Menu
Amazon Inspector
User Guide (Version Latest)

What is Amazon Inspector?

Amazon Inspector enables you to analyze the behavior of your AWS resources and helps you to identify potential security issues. Using Amazon Inspector, you can define a collection of AWS resources that you want to include in an assessment target. You can then create an assessment template and launch a security assessment run of this target.

During the assessment run, the network, file system, and process activity within the specified target are monitored, and a wide set of activity and configuration data is collected. This data includes details of communication with AWS services, use of secure channels, details of the running processes, network traffic among the running processes, and more. The collected data is correlated, analyzed, and compared to a set of security rules specified in the assessment template. A completed assessment run produces a list of findings - potential security problems of various severity.

Important

AWS does not guarantee that following the provided recommendations will resolve every potential security issue. The findings generated by Amazon Inspector depend on your choice of rules packages included in each assessment template, the presence of non-AWS components in your system, and other factors. You are responsible for the security of applications, processes, and tools that run on AWS services. For more information, see the AWS Shared Responsibility Model for security.

Note

AWS is responsible for protecting the global infrastructure that runs all the services offered in the AWS cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS services. AWS provides several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations. For more information, see AWS Cloud Compliance.

For more information, see Amazon Inspector Terminology and Concepts.

Benefits of Amazon Inspector

  • Amazon Inspector enables you to quickly and easily assess the security of your AWS resources for forensics, troubleshooting, or active auditing purposes at your own pace, either as you progress through the development of your infrastructures or on a regular basis in a stable production environment.

  • Amazon Inspector enables you to focus on more complex security problems by offloading the overall security assessment of your infrastructure to this automated service.

  • By using Amazon Inspector, you can gain deeper understanding of your AWS resources because Amazon Inspector findings are produced through the analysis of the real activity and configuration data of your AWS resources.

Features of Amazon Inspector

  • Configuration Scanning and Activity Monitoring Engine - Amazon Inspector provides an engine that analyzes system and resource configuration and monitors activity to determine what an assessment target looks like, how it behaves, and its dependent components. The combination of this telemetry provides a complete picture of the assessment target and its potential security or compliance issues.

  • Built-in Content Library - Amazon Inspector incorporates a built-in library of rules and reports. These include checks against best practices, common compliance standards and vulnerabilities. These checks include detailed recommended steps for resolving potential security issues.

  • Automatable via API - Amazon Inspector is fully automatable via an API. This allows organizations to incorporate security testing into the development and design process, including selecting, executing, and reporting the results of those tests.

Amazon Inspector Pricing

Amazon Inspector is priced per agent per assessment (agent-assessment) per month. For detailed information about Amazon Inspector pricing, see Amazon Inspector Pricing.

Accessing Amazon Inspector

You can work with the Amazon Inspector service in any of the following ways.

Amazon Inspector Console

Sign in to the AWS Management Console and open the Amazon Inspector console at https://console.aws.amazon.com/inspector/.

The console is a browser-based interface to access and use the Amazon Inspector service.

AWS SDKs

AWS provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to the Amazon Inspector service. For information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

Amazon Inspector HTTPS API

You can access Amazon Inspector and AWS programmatically by using the Amazon Inspector HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the Amazon Inspector API Reference.

AWS Command Line Tools

You can use the AWS command line tools to issue commands at your system's command line to perform Amazon Inspector tasks; this can be faster and more convenient than using the console. The command line tools are also useful if you want to build scripts that perform AWS tasks. For more information, see the Amazon Inspector's AWS Command Line Interface.