AWS Security & Identity
Inspector
Automated vulnerability scanning for EC2 instances, Lambda, and container images
Amazon Inspector is an automated vulnerability management service that continuously scans EC2 instances, Lambda functions, and container images in ECR for software vulnerabilities (CVEs) and unintended network exposure. It integrates with AWS Systems Manager Agent on EC2 and eliminates the need to schedule manual scans. Inspector findings feed into Security Hub for centralized posture management.
What Inspector Scans and How
| Target | How it scans | Agent required |
|---|---|---|
| EC2 instances | Uses SSM Agent to inspect installed packages, running processes, network config | Yes - SSM Agent + Inspector association |
| Lambda functions | Scans function package and layers for vulnerable dependencies | No - agentless |
| ECR container images | Scans on push and continuously for new CVEs against stored images | No - agentless |
| Lambda code | Static code analysis for application code vulnerabilities (Inspector v2) | No |
Inspector uses the Common Vulnerabilities and Exposures (CVE) database along with vendor security advisories (Amazon Linux, Ubuntu, Red Hat, etc.) to identify vulnerabilities. It calculates an Inspector score based on CVSS base score + environmental factors like network reachability.
Inspector v2 (the current version) is fundamentally different from Inspector Classic. It is always-on and continuous rather than scheduled, and covers Lambda and ECR in addition to EC2. Inspector Classic is deprecated.
Inspector Findings and Risk Scoring
Inspector generates findings with a severity of Critical, High, Medium, Low, or Informational based on an adjusted CVSS score that factors in AWS-specific context.
| Factor | How it adjusts the score |
|---|---|
| Network reachability | A vulnerability on a publicly reachable instance scores higher than the same CVE on a private instance |
| Exploit availability | CVEs with known public exploits score higher |
| CVSS base score | Starting point from the NVD database |
| Package path | Vulnerabilities in packages directly exposed to user input score higher |
# List critical findings across all EC2 instances
aws inspector2 list-findings \
--filter-criteria '{"severity": [{"comparison": "EQUALS", "value": "CRITICAL"}]}' \
--query 'findings[].{Title:title,Resource:resources[0].id,Score:inspectorScore}'
# Get findings for a specific ECR image
aws inspector2 list-findings \
--filter-criteria '{"ecrImageRepositoryName": [{"comparison": "EQUALS", "value": "my-app"}]}'A high CVSS score (e.g., 9.8) does not always mean immediate risk. Inspector's contextual scoring is more actionable. A 9.8 CVE in an OpenSSL library on an instance with no inbound network access is far less urgent than a 7.0 CVE on a public-facing web server with a known exploit.
Centralized Inspector Management Across Accounts
Inspector integrates with AWS Organizations to enable centralized management of vulnerability findings across all accounts. A delegated administrator account aggregates all findings.
# Enable Inspector for the entire organization (run from delegated admin account)
aws inspector2 enable \
--account-ids SELF \
--resource-types EC2 ECR LAMBDA
# Auto-enable for new accounts
aws inspector2 update-organization-configuration \
--auto-enable ec2=true,ecr=true,lambda=true
# Get an account-level summary of coverage
aws inspector2 list-coverage \
--filter-criteria '{"accountId": [{"comparison": "EQUALS", "value": "123456789012"}]}'Integration with Security Hub, ECR, and CI/CD
Inspector integrates with the broader AWS security ecosystem to enable both reactive finding management and proactive CI/CD gatekeeping.
| Integration | What it enables |
|---|---|
| Security Hub | Inspector findings sent automatically as Security Hub findings in ASFF format |
| EventBridge | Critical findings trigger automated notifications or remediation workflows |
| ECR scan-on-push | Inspector scans every image pushed to ECR; can block deployment if critical CVEs found |
| Systems Manager Patch Manager | Remediate OS vulnerabilities Inspector found by running SSM patching |
| AWS Organizations | Centralized findings and auto-enable for new accounts |
For a mature DevSecOps pipeline, gate ECR image deployments on Inspector results: scan the image during CI, use the Inspector ECR API to retrieve results, and fail the pipeline if Critical findings exist with a CVSS score above a threshold you define.
Interview Focus Points
- 1What is the difference between Inspector v1 (Classic) and Inspector v2? What new target types does v2 add?
- 2How does Inspector calculate its severity score? How is it different from a raw CVSS score?
- 3How would you integrate Inspector into a CI/CD pipeline to prevent deploying containers with critical vulnerabilities?
- 4What agent does Inspector need on EC2 instances and what do you need to configure for it to work?
- 5How do you centralize Inspector findings across 50 AWS accounts?
- 6A developer says "Inspector flagged a Critical CVE in our Lambda function but we can't patch it because the library doesn't have a fix yet." What do you do?
- 7What is the difference between Inspector findings and GuardDuty findings?