Finding types in Amazon Inspector

Amazon Inspector generates findings for the following AWS resources: Amazon EC2 instances, and container images residing in Amazon ECR repositories.

Following are the finding types identified by Amazon Inspector:

Package vulnerability

Package vulnerability findings identify software packages in your environment that are exposed to common vulnerabilities and exposures (CVEs). Attackers can exploit these unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of data, or to access other systems. The CVE system is a reference method for publicly known information security vulnerabilities and exposures. For more information, see https://cve.mitre.org/.

Package vulnerability findings are generated for both Amazon EC2 instances and ECR container images.

Network reachability

Network reachability findings indicate that there are allowed network paths to Amazon EC2 instances in your environment. These findings appear when your TCP and UDP ports are reachable from the VPC edges such as an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings highlight network configurations that may be overly permissive, such as mismanaged security groups, ACLs, or IGWs, or that may allow for potentially malicious access.

Network reachability findings are only generated for Amazon EC2 resources.

Amazon Inspector evaluates the following configurations when scanning for network paths:

• Amazon EC2 instances

• Application Load Balancers

• Direct Connect

• Elastic Load Balancers

• Elastic Network Interfaces

• Internet Gateways

• Network Access Control Lists

• Route Tables

• Security Groups

• Subnets

• Virtual Private Clouds

• Virtual Private Gateways

• VPC endpoints

• VPC gateway endpoints

• VPC peering connections

• VPN connections