Finding types in Amazon Inspector
Amazon Inspector generates findings for Amazon Elastic Compute Cloud (Amazon EC2) instances, container images in Amazon Elastic Container Registry (Amazon ECR) repositories, and AWS Lambda functions. Amazon Inspector can generate the following types of findings.
Package vulnerability
Package vulnerability findings identify software packages in your AWS environment
that are exposed to Common Vulnerabilities and Exposures (CVEs). Attackers can exploit
these unpatched vulnerabilities to compromise the confidentiality, integrity, or
availability of data, or to access other systems. The CVE system is a reference method
for publicly known information security vulnerabilities and exposures. For more
information, see https://cve.mitre.org/
Package vulnerability findings are generated for EC2 instances ECR container images and Lambda functions.
Network reachability
Network reachability findings indicate that there are allowed network paths to Amazon EC2 instances in your environment. These findings appear when your TCP and UDP ports are reachable from the VPC edges, such as an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings highlight network configurations that may be overly permissive, such as mismanaged security groups, ACLs, or IGWs, or that may allow for potentially malicious access.
Network reachability findings are generated only for Amazon EC2 resources. Amazon Inspector preforms scans for Network Reachability findings every 24 hours.
Amazon Inspector evaluates the following configurations when scanning for network paths: