Finding types in Amazon Inspector - Amazon Inspector

Finding types in Amazon Inspector

Amazon Inspector generates findings for Amazon Elastic Compute Cloud (Amazon EC2) instances, container images in Amazon Elastic Container Registry (Amazon ECR) repositories, and AWS Lambda functions. Amazon Inspector can generate the following types of findings.

Package vulnerability

Package vulnerability findings identify software packages in your AWS environment that are exposed to Common Vulnerabilities and Exposures (CVEs). Attackers can exploit these unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of data, or to access other systems. The CVE system is a reference method for publicly known information security vulnerabilities and exposures. For more information, see https://cve.mitre.org/.

Package vulnerability findings are generated for EC2 instances ECR container images and Lambda functions.

Network reachability

Network reachability findings indicate that there are allowed network paths to Amazon EC2 instances in your environment. These findings appear when your TCP and UDP ports are reachable from the VPC edges, such as an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings highlight network configurations that may be overly permissive, such as mismanaged security groups, ACLs, or IGWs, or that may allow for potentially malicious access.

Network reachability findings are generated only for Amazon EC2 resources. Amazon Inspector preforms scans for Network Reachability findings every 24 hours.

Amazon Inspector evaluates the following configurations when scanning for network paths: