Amazon Inspector

Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector automatically discovers and scans running Amazon EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR), and AWS Lambda functions for known software vulnerabilities and unintended network exposure.
Amazon Inspector creates a finding when it discovers a software vulnerability or network configuration issue. A finding describes the vulnerability, identifies the affected resource, rates the severity of the vulnerability, and provides remediation guidance. You can analyze findings using the Amazon Inspector console, or view and process your findings through other AWS services. For more information, see .
An agent must be installed on EC2 instances for host assessments.
Network assessments do not require an agent.
Amazon Inspector is a Regional service. Data is stored in the AWS Region where you want to use the service. You must repeat the procedures you complete in this tutorial in each AWS Region where you want to use Amazon Inspector.
With Amazon Inspector, you can activate Amazon EC2 instance, Amazon ECR container image, and AWS Lambda function scanning. You can manage your scanning preferences from the account management page in the Amazon Inspector console or using Amazon Inspector APIs.
Amazon Inspector can provide Common Vulnerabilities and Exposures (CVE) data for your EC2 instances if the Amazon EC2 Systems Manager (SSM) agent is installed and activated. The SSM agent is preinstalled on , but you might need to . Regardless of the SSM agent status, all of your EC2 instances are scanned for network exposure issues. For more information about configuring scans for Amazon EC2, see . Amazon ECR and AWS Lambda function scanning don't require the use of an agent.
Amazon Inspector can use an agentless method on eligible instances if your account is configured for hybrid scanning. For agentless scans, Amazon Inspector uses Amazon EBS snapshots to collect a software inventory from your instances. With agentless scanning, Amazon Inspector scans for operating system package vulnerabilities and programming language package vulnerabilities.
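Because Amazon Inspector is Regional and each scan type is activated separately, a Region can be left without coverage unnoticed. The following is an added example, not part of the original page: it takes responses shaped like the output of the Amazon Inspector `BatchGetAccountStatus` API and lists the Regions where EC2, ECR, or Lambda scanning is not enabled. The sample responses and account ID are constructed, and `fetch_status` assumes boto3 and AWS credentials are available.

```python
"""Report Regions where Amazon Inspector scan types are not ENABLED."""

SCAN_TYPES = ("ec2", "ecr", "lambda")  # keys of resourceState in the response


def scan_gaps(status_response):
    """Return {account_id: [scan types not ENABLED]} for one Region's response."""
    gaps = {}
    for account in status_response.get("accounts", []):
        state = account.get("resourceState", {})
        missing = [t for t in SCAN_TYPES
                   if state.get(t, {}).get("status") != "ENABLED"]
        if missing:
            gaps[account["accountId"]] = missing
    # Accounts the API could not report on are treated as fully uncovered.
    for failed in status_response.get("failedAccounts", []):
        gaps[failed["accountId"]] = list(SCAN_TYPES)
    return gaps


def regional_gaps(responses_by_region):
    """Map Region -> gaps, keeping only Regions with at least one gap."""
    report = {}
    for region, response in responses_by_region.items():
        gaps = scan_gaps(response)
        if gaps:
            report[region] = gaps
    return report


def fetch_status(regions):
    """Call BatchGetAccountStatus per Region (assumes boto3 and credentials)."""
    import boto3  # imported here so the analysis functions run offline
    return {r: boto3.client("inspector2", region_name=r).batch_get_account_status()
            for r in regions}


def _state(ec2, ecr, lam):
    return {"ec2": {"status": ec2}, "ecr": {"status": ecr}, "lambda": {"status": lam}}


ACCOUNT = "111122223333"  # constructed account ID
SAMPLE = {  # constructed responses, one per Region
    "us-east-1": {"accounts": [{"accountId": ACCOUNT, "resourceState": _state("ENABLED", "ENABLED", "ENABLED")}]},
    "eu-west-1": {"accounts": [{"accountId": ACCOUNT, "resourceState": _state("ENABLED", "DISABLED", "DISABLED")}]},
    "ap-southeast-2": {"accounts": [], "failedAccounts": [{"accountId": ACCOUNT, "errorCode": "ACCESS_DENIED"}]},
}

if __name__ == "__main__":
    for region, gaps in regional_gaps(SAMPLE).items():
        print(region, gaps)
```

To run it against a live account, replace `SAMPLE` with `fetch_status([...])` for the Regions you use.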

