Tuesday, October 28, 2025

Amazon Inspector | Deep Dive.

A deep dive into Amazon Inspector.

Focus:

The Concept: Amazon Inspector
What Inspector scans / analyzes,
Core components & architecture (conceptual),
Typical finding schema (what twtech should see),
Detection categories and Samples,
Integration and automation patterns (practical),
Sample automation snippets,
Operational runbooks (Samples),
Deployment checklist (quick),
Tuning and prioritization guidance,
Costs & limits (guidance),
Limitations & gotchas,
Sample Key Performance Indicators (KPIs) & dashboards

1 , The Concept: Amazon Inspector

Amazon Inspector is AWS managed service for discovering security issues in twtech AWS workloads.

Amazon Inspector goals are:

Continuously identify vulnerabilities and insecure configurations in instances, images, and serverless functions.
Prioritize findings (severity, CVSS, exploitability) and provide actionable remediation guidance.
Integrate with AWS automation (EventBridge, Lambda, Systems Manager (SSM)) and Security Event Management (SIEMs) for triage / remediation.
There are two generations historically:

Inspector Classic
Inspector2.

Modern usage of Amazon Inspector is centers around the current, continuously-scanning Inspector service (often called Inspector2)
Inspector2 focuses on multi-account continuous scanning, image/Lambda/instance coverage, and centralized findings.

2 , What Inspector scans / analyzes

Typical scan targets and telemetry sources:

EC2 instances — OS packages, application packages, and optionally an agent-based scan. Agentless scanning is often possible via SSM inventory/insights.
Container images in ECR — image layers and packages scanned at push and continuously (image CVEs).
Lambda functions — the function package and its dependencies scanned for library/package CVEs.
OS/package metadata — NPM/Python/Ruby/JAR/OS package manifests (the service derives SBOM-like inventory).
Software configuration checks — CIS benchmark checks and common misconfigurations (depending on enabled checks).
Vulnerability intelligence — CVE databases, vendor advisories, and exploitability metadata to rank severity.

3, Core components & architecture (conceptual)

1. Collectors / Scanners

ECR integration scans images on push and periodically.
EC2 scanning via agent or SSM-driven inventory.
Lambda scans via packaged dependencies at deployment or during periodic assessment.

2. Analysis Engine

Matches package metadata to CVE databases and rules.
Computes severity, CVSS, and provides remediation steps (package fixes, upgrade versions).
Deduplicates and groups related findings.

3. Findings Store

Centralized, per-account findings that include metadata: resource id, region, package name/version, CVE, CVSS, remediation, first/last seen.

4. Publishing / Integration

Findings visible in the Inspector console.
Forwarding via EventBridge, Security Hub, or via APIs to SIEMs and S3 for archiving.
Multi-account aggregation (via Organizations) to enable centralized scanning and reporting.

4, Typical finding schema (what twtech should see)

A finding generally contains:

Finding ID (unique)
Resource (EC2 instance id, ECR image digest, Lambda ARN)
Finding type (vulnerability, CIS check, configuration)
Package / Component (e.g., openssl 1.0.2k)
CVE ID(s) (e.g., CVE-YYYY-XXXX)
Severity (Low / Medium / High / Critical)
Common Vulnerability Scoring System (CVSS) numeric.
Exploitability / Public exploit evidence (if known)
Remediation steps (update package to X, replace image, apply patch)
Timestamps (first seen, last seen)
Account & Region metadata

5, Detection categories and Samples

Package CVEs: outdated library with known CVE.
OS-level vulnerabilities: kernel / system libraries needing patch.
Container image vulnerabilities: insecure base images, outdated packages.
Function vulnerabilities: vulnerable runtime dependencies in Lambda zip/layers.
Configuration / Policy checks (when enabled): missing hardening controls, insecure permissions.
Package misconfiguration: e.g., a web server exposing debug endpoints.

6, Integration and automation patterns (practical)

EventBridge → Lambda: route Inspector findings by severity to Lambda for triage (create ticket, notify Slack/SysOps, or start remediation).
Inspector → Security Hub: centralize findings and use Security Hub insights/playbooks.
Inspector → SIEM / S3: export to SIEM for long-term correlation; export to S3 for retention and offline analytics.
Auto-remediation with SSM: for EC2, use SSM Run Command or Patch Manager to apply updates automatically for low-risk fixes.
CI/CD gate: block image promotion when ECR image scan reports critical CVEs; integrate with CodePipeline or scanning step.
Shift-left: run static scanning in build pipelines against the same CVE database sets to catch issues before deployment.

7, Sample automation snippets (conceptual — adapt names)

Below are illustrative patterns you can copy/paste and adapt.

# EventBridge rule (pseudo-JSON) to capture high/critical Inspector findings:

# json

  "source": ["aws.inspector2"],

  "detail-type": ["Inspector2 Finding"],

  "detail": {

    "severity": [{"numeric": [">=", 7.0]}],

    "status": ["ACTIVE"]

# Lambda handler (Python) to auto-initiate remediation on EC2 via SSM:

# python

import boto3

import twtech

ssm = boto3.client('ssm')

inspector = boto3.client('inspector2')  # or use event payload

def lambda_handler(event, context):

    finding = event['detail']

    resource = finding['resource']['id']

    # Example: trigger SSM Run Command to update packages

    response = ssm.send_command(

        InstanceIds=[resource],

        DocumentName='AWS-RunPatchBaseline',  # or custom patch document

        Parameters={'Operation': ['Install']}

    # Persist or ticket the run_command id for audit

    return {'status': 'started', 'command_id': response['Command']['CommandId']}

NB:

Adapt detail parsing and event source names for your environment. Always test in staging.

8, Operational runbooks (Samples)

A. High-severity CVE on EC2 (playbook)

1. Alert: EventBridge triggers SOC channel and creates a ticket.

2. Triage: Validate finding — confirm instance, package, and confirm whether exploit in environment (public exposure, open ports).

3. Contain (if exploited or exposed): isolate ENI (move to quarantine subnet / update NACLs), stop instance if needed, snapshot disks (for forensics).

4. Remediate:

o Preferred: patch via SSM Run Command / Patch Manager (apply updates).

o If patch unavailable: replace instance via image build with patched AMI.

5. Verify: Re-scan with Inspector to confirm fix; monitor for recurrence.

6. Post-mortem: root cause analysis (incident review, retrospective, or lessons learned); update CI/CD to prevent reintroduction.

B. Critical CVE in ECR image (playbook)

Block promotion of this image (CI/CD).
Rebuild image with patched base image or updated dependency.
Retest container, re-run image scan and integration tests.
Deploy patched image to production following canary/blue-green.
Deprecate (or delete) old image tags and update image lifecycle policies.

9, Deployment checklist (quick)

Enable Inspector across accounts (use Organizations for delegated admin).
Configure ECR image scanning on push and scheduled scanning.
Ensure EC2 inventory/SSM agent coverage for agentless scanning where possible.
Enable Lambda scanning for functions.
Hook Inspector findings into EventBridge and Security Hub.
Configure retention/export (S3 or SIEM).
Define automated playbooks for critical/urgent severities.
Define a patch policy and test SSM remediation runbooks.

10, Tuning and prioritization guidance

Tune scanning cadence: frequent enough for your risk posture, mindful of quotas.
Prioritize by exploitability: CVSS + presence of public exploit code + internet exposure.
Group findings: use grouping by package + CVE to reduce noise.
Suppress / mark as accepted: document compensating controls for false-positives (e.g., immutable read-only environments).
Shift-left: integrate image/library scanning into dev pipelines to reduce production churn(vulnerabilities).

11, Costs & limits (high-level guidance)

Expect costs from: image scan counts, API calls, multi-account aggregated scanning, and data export. Tuning scanning frequency and limiting non-critical accounts helps.
Use lifecycle policies in ECR and selective scanning if cost-constrained.

12, Limitations & gotchas

Not a full runtime EDR: Inspector finds vulnerabilities in artifacts and configurations; it’s not a behavioral endpoint detection product (use alongside EDR solutions).
Coverage variance: scanning quality depends on whether you use agent or agentless methods and whether the package metadata is visible.
False positives: package metadata mismatch or custom-built packages without upstream CVE mapping may show ambiguous findings.
Remediation complexity: some vulnerable libraries are transitive dependencies; remediation may require code changes or dependency upgrades.

13, Useful SOC metrics to track

Time-to-detect (TTD) — time between vulnerability disclosure and detection in your estate.
Time-to-remediate (TTR) — measured per severity bucket.
Number of critical/active findings (trend).
Percentage of images failing scan at build-time vs production-time.
Patch compliance rate (by baseline).

14, Sample Key Performance Indicators (KPIs) & dashboards

Weekly count of newly detected critical CVEs across accounts.
Mean days to remediate (critical/important).
ECR image pass rate at push.
EC2 instances missing SSM coverage.

Think - with -Tech