3 Mins Read

New capabilities of Amazon Inspector

Voiced by Amazon Polly

Introduction:

Amazon Inspector is a vulnerability management service that continually scans your AWS workloads for known software vulnerabilities and unintended network exposure. Amazon Inspector automatically discovers and scans running EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR) and within your CI/CD tools, and Lambda functions. 

 

Today, Amazon Inspector adds three new capabilities to increase the realm of possibilities when scanning your workloads for software vulnerabilities: 

  • Amazon Inspector introduces a new set of open-source plugins and an API allowing you to assess your container images for software vulnerabilities at build time directly from your continuous integration and continuous delivery (CI/CD) pipelines wherever they are running. 
  • Amazon Inspector can now continuously monitor your Amazon Elastic Compute Cloud (Amazon EC2) instances without installing an agent or additional software (in preview). 
  • Amazon Inspector uses generative artificial intelligence (AI) and automated reasoning to provide assisted code remediation for your AWS Lambda functions. 

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Capabilities:

1. Detecting vulnerabilities in your AWS Lambda functions code 

Amazon Inspector may now deliver in-context code fixes for a variety of vulnerability classes discovered during security scans. Amazon Inspector examines your code for security weaknesses such as injection holes, data breaches, inadequate cryptography, or missing encryption. Amazon Inspector now offers ideas for how to solve it thanks to generative AI. It displays impacted code fragments in context, along with proposed fixes. 

After deploying the code. This triggers the assessment. When we open the AWS Management Console and navigate to the Amazon Inspector page. In the Findings section, we find the vulnerability. It gives us the Vulnerability location and the Suggested remediation in a plain natural language explanation.

2. Detecting vulnerabilities in your container CI/CD pipeline 

 Amazon Inspector can detect security issues much sooner in the development process by assessing container images during their build within CI/CD tools. Assessment results are returned in near real-time directly to the CI/CD tool’s dashboard. There is no need to enable Amazon Inspector to use this new capability. 

AWS offers pre-built CI/CD plugins for Jenkins and JetBrains’ TeamCity, with more on the way. A new API (inspector-scan) and command (inspector-sbomgen) are also accessible through our AWS SDKs and the AWS Command Line Interface (AWS CLI). This new API allows you to incorporate Amazon Inspector into your preferred CI/CD tool. 

When the plugin is launched, it runs a container extraction engine on the defined resource and creates a CycloneDX-compatible software bill of materials (SBOM). The SBOM is then sent to Amazon Inspector for examination by the plugin. The plugin gets the scan results in near real-time. It parses the answer and creates outputs that Jenkins or TeamCity may use to pass or fail pipeline execution. 

We initially had to install the plugin before we could utilise it with Jenkins. 

we configure the step with the IAM Role we created (or an AWS access key and secret access key when running on premises), ourDocker Credentials, the AWS Region, and the Image Id. 

When Amazon Inspector detects vulnerabilities, it reports them to the plugin. The build fails, and we can view the details directly in Jenkins. 

3. Detecting vulnerabilities on Amazon EC2 without installing agents (in preview)  

Amazon Inspector uses AWS Systems Manager and the AWS Systems Manager Agent (SSM Agent) to collect information about the inventory of your EC2 instances. To ensure Amazon Inspector can communicate with your instances, you have to ensure three conditions. First, a recent version of the SSM Agent is installed on the instance. Second, the SSM Agent is started. And third, you attached an IAM role to the instance to allow the SSM Agent to communicate back to the SSM service. This seems fair and simple. But it is not when considering large deployments across multiple OS versions, AWS Regions, and accounts, or when you manage legacy applications. Each instance launched that doesn’t satisfy these three conditions is a potential security gap in your infrastructure. 

Amazon Inspector does not require the SSM Agent to scan your instances using agentless scanning (in preview). It identifies current and new instances automatically and schedules a vulnerability evaluation for them. It accomplishes this by capturing and analysing a snapshot of the instance’s EBS volumes. This strategy has the added benefit of not spending any CPU cycles or memory on your instances, allowing you to use the entire (virtual) hardware for your workloads. Amazon Inspector deletes the photo after the analysis. 

 

Under Account management, we can verify the list of scanned instances. we can see which instances are scanned with the SSM Agent and which are not. 

Under Findings, we can filter by vulnerability, by account, by instance, and so on. we select by instance and select the agentless instance we want to review. 

For that specific instance, Amazon Inspector lists more than 150 findings, sorted by severity. 

As usual, we can see the details of a finding to understand what the risk is and how to mitigate it. 

 

Conclusion:

Vulnerability scanning lets you take a proactive approach to close any gaps and maintain strong security for your systems, data, employees, and customers. Data breaches are often the result of unpatched vulnerabilities, so identifying and eliminating these security gaps, removes that attack vector. 

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.

FAQs

1. In how many regions Inspector code remediation for lambda is available?

ANS: – Amazon Inspector code remediation for Lambda functions is available in ten Regions: US East (Ohio, N. Virginia), US West (Oregon), Asia Pacific (Singapore, Sydney, Tokyo), and Europe (Frankfurt, Ireland, London, Stockholm).  

2. In how many regions Amazon Inspector agentless vulnerability scanning for Amazon EC2 is available?

ANS: – It is available in three AWS Regions: US East (N. Virginia), US West (Oregon), and Europe (Ireland). 

3. What will be the subscription cost?

ANS: – There are no upfront or subscription costs. AWS charge on-demand based on the volume of activity. There is a price per EC2 instance or container image scan. As usual, the Amazon Inspector pricing page has the details. 
 

WRITTEN BY Ayush Agarwal

Ayush Agarwal works as a Research Associate at CloudThat. He has excellent analytical thinking and carries an optimistic approach toward his life. He is having sound Knowledge of AWS Cloud Services, Infra setup, Security, WAR, and Migration. He is always keen to learn and adopt new technologies.

Share

Comments

    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!