The new Amazon Inspector

The new Amazon Inspector offers customers the following capabilities:

  • Easy to Enable (literally two clicks)
  • AWS Organizations (Multi-Account) Support
  • Continuous Vulnerability and Network Reachability Scanning
  • Utilizes SSM Agent (no longer requires a standalone agent)
  • Findings are Scored
  • Findings can be Suppressed
  • Remediated Findings are Automatically Closed
  • Dashboard has been Redesigned
  • In addition to EC2 Scanning, ECR Stored Container Images can be Scanned
  • Available in All Commercial, GovCloud and China Regions

Let’s explore each of these capabilities!

Easy to Enable (literally two clicks)

As depicted in the screenshot below, individual accounts can enable the service by clicking Enable, optionally selecting EC2 or ECR container scanning options:

As soon as it’s enabled, any instance running a recent SSM Agent version with a properly configured IAM Role automatically begins scanning:

Pictured above is an “Unmanaged Instance”, which does not have a running SSM Agent or a properly configured IAM Role. This state (and other states) is not only depicted visually, to identify coverage gaps, but is also emitted as an event to EventBridge (more on this later!).

Compared to Amazon Inspector Classic, which relied on tags to specify in-scope instances, the new version treats all instances as in scope by default.

AWS Organizations (Multi-Account) Support

Similar to GuardDuty, Amazon Inspector supports the automatic enablement of scanning for new member accounts that are part of an Organization:

Additionally, individual account status is clearly depicted:

Both of these capabilities further support the identification of coverage gaps: new accounts are enabled by default (with instance and ECR container scanning subsequently enabled automatically), and accounts in which the feature is disabled are easily identified, as displayed above.

In the previous version, each individual account configured the service and emitted its own events; configuration and events can now be centrally administered and emitted.

Continuous Vulnerability and Network Reachability Scanning

Rather than relying on schedule-based scanning, instance and container vulnerability scanning and instance network reachability scanning are continuous. This avoids the gap in which a vulnerability, or a configuration resulting in broad network reachability, exists undetected between scan intervals.

An example of this would be the detection of subsequent vulnerabilities days apart:

Utilizes SSM Agent (no longer requires a standalone agent)

The previous version of Inspector required a separate agent, which was installed manually, by bootstrapping, by inclusion in an image, or deployed via SSM by the Inspector service. This version uses the SSM Agent instead, reducing the overall impact on system resources.

Findings are Scored

In addition to providing the NVD/CVSS or vendor score, Inspector provides its own score, derived from the NVD/CVSS or vendor score and adjusted for the compute environment. For example, if the compute environment is not internet accessible, the score may be reduced. An example of this is shown below:

In the previous version of Inspector, the NVD/CVSS or vendor score was displayed.

Findings can be Suppressed

Findings can be suppressed using a rule notation similar to GuardDuty’s, hiding findings that may not be relevant to your organization. For example, suppressing findings with an Inspector score less than or equal to 5 would be configured like this:

In the previous version, findings could not be suppressed.

Remediated Findings are Automatically Closed

Remediated findings are automatically closed when they are no longer detected. Examples of remediation include updating a vulnerable library or removing an excessively permissive Security Group rule. An example of this is shown below:

In the previous version, findings did not have a status.
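As an added example (not CloudHesive’s or AWS’s code), here is a small Python triage routine for the EventBridge events mentioned above: it flags unmanaged-instance coverage events as coverage gaps, drops findings that the “Inspector score less than or equal to 5” suppression rule would hide, and closes tickets for findings Inspector has marked CLOSED. The event field names (the detail-type values, scanStatus, status, inspectorScore, findingArn) and the CreateFilter criteria shape are assumptions from my reading of the inspector2 event and API formats, and the sample events are constructed.

```python
"""Triage of Amazon Inspector (inspector2) EventBridge events.

Constructed example, not CloudHesive's or AWS's code. Field names follow the
"Inspector2 Coverage" and "Inspector2 Finding" detail types as I understand
them and are assumptions; verify against events your account emits.
"""

SUPPRESS_AT_OR_BELOW = 5.0  # mirrors the "Inspector score <= 5" suppression rule


def suppression_filter_criteria(max_score: float) -> dict:
    """filterCriteria for inspector2 CreateFilter (action SUPPRESS); shape assumed."""
    return {"inspectorScore": [{"lowerInclusive": 0.0, "upperInclusive": max_score}]}


def triage(event: dict) -> dict:
    """Return the routing decision for one EventBridge event."""
    detail = event.get("detail", {})
    kind = event.get("detail-type")
    if kind == "Inspector2 Coverage":
        scan = detail.get("scanStatus", {})
        if scan.get("statusCode") != "ACTIVE":  # e.g. an unmanaged instance
            return {"action": "coverage_gap", "resource": detail.get("resourceId"),
                    "reason": scan.get("reason")}
        return {"action": "ignore", "why": "covered"}
    if kind == "Inspector2 Finding":
        status, score = detail.get("status"), detail.get("inspectorScore")
        if status == "CLOSED":  # Inspector closed it after remediation
            return {"action": "close_ticket", "finding": detail.get("findingArn")}
        if status == "SUPPRESSED" or (score is not None and score <= SUPPRESS_AT_OR_BELOW):
            return {"action": "ignore", "why": "suppressed"}
        return {"action": "open_ticket", "finding": detail.get("findingArn"), "score": score}
    return {"action": "ignore", "why": "unhandled detail-type"}


# Constructed sample events (placeholder ids/ARNs, not captured from a real account)
SAMPLE_EVENTS = [
    {"detail-type": "Inspector2 Coverage", "source": "aws.inspector2",
     "detail": {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0example",
                "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"}}},
    {"detail-type": "Inspector2 Finding", "source": "aws.inspector2",
     "detail": {"findingArn": "arn:aws:inspector2:::finding/example-1", "status": "ACTIVE",
                "inspectorScore": 4.2}},
    {"detail-type": "Inspector2 Finding", "source": "aws.inspector2",
     "detail": {"findingArn": "arn:aws:inspector2:::finding/example-2", "status": "ACTIVE",
                "inspectorScore": 8.1}},
    {"detail-type": "Inspector2 Finding", "source": "aws.inspector2",
     "detail": {"findingArn": "arn:aws:inspector2:::finding/example-2", "status": "CLOSED",
                "inspectorScore": 8.1}},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(triage(e))
```

`triage` can be wrapped directly as a Lambda handler behind an EventBridge rule on source `aws.inspector2`, which is where the Security Hub and EventBridge integrations mentioned at the end of the post would hang.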

Dashboard has been Redesigned

With the simplification of Amazon Inspector configuration (elimination of assessment targets, templates and schedules) and the addition of the new features described above and below, the dashboard has been redesigned:

In addition to EC2 Scanning, ECR Stored Container Images can be Scanned

Container images stored in ECR can be scanned, with findings included in the same dashboard and emitted to EventBridge:

Previously, Inspector did not support Container Scanning.

Available in All Commercial, GovCloud and China Regions

Finally, Inspector is available in all commercial, GovCloud and China regions, whereas previously Inspector was available in _most_ regions and GovCloud, with some exceptions.

In conclusion, the new Amazon Inspector offers significant advantages over the previous version: it eliminates complex configuration, adopts an opt-in-by-default approach to scanning, and closes potential gaps in workload and image scanning.

We are looking forward to leveraging it within our organization, along with Security Hub and EventBridge-based integrations, to automate common vulnerability identification, triage, mitigation/remediation and reporting activities. One such example can be found here: https://aws.amazon.com/blogs/apn/sending-amazon-inspector-common-vulnerabilities-and-exposures-findings-to-the-servicenow-secops-module/

– Patrick Hannah, CTO, CloudHesive
