Viewing the Amazon Inspector score and understanding vulnerability intelligence details - Amazon Inspector
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing the Amazon Inspector score and understanding vulnerability intelligence details

Amazon Inspector creates a score for Amazon Elastic Compute Cloud (Amazon EC2) instance findings. You can view the Amazon Inspector score and vulnerability intelligence details in the Amazon Inspector console. The Amazon Inspector score provides you with details that you can compare with metrics in the Common Vulnerability Scoring System. These details are only available for package vulnerability findings. This section describes how to interpret the Amazon Inspector score and understand vulnerability intelligence details.

Amazon Inspector score

The Amazon Inspector score is a contextualized score that Amazon Inspector creates for each EC2 instance finding. The Amazon Inspector score is determined by correlating the base CVSS v3.1 score information with information collected from your compute environment during scans, such as network reachability results and exploitability data. For example, the Amazon Inspector score of a finding may be lower than the base score if the vulnerability is exploitable over the network but Amazon Inspector determines that no open network path to the vulnerable instance is available from the internet.

The base score for a finding is the CVSS v3.1 base score provided by the vendor. Vendor base scores are supported for RHEL, Debian, and Amazon; for other vendors, or where the vendor hasn't provided a score, Amazon Inspector uses the base score from the National Vulnerability Database (NVD). Amazon Inspector uses the Common Vulnerability Scoring System Version 3.1 Calculator to calculate the score. You can see the source of the base score of an individual finding in the finding's details under Vulnerability details, as Vulnerability source (or packageVulnerabilityDetails.source in the finding JSON).

Note

Amazon Inspector score isn't available for Linux instances running Ubuntu. This is because Ubuntu defines its own vulnerability severity that may differ from the associated CVE severity.

Amazon Inspector score details

When you open the details page of a finding, you can select the Inspector score and vulnerability intelligence tab. This panel shows the difference between the base score and the Inspector score, and explains how Amazon Inspector assigned the severity rating based on a combination of the Amazon Inspector score and the vendor score for the software package. If the scores differ, the panel explains why.

In the CVSS score metrics section, you can see a table comparing the CVSS base score metrics with the metrics behind the Inspector score. The metrics compared are the base metrics defined in the CVSS specification document maintained by FIRST (first.org). The following is a summary of the base metrics:

Attack Vector

The context by which a vulnerability can be exploited. For Amazon Inspector findings this can be Network, Adjacent Network, or Local.

Attack Complexity

This describes the level of difficulty an attacker faces when exploiting the vulnerability. Low means the attacker needs to meet few or no additional conditions to exploit the vulnerability. High means the attacker must invest considerable effort to carry out a successful attack with this vulnerability.

Privilege Required

This describes the level of privilege an attacker needs on the vulnerable component before exploiting the vulnerability, from None (unauthenticated) to High (administrative).

User Interaction

This metric states whether a successful attack using this vulnerability requires the participation of a human user other than the attacker.

Scope

This states whether a vulnerability in one vulnerable component impacts resources in components beyond the vulnerable component’s security scope. If this value is Unchanged the affected resource and the impacted resource are the same. If this value is Changed then the vulnerable component can be exploited to impact resources managed by different security authorities.

Confidentiality

This measures the level of impact to the confidentiality of data within a resource when the vulnerability is exploited. This ranges from None, where no confidentiality is lost, to High where all information within a resource is divulged or confidential information such as passwords or encryption keys can be divulged.

Integrity

This measures the level of impact to the integrity of data within the impacted resource if the vulnerability is exploited. Integrity is at risk when an attacker can modify files within the impacted resource. The score ranges from None, where the exploit does not allow an attacker to modify any information, to High, where the vulnerability, if exploited, would allow an attacker to modify any or all files, or where the files that could be modified have serious consequences.

Availability

This measures the level of impact to the availability of the impacted resource when the vulnerability is exploited. The score ranges from None, when the vulnerability does not impact availability at all, to High, where if exploited, the attacker can completely deny availability to the resource, or cause a service to become unavailable.
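The base score described above is a deterministic function of the eight base metrics listed in this section, and the Version 3.1 Calculator simply applies the formulas in the FIRST specification. The following is an added example, not Amazon Inspector's code: a Python implementation of the CVSS v3.1 base and environmental formulas, used to show how a vendor base score is derived from a vector string and how environment context can lower it. Amazon Inspector does not publish how it contextualizes the score; modelling the "no open network path" case as the CVSS environmental Modified Attack Vector (MAV:L) and exploitability data as the temporal Exploit Code Maturity metric (E:U) is an assumption made here for illustration only.

```python
# Added example (not AWS's code): CVSS v3.1 base + environmental calculator,
# following the FIRST CVSS v3.1 specification, section 7.
# ASSUMPTION: using MAV/E to model Inspector's contextualisation is this
# example's illustration, not Inspector's published method.
import math
import re

# Base metric weights (CVSS v3.1 spec, Table 16).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # Scope Unchanged
_PR_C = {"N": 0.85, "L": 0.68, "H": 0.50}   # Scope Changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Temporal and security-requirement weights ("X" = not defined).
_E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
_RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
_RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
_REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}


def roundup(x: float) -> float:
    """Spec-mandated Roundup to one decimal, always upward, using the
    integer trick from the spec that avoids floating-point surprises."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    if not vector.startswith("CVSS:3.1/"):
        raise ValueError("only CVSS v3.1 vectors are supported")
    metrics = dict(re.findall(r"([A-Z]{1,3}):([A-Z])", vector[len("CVSS:3.1/"):]))
    for required in ("AV", "AC", "PR", "UI", "S", "C", "I", "A"):
        if required not in metrics:
            raise ValueError(f"missing base metric {required}")
    return metrics


def _scores(m: dict, modified: bool):
    """Return (impact, exploitability, scope_changed) for the base metrics,
    or for the environmental 'Modified' metrics when modified=True."""
    def g(name):
        if modified:                       # M<metric> absent or X -> base value
            v = m.get("M" + name, "X")
            return m[name] if v == "X" else v
        return m[name]
    changed = g("S") == "C"
    pr = (_PR_C if changed else _PR_U)[g("PR")]
    exploitability = 8.22 * _AV[g("AV")] * _AC[g("AC")] * pr * _UI[g("UI")]
    if modified:
        c = _REQ[m.get("CR", "X")] * _CIA[g("C")]
        i = _REQ[m.get("IR", "X")] * _CIA[g("I")]
        a = _REQ[m.get("AR", "X")] * _CIA[g("A")]
        iss = min(1 - (1 - c) * (1 - i) * (1 - a), 0.915)
        impact = (7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
                  if changed else 6.42 * iss)
    else:
        iss = 1 - (1 - _CIA[g("C")]) * (1 - _CIA[g("I")]) * (1 - _CIA[g("A")])
        impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
                  if changed else 6.42 * iss)
    return impact, exploitability, changed


def base_score(vector: str) -> float:
    impact, expl, changed = _scores(parse_vector(vector), modified=False)
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + expl) if changed else impact + expl
    return roundup(min(total, 10))


def environmental_score(vector: str) -> float:
    """Base formula re-run on Modified metrics, then scaled by temporal metrics."""
    m = parse_vector(vector)
    impact, expl, changed = _scores(m, modified=True)
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + expl) if changed else impact + expl
    temporal = _E[m.get("E", "X")] * _RL[m.get("RL", "X")] * _RC[m.get("RC", "X")]
    return roundup(roundup(min(total, 10)) * temporal)


def severity(score: float) -> str:
    """CVSS v3.1 qualitative severity rating (spec Table 14)."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    vendor = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # typical vendor base vector
    # ASSUMED context: no open network path to the instance, and no known
    # working exploit -> MAV:L and E:U lower the score for this environment.
    contextual = vendor + "/MAV:L/E:U"
    for label, score in (("vendor base", base_score(vendor)),
                         ("contextual", environmental_score(contextual))):
        print(f"{label:12s} {score:4.1f} {severity(score)}")
```

Running the block prints the vendor base score (9.8, Critical) next to the contextual score (7.7, High), which is the kind of base-versus-Inspector difference the score details panel explains. Leaving out MAV and E reproduces the base score exactly, because undefined Modified metrics default to the base values.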

Vulnerability Intelligence

This section summarizes available intelligence about the CVE from Amazon as well as industry standard security intelligence sources such as Recorded Future, and Cybersecurity and Infrastructure Security Agency (CISA).

Note

Intel from CISA, Amazon, or Recorded Future won't be available for all CVEs.

You can view vulnerability intelligence details in the console or by using the BatchGetFindingDetails API. The following details are available in the console:

ATT&CK

This section shows the MITRE ATT&CK tactics, techniques, and procedures (TTPs) associated with the CVE. If more than two TTPs apply, you can select the link to see the complete list. Selecting a tactic or technique opens its page on the MITRE website.

CISA

This section covers the dates associated with the vulnerability in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog: the date CISA added the vulnerability to the catalog, based on evidence of active exploitation, and the due date by which CISA expects affected systems to be patched. This information is sourced from CISA.

Known malware

This section lists known exploit kits and tools that exploit this vulnerability.

Evidence

This section summarizes the most critical security events involving this vulnerability. If more than three events have the same criticality level, the three most recent are displayed.

Last time reported

This section shows the last known public exploit date for this vulnerability.
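The console fields listed above are the same data the BatchGetFindingDetails API returns, which is where you would consume them in an automated triage pipeline. The following is an added example, not Amazon's code: a Python script that takes a response in that shape and ranks findings for remediation, escalating anything in the CISA KEV catalog that is past its due date. The response is a constructed sample, not real Inspector output; the field names (findingDetails[].cisaData.dateAdded and dateDue, exploitObserved.lastSeen, evidences[].severity, tools, ttps) follow the inspector2 API reference as the author of this example understands it, so verify them against your SDK version. The priority labels are this example's own, not Inspector's, and the live fetch helper is not exercised offline.

```python
# Added example (not AWS's code): triage BatchGetFindingDetails intelligence.
# ASSUMPTION: field names follow the inspector2 API reference; the sample
# response is constructed for this example and is not real Inspector output.
from datetime import date, datetime, timezone

_SEV_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def fetch_details(finding_arns):
    """Live lookup (needs AWS credentials and network); not used offline.
    The API caps the batch size, so chunk long ARN lists before calling."""
    import boto3  # lazy import so the module runs where boto3 is absent
    return boto3.client("inspector2").batch_get_finding_details(findingArns=finding_arns)


SAMPLE_RESPONSE = {  # constructed sample in the response shape; not real data
    "findingDetails": [
        {   # in the CISA KEV catalog, past its due date, exploit tooling known
            "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/example-kev",
            "cisaData": {
                "action": "Apply updates per vendor instructions.",
                "dateAdded": datetime(2024, 1, 10, tzinfo=timezone.utc),
                "dateDue": datetime(2024, 1, 31, tzinfo=timezone.utc),
            },
            "exploitObserved": {
                "firstSeen": datetime(2024, 1, 5, tzinfo=timezone.utc),
                "lastSeen": datetime(2024, 3, 2, tzinfo=timezone.utc),
            },
            "evidences": [
                {"evidenceRule": "Exploit in the wild", "evidenceDetail": "sample", "severity": "critical"},
                {"evidenceRule": "Proof of concept published", "evidenceDetail": "sample", "severity": "high"},
                {"evidenceRule": "Discussed on dark web", "evidenceDetail": "sample", "severity": "medium"},
                {"evidenceRule": "Vendor advisory", "evidenceDetail": "sample", "severity": "low"},
            ],
            "tools": ["sample-exploit-kit"],
            "ttps": ["T1190"],
        },
        {   # no intelligence beyond the CVE itself
            "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/example-plain",
            "evidences": [],
        },
    ],
    "errors": [],
}


def top_evidence(evidences, limit=3):
    """Most severe evidence rules first, capped at `limit` entries, mirroring
    the console's cap of three displayed events per criticality level."""
    ranked = sorted(evidences,
                    key=lambda e: _SEV_RANK.get(str(e.get("severity", "")).lower(), 0),
                    reverse=True)
    return [e["evidenceRule"] for e in ranked[:limit]]


def triage(response, today: date):
    """Assign a remediation priority to each finding from its intelligence.
    Priority labels are this example's own convention."""
    results = []
    for d in response.get("findingDetails", []):
        cisa = d.get("cisaData") or {}
        due = cisa.get("dateDue")
        days_overdue = (today - due.date()).days if due else None
        if cisa.get("dateAdded") and days_overdue is not None and days_overdue > 0:
            priority = "P1-kev-overdue"      # CISA due date already passed
        elif cisa.get("dateAdded"):
            priority = "P1-kev"              # in KEV: active exploitation evidence
        elif d.get("exploitObserved") or d.get("tools"):
            priority = "P2-exploit-known"    # public exploit or tooling exists
        elif d.get("evidences") or d.get("ttps"):
            priority = "P3-intel-only"
        else:
            priority = "P4-no-intel"
        results.append({
            "findingArn": d["findingArn"],
            "priority": priority,
            "days_overdue": days_overdue,
            "last_seen": (d.get("exploitObserved") or {}).get("lastSeen"),
            "ttps": d.get("ttps", []),
            "tools": d.get("tools", []),
            "evidence": top_evidence(d.get("evidences", [])),
        })
    return sorted(results, key=lambda r: r["priority"])


if __name__ == "__main__":
    for r in triage(SAMPLE_RESPONSE, date(2024, 3, 15)):
        print(f"{r['priority']:16s} overdue={r['days_overdue']!s:5s} "
              f"ttps={r['ttps']} tools={r['tools']} evidence={r['evidence']}")
```

With the constructed sample and a reference date of 15 March 2024, the KEV-listed finding comes out as P1-kev-overdue by 44 days with its three most severe evidence rules attached, while the finding with no intelligence sorts last; the same finding evaluated before its due date is still P1-kev, since KEV membership alone signals active exploitation.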