Amazon Inspector FAQs

Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2), AWS Lambda functions, and container images in Amazon ECR and within continuous integration and continuous delivery (CI/CD) tools, in near-real time for software vulnerabilities and unintended network exposure.

Amazon Inspector removes the operational overhead associated with deploying and configuring a vulnerability management solution by allowing you to deploy Amazon Inspector across all accounts with a single step. Additional benefits include:

• Automated discovery and continual scanning that delivers near real-time vulnerability findings

• Central management, configuration, and view of findings for all your organization’s accounts by setting a Delegated Administrator (DA) account

• A highly contextualized and meaningful Amazon Inspector risk score for each finding to help you set more accurate response priorities

• An intuitive Amazon Inspector dashboard for coverage metrics, including accounts, Amazon EC2 instances, Lambda functions, and container images in Amazon ECR and within CI/CD tools, and code repositories within your Source Code Management (SCM) platform, in near-real time.

• Maximize vulnerability assessment coverage by seamlessly scanning EC2 instances, switching between agent-based and agentless scanning.

• Centrally manage software bill of materials (SBOM) exports for all monitored resources. 

• Integration with AWS Security Hub and Amazon EventBridge to automate workflows and ticket routing

You can deactivate Amazon Inspector Classic by simply deleting all assessment templates in your account. To access findings for existing assessment runs, you can download them as reports or export them using the Amazon Inspector API. You can activate the new Amazon Inspector with a few steps in the AWS Management Console, or by using the new Amazon Inspector APIs. You can find the detailed migration steps in the Amazon Inspector Classic User Guide.

Amazon Inspector has been rearchitected and rebuilt to create a new vulnerability management service. Here are the key enhancements over Amazon Inspector Classic:

• Built for scale: The new Amazon Inspector is built for scale and the dynamic cloud environment. There’s no limit to the number of instances or images that can be scanned at a time.

• Support for container images and Lambda functions: The new Amazon Inspector also scans container images residing in Amazon ECR and within CI/CD tools, and Lambda functions for software vulnerabilities. Container-related findings are also pushed to the Amazon ECR console.

• Support for multi-account management: The new Amazon Inspector is integrated with AWS Organizations, allowing you to delegate an administrator account for Amazon Inspector for your organization. This Delegated Administrator (DA) account is a centralized account that consolidates all findings and can configure all member accounts.

• AWS Systems Manager Agent: With the new Amazon Inspector, you no longer need to install and maintain a standalone Amazon Inspector agent on all of your Amazon EC2 instances. The new Amazon Inspector uses the widely deployed AWS Systems Manager Agent (SSM Agent), which removes that need.

• Automated and continual scanning: The new Amazon Inspector automatically detects all newly launched Amazon EC2 instances, Lambda functions, and eligible container images pushed to Amazon ECR and immediately scans them for software vulnerabilities and unintended network exposure. When an event occurs that may introduce a new vulnerability, the involved resources are automatically rescanned. Events that initiate rescanning a resource include installing a new package in an EC2 instance, installing a patch, and when a new common vulnerabilities and exposures (CVE) that impacts the resource is published.

• Amazon Inspector risk score: The new Amazon Inspector calculates an Inspector risk score by correlating up-to-date CVE information with temporal and environmental factors such as network accessibility and exploitability information to add context to help prioritize your findings.

• Vulnerability assessment coverage: The new Amazon Inspector enhances vulnerability assessment by seamlessly scanning EC2 instances and switching between agent-based and agentless scanning.

• Software bill of materials (SBOM) export: The new Amazon Inspector centrally manages and exports SBOM for all monitored resources. 

• Scan your code repositories: The new Amazon Inspector with it’s native integration to GitHub and GitLab, helps you rapidly identify and prioritize security vulnerabilities and misconfigurations across your application source-code, dependencies, and infrastructure as code (IaC).

Yes, you can use both simultaneously in the same account.

See the Amazon Inspector pricing page for full pricing details.

All accounts new to Amazon Inspector are eligible for a 15-day free trial to evaluate the service and estimate its cost. During the trial, all eligible Amazon EC2 instances, AWS Lambda functions, and container images pushed to Amazon ECR are continually scanned at no cost. You can also review estimated spend in the Amazon Inspector console. Free trial is also extended to scan your code repositories with Code Security.

Amazon Inspector is available globally. Specific availability by Region is listed here.

You can activate Amazon Inspector for your entire organization or an individual account with a few steps in the AWS Management Console. Once activated, Amazon Inspector automatically discovers running Amazon EC2 instances, Lambda functions, and Amazon ECR repositories and immediately starts continually scanning workloads for software vulnerabilities and unintended network exposure. For Code Security, establish a secure integration to your Source Code Management (SCM) platform to begin scanning. If you’re new to Amazon Inspector, there’s a 15-day free trial as well.

An Amazon Inspector finding is a potential security vulnerability. For example, when Amazon Inspector detects software vulnerabilities or open network paths to your compute resources or code, it creates security findings.

Yes. Amazon Inspector is integrated with AWS Organizations. You can assign a DA account for Amazon Inspector, which acts as the primary administrator account for Amazon Inspector and can manage and configure it centrally. The DA account can centrally view and manage findings for all the accounts that are part of your AWS organization.

The AWS Organizations Management account can assign a DA account for Amazon Inspector in the Amazon Inspector console or by using Amazon Inspector APIs.

If you’re starting Amazon Inspector for the first time, all scanning types, including EC2 scanning, Lambda scanning, and ECR container image scanning are activated by default. However, you can deactivate any or all of these across all accounts in your organization. Existing users can activate new features in the Amazon Inspector console or by using Amazon Inspector APIs.

No, you don’t need an agent for scanning. For vulnerability scanning of Amazon EC2 instances, you can use the AWS Systems Manager Agent (SSM Agent) for an agent-based solution. Amazon Inspector also offers agentless scanning if you don’t have the SSM Agent deployed or configured. For assessing network reachability of Amazon EC2 instances, vulnerability scanning of container images, or vulnerability scanning of Lambda functions, no agents are necessary. 

To successfully scan Amazon EC2 instances for software vulnerabilities, Amazon Inspector recommends that these instances are managed by AWS Systems Manager and the SSM agent. See Systems Manager prerequisites in the AWS Systems Manager User Guide for instructions to activate and configure Systems Manager. For information about managed instances, see the Managed Instances section in the AWS Systems Manager User Guide. For instances that do not have SSM agent installed, they can be scanned via agentless scanning with hybrid-mode support.

Amazon Inspector supports the configuration of inclusion rules to select which ECR repositories are scanned. Inclusion rules can be created and managed under the registry settings page within the ECR console or using ECR APIs. The ECR repositories that match the inclusion rules are configured for scanning. Detailed scanning status of repositories is available in both the ECR and Amazon Inspector consoles.

The Resource Coverage panel in the Amazon Inspector dashboard shows the metrics for accounts, Amazon EC2 instances, Lambda functions, Code Repositories and ECR repositories being actively scanned by Amazon Inspector. Each instance and image have a scanning status: Scanning or Not Scanning. Scanning means the resource is continually being scanned in near real time. A status of Not Scanning could mean the initial scan has not been performed yet, the OS is unsupported, or something else is preventing the scan. For Code Security, scan status of Active or Inactive represents the state, wherein Active would mean it has a scan configuration set up to periodically scan the project.

All scans are automatically performed based on events. All workloads are initially scanned upon discovery and subsequently rescanned.

• For Amazon EC2 instances: For SSM agent-based scans, rescans are started when a new software package is installed or uninstalled on an instance, when a new CVE is published, and after a vulnerable package is updated (to confirm there are no additional vulnerabilities). For agentless scans, scans are performed every 24 hours.

• For Amazon ECR container images: Automated re-scans are started for eligible container images when a new CVE affecting an image is published. The automated rescans for container images are based on the rescan durations configured for image last in use date and push date in the Amazon Inspector console or APIs. If the push date of an image is less than the configured “Push date rescan duration” and image last in use date is within the configured “last in use rescan duration”, the container image will continue to be monitored and automated rescans are started when a new CVE affecting an image is published. Available re-scan duration configurations for image last in use date are 14 days (by default), 30 days, 60 days, 90 days, or 180 days. The rescan duration configurations for image pull date are 14 days (by default), 30 days, 60 days, 180 days or Lifetime.

• For Lambda functions: All new Lambda functions are initially assessed upon discovery, and continually reassessed when there is an update to the Lambda function or a new CVE is published.

• For Code Repositories: All new code repositories are assessed as per the default configuration settings. If periodic scans and/or change-based scans are configured, the repositories will be scanned as per the configured triggers. There are no CVE based automated re-scans triggered.

Container images residing in Amazon ECR repositories that are configured for continual scanning are scanned for the duration configured in the Amazon Inspector console or APIs. Available rescan duration configurations for image last in use date are 14 days (by default), 30 days, 60 days, 90 days, or 180 days. The rescan duration configurations for image pull date are 14 days (by default), 30 days, 60 days, 180 days, or Lifetime.

• When Amazon Inspector ECR scanning is activated, Amazon Inspector only picks up images pushed in last 14 days for scanning, but continually scans them for the rescan duration configured for last in use and push date. i.e, 14 days (by default), 30 days, 60 days, 90 days, or 180 days. If the push date of an image is less than the configured “Push date rescan duration” AND image has last in use date within the configured “last in use rescan duration”, the container image will continue to be monitored and automated rescans are started when a new CVE affecting an image is published. For example, when activating Amazon Inspector ECR scanning, Amazon Inspector will pick up images pushed in the last 14 days for scanning. However post-activation, if you select 30 days rescan duration for both push date and last in use date configurations, Amazon Inspector will continue to scan the images if they were pushed in the last 30 days or have been last in use on running container at least once in the last 30 days. If an image hasn’t been push or last in use on a running container in the last 30 days, Amazon Inspector will stop monitoring it.

• All images pushed to ECR after Amazon Inspector ECR scanning is activated are continually scanned for the duration configured in “Last in use date rescan duration” and “Push date rescan duration”. Available rescan duration configurations for image push date are 14 days (by default), 30 days, 60 days, 90 days, 180 days, or lifetime. The rescan duration configurations for image last in use date are 14 days (by default), 30 days, 60 days, 90 days or 180 days. The automated re-scan duration is calculated based on last push or last in use date of a container image. For example, after activating Amazon Inspector ECR scanning, if you select 180 days rescan duration for both push data and last in use date configurations, Amazon Inspector will continue to scan the images if they were pushed in the last 180 days or have been last in use on a running container at least once in the last 180 days. However, if an image hasn’t been pushed or last in use on a running container in the last 180 days, Amazon Inspector will stop monitoring it.

• If the image is in “scan eligibility expired” state, you can pull the image to bring it back under Amazon Inspector monitoring. The image will be continually scanned for the push and pull date rescan durations configured from the last pulled date.

• For Amazon EC2 instances: Yes, an EC2 instance can be excluded from scanning by adding a resource tag. You can use the key ‘InspectorEc2Exclusion’, and value is <optional>.

• For container images residing in Amazon ECR: Yes. Although you can select which Amazon ECR repositories are configured for scanning, all images within a repository will be scanned. You can create inclusion rules to select which repositories should be scanned.

• For Lambda functions: Yes, a Lambda function can be excluded from scanning by adding a resource tag. For standard scanning, use the key 'InspectorExclusion' and the value 'LambdaStandardScanning'. For code scanning, use the key 'InspectorCodeExclusion' and the value 'LambdaCodeScanning'.

• For Code Security: Yes, you can select which code repositories are configured for scanning. You can create inclusion rules to select which repositories should be scanned within your scan configurations.

In a multi-account structure, you can activate Amazon Inspector for Lambda vulnerabilities assessments for all your accounts within the AWS Organization from the Amazon Inspector console or APIs through the Delegated Administrator (DA) account, while other member accounts can activate Amazon Inspector for their own account if the central security team hasn’t already activated it for them. Accounts that are not a part of the AWS Organization can activate Amazon Inspector for their individual account through the Amazon Inspector console or APIs.

Amazon Inspector will continually monitor and assess only the $LATEST version. Automated rescans will continue only for the latest version, so new findings will be generated only for the latest version. In the console, you will be able to see the findings from any version by selecting the version from the dropdown.

No. You have two options: either activate Lambda standard scanning alone or enable Lambda standard and code scanning together. Lambda standard scanning provides fundamental security protection against vulnerable dependencies used in the application deployed as Lambda functions and association layers. Lambda code scanning provides additional security value by scanning your custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or embedded secrets.

Changing the default SSM inventory collection frequency can have an impact on the continual nature of scanning. Amazon Inspector relies on SSM Agent to collect the application inventory to generate findings. If the application inventory duration is increased from the default of 30 minutes, that will delay the detection of changes to the application inventory, and new findings might be delayed.

The Amazon Inspector risk score is a highly contextualized score that is generated for each finding by correlating common vulnerabilities and exposures (CVE) information with network reachability results, exploitability data, and social media trends. This makes it easier for you to prioritize findings and focus on the most critical findings and vulnerable resources. You can see how the Inspector risk score was calculated and which factors influenced the score in the Inspector Score tab within the Findings Details side panel.

For example: There is a new CVE identified on your Amazon EC2 instance, which can only be exploited remotely. If the Amazon Inspector continual network reachability scans also discover that the instance is not reachable from the internet, it knows that the vulnerability is less likely to be exploited. Therefore, Amazon Inspector correlates the scan results with the CVE to adjust the risk score downward, more accurately reflecting the impact of the CVE on that particular instance.

Amazon Inspector allows you to suppress findings based on the customized criteria you define. You can create suppression rules for findings that are considered acceptable by your organization.

You can generate reports in multiple formats (CSV or JSON) with a few steps in the Amazon Inspector console or through the Amazon Inspector APIs. You can download a full report with all findings, or generate and download a customized report based on the view filters set in the console.

You can generate and export SBOMs for all resources monitored with Amazon Inspector, in multiple formats (CycloneDx or SPDX), with a few steps in the Amazon Inspector console or through the Amazon Inspector APIs. You can download a full report with SBOM for all resources, or selectively generate and download SBOMs for a few select resources based on the set view filters.

For existing Amazon Inspector customers using a single account, you can enable agentless scanning by visiting the account management page within the Amazon Inspector console or using APIs.

For existing Amazon Inspector customers using AWS Organizations, your Delegated Admin needs to either completely migrate the entire organization to an agentless solution or continue using the SSM agent-based solution exclusively. You can change the scan mode  configuration from the EC2 settings page in the console or through APIs.

For new Amazon Inspector customers, hybrid scan mode is turned on by default when you enable EC2 scanning. In the hybrid scan mode, Amazon Inspector relies on SSM Agents for application inventory collection to perform vulnerability assessments and automatically falls back on agentless scanning for instances that don’t have SSM Agents installed or configured.

For existing Amazon Inspector customers using a single account, you can enable agentless scanning by visiting the account management page within the Amazon Inspector console or using APIs.

For existing Amazon Inspector customers using AWS Organizations, your Delegated Admin needs to either completely migrate the entire organization to an agentless solution or continue using the SSM agent-based solution exclusively. You can change the scan mode  configuration from the EC2 settings page in the console or through APIs.

For new Amazon Inspector customers, hybrid scan mode is turned on by default when you enable EC2 scanning. In the hybrid scan mode, Amazon Inspector relies on SSM Agents for application inventory collection to perform vulnerability assessments and automatically falls back on agentless scanning for instances that don’t have SSM Agents installed or configured.

Amazon Inspector will automatically trigger a scan every 24 hours for instances that are marked for agentless scanning. There will be no change to the continuous scanning behavior for instances marked for SSM agent-based scans. 

No, in a multi-account setup, only delegated admins can set up scan mode configuration for the complete organization.

Application and platform teams can integrate Amazon Inspector into their build pipelines using purpose-built Amazon Inspector plugins designed for various CI/CD tools, such as Jenkins, AWS Code Pipeline, GitHub Actions and TeamCity. These plugins are available in the marketplace of each respective CI/CD tool. Once the plugin is installed, you can add a step in the pipeline to perform an assessment of the container image and take actions, such as blocking the pipeline based on the assessment results. When vulnerabilities are identified in the assessment, actionable security findings are generated. These findings include vulnerability details, remediation recommendations, and exploitability details. They are returned to the CI/CD tool in both JSON and CSV formats, which can then be translated into a human-readable dashboard by the Amazon Inspector plugin or can be downloaded by teams.

No, you don’t need to enable Amazon Inspector to use this feature provided you have an active AWS account.

Yes. Amazon Inspector uses SSM Agent to collect application inventory, which can be set up as Amazon Virtual Private Cloud (VPC) endpoints to avoid sending information over the internet.

You can find the list of operating systems (OS) supported here.

You can find the list of programming language packages supported here.

Yes. Instances that use NAT are automatically supported by Amazon Inspector.

Yes. See how to configure SSM Agent to use a proxy for more information.

Amazon Inspector integrates with Amazon EventBridge to provide notification for events such as a new finding, change of state of a finding, or creation of a suppression rule. Amazon Inspector also integrates with AWS CloudTrail for call logging. Amazon Inspector integrates with Security Hub to send findings for a comprehensive view across organization and services

Yes. You can run Amazon Inspector to perform on-demand and targeted assessments against OS-level CIS configuration benchmarks for Amazon EC2 instances across your AWS Organization.

Yes. See Amazon Inspector Partners for more information.

Yes. You can deactivate all scanning types (Amazon EC2 scanning, Amazon ECR container image scanning, and Lambda function scanning) by deactivating the Amazon Inspector service, or you can deactivate each scanning type individually for an account.

No. Amazon Inspector does not support a suspended state.

Amazon Inspector provides comprehensive code security capabilities that help secure applications before they reach production. The service delivers three key features for application security. Static Application Security Testing (SAST) analyzes application source code to identify potential vulnerabilities in custom-written code. Software Composition Analysis (SCA) evaluates third-party dependencies to ensure libraries and packages don't introduce hidden risks. Infrastructure as code (IaC) scanning validates infrastructure definitions to help prevent misconfigurations before deployment. These capabilities work together to help provide a complete view of application security, from code to infrastructure.

Amazon Inspector integrates with GitHub and GitLab to help incorporate security scanning throughout the development process. You can evaluate code security at multiple stages: when developers do code changes with pull request, merge request or push code changes in repositories, on-demand, or through scheduled security reviews. This flexibility allows your teams to implement security scanning that aligns with their development practices. By adapting to existing workflows, Amazon Inspector helps make security an integral part of the development lifecycle without disrupting team productivity.

Amazon Inspector supports multiple scan frequencies to scan your code repositories. You can choose to scan periodically at a set schedule either weekly on a particular day of the week, or monthly. Additionally, you can also enable scanning when code is changed such as pull_request or merge_request, and at push. Individual projects or repositories can be scanned on-demand as well.   

Amazon Inspector supports a default and a general scan configuration. The difference between the two is that a default scan configuration can automatically be attached to new projects discovered. Default scan configuration is embedded into the integration workflow while establishing the connection to your Source Code Management (SCM) platform. You can skip creating a default scan configuration, and can always add it later. A general scan configuration is applied to existing projects discovered at the time of creation of the scan configuration only.