A First Look At The Brand New Amazon Inspector
Amazon Inspector first launched in 2015. Now in 2021, it’s re-launching with a brand new architecture and a host of new features.
This is a vulnerability management service. What that means is that Inspector tries to find software vulnerabilities in your Amazon EC2 instances and in container images stored in Amazon ECR (the Elastic Container Registry) and brings them to your attention.
In this version 2 edition of the service, the goal appears to have been “reduce friction.” When enabled, Inspector will automatically detect new resources (instances and registries) and, where possible, start to scan them continuously.
Based on my initial experiences, it delivers. It’s truly a delightful experience.
During a scan, Inspector looks for operating system and application vulnerabilities and a small number of potential misconfigurations. If it detects an issue, it then issues a finding.
A finding contains a host of details to help you figure out what you want to do with this particular vulnerability.
Sometimes, you’ll simply accept that it’s there and move on. Other times, you’ll patch the software removing the issue. And sometimes, you’ll use another security control—like AWS WAF (a web application firewall)—to prevent anyone from exploiting the vulnerability.
There are only two issues with the new service.
The first is potentially huge for users of Amazon Inspector Classic. The new version of the service supports a wide variety of Linux distributions, but Windows support was (temporarily?) dropped.
The second issue is reasonably simple. In order to scan an EC2 instance, that instance must be able to access AWS Systems Manager. The easiest way to do this is by attaching the AmazonSSMManagedInstanceCore policy in AWS IAM to the instance's role. This managed policy is the simplest way to grant the required permissions.
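The setup described above, as an added example that is not part of the original post: an AWS CLI script that creates an EC2 role trusted only by the EC2 service, attaches the AmazonSSMManagedInstanceCore managed policy, wraps the role in an instance profile and associates that profile with an instance, then checks that Systems Manager sees the instance as a managed node. The role and profile names are placeholders chosen for this example, and the script assumes an AWS CLI configured with permissions to manage IAM roles and instance profiles.

```shell
#!/bin/sh
# Added example (not from the original post): give an EC2 instance the
# Systems Manager access that Amazon Inspector v2 needs to scan it.
# Assumes the AWS CLI is configured with IAM and EC2 permissions.
# ROLE_NAME and PROFILE_NAME are hypothetical names chosen for this example.
set -eu

ROLE_NAME="${ROLE_NAME:-InspectorSsmInstanceRole}"
PROFILE_NAME="${PROFILE_NAME:-InspectorSsmInstanceProfile}"
# AWS-managed policy that grants the SSM Agent exactly what it needs.
SSM_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy: only the EC2 service may assume the role. No permissions are
# granted here; those come solely from the managed policy attached below.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role with the SSM managed policy only (least privilege for the
# agent), put it in an instance profile and attach the profile to an instance.
setup_ssm_instance_role() {
  instance_id="$1"

  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"

  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "$SSM_POLICY_ARN"

  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$PROFILE_NAME" \
    --role-name "$ROLE_NAME"

  aws ec2 associate-iam-instance-profile \
    --instance-id "$instance_id" \
    --iam-instance-profile "Name=$PROFILE_NAME"
}

# Check afterwards: an instance Inspector can scan reports to Systems Manager
# as a managed node with PingStatus "Online".
verify_ssm_managed() {
  instance_id="$1"
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$instance_id" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}

# Only call AWS when an instance ID is given on the command line, so the file
# can be sourced for its functions without side effects.
if [ -n "${1:-}" ]; then
  setup_ssm_instance_role "$1"
  verify_ssm_managed "$1"
fi
```

Two caveats when using this: IAM changes take a short while to propagate, so the `PingStatus` check may need to be repeated, and the policy alone is not enough if the SSM Agent is not installed and running on the instance or the instance has no network path to the Systems Manager endpoints (public or via VPC endpoints). Container images in ECR do not need any of this; Inspector scans them directly from the registry.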
Amazon Inspector is priced based on the number of container image scans run and the average number of EC2 instances scanned.
Like any AWS service, it’s important to understand the pricing structure and how your usage will map to it. This service can be pricey at scale. But remember to evaluate that cost against the additional protection it offers your builds.
In the video above 👆, I walk through setting the service up and scanning some resources. That demo will give you an idea of how easy the service is to use (very) and the value it can provide you and your team (a lot).
The new Amazon Inspector is generally available today in most AWS regions with a 15-day free trial. Simply visit the Amazon Inspector Management Console to get started.