Which AWS automated vulnerability management service continuously scans workloads for software vulnerabilities and unintended network exposure?
Amazon Inspector
This deck covers Amazon Inspector Classic
Which AWS services does Amazon Inspector assess for vulnerabilities and deviations from security best practices?
How frequently can Amazon Inspector run vulnerability scans?
Scans can run as often as:
- 15 minutes
- 1 hour
- 1 day
What does Amazon Inspector produce after a scan completes?
A prioritized findings report, ordered by severity
What two assessment types does Amazon Inspector provide?
Network assessments and host assessments
Which Amazon Inspector assessment type analyzes network configurations for unintentional exposure to the internet?
Network assessment
Which Amazon Inspector assessment type analyzes EC2 instances and container images for software vulnerabilities and configuration issues?
Host assessment
What collection of security rules does Amazon Inspector use to assess a security posture?
Rules packages
Which Amazon Inspector rules package analyzes end-to-end network reachability across EC2, ALB, Direct Connect, ELB, ENIs, Internet Gateway, NACLs, route tables, security groups, subnets, VPCs, VGWs, and VPC peering?
Network Reachability Rules Package
What findings can the Network Reachability Rules Package return?
Which Amazon Inspector rules packages require an agent?
Host rules packages:
- Common Vulnerabilities and Exposures (CVE)
- Center for Internet Security (CIS) Benchmark
- Security Best Practices for Amazon Inspector
What types of container image scanning does Amazon Inspector support?
Enhanced Scanning and Basic Scanning
What does Amazon Inspector Enhanced Scanning provide?
Continuous scanning of container images for OS and programming language vulnerabilities, and event generation when new vulnerabilities are detected
How does Amazon Inspector Basic Scanning work?
Scans run on image push or on manual trigger, using the Common Vulnerabilities and Exposures (CVE) database from the open-source Clair project
What types of vulnerabilities are detected by Amazon Inspector Enhanced Scanning?
Operating system and programming language package vulnerabilities