This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Vulnerability management
The Vulnerability Management component capability allows scanning and managing vulnerabilities across the enterprise.
Table 16 — Vulnerability management capability and the associated AWS services

| Capability and CSF mapping | AWS service | AWS service description | Function | AWS GovCloud (US) |
|---|---|---|---|---|
| Vulnerability Management: ID.RA-1, ID.RA-5, PR.IP-12, DE.CM-8, RS.MI-3 | Amazon ECR image scanning | Amazon ECR image scanning helps to identify software vulnerabilities in your container images. Each container image may be scanned once per 24 hours. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project. | Docker image scanning against CVEs. | Yes |
| | Amazon Inspector | Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available via the Amazon Inspector console or API. | Provides logs from vulnerability scanning. | Yes |
| | AWS Security Hub | AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty. A Security Hub insight is a collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub offers several managed (default) insights that you cannot modify or delete. You can also create custom insights to track security issues that are unique to your AWS environment and usage. | This control gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts. | Yes |
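The ECR row above states two operational facts a build pipeline has to respect: findings arrive ranked by severity, and an image can be scanned only once per 24 hours. The following added example (my code, not the whitepaper's or AWS's) triages a constructed response shaped like ECR's DescribeImageScanFindings output, gates the image on a severity threshold, and checks the 24-hour window before a rescan is requested; the CVE ids, package names and timestamp are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Rank used to order findings; ECR reports UNDEFINED for CVEs without a CVSS score.
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFORMATIONAL": 1, "UNDEFINED": 0}

# Constructed sample shaped like an ECR DescribeImageScanFindings response; the
# CVE ids, package names and timestamp are placeholders, not real scan output.
SAMPLE_SCAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "imageScanCompletedAt": datetime(2023, 5, 1, 8, 0, tzinfo=timezone.utc),
        "findings": [
            {"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "libexample"}, {"key": "package_version", "value": "1.0-1"}]},
            {"name": "CVE-EXAMPLE-0002", "severity": "LOW",
             "attributes": [{"key": "package_name", "value": "libother"}, {"key": "package_version", "value": "2.3"}]},
            {"name": "CVE-EXAMPLE-0003", "severity": "CRITICAL",
             "attributes": [{"key": "package_name", "value": "libexample"}, {"key": "package_version", "value": "1.0-1"}]},
            {"name": "CVE-EXAMPLE-0004", "severity": "UNDEFINED", "attributes": []},
        ],
    },
}

def rescan_allowed(scan, now):
    """True if StartImageScan would be accepted: ECR scans an image at most once
    per 24 hours and a scan that is still running cannot be restarted."""
    if scan["imageScanStatus"]["status"] == "IN_PROGRESS":
        return False
    completed = scan.get("imageScanFindings", {}).get("imageScanCompletedAt")
    return completed is None or now - completed >= timedelta(hours=24)

def gate_findings(scan, block_at="HIGH"):
    """Return (passed, blocking); blocking lists findings at or above block_at, worst first."""
    findings = scan.get("imageScanFindings", {}).get("findings", [])
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    blocking.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 0), reverse=True)
    return not blocking, blocking

def describe(finding):
    """One-line summary: severity, CVE id and the affected package/version."""
    attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
    return f"{finding['severity']} {finding['name']} in {attrs.get('package_name', '?')} {attrs.get('package_version', '?')}"

if __name__ == "__main__":
    passed, blocking = gate_findings(SAMPLE_SCAN)
    for f in blocking:
        print(describe(f))
    print("image accepted" if passed else "image blocked")
    print("rescan allowed now:", rescan_allowed(SAMPLE_SCAN, datetime.now(timezone.utc)))
```

In a real pipeline the dict would come from `describe_image_scan_findings` for the pushed image digest, and `rescan_allowed` would guard the `start_image_scan` call so the job does not fail on the 24-hour limit.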