
Manage Vulnerabilities Automatically with AWS

Imagine a service that can instantly discover and scan Amazon Web Services workloads for software vulnerabilities and unintended network exposure with a single click. If you thought that was impossible, you are mistaken: it is called Amazon Inspector, an AWS service that organizations of all sizes use to automate security assessment and management at scale and to improve application security and compliance.

Originally introduced in 2015, Amazon Inspector has simplified the work of putting a detection mechanism in place for both operating systems and applications on EC2 instances, and for container images stored in Amazon Elastic Container Registry (Amazon ECR).

Amazon Inspector automatically evaluates vulnerabilities and deviations from best practices. After each assessment it provides a detailed report that includes the steps needed to remediate what it found.

A new Amazon Inspector was recently introduced that replaces what is now called Amazon Inspector Classic. There are significant differences between the two, mainly in automation, integration with other AWS services, and near real-time performance. Amazon Inspector is now available in 19 global regions, and you can scan your environment for vulnerabilities with a 15-day free trial.

But what does it do specifically? Let’s figure it out together.

The first significant enhancement in the new Amazon Inspector is that it uses the Systems Manager agent (SSM Agent); the previous version used its own dedicated agent. Merging the two agents simplifies provisioning and improves performance. The SSM Agent is installed automatically on most Amazon Linux and AWS Windows AMIs, and it is open source and available on GitHub.

What really matters is that sharing the agent lets Amazon Inspector integrate with Systems Manager and other services, so you can monitor network, file system, and process activity.

It also checks the operating system and all installed applications, using a knowledge base with hundreds of rules drawn from security compliance standards and vulnerability definitions. It builds a severity score from the security metrics published in the National Vulnerability Database (NVD) and adjusts it to your environment: the score is in CVSS format and is consistent with the Common Vulnerability Scoring System score that the NVD provides. You can check at any time whether your fleet has vulnerable software versions installed and take the required mitigation measures, and once you remediate a finding, Inspector detects the fix and closes it.

Many web giants rely on this service, starting with Uber, the San Francisco-based company that provides the smartest private car transport service there is. “The new Amazon Inspector,” said Oliver Szimmetat, Security Engineering Manager, “simplified the adoption of a cloud vulnerability management solution for our different AWS instances. Leveraging our existing Systems Manager agents with Inspector, we’ve automated ongoing remediation and streamlined operations with one-click onboarding, centralized controls, and operational visibility. In addition, Inspector’s auto-trigger capability identifies recommended patches in near real time. After patching, Inspector automatically re-examines the instances, verifying that no new vulnerabilities have been introduced. The use of Inspector has dramatically reduced the mean time to repair for Uber.”

Author

Valentina
