Amazon Inspector finding types - Amazon Inspector
Package vulnerabilityCode vulnerabilityNetwork reachability

Amazon Inspector finding types

This section describes the different finding types in Amazon Inspector.

Package vulnerability

Package vulnerability findings identify software packages in your AWS environment that are exposed to Common Vulnerabilities and Exposures (CVEs). Attackers can exploit these unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of data, or to access other systems. The CVE system is a reference method for publicly known information security vulnerabilities and exposures. For more information, see https://www.cve.org/.

Amazon Inspector can generate package vulnerability findings for EC2 instances, ECR container images, and Lambda functions. Package vulnerability findings have additional details unique to this finding type, these are the Inspector score and vulnerability intelligence.

Code vulnerability

Code vulnerability findings help identify lines of code that can be exploited. Code vulnerabilities include missing encryption, data leaks, injection flaws, and weak cryptography. Amazon Inspector generates code vulnerability findings through Lambda function scanning and its Code Security feature.

Amazon Inspector evaluates Lambda function application code using automated reasoning and machine learning to analyzes application code for overall security compliance. It identifies policy violations and vulnerabilities based on internal detectors developed in collaboration with Amazon CodeGuru. For a list of possible detections, see CodeGuru Detector Library.

Code scanning captures snippets of code to highlight detected vulnerabilities. For example, a code snippet might show hardcoded credentials or other sensitive materials in plaintext. CodeGuru stores code snippets associated with code vulnerabilities. By default, your code is encrypted with an AWS owned key. However, you can create a customer managed key to encrypt your code if you want more control over this information. For more information, see Encryption at rest for code in your findings.

Note

The delegated administrator for an organization cannot view code snippets that belong to member accounts.

Network reachability

Network reachability findings indicate that there are open network paths to Amazon EC2 instances in your environment. These findings appear when your TCP and UDP ports are reachable from the VPC edges, such as an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings highlight network configurations that may be overly permissive, such as mismanaged security groups, Access Control Lists, or internet gateways, or that may allow for potentially malicious access.

Amazon Inspector only generates network reachability findings for Amazon EC2 instances. Amazon Inspector performs scans for network reachability findings every 12 hours once Amazon Inspector is enabled.

Amazon Inspector evaluates the following configurations when scanning for network paths: