Automated scan types in Amazon Inspector

Amazon Inspector uses a purpose-built scanning engine that monitors your resources for software vulnerabilities and unintended network exposure. When Amazon Inspector detects a software vulnerability or unintended network exposure, it creates a finding. When you activate Amazon Inspector for the first time, your account is automatically enrolled in all scan types, which include Amazon EC2 scanning, Amazon ECR scanning, and Lambda standard scanning.

Note

Lambda code scanning is an optional layer of Lambda function scanning that you can activate at any time.

Overview of Amazon Inspector scan types

Amazon Inspector offers different scan types that focus on specific resource types in your AWS environment.

Amazon EC2 scanning

When you activate Amazon EC2 scanning, Amazon Inspector scans your EC2 instances for the following:

  • Common vulnerabilities and exposures

  • Operating system and programming language package vulnerabilities

  • Network reachability

  • Network exposure issues

Amazon Inspector performs scans through the use of the SSM agent installed on your instance or through Amazon EBS snapshots of instances. For more information about scans for Amazon EC2, see Scanning Amazon EC2 instances with Amazon Inspector.

Note

By default, when you activate Amazon EC2 scanning, you automatically enable hybrid scanning mode. For more information, see Agentless scanning.

Amazon ECR scanning

When you activate Amazon ECR scanning, Amazon Inspector converts all repositories in your private registry that use Basic scanning to Enhanced scanning with continual scanning. You can also optionally configure this setting to scan on-push only, or to scan only selected repositories through inclusion rules. All images pushed within the last 30 days, or pulled within the last 90 days, are scanned initially. Amazon Inspector continues to monitor images for 90 days by default; you can change this setting at any time. For more information about scans for Amazon ECR, see Scanning Amazon Elastic Container Registry container images with Amazon Inspector.

Lambda standard scanning

When you activate Lambda standard scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they're deployed, and rescans them when they're updated or when new Common Vulnerabilities and Exposures (CVEs) are published. For more information about Lambda function scanning, see Scanning AWS Lambda functions with Amazon Inspector.

Lambda standard scanning + Lambda code scanning

This option combines Lambda standard scanning with Lambda code scanning. When Lambda code scanning is activated, Amazon Inspector discovers the Lambda functions and layers in your account and scans your application package dependencies for vulnerabilities. Lambda code scanning additionally scans the custom application code in your Lambda functions for code vulnerabilities. These two scan types must be activated together. For more information, see Amazon Inspector Lambda code scanning.
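The scan types described on this page are all switched on and tuned through the Amazon Inspector and Amazon ECR APIs. The script below is an added example (not code from the AWS documentation): it enrols an account in all four scan types, keeps EC2 in hybrid mode, shortens the ECR rescan window, and narrows ECR Enhanced scanning to scan-on-push for repositories matched by an inclusion rule. The repository patterns and the 30-day rescan choice are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): enrol an account in every
# Amazon Inspector scan type, keep EC2 in hybrid mode, shorten the ECR rescan
# window, and narrow ECR Enhanced scanning to scan-on-push for selected
# repositories through an inclusion (wildcard) rule.
# Repository patterns and the 30-day rescan choice are assumptions for the demo.
set -eu
AWS_CLI="${AWS_CLI:-aws}"   # point at "echo" to dry-run without credentials

# Build the ECR registry scanning rules JSON: $1 is SCAN_ON_PUSH or
# CONTINUOUS_SCAN, remaining arguments are wildcard repository filters.
build_ecr_rules() {
  freq="$1"; shift
  filters=""
  for f in "$@"; do
    filters="${filters:+$filters,}{\"filter\":\"$f\",\"filterType\":\"WILDCARD\"}"
  done
  printf '[{"scanFrequency":"%s","repositoryFilters":[%s]}]' "$freq" "$filters"
}

# Enrol in EC2, ECR, Lambda standard and Lambda code scanning in one call.
enable_all_scan_types() {
  "$AWS_CLI" inspector2 enable --resource-types EC2 ECR LAMBDA LAMBDA_CODE
}

# EC2_HYBRID = SSM agent where present, EBS snapshot scanning otherwise.
# DAYS_30 rescans images only for 30 days after push, tighter than the default.
set_scan_settings() {
  "$AWS_CLI" inspector2 update-configuration \
    --ec2-configuration scanMode=EC2_HYBRID \
    --ecr-configuration rescanDuration=DAYS_30
}

# Scan only the production repositories, and only when an image is pushed.
restrict_ecr_scanning() {
  rules="$(build_ecr_rules SCAN_ON_PUSH 'prod-*' 'shared/*')"
  "$AWS_CLI" ecr put-registry-scanning-configuration \
    --scan-type ENHANCED --rules "$rules"
}

configure_inspector() {
  enable_all_scan_types
  set_scan_settings
  restrict_ecr_scanning
  "$AWS_CLI" inspector2 batch-get-account-status   # confirm resourceState
}

case "${1:-}" in
  apply)   configure_inspector ;;
  dry-run) AWS_CLI=echo; configure_inspector ;;
  *)       echo "usage: $0 apply|dry-run" ;;
esac
```

Run it with `dry-run` first to review the exact CLI calls, then with `apply` under credentials that hold the inspector2 and ecr permissions.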