Amazon Inspector

• Amazon Inspector is an automated vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure.
• automatically discovers and scans EC2 instances, container images in Amazon ECR and within CI/CD tools, AWS Lambda functions, and code repositories for software vulnerabilities and unintended network exposure.
• creates a finding when a software vulnerability or network issue is discovered, that describes the vulnerability, rates its severity, identifies the affected resource, and provides remediation guidance.
• calculates a highly contextualized Inspector risk score for each finding by correlating CVE information with factors such as network access and exploitability to prioritize the most critical vulnerabilities.
• is a Regional service and configurations need to be repeated across each region.
• supports both agent-based and agentless scanning for EC2 instances.
• uses the Systems Manager (SSM) agent for agent-based scanning to collect software inventory and configurations.
• offers agentless scanning using EBS volume snapshots for instances without SSM Agent installed or configured.
• SSM agents can be set up as VPC Interface endpoints to avoid sending any information over the internet.
• uses an IAM AWSServiceRoleForAmazonInspector2 service-linked-role linked directly to Inspector with all the permissions required to call other AWS services on your behalf.
• has multi-account management through AWS Organizations integration, which allows delegating an administrator account for the organization.
• supports organization-wide management through AWS Organizations policies to centrally configure and manage scan types across all accounts, selected OUs, or individual accounts.
• integrates with AWS Security Hub which collects and centralizes the security data from across the AWS accounts, services, and other supported products.
• is available both as a standalone service and as a core capability within AWS Security Hub.

AWS Inspector Features

• Continuously scan environments for vulnerabilities and network exposure
  • automatically discovers and begins scanning eligible resources without the need to manually schedule or configure assessment scans.
  • all resources are continually rescanned when new CVEs are published or when changes occur, including new software installation on an EC2 instance or updates to code repositories.
• Assess vulnerabilities accurately with the Inspector Risk score
  • Inspector calculates a highly contextualized risk score by correlating CVE information with environmental factors such as network reachability and exploitability data.
  • helps prioritize the most critical findings and vulnerable resources.
• Identify high-impact findings with the Inspector dashboard
  • offers a high-level view of findings from across your environment.
• Manage findings using customizable views
  • Inspector console offers a Findings view.
  • users can use filters and suppression rules to generate customized finding reports.
  • suppression rules allow suppression of findings based on criteria defined by the organization for acceptable risks.
• Automatic closure of remediated findings
  • automatically detects if a vulnerability has been patched or remediated and changes the state of the finding to “Closed” without manual intervention.
• Monitor and process findings with other services and systems
  • publishes findings to
    • Amazon EventBridge, which can then be monitored and processed in near-real time as part of the existing security and compliance workflows or routed to SNS, Lambda, etc.
    • AWS Security Hub.
    • Amazon ECR for container image vulnerabilities, enabling resource owners to view and remediate.
• Detailed coverage monitoring
  • provides a comprehensive, near real-time overview of organization-wide environment coverage.
  • highlights resources not being actively monitored and provides guidance on how to include them.

Inspector Scanning Types

Amazon EC2 Scanning

• scans EC2 instances for common vulnerabilities and exposures (CVEs), network exposure issues, and operating system and programming language package vulnerabilities.
• performs network reachability scans once every 12 hours and package vulnerability scans on a variable cadence depending on the scan method.
• supports two scanning methods:
  • Agent-based scanning – uses the SSM Agent to collect software inventory from running instances.
  • Agentless scanning – takes snapshots of EBS volumes to extract data without installing an agent. GA since April 2024.
• Enhanced EC2 Scanning (VM Scanner) – uses the Amazon Inspector VM Scanner (replacing the older SSM plugin) for more granular package collection with fewer compute resources. Installed and updated via SSM associations.
• supports expanded agentless scanning including Windows OS vulnerability scanning without requiring an agent (March 2026).
• Deep inspection for Linux-based instances automatically scans for programming language package vulnerabilities (Python, Java, Node.js, Go, etc.) beyond OS-level packages.

Amazon ECR Container Image Scanning

• scans container images in Amazon ECR for software vulnerabilities.
• supports scratch, distroless, and Chainguard images for minimal and security-focused container base images.
• maps ECR images to their deployment footprint across Amazon ECS tasks and Amazon EKS pods.
• provides insights on deployment scope – when images were last used, how many tasks or pods are using them, and which clusters are running the image.
• helps prioritize remediation based on actual image usage and deployment status.

AWS Lambda Function Scanning

• scans Lambda functions for software vulnerabilities in their application packages and dependencies.
• Lambda code scanning scans custom proprietary application code for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or missing encryption based on AWS security best practices.
• upon detecting code vulnerabilities, generates actionable security findings with detector name, impacted code snippets, and remediation suggestions.
• uses generative AI and automated reasoning to provide in-context code patches for multiple classes of vulnerabilities.
• can scan both Lambda functions and layers; by addressing vulnerabilities at foundational layers, it improves security of all downstream Lambda functions.
• does not support scanning Lambda functions encrypted with customer managed keys.

CI/CD Pipeline Scanning

• integrates with developer tools like Jenkins and TeamCity for container image assessments within CI/CD pipelines.
• pushes security earlier in the software development lifecycle (shift-left).
• findings are available in the CI/CD tool’s dashboard, allowing automated actions like blocking builds or image pushes to registries.
• CI/CD tools can be hosted anywhere – in AWS, on-premises, or hybrid clouds.
• uses the Amazon Inspector SBOM Generator (Sbomgen) to produce a Software Bill of Materials and the Inspector Scan API to scan for vulnerabilities.
• supports custom CI/CD integrations via the SBOM Generator and Scan API combination.

Code Security Scanning (June 2025)

• expands vulnerability management to application source code through native integration with GitHub and GitLab (SCM tools).
• delivers three core capabilities:
  • Static Application Security Testing (SAST) – analyzes application source code for security vulnerabilities.
  • Software Composition Analysis (SCA) – evaluates third-party dependencies for known vulnerabilities.
  • Infrastructure as Code (IaC) scanning – validates infrastructure definitions for misconfigurations.
• findings are surfaced both in the Inspector console for an aggregated view across the organization and within the SCM platform as fast feedback for developers.
• enables consistent vulnerability management from code to compute resources running on AWS.

CIS Benchmark Assessments

• supports the Center for Internet Security (CIS) Benchmarks for on-demand and targeted assessments against OS-level CIS configuration benchmarks for EC2 instances.
• supports both Level 1 and Level 2 configuration benchmark checks.
• supported operating systems include Amazon Linux 2, Windows Server 2019, and Windows Server 2022.
• CIS scans can be run across AWS Organization accounts.
• launched January 2024.

Inspector Finding Types

• Package Vulnerability
  • identifies software packages exposed to common vulnerabilities and exposures (CVEs).
  • generated for EC2 instances, ECR container images, and Lambda functions.
  • supports Java Gradle inventory and scanning (January 2026), plus MySQL, MariaDB, PHP, Jenkins-core, 7zip (Windows), Elasticsearch, and Curl/LibCurl.
• Network Reachability
  • indicates allowed network paths to EC2 instances in the environment.
  • generated only for EC2 resources.
• Code Vulnerability
  • identifies code security vulnerabilities in Lambda functions and code repositories.
  • includes missing encryption, data leaks, injection flaws, and weak cryptography.
  • provides code snippets and AI-powered remediation suggestions.

SBOM (Software Bill of Materials)

• offers automated and centralized management of SBOM exports.
• enables easy export of a consolidated SBOM for all monitored resources to a pre-configured S3 bucket.
• supports industry standard formats (CycloneDX).
• SBOM artifacts can be used with Amazon Athena queries or Amazon QuickSight dashboards for insights and trend visualization.
• Amazon Inspector SBOM Generator (Sbomgen) is used behind the scenes for ECR scanning, Lambda scanning, and agentless EC2 scanning.

Multi-Account Management

• supports simplified one-click onboarding and integration with AWS Organizations.
• allows assigning an Inspector Delegated Administrator (DA) account that can start and configure all member accounts and consolidate findings.
• supports organization-wide management through AWS Organizations policies (November 2025) to centrally configure scan types – EC2 scanning, ECR scanning, Lambda Standard and Code Scanning, and Code Security – across all accounts, selected OUs, or individual accounts.
• new accounts are automatically onboarded when Inspector policies are configured.

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

References

• Amazon Inspector
• Amazon Inspector Features
• Amazon Inspector User Guide
• Scanning Amazon EC2 instances
• Scanning AWS Lambda functions
• CI/CD Pipeline Integration
• CIS Benchmark Assessments