{
  "content": "# Amazon Inspector: What It Is and When to Use It\n\n## Definition\n\nAmazon Inspector is a fully managed, automated vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure. It helps customers fulfill their side of the [AWS Shared Responsibility Model](/terms/shared-responsibility-model) by identifying security weaknesses in the resources they manage *in* the cloud.\n\n## How It Works\n\nAmazon Inspector has been re-architected from its \"Classic\" version (which is being deprecated as of May 20, 2026) into a more automated, scalable service that integrates deeply with the AWS ecosystem. Once enabled, it automatically discovers and begins scanning all supported resources in the account, or across every member account when it is enabled through a delegated administrator in AWS Organizations.\n\nIts core architecture relies on different scanning mechanisms depending on the resource type:\n\n*   **[Amazon EC2](/terms/ec2) Instances**: Inspector can use a hybrid scanning model that combines agent-based and agentless methods.\n    *   **Agent-Based Scanning**: This is the primary, continuous method. It leverages the [AWS Systems Manager](/terms/systems-manager) (SSM) Agent, which is pre-installed on most Amazon Machine Images (AMIs). Because no separate Inspector agent is installed, this is sometimes loosely called \"agentless\" from an operations perspective, although AWS documents it as agent-based. The instance must be an SSM managed node: the agent has to be running, the instance profile needs the SSM permissions, and the instance needs a network path to the SSM endpoints (public or through VPC endpoints). If any of these is missing, Inspector cannot collect the package inventory through SSM. This method inspects both operating system packages and application programming language packages (for supported Linux distributions).\n    *   **Agentless Scanning**: When the account's EC2 scan mode is set to hybrid rather than agent-based only, instances that are not SSM-managed are instead assessed from snapshots of their underlying EBS volumes. 
This extends coverage to instances that would otherwise be invisible, but a snapshot is a periodic view rather than the continuous inventory the SSM Agent provides.\n    *   **Network Reachability**: Inspector also analyzes network configurations (like [Security Group](/terms/security-group)s, Network ACLs, and VPC routing) to determine whether instances are reachable from the internet, adding crucial context to vulnerability findings. This is a static analysis of the VPC configuration; Inspector sends no packets to the instance, so a host firewall or the absence of a listening service does not change the result.\n\n*   **[Amazon ECR](/terms/ecr) Container Images**: Inspector scans container images in Amazon Elastic Container Registry (ECR) for vulnerabilities in both the OS and application packages. This is ECR's \"Enhanced Scanning\" (as opposed to ECR's own basic scanning); it can be configured to scan images on push and to continuously re-scan images as new vulnerabilities are discovered, and the repositories in scope are chosen with inclusion filters.\n\n*   **[AWS Lambda](/terms/lambda) Functions**: Inspector scans Lambda functions and their associated layers for vulnerabilities in application package dependencies. It also offers an optional, separately billed, deeper scan for code vulnerabilities in your custom application code, identifying issues like injection flaws or insecure data handling.\n\nWhen a vulnerability or exposure is found, Inspector creates a *finding* of type package vulnerability, network reachability or (for Lambda) code vulnerability. Each finding is enriched with a contextual **Inspector Risk Score** (the \"Inspector score\" in the console and API), which adjusts the CVSS base score with factors like network reachability and known exploitability, and with flags that state whether a fix and a public exploit are available, all of which help prioritize remediation. 
Findings are aggregated in the Inspector console and can be routed to [AWS Security Hub](/terms/security-hub) for centralized visibility and [Amazon EventBridge](/terms/eventbridge) to trigger automated remediation workflows.\n\n## Key Features and Limits\n\n*   **Automated Resource Discovery & Continuous Scanning**: Automatically discovers and scans new resources as they are launched, providing continuous assessment without manual intervention.\n*   **Broad Workload Coverage**: Supports Amazon EC2 instances (Linux, Windows, macOS), Amazon ECR container images, and AWS Lambda functions.\n*   **Centralized Management**: Integrates with [AWS Organizations](/terms/organizations), allowing a single delegated administrator account to enable and manage Inspector across thousands of accounts.\n*   **Contextual Risk Scoring**: Provides an Inspector-specific risk score to help prioritize the most critical findings based on environmental context.\n*   **Software Bill of Materials (SBOM)**: Can export a detailed SBOM for monitored resources in industry-standard formats like CycloneDX and SPDX, aiding in supply chain security and compliance.\n*   **CIS Benchmarking**: Performs on-demand or scheduled assessments of EC2 instances against Center for Internet Security (CIS) configuration benchmarks.\n*   **CI/CD Integration**: Provides plugins and integrations to scan container images for vulnerabilities within developer CI/CD tools like Jenkins and TeamCity before they are pushed to a registry.\n\n**Service Quotas (as of 2026)**:\n*   **Member Accounts**: Up to 10,000 accounts can be managed by a delegated administrator.\n*   **Suppression Rules**: 500 per account per region.\n*   **CIS Scan Configurations**: 500 per account per region.\n*These limits are subject to change. Always consult the official AWS documentation for the latest quotas.*\n\n## Common Use Cases\n\n1.  
**Automated Vulnerability Management**: For organizations seeking to replace periodic, manual scans with a continuous, automated solution that scales with their cloud environment.\n2.  **DevSecOps Pipeline Security**: Integrating ECR container image scanning directly into CI/CD pipelines to identify and block vulnerabilities before deployment, shifting security left.\n3.  **Compliance and Auditing**: Using Inspector's findings and CIS benchmark reports to generate evidence for compliance frameworks like PCI DSS, HIPAA, and SOC 2, proving that systems are regularly assessed for vulnerabilities.\n4.  **Risk Prioritization and Incident Response**: Leveraging the Inspector Risk Score to focus remediation efforts on the most critical, internet-exposed vulnerabilities first, reducing the mean time to remediation (MTTR).\n5.  **Software Supply Chain Security**: Generating and analyzing SBOMs to maintain a complete inventory of software components and their dependencies across all workloads, a key requirement for modern cybersecurity frameworks.\n\n## Pricing Model\n\nAmazon Inspector uses a pay-as-you-go pricing model with no upfront fees or long-term commitments. A 15-day free trial is available for new accounts.\n\nBilling is based on several dimensions:\n*   **Amazon EC2 Instances**: Priced per instance per month, with costs prorated for instances that run intermittently.\n*   **Amazon ECR Container Images**: Priced per image for the initial scan, with a separate, lower cost for subsequent re-scans.\n*   **AWS Lambda Functions**: Priced per function per month. An additional charge applies if you enable the more intensive Lambda code scanning feature.\n*   **CIS Benchmark Assessments**: Priced per assessment per instance.\n\nCosts are calculated based on the average number of resources scanned over the month. 
For detailed and up-to-date pricing, always refer to the official [Amazon Inspector Pricing](https://aws.amazon.com/inspector/pricing/) page and use the AWS Pricing Calculator.\n\n## Pros and Cons\n\n**Pros**:\n*   **Fully Managed and Automated**: Simplifies deployment and operations by automatically discovering and scanning resources with minimal configuration.\n*   **Seamless AWS Integration**: Natively integrates with AWS Organizations, Security Hub, EventBridge, and Systems Manager, providing a cohesive security management experience.\n*   **No Dedicated Agent for EC2**: Scanning rides on the SSM Agent already present on most AMIs, so there is no separate security agent to deploy and patch, and instances that are not SSM-managed can still be covered by snapshot-based agentless scanning in hybrid mode.\n*   **Contextual Prioritization**: The Inspector Risk Score helps teams cut through the noise and focus on vulnerabilities that pose the most immediate threat.\n*   **Scalability**: Designed to scale effortlessly from a single account to thousands within an AWS Organization.\n\n**Cons**:\n*   **AWS-Only**: The service is designed exclusively for workloads running on AWS and cannot be used for on-premises or multi-cloud environments.\n*   **Limited Scope**: Only scans for vulnerabilities in specific resource types (EC2, ECR, Lambda). It does not assess other services like [Amazon RDS](/terms/rds) databases or S3 buckets directly.\n*   **No Auto-Remediation**: Inspector identifies and provides guidance on vulnerabilities but does not automatically patch or fix them. Remediation must be orchestrated through other tools, for example an EventBridge rule on Inspector findings that drives AWS Systems Manager Patch Manager or Run Command.\n*   **Potential for Finding Overload**: In large or legacy environments, the volume of findings can be overwhelming without a well-defined process for triage, suppression, and remediation.\n\n## Comparison with Alternatives\n\n*   **[Amazon GuardDuty](/terms/guardduty)**: Inspector and GuardDuty are complementary services that should be used together. 
**Inspector** is a *vulnerability scanner* that proactively finds weaknesses (the open doors) in your workloads. **GuardDuty** is a *threat detection* service that analyzes logs to find malicious activity (someone trying to walk through the doors).\n\n*   **AWS Security Hub**: Security Hub is not an alternative but an aggregator and a posture management service. It ingests findings from Inspector, GuardDuty, [AWS Config](/terms/config), and other services to provide a single-pane-of-glass view of your security posture. Inspector is a primary data source *for* Security Hub.\n\n*   **Third-Party Vulnerability Scanners (e.g., Tenable, Qualys, Snyk)**: These tools often provide broader platform support (on-premises, multi-cloud) and may offer different types of scanning (e.g., Dynamic Application Security Testing - DAST). However, they typically require more complex setup and management of agents and scanners and lack the deep, native integration with the AWS control plane that Inspector provides.\n\n## Exam Relevance\n\nAmazon Inspector is a key topic on several AWS certification exams, particularly those focused on security and architecture.\n\n*   **AWS Certified Security - Specialty (SCS-C02)**: Expect in-depth questions about Inspector's capabilities, its role in vulnerability management, its integration with other services, and how it differs from GuardDuty.\n*   **AWS Certified Solutions Architect - Professional (SAP-C02)**: Questions may focus on designing secure and compliant architectures, where Inspector plays a crucial role in the overall security strategy.\n*   **AWS Certified Solutions Architect - Associate (SAA-C03)**: Candidates should understand the fundamental purpose of Inspector, what resources it scans, and how it contributes to a secure AWS environment.\n\nExaminees should know its core function (vulnerability management), the resources it covers (EC2, ECR, Lambda), its reliance on the SSM agent for EC2, and its key integrations (Organizations, 
Security Hub).\n\n## Frequently Asked Questions\n\n### Q: Is Amazon Inspector agentless?\nA: For Amazon EC2, Inspector is effectively agentless from a user's perspective. It uses the AWS Systems Manager (SSM) Agent, which is installed by default on most AWS-provided AMIs, so you don't have to install or manage a dedicated Inspector agent. For instances without a functioning SSM agent, Inspector can use an agentless method that analyzes EBS snapshots.\n\n### Q: What is the difference between Amazon Inspector and Amazon GuardDuty?\nA: They serve two distinct, complementary purposes. Amazon Inspector is a proactive vulnerability management service that scans your workloads for known software vulnerabilities (CVEs) and network configuration weaknesses. Amazon GuardDuty is a reactive threat detection service that continuously monitors network logs and account activity for signs of active threats, malicious behavior, or compromised resources.\n\n### Q: How does Amazon Inspector find vulnerabilities?\nA: Inspector compares the inventory of software packages on your resources against a constantly updated database of over 50 sources, including the National Vulnerability Database (NVD) of Common Vulnerabilities and Exposures (CVEs) and vendor advisories. For network exposure, it analyzes your VPC network configurations to determine if ports on your EC2 instances are accessible from the internet.\n\n---\n*This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the [official AWS documentation](https://docs.aws.amazon.com/) before making production decisions.*",
  "faq": [
    {
      "question": "Is Amazon Inspector agentless?",
      "answer": "For Amazon EC2, Inspector is effectively agentless from a user's perspective. It uses the AWS Systems Manager (SSM) Agent, which is installed by default on most AWS-provided AMIs, so you don't have to install or manage a dedicated Inspector agent. For instances without a functioning SSM agent, Inspector can use an agentless method that analyzes EBS snapshots."
    },
    {
      "question": "What is the difference between Amazon Inspector and Amazon GuardDuty?",
      "answer": "They serve two distinct, complementary purposes. Amazon Inspector is a proactive vulnerability management service that scans your workloads for known software vulnerabilities (CVEs) and network configuration weaknesses. Amazon GuardDuty is a reactive threat detection service that continuously monitors network logs and account activity for signs of active threats, malicious behavior, or compromised resources."
    },
    {
      "question": "How does Amazon Inspector find vulnerabilities?",
      "answer": "Inspector compares the inventory of software packages on your resources against a constantly updated database of over 50 sources, including the National Vulnerability Database (NVD) of Common Vulnerabilities and Exposures (CVEs) and vendor advisories. For network exposure, it analyzes your VPC network configurations to determine if ports on your EC2 instances are accessible from the internet."
    }
  ]
}
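The finding enrichment and EventBridge routing described under How It Works, as an added Python example that is not code from the article or from AWS: an EventBridge event pattern for Inspector findings, a handler that turns one finding into a triage action from the Inspector score, `fixAvailable` and `exploitAvailable`, correlated with Inspector's own network reachability findings, and the `list_findings` filter criteria for fetching those. It assumes the `Inspector2 Finding` event shape and the `inspector2` FilterCriteria keys used in the code; the policy thresholds, action names, account and instance IDs and the sample findings are constructed.

```python
"""Triage of Amazon Inspector findings delivered through Amazon EventBridge.

Added example for this article, not AWS sample code. It shows the EventBridge
pattern that selects Inspector findings, a handler that maps one finding to an
action from the fields Inspector enriches (Inspector score, fixAvailable,
exploitAvailable) correlated with Inspector's own NETWORK_REACHABILITY findings,
and the ListFindings filter that fetches those. Thresholds, action names and
the SAMPLE_* data are constructed for illustration.
"""

# EventBridge rule pattern for ACTIVE HIGH/CRITICAL findings on EC2 instances;
# EventBridge matches "type" against any element of the "resources" array.
INSPECTOR_EVENT_PATTERN = {
    "source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"],
    "detail": {"status": ["ACTIVE"], "severity": ["HIGH", "CRITICAL"],
               "resources": {"type": ["AWS_EC2_INSTANCE"]}},
}

PATCH_NOW = "patch-now"                  # fix exists, public exploit, host reachable
PATCH_SCHEDULED = "patch-scheduled"      # fix exists, score over threshold, not known reachable
MITIGATE = "mitigate"                    # reachable and exploitable, but no vendor fix yet
RESTRICT_EXPOSURE = "restrict-exposure"  # the NETWORK_REACHABILITY finding itself
BACKLOG = "backlog"
SCHEDULE_THRESHOLD = 7.0                 # Inspector score that triggers scheduled patching

def _remediation_text(detail):
    """Prefer the per-package fix command; fall back to Inspector's recommendation text."""
    pkgs = detail.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", [])
    cmds = sorted({p["remediation"] for p in pkgs if p.get("remediation")})
    rec = detail.get("remediation", {}).get("recommendation", {}).get("text", "")
    return "; ".join(cmds) if cmds else rec

def reachability_filter(instance_id):
    """filterCriteria for inspector2.list_findings: ACTIVE reachability findings of one instance."""
    return {"findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
            "findingType": [{"comparison": "EQUALS", "value": "NETWORK_REACHABILITY"}],
            "resourceId": [{"comparison": "EQUALS", "value": instance_id}]}

def reachable_instance_ids(findings):
    """Instance IDs carrying an ACTIVE NETWORK_REACHABILITY finding (ListFindings items)."""
    return frozenset(r["id"] for f in findings
                     if f["type"] == "NETWORK_REACHABILITY" and f["status"] == "ACTIVE"
                     for r in f["resources"] if r["type"] == "AWS_EC2_INSTANCE")

def triage_finding(detail, reachable=frozenset()):
    """Map one finding (an EventBridge "detail" or a ListFindings item) to an action."""
    rid = detail["resources"][0]["id"]
    if detail["type"] == "NETWORK_REACHABILITY":
        nr = detail["networkReachabilityDetails"]
        pr = nr["openPortRange"]
        reasons = [f"{nr['protocol']} {pr['begin']}-{pr['end']} reachable from the internet"]
        action = RESTRICT_EXPOSURE
    else:
        score = float(detail.get("inspectorScore") or 0.0)  # absent on some finding types
        exploitable = detail.get("exploitAvailable") == "YES"
        fixable = detail.get("fixAvailable") == "YES"
        exposed = rid in reachable
        reasons = [f"inspector score {score:.1f}"]
        if exploitable:
            reasons.append("public exploit available")
        if exposed:
            reasons.append("instance has an active network reachability finding")
        if not fixable:
            reasons.append("no vendor fix yet")
        if exposed and exploitable:
            action = PATCH_NOW if fixable else MITIGATE
        elif fixable and score >= SCHEDULE_THRESHOLD:
            action = PATCH_SCHEDULED
        else:
            action = BACKLOG
    return {"findingArn": detail["findingArn"], "resourceId": rid, "action": action,
            "reasons": reasons, "remediation": _remediation_text(detail)}

def lambda_handler(event, context=None, reachable=frozenset()):
    """EventBridge target; a deployed version would fill `reachable` by calling
    boto3's inspector2.list_findings(filterCriteria=reachability_filter(instance_id))."""
    return triage_finding(event["detail"], reachable)

# Constructed data in the Inspector2 Finding shape. Account and instance IDs are placeholders;
# the CVE is the real Heartbleed identifier so the package data is plausible.
INSTANCE = "i-0123456789abcdef0"
SAMPLE_EVENT = {
    "source": "aws.inspector2", "detail-type": "Inspector2 Finding",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/pkg-example",
        "type": "PACKAGE_VULNERABILITY", "status": "ACTIVE", "severity": "HIGH",
        "inspectorScore": 7.5, "exploitAvailable": "YES", "fixAvailable": "YES",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2014-0160", "vulnerablePackages": [
            {"name": "openssl", "version": "1.0.1e", "fixedInVersion": "1.0.1g",
             "remediation": "yum update openssl"}]},
        "remediation": {"recommendation": {"text": "Update openssl to 1.0.1g or later"}},
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": INSTANCE}],
    },
}
SAMPLE_REACHABILITY_FINDINGS = [{
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/net-example",
    "type": "NETWORK_REACHABILITY", "status": "ACTIVE", "severity": "MEDIUM",
    "networkReachabilityDetails": {"protocol": "TCP", "openPortRange": {"begin": 22, "end": 22}},
    "remediation": {"recommendation": {"text": "Restrict the security group inbound rule"}},
    "resources": [{"type": "AWS_EC2_INSTANCE", "id": INSTANCE}],
}]
```

With the constructed data, `lambda_handler(SAMPLE_EVENT, None, reachable_instance_ids(SAMPLE_REACHABILITY_FINDINGS))` returns the `patch-now` action with `yum update openssl` as remediation, while the same finding on an instance with no reachability finding only reaches `patch-scheduled`. The point of the design is that the exposure signal comes from Inspector's own network reachability findings rather than from guessing at public IPs, and that the output is a plain dict a downstream SSM Run Command, Patch Manager or ticketing step can act on; accepted risks belong in Inspector suppression rules so they never reach this handler.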

Published: 5/22/2026 / Updated: 5/23/2026

This article is for informational purposes only. AWS services, pricing, and features change frequently — always verify details against the official AWS documentation before making production decisions.
