Finding types in Amazon Inspector - Amazon Inspector

Finding types in Amazon Inspector

Amazon Inspector generates findings for Amazon Elastic Compute Cloud (Amazon EC2) instances, container images in Amazon Elastic Container Registry (Amazon ECR) repositories, and Amazon Lambda functions. Amazon Inspector can generate the following types of findings.

Package vulnerability

Package vulnerability findings identify software packages in your Amazon environment that are exposed to Common Vulnerabilities and Exposures (CVEs). Attackers can exploit these unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of data, or to access other systems. The CVE system is a reference method for publicly known information security vulnerabilities and exposures. For more information, see https://www.cve.org/.

CVE detections for Linux are added to Amazon Inspector within 24 hours of release by vendor security advisories. CVE detections for Windows are added to Amazon Inspector within 48 hours of being released by Microsoft. You can use the Amazon Inspector vulnerability database search to see if a CVE detection is supported.

Amazon Inspector can generate package vulnerability findings for EC2 instances, ECR container images, and Lambda functions. Package vulnerability findings carry two additional details unique to this finding type: the Inspector score and vulnerability intelligence.

Code vulnerability

Code vulnerability findings identify lines in your code that attackers could exploit. Code vulnerabilities include injection flaws, data leaks, weak cryptography, or missing encryption in your code.

Amazon Inspector evaluates your Lambda function application code using automated reasoning and machine learning that analyzes your application code for overall security compliance. It identifies policy violations and vulnerabilities based on internal detectors developed in collaboration with Amazon CodeGuru. For a list of possible detections, see CodeGuru Detector Library.

Important

Amazon Inspector code scanning captures code snippets to highlight detected vulnerabilities. These snippets may show hardcoded credentials or other sensitive materials in plaintext.

Amazon Inspector can generate code vulnerability findings for Lambda functions if you have activated Amazon Inspector Lambda code scanning.

Code snippets detected in connection with a code vulnerability are stored by the CodeGuru service. By default, an Amazon owned key controlled by CodeGuru is used to encrypt your code; however, you can use your own customer managed key for encryption through the Amazon Inspector API. For more information, see Encryption at rest for code in your findings.
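As an added example, not code from the Amazon documentation or the Inspector service, the following Python triages a batch of findings by the type field described on this page: package vulnerability findings are escalated on their Inspector score, and code vulnerability findings have their captured snippet redacted before being forwarded, because of the caveat in the Important note. The sample findings are constructed, and the field names (type, inspectorScore, packageVulnerabilityDetails, codeVulnerabilityDetails, filePath) are assumed to follow the Inspector2 Finding structure; snippet is a constructed stand-in field, since the real service returns snippets separately.

```python
# Added example, not Amazon's code: triage Inspector findings by finding type.
# Field names (type, inspectorScore, packageVulnerabilityDetails,
# codeVulnerabilityDetails, filePath) are assumed to follow the Inspector2
# Finding structure; "snippet" is a constructed stand-in for the text
# Inspector captures around a detected code vulnerability.
import re
from collections import defaultdict

PACKAGE = "PACKAGE_VULNERABILITY"
CODE = "CODE_VULNERABILITY"
# Matches assignments such as db_password = "..." so the value can be masked.
SECRET_ASSIGN = re.compile(r'(?i)(\w*(?:password|secret|token|api_key))\s*=\s*["\'][^"\']*["\']')

def redact_snippet(snippet):
    """Mask assigned secret values so a snippet can be put in a ticket."""
    return SECRET_ASSIGN.sub(lambda m: f'{m.group(1)} = "[REDACTED]"', snippet)

# Constructed sample findings, not real Inspector output; CVE IDs are placeholders.
SAMPLE_FINDINGS = [
    {"type": PACKAGE, "inspectorScore": 8.1,
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-EXAMPLE"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"}},
    {"type": PACKAGE, "inspectorScore": 3.2,
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "example-image"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002"}},
    {"type": CODE,
     "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": "example-fn"}],
     "codeVulnerabilityDetails": {
         "detectorName": "Hardcoded credentials",
         "filePath": {"fileName": "app.py", "startLine": 12, "endLine": 12}},
     "snippet": 'db_password = "hunter2"  # constructed'},
]

def triage(findings, score_threshold=7.0):
    """Count findings per type and list the ones to escalate.

    Package vulnerabilities escalate when the Inspector score meets the
    threshold; code vulnerabilities always escalate, with the captured
    snippet redacted before it leaves the scanning account.
    """
    counts, escalate = defaultdict(int), []
    for f in findings:
        counts[f["type"]] += 1
        resource = f["resources"][0]["id"]
        if f["type"] == PACKAGE and f.get("inspectorScore", 0.0) >= score_threshold:
            escalate.append((f["packageVulnerabilityDetails"]["vulnerabilityId"], resource, None))
        elif f["type"] == CODE:
            d = f["codeVulnerabilityDetails"]
            where = f'{d["filePath"]["fileName"]}:{d["filePath"]["startLine"]}'
            escalate.append((d["detectorName"], f"{resource} {where}", redact_snippet(f.get("snippet", ""))))
    return dict(counts), escalate
```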