Amazon Inspector
User Guide (Version Latest)

What is Amazon Inspector?

Amazon Inspector is an automated security assessment service that helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on those instances.

Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems, so that security testing becomes a routine part of development and IT operations rather than a one-off exercise. Amazon Inspector is an API-driven service that uses an optional agent, making it easy to deploy, manage, and automate. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions.

Amazon Inspector consists of three parts: a network reachability analysis that examines your network configurations, an Amazon-developed agent that is installed in the operating system of your EC2 instances, and a security assessment service that uses telemetry from the agent together with your AWS configurations to assess instances for security exposures and vulnerabilities.

Important

AWS does not guarantee that following the provided recommendations will resolve every potential security issue. The findings generated by Amazon Inspector depend on your choice of rules packages included in each assessment template, the presence of non-AWS components in your system, and other factors. You are responsible for the security of applications, processes, and tools that run on AWS services. For more information, see the AWS Shared Responsibility Model for security.

Note

AWS is responsible for protecting the global infrastructure that runs all the services offered in the AWS cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS services. AWS provides several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations. For more information, see AWS Cloud Compliance.

For more information, see Amazon Inspector Terminology and Concepts.

Benefits of Amazon Inspector

  • Amazon Inspector enables you to quickly and easily assess the security of your AWS resources for forensics, troubleshooting, or active auditing purposes at your own pace, either as you progress through the development of your infrastructure or on a regular basis in a stable production environment.

  • Amazon Inspector enables you to focus on more complex security problems by offloading the overall security assessment of your infrastructure to this automated service.

  • By using Amazon Inspector, you can gain deeper understanding of your AWS resources because Amazon Inspector findings are produced through the analysis of the real activity and configuration data of your AWS resources.

Features of Amazon Inspector

  • Configuration Scanning and Activity Monitoring Engine - Amazon Inspector provides an engine that analyzes system and resource configuration and monitors activity to determine what an assessment target looks like, how it behaves, and which components it depends on. Together, this telemetry provides a complete picture of the assessment target and its potential security or compliance issues.

  • Built-in Content Library - Amazon Inspector incorporates a built-in library of rules and reports. These include checks against best practices, common compliance standards, and known vulnerabilities. Each check includes detailed recommended steps for resolving the potential security issue it identifies.

  • Automatable via API - Amazon Inspector is fully automatable via an API. This allows organizations to incorporate security testing into the development and design process, including selecting, executing, and reporting the results of those tests.

Amazon Inspector Pricing

Amazon Inspector pricing is based on the number of Amazon EC2 instances included in each assessment and the rules packages used in those assessments. For detailed information about Amazon Inspector pricing, see Amazon Inspector Pricing.

Accessing Amazon Inspector

You can work with the Amazon Inspector service in any of the following ways.

Amazon Inspector Console

Sign in to the AWS Management Console and open the Amazon Inspector console at https://console.aws.amazon.com/inspector/.

The console is a browser-based interface to access and use the Amazon Inspector service.

AWS SDKs

AWS provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to the Amazon Inspector service. For information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

Amazon Inspector HTTPS API

You can access Amazon Inspector and AWS programmatically by using the Amazon Inspector HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the Amazon Inspector API Reference.

AWS Command Line Tools

You can use the AWS command line tools to issue commands at your system's command line to perform Amazon Inspector tasks; this can be faster and more convenient than using the console. The command line tools are also useful if you want to build scripts that perform AWS tasks. For more information, see Amazon Inspector's AWS Command Line Interface.