": "Role", "value": "WebServer" }
    ]
  }' \
  --tags ManagedBy=Automation
```
Python (Boto3) Examples
First, ensure you have Boto3 installed (pip install boto3) and your AWS credentials configured.
- Enable Amazon Inspector2:

```python
import boto3
from botocore.exceptions import ClientError

inspector2_client = boto3.client('inspector2')

try:
    # Enable EC2 and ECR scanning for the current account
    response = inspector2_client.enable(
        resourceTypes=["EC2", "ECR"]
    )
    print("Amazon Inspector2 enabled for current account.")
    # enable() reports per-account outcomes; surface any account that failed
    for failed in response.get('failedAccounts', []):
        print(f"Failed for {failed.get('accountId')}: {failed.get('errorMessage')}")

    # To enable specific member accounts in an organization
    # (run from the delegated administrator account):
    # response = inspector2_client.enable(
    #     accountIds=["123456789012", "234567890123"],
    #     resourceTypes=["EC2", "ECR"]
    # )
except ClientError as e:
    print(f"Error enabling Inspector2: {e}")
```

- List active critical and high severity findings:

```python
import boto3
from botocore.exceptions import ClientError

inspector2_client = boto3.client('inspector2')

try:
    # list_findings is paginated; the paginator follows nextToken for us
    paginator = inspector2_client.get_paginator('list_findings')
    response_iterator = paginator.paginate(
        filterCriteria={
            'findingStatus': [{'comparison': 'EQUALS', 'value': 'ACTIVE'}],
            'severity': [
                {'comparison': 'EQUALS', 'value': 'CRITICAL'},
                {'comparison': 'EQUALS', 'value': 'HIGH'}
            ]
        }
    )

    print("Active Critical/High Severity Findings:")
    for page in response_iterator:
        for finding in page['findings']:
            resources = finding.get('resources') or []
            resource_id = resources[0].get('id') if resources else 'n/a'
            # description may be absent; guard before slicing
            description = (finding.get('description') or '')[:100]
            remediation = finding.get('remediation', {}).get('recommendation', {}).get('text')
            print(f"- Title: {finding.get('title')}")
            print(f"  Severity: {finding.get('severity')}")
            print(f"  Resource: {resource_id}")
            print(f"  Description: {description}...")
            print(f"  Remediation: {remediation}")
            print("--------------------------------------------------")
except ClientError as e:
    print(f"Error listing findings: {e}")
```
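The CI/CD gate from the ECR scenario in the interview section, as an added Boto3 example that is not code from the original page or from AWS: it waits until Inspector reports coverage for the image that was just pushed, pulls that image's ACTIVE findings, and exits non-zero when any finding is of a blocking severity. Assumptions not stated on the page: Inspector ECR scanning is already enabled; a `list_coverage` entry with `scanStatus.statusCode` of `ACTIVE` means the image has been scanned; the `list_findings` filter keys `ecrImageRepositoryName` and `ecrImageTags` (and the coverage filter keys `ecrRepositoryName` and `ecrImageTags`) identify the image; the repository name and tag are passed as command-line arguments. The gate logic itself is a pure function so it can be checked against constructed findings without AWS access.

```python
"""Added example: pipeline gate that fails on CRITICAL/HIGH Inspector findings for
one ECR image. Not from the original page or AWS; see the lead-in for assumptions."""
import sys
import time

BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED")


def image_filter(repo, tag):
    """Inspector2 filterCriteria selecting ACTIVE findings for one image tag (assumed keys)."""
    return {
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
        "ecrImageRepositoryName": [{"comparison": "EQUALS", "value": repo}],
        "ecrImageTags": [{"comparison": "EQUALS", "value": tag}],
    }


def evaluate(findings, blocking=BLOCKING_SEVERITIES):
    """Pure gate logic over Inspector2 finding dicts.

    Returns {"passed": bool, "counts": {severity: n}, "blocking": [titles]}.
    Unrecognised severities are counted as UNTRIAGED and never block on their own."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    blocking_titles = []
    for finding in findings:
        sev = finding.get("severity", "UNTRIAGED")
        if sev not in counts:
            sev = "UNTRIAGED"
        counts[sev] += 1
        if sev in blocking:
            blocking_titles.append(finding.get("title", "<untitled>"))
    return {"passed": not blocking_titles, "counts": counts, "blocking": sorted(blocking_titles)}


def wait_for_coverage(client, repo, tag, timeout_s=600, poll_s=15):
    """Poll list_coverage until the image reports scanStatus ACTIVE (assumed: scanned)."""
    criteria = {
        "resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_CONTAINER_IMAGE"}],
        "ecrRepositoryName": [{"comparison": "EQUALS", "value": repo}],
        "ecrImageTags": [{"comparison": "EQUALS", "value": tag}],
    }
    deadline = time.monotonic() + timeout_s
    last_reason = "no coverage entry yet"
    while time.monotonic() < deadline:
        resp = client.list_coverage(filterCriteria=criteria)
        for res in resp.get("coveredResources", []):
            status = res.get("scanStatus", {})
            if status.get("statusCode") == "ACTIVE":
                return True
            last_reason = status.get("reason", last_reason)
        time.sleep(poll_s)
    raise TimeoutError(f"no Inspector coverage for {repo}:{tag} after {timeout_s}s ({last_reason})")


def fetch_findings(client, repo, tag):
    """Collect every ACTIVE finding for the image across all pages."""
    paginator = client.get_paginator("list_findings")
    findings = []
    for page in paginator.paginate(filterCriteria=image_filter(repo, tag)):
        findings.extend(page.get("findings", []))
    return findings


def main(repo, tag):
    import boto3  # imported here so evaluate() and friends can be tested offline
    client = boto3.client("inspector2")
    wait_for_coverage(client, repo, tag)
    result = evaluate(fetch_findings(client, repo, tag))
    print(f"{repo}:{tag} findings by severity: {result['counts']}")
    for title in result["blocking"]:
        print(f"  BLOCKING: {title}")
    return 0 if result["passed"] else 1


# Constructed sample findings shaped like list_findings output (not real data).
SAMPLE_FINDINGS = [
    {"title": "CVE-EXAMPLE-0001 in openssl (constructed)", "severity": "CRITICAL"},
    {"title": "CVE-EXAMPLE-0002 in curl (constructed)", "severity": "MEDIUM"},
    {"title": "CVE-EXAMPLE-0003 in zlib (constructed)", "severity": "LOW"},
]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} <repository-name> <image-tag>")
        sys.exit(2)
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Invoke it as the step after `docker push` in the pipeline; a non-zero exit stops the deployment. Counting every severity, not just the blocking ones, gives the build log a useful summary when the gate passes, and the pure `evaluate()` function lets the team change the blocking set (for example, adding MEDIUM for internet-facing services) with a unit test rather than a live scan.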