
Automated resource scanning with Amazon Inspector

Amazon Inspector uses its own, purpose-built scanning engine. This engine monitors your resources for software vulnerabilities or open network paths that can result in compromised workloads, malicious use of resources, or unauthorized access to your data. When Amazon Inspector detects a vulnerability, it creates a finding. Findings include details associated with the detection to help you remediate the vulnerability. You can review findings on the Amazon Inspector console and by using the Amazon Inspector API. For more information, see Managing findings in Amazon Inspector.

When activated, Amazon Inspector automatically discovers all eligible resources and begins continuous scans of those resources. Amazon Inspector scans for software vulnerabilities and unintended network exposure. Amazon Inspector also runs scans in response to events, such as the installation of a new application or patch.

Amazon Inspector categorizes scan types by the resource type that a vulnerability affects. The following topics describe which resources Amazon Inspector scans, what initiates new scans for those resources, and how to configure scans for each resource type.

When you activate Amazon Inspector for the first time, your account is automatically enrolled in the following scan types: Amazon EC2 scanning, Amazon ECR scanning, and Lambda standard scanning. Lambda code scanning is an optional layer of Lambda function scanning that you can activate at any time.

Overview of Amazon Inspector scan types

Amazon Inspector offers different scan types that focus on specific resource types in your Amazon environment.

Amazon EC2 scanning

When you activate Amazon EC2 scanning, Amazon Inspector scans your EC2 instances for the following:

  • Common vulnerabilities and exposures

  • Operating system and programming language package vulnerabilities

  • Network reachability

  • Network exposure issues

Amazon Inspector performs scans through the use of the SSM agent installed on your instance or through Amazon EBS snapshots of instances. For more information about scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.

Note

By default, when you activate Amazon EC2 scanning, you automatically enable hybrid scanning mode. For more information, see Agentless scanning.

Amazon ECR scanning

When you activate Amazon ECR scanning, Amazon Inspector converts all Basic scanning container repositories in your private registry to Enhanced scanning with continual scanning. You can also optionally configure this setting to scan on push only, or to scan only selected repositories through inclusion rules. All images pushed within the last 30 days or pulled within the last 90 days are scanned initially. By default, Amazon Inspector continues to monitor images for a 90-day duration; you can change this setting at any time. For more information about scans for Amazon ECR, see Scanning Amazon ECR container images with Amazon Inspector.

Lambda standard scanning

When you activate Lambda standard scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they're deployed, and rescans them when they're updated or when new Common Vulnerabilities and Exposures (CVEs) are published. For more information about Lambda function scanning, see Scanning Amazon Lambda functions with Amazon Inspector.

Lambda standard scanning + Lambda code scanning

This option combines Lambda standard scanning with Lambda code scanning. When Lambda code scanning is activated, Amazon Inspector discovers the Lambda functions and layers in your account and scans your application package dependencies for vulnerabilities. Lambda code scanning scans the custom application code in your Lambda functions for code vulnerabilities. These two scan types must be activated together. For more information, see Amazon Inspector Lambda code scanning.
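As an added example (not AWS's own code) that covers both the default enrollment described earlier and the rule that Lambda code scanning only runs alongside Lambda standard scanning: given one account entry in the shape returned by the Inspector2 BatchGetAccountStatus API, it computes which resource types to pass to Enable or Disable so an account ends up with the coverage you intend. The account id and status values are constructed, and the boto3 calls at the bottom assume boto3 is installed with credentials configured.

```python
# Added example (not AWS's own code): reconcile Amazon Inspector scan-type
# coverage for one account from the shape of a BatchGetAccountStatus response.

# Inspector2 resource-type names mapped to their resourceState keys.
RESOURCE_KEYS = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda", "LAMBDA_CODE": "lambdaCode"}


def normalize_desired(desired):
    """Validate names and apply the rule: LAMBDA_CODE requires LAMBDA."""
    wanted = set(desired)
    unknown = wanted - RESOURCE_KEYS.keys()
    if unknown:
        raise ValueError(f"unknown resource types: {sorted(unknown)}")
    if "LAMBDA_CODE" in wanted:
        wanted.add("LAMBDA")  # code scanning only runs with standard scanning
    return wanted


def plan_changes(account, desired):
    """Return (to_enable, to_disable) for one entry of the 'accounts' list.

    Only ENABLED/ENABLING count as covered; DISABLED, SUSPENDED etc. do not.
    """
    wanted = normalize_desired(desired)
    state = account.get("resourceState", {})
    covered = {
        rtype for rtype, key in RESOURCE_KEYS.items()
        if state.get(key, {}).get("status") in ("ENABLED", "ENABLING")
    }
    return sorted(wanted - covered), sorted(covered - wanted)


# Constructed sample: EC2 and ECR enabled, Lambda standard and code scanning off.
SAMPLE_ACCOUNT = {
    "accountId": "111122223333",  # placeholder account id
    "resourceState": {
        "ec2": {"status": "ENABLED"},
        "ecr": {"status": "ENABLED"},
        "lambda": {"status": "DISABLED"},
        "lambdaCode": {"status": "DISABLED"},
    },
}

if __name__ == "__main__":
    import boto3  # assumption: boto3 installed and credentials configured
    client = boto3.client("inspector2")
    for acct in client.batch_get_account_status()["accounts"]:
        to_enable, to_disable = plan_changes(acct, ["EC2", "ECR", "LAMBDA_CODE"])
        print(acct["accountId"], "enable:", to_enable, "disable:", to_disable)
        if to_enable:
            client.enable(resourceTypes=to_enable)
```

Run it against each member account in an organization to spot accounts where a scan type has been suspended or never enabled.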