Amazon Inspector Explained: Boosting Cloud Security for Your AWS Workloads

Learn how to automate vulnerability management and compliance with Amazon Inspector.

AWS Cloud gives us unmatched flexibility and scalability, allowing us to create resources at the snap of our fingers. But there’s a golden rule that cloud provider emphasize:

They handle the “Security of the Cloud,” while we’re responsible for “Security in the Cloud.”

So, roll up your sleeves—it’s time to secure what’s inside your cloud environment.

AWS environment deserves a vigilant guardian, someone quietly monitoring resources and identifying vulnerabilities with precision. That’s Amazon Inspector—AWS’s built-in security specialist, always on duty to keep your cloud secure.

It scans your workloads, checks on your EC2 instances, Lambdas, Containers images and lets you know if anything’s out of line. And the best part? It doesn’t just point out issues; it offers ways to fix them.

In this blog series, we’ll walk you through Amazon Inspector, guiding you on setup and showing how it can shield you from potential cyber risks.

In first part, we’ll cover the essentials: what Amazon Inspector is, how to get it up and running, and how to interpret its findings.

Let's get started

Setting up Amazon Inspector

• Individual Account Setup

If you are not using AWS Org or don't want to aggregated findings or manage inspector setting at centralized place, you can enabled inspector in member/individual account.

1. Sing in AWS Console, choose respective region.
2. Go to Amazon Inspector using search.
3. Activate Inspector.

For this demo, I will be activating EC2 scan, Lambda Standard + Code Scan, ECR scan.

Inspector provides 15-days trial period. If you would like continue using Inspector, refer pricing here.

• Delegated Admin Account

If you would like to manage Inspector within organization, managing settings, aggregating findings at central place, I would advised to enable delegated admin at org level and to do that :

1. Sign in to the AWS Organizations Management account and Go to Amazon Inspector.

2. Under Delegated administrator account ID, enter the 12-digit ID of the AWS account you want to designate as the delegated administrator, and then choose Delegate.

3. One enabled, login into delegated admin account. Go to Inspector --> Account Management.

4. From delegated admin account you can decide for which member account Inspector needs to be enabled, which type scan needs to be selected. Please find below screenshot

Understand Scan Type

- Amazon EC2 scanning: This scan type gathers metadata from your EC2 instances and compares it to security advisories, checking for package vulnerabilities and network exposure. Activating it scans all eligible instances in your account for these issues.

- Amazon ECR Scanning: Scans container images in Amazon ECR, upgrading the scan setting from basic to enhanced scanning for private registries.

- Lambda Standard Scanning: Default scan for Lambda functions, checking for code vulnerabilities in functions invoked or updated within the last 90 days.

- Lambda Code Scanning: Focuses on custom application code in Lambda functions, scanning those invoked or updated in the past 90 days for vulnerabilities.

In this first part of blog, I will be focusing on EC2 and Lambda Scan.

EC2 Scan

For EC2, scan can be Agent-based (using the SSM agent) or Agentless (using Amazon EBS snapshots). Amazon Inspector’s EC2 scanning pulls metadata from your instance, comparing it against security advisories to detect package vulnerabilities and network reachability issues. Network reachability scans run every 24 hours, while package vulnerability scans follow a variable schedule based on the scan method.

By default, Inspector will scan the instance which is managed by SSM.

Configure Scan

To configure scan type for EC2, Go To General Setting -> EC2 Setting.
You need to select Hybrid option in order to have both Agent-based and Agent-less.

I will not go into details on Agent-Based and Agent-Less. Just remember Agent-based is SSM agent based, if you have SSM agent running and EC2 role have policy AmazonSSMManagedInstanceCore attached, inspector should able to scan the instance.
Agent-less is using EBS Snapshot. Amazon Inspector generates an EBS snapshot for each volume attached to the instance. While in use, the snapshot is stored in your account, tagged with InspectorScan as the tag key and a unique scan ID as the tag value. For this demo, I'm using both.

Now we have Inspector ready to scan EC2 instance. Let's create an EC2 instance. If you already have EC2 instance, that's awesome because within few minutes inspector will start scanning EC2 instance and will show findings.

To make sure, Inspector Scans (for Agent-Based) make sure you have policy AmazonSSMManagedInstanceCore attached to EC2 instance.

If you don't attached above policy, inspector will perform Agent-less scan provided you have Hybrid scan type selected under EC2 Setting in inspector.

I already have EC2 instance created and I can see finding in Inspector Dashboard.

You will able to see EC2 instance under Resource Coverage -> EC2 Instance. For this blog, I have created EC2 instance that can do Agent-Based and Agent-less scan. You can find in below screenshot, I have 2 agent-based scan and 1 agent-less scan.

Understanding and Fixing Vulnerabilities

To check finding, go to Findings -> Instance, we should able to see finding per instance. Click on instance id and we should able see details.

Select any one of the findings and you should able to see details in right pane.

And good part here is , along with finding it also shows how to remediate it. In my case, it suggested to upgrade software packages by running sudo df check-update . I tried and updated software packages. In your case, it can be different.

After running above command, it gave below list of software package upgrade and its corresponding release notes.

I choose the recent software package updates for upgrade. Once done, in few minutes, inspector updates the findings.

If you compare previous finding screenshot and above one, you can see number of high findings reduced from 12 to 4 and same with Medium from 61 to 44.

Excluding EC2 Scans

You must have thought what if I don't want to scan EC2 instance with inspector, exclude specific instance from scanning. We have provision for it, you can simply tag your EC2 instance with Key InspectorEc2Exclusion. In my case, I have created one EC2 instance and added tag with key as InspectorEc2Exclusion and value as True.

Inspector will not scan this instance as it will detect this tag and will also in overview instance is excluded from scanning due to tag.

As you can see in below screenshot, instance which I tagged is excluded from scan.

Lambda Scan

Now it's time to play with AWS Lambda. As shown in inspector activation steps, I hope you have activated Lambda Scanning in inspector. Make sure you have enabled Lambda Standard scanning and Lambda code scanning as well.

Part of this demo, I have created simple NodeJs code which have hard-coded credentials

import requests  # Ensure 'requests' library is added in the Lambda environment

def lambda_handler(event, context):
    # Hard-coded sensitive information (vulnerable practice)
    api_key = "aspoklew0233qvdsrw3rq
    secret_token = "qw3sda2343"

    # Insecure HTTP connection (instead of HTTPS)
    url = "http://example.com/insecure-endpoint"

    # Send request with hard-coded sensitive information
    try:
        headers = {
            "Authorization": f"Bearer {secret_token}",
            "x-api-key": api_key
        }
        response = requests.get(url, headers=headers)

        if response.status_code == 200:
            print("Request successful:", response.text)
        else:
            print(f"Request failed with status: {response.status_code}")

        return {
            "statusCode": response.status_code,
            "body": response.text
        }
    except Exception as e:
        print("An error occurred:", e)
        return {
            "statusCode": 500,
            "body": "An error occurred"
        }

Once we deploy above lambda function. Inspector scans it for vulnerable code. To check findings, Go to Inspector --> Findings -> Lambda Function.

Same like EC2, you should able to see details about vulnerabilities.

It also gives exact location of code where vulnerability is present.

It also suggest for remediation, what needs to be done like storing secretes in AWS Secrete manager and accessing it using Roles.

I hope this blog gave you an kick-start to start with Amazon Inspector. Amazon Inspector provides robust security assessments for both EC2 instances and Lambda functions, helping you quickly detect vulnerabilities and misconfiguration. With this, you can enhance your cloud security posture, proactively address risks, and maintain a more resilient AWS environment.

Keep building and deploying secure workload on Cloud!!!