AWS Re-launches Amazon Inspector To Find Software Vulnerabilities

4 minute read | Last updated 2-Aug-2022 | An icon depicting a retail tag with a heart for 'favourite' AWS Cloud Security

AWS re-launches a dramatically improved Amazon Inspector, a software vulnerability discovery/management service.

The idea behind these types of services is to scan your servers and containers before they reach production to identify known vulnerabilities so that you are aware of them and can mitigate them appropriately.

Notice I said “mitigate” not “patch”. Patching is just one of many possible mitigations.

Amazon Inspector launched in 2015 and a lot has changed since then. This is a much needed upgrade to the service that should help builders identify these issues with the minimal amount of effort possible.

This Twitter thread highlights some of the details of the launch…

Tweet 1/11 Next tweet

at #reinvent, @awscloud has just re-launched Amazon Inspector

this is HUGE!

https://www.youtube.com/watch?v=wi1PDr9n67Y&feature=youtu.be

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 2/11 Next tweet Start

re-launches are hard. @awscloud Macie is way, way better now but still doesn’t have the traction it should (a/k/a everyone using it) because of a few years of brutal costs & #ux

Inspector has always been better, but now it’s a lot more user friendly

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 3/11 Next tweet Start

1: assessments are now continual & automated

<< no more set time period assessments & super delayed results…if you remembered to scan at all

the service now just bubbles up findings == awesome

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 4/11 Next tweet Start

2: Inspector uses “the” @awscloud agent (I think there’s only one now) which means it’s already there on AWS managed AMIs

the service leverages that to find EC2 instances as well as ECR repos

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 5/11 Next tweet Start

3: containers!

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 6/11 Next tweet Start

4: @awscloud Organizations support << about f–king time!

enabling Inspector was a pain. I ❤️ to be able to say that, “was”

critical improvement for adoption

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 7/11 Next tweet Start

5: see no. 2 … the custom Inspector agent is out the door. the @awscloud Systems Manager agent—the one agent to rule them all—is now used

<< again, that greatly simplifies adoption

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 8/11 Next tweet Start

6: better risk scoring << we’ll see about this one. assigning risk scores is tricky as there are layers involved

most vulnerability discovery/management services use the CVE/CVSS score to assess risk but that lacks context

it’s a start…but only a start

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 9/11 Next tweet Start

7: integrates directly with @awscloud EventBridge

<< no more routing events through another service. I mean, it still happens behind the scenes but if it’s behind the scenes, I can safely ignore

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 10/11 Next tweet Start

8: AWS Security Hub integration << need to dive into this one more. it’s unclear what’s changed here as there was some level of integration…at least if you consider dumping findings in the Hub “integrating”

☁️ #cloud #security

marknca @marknca tweeted at 29-Nov-2021, 20:52

Tweet 11/11 Next tweet Start

overall, this is a huge improvement to @awscloud Inspector. I’ll take some time next week to dive in but so far, this is a big win for #cloud #security

this is GA now

the launch blog is up at https://aws.amazon.com/blogs/aws/improved-automated-vulnerability-management-for-cloud-workloads-with-a-new-amazon-inspector/

/ ☁️

marknca @marknca tweeted at 29-Nov-2021, 20:52

Start