Amazon Inspector¶

What Is This Service?¶

Managed AWS vulnerability management and continuous exposure assessment service.

Mental model:

Amazon Inspector = Discover → Assess → Prioritize → Alert → Remediate

Primary purpose:

Continuously identify:

software vulnerabilities
unintended network exposure
package CVEs
container vulnerabilities
code weaknesses
workload risk

across AWS compute environments.

Typical targets:

EC2 instances
Amazon ECR container images
AWS Lambda functions
Lambda code packages

Why It Matters for Security¶

Traditional scanning creates problems:

periodic visibility
stale findings
missed vulnerabilities
operational overhead

Inspector exists to answer:

What is vulnerable?
How severe is it?
What should be fixed first?

Security outcomes:

continuous assessment
exposure reduction
faster remediation
centralized vulnerability visibility

MOST TESTED:

Inspector is vulnerability management.

It is not attack detection.

It is not packet inspection.

Architecture Example¶

Continuous Vulnerability Management¶

flowchart TD

subgraph Compute
    EC2[Amazon EC2]
    LambdaFn[AWS Lambda]
    ECR[Amazon ECR Repository]
end

subgraph InspectorService[Amazon Inspector]
    Coverage[Continuous Assessment]
    Risk[Risk Prioritization]
    Findings[Findings]
end

subgraph Operations
    SecurityHub[Security Hub]
    EventBridge[EventBridge]
    Remediation[Automation]
end

Coverage -. scans .-> EC2
Coverage -. scans .-> LambdaFn
Coverage -. scans .-> ECR

Coverage --> Risk
Risk --> Findings

Findings --> SecurityHub
Findings --> EventBridge

EventBridge --> Remediation

Architecture goals:

continuous scanning
risk prioritization
automated remediation

Workflow(s)¶

EC2 Vulnerability Assessment¶

sequenceDiagram

participant EC2
participant Inspector
participant CVE
participant Findings

EC2->>Inspector: Inventory packages

Inspector->>CVE: Match vulnerabilities

CVE->>Inspector: Return severity

Inspector->>Findings: Generate findings

Container Image Scanning¶

sequenceDiagram

participant ECR
participant Inspector
participant CVE
participant Findings

ECR->>Inspector: New image pushed

Inspector->>CVE: Evaluate packages

CVE->>Inspector: Match findings

Inspector->>Findings: Publish

Event-Driven Remediation¶

sequenceDiagram

participant Inspector
participant EventBridge
participant Automation
participant Resource

Inspector->>EventBridge: Finding

EventBridge->>Automation: Trigger

Automation->>Resource: Remediate

Core Concepts¶

Continuous Scanning¶

MOST TESTED

Inspector automatically scans:

running EC2
ECR repositories
Lambda deployments

Characteristics:

event driven
continuous
managed

Exam trap:

Inspector does not require scheduled scan windows.

EC2 Scanning¶

Inspector evaluates:

installed packages
operating system
CVEs
unintended exposure

Data sources:

AWS Systems Manager
package inventory

Examples:

OpenSSL vulnerable

Outdated package

Public exposure

MASSIVE EXAM TRAP:

Modern Inspector uses agentless scanning via Systems Manager integration.

Do not think legacy agents.

ECR Container Scanning¶

MOST TESTED

Inspector scans:

OS packages
application packages
container layers

Trigger:

Push image
↓
Scan
↓
Generate findings

Benefits:

shift-left security
image visibility

Lambda Scanning¶

HIGH VALUE

Inspector scans:

deployed packages
dependency vulnerabilities
runtime exposure

Purpose:

Detect vulnerable functions.

Exam trap:

Inspector scans Lambda packages.

Not runtime requests.

Code Security¶

HIGH VALUE

Inspector supports:

Code Security Scanning¶

Scans source code repositories.

Capabilities:

insecure patterns
vulnerable dependencies
code weaknesses

Purpose:

Shift security earlier.

Exam trap:

Code scanning differs from runtime scanning.

Findings¶

Inspector produces:

vulnerability findings
exposure findings

Severity:

Critical
High
Medium
Low
Informational

Important Integrations¶

Service	Purpose
EC2	Vulnerability scanning
ECR	Container scanning
Lambda	Dependency scanning
Security Hub	Findings aggregation
EventBridge	Automation
Systems Manager	Inventory
CloudTrail	Audit
Organizations	Multi-account
IAM	Authorization
SNS	Notifications
Config	Compliance
Detective	Investigation

Security Features¶

CVE Intelligence¶

MOST TESTED

Inspector continuously maps:

Package
↓
Known CVEs
↓
Risk score

Benefits:

prioritization
remediation focus

Reachability Analysis¶

HIGH VALUE

Inspector evaluates:

internet exposure
network reachability
exploitability

Risk model:

Vulnerability
+
Exposure
=
Priority

Exam trap:

Severity alone does not determine prioritization.

Risk Prioritization¶

Inspector prioritizes using:

CVSS
exploitability
network exposure
runtime context

Purpose:

Reduce remediation effort.

Continuous Discovery¶

Automatically detects:

new EC2
new images
Lambda updates

No manual registration.

Advanced Security and Operational Concepts¶

Control Plane vs Data Plane¶

Control Plane:

enable scanning
configure coverage
manage findings

Data Plane:

package inventory
metadata analysis

Exam trap:

Inspector does not inspect network traffic.

Multi-Account Architecture¶

MOST TESTED

flowchart LR

Organizations

Organizations --> DelegatedAdmin

DelegatedAdmin --> Inspector

Inspector --> AccountA

Inspector --> AccountB

Inspector --> AccountC

Benefits:

centralized visibility
governance

Delegated Administrator¶

Best practice:

Dedicated security account.

Responsibilities:

findings
scanning coverage
operations

Inspector vs GuardDuty¶

MASSIVE EXAM TRAP

Capability	Inspector	GuardDuty
Vulnerability scanning	Yes	No
Threat detection	No	Yes
Runtime attack detection	No	Yes
CVEs	Yes	No

Rule:

Inspector finds weaknesses.

GuardDuty detects attacks.

Inspector vs Macie¶

Capability	Inspector	Macie
Vulnerability scanning	Yes
Sensitive data	No	Yes
S3 discovery	No	Yes

Rule:

Macie protects data.

Inspector protects workloads.

Inspector vs Security Hub¶

Capability	Inspector	Security Hub
Generate findings	Yes
Aggregate findings	No	Yes
Risk scoring	Yes	Limited

Rule:

Inspector generates.

Security Hub centralizes.

Inspector vs ECR Native Scanning¶

MASSIVE EXAM TRAP

Capability	Inspector	Basic ECR Scan
Continuous	Yes
Risk context	Yes
Multi-resource	Yes
Findings aggregation	Yes

Rule:

Need enterprise vulnerability management → Inspector.

Event-Driven Remediation¶

flowchart LR

Inspector

Inspector --> EventBridge

EventBridge --> Lambda

Lambda --> SSM

SSM --> Resource

Examples:

isolate EC2
rebuild container
notify owners

Regional Behavior¶

HIGH VALUE

Inspector is regional.

Implications:

enable per Region
findings remain regional

Exam trap:

Inspector does not automatically enable globally.

Cost Model¶

Primary drivers:

EC2 instances
ECR images
Lambda scanning
code security coverage

Optimization:

disable unused repos
lifecycle policies
selective coverage

Exam trap:

Pricing follows protected resources.

Comparisons¶

Service	Primary Role
Inspector	Vulnerability management
GuardDuty	Threat detection
Security Hub	Findings aggregation
Macie	Data discovery
Config	Compliance
ECR Scanning	Image scanning

Common Exam Traps¶

Inspector is not GuardDuty.
Inspector performs vulnerability assessment.
Inspector does not inspect traffic.
Inspector continuously scans.
Modern Inspector is agentless.
Inspector integrates with Systems Manager.
ECR scanning differs from runtime scanning.
Lambda scanning analyzes packages.
Reachability influences priority.
Severity alone does not prioritize.
Security Hub aggregates findings.
Inspector is regional.
Code security differs from workload scanning.
Inspector does not replace patching.
Pricing depends on scanned resources.

5-Second Recall¶

Inspector = vulnerability management
EC2 + ECR + Lambda
Continuous scanning
CVE prioritization
Reachability matters
Security Hub aggregates
GuardDuty detects attacks
Regional service

Quick Revision Notes¶

Continuously assess workloads
Scan EC2, ECR, Lambda
Prioritize using exposure
Integrate with Security Hub
Automate with EventBridge
Systems Manager powers inventory
Reachability changes priority
Code scanning is shift-left
Enable per Region
Inspector finds weaknesses, not attacks