Overview

HAQM Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. With a few steps in the AWS Management Console, you can use HAQM Inspector across all accounts in your organization. Once started, it automatically discovers HAQM Elastic Compute Cloud (EC2) instances, container images residing in HAQM Elastic Container Registry (ECR) and within continuous integration and continuous delivery (CI/CD) tools, and AWS Lambda functions, at scale, and immediately starts assessing them for known vulnerabilities.

HAQM Inspector calculates a highly contextualized risk score for each finding by correlating common vulnerabilities and exposures (CVE) information with factors such as network access and exploitability. This score is used to prioritize the most critical vulnerabilities to improve remediation response efficiency. All findings are aggregated in the HAQM Inspector console and pushed to AWS Security Hub and HAQM EventBridge to automate workflows. Vulnerabilities found in container images are also sent to HAQM ECR for resource owners to view and remediate. HAQM Inspector empowers security teams and developers of any size to achieve comprehensive infrastructure workload security and compliance across their AWS environments.

Key Features
HAQM Inspector is a comprehensive vulnerability management service that spans various resources, such as HAQM EC2, Lambda functions, and container workloads. It identifies different types of vulnerabilities, including software vulnerabilities and unintended network exposure that can be used to compromise workloads, repurpose resources for malicious use, or facilitate data exfiltration.

Start HAQM Inspector across multiple accounts with one step in the HAQM Inspector console or a single API call. HAQM Inspector allows you to assign an Inspector Delegated Administrator (DA) account for your organization, which can seamlessly start and configure all member accounts, as well as consolidate all findings.

Once started, HAQM Inspector automatically discovers all HAQM EC2 instances, Lambda functions, and container images in HAQM ECR. It promptly initiates scans for software vulnerabilities and unintended network exposure. All workloads are continually rescanned when a new CVE is published or when there are changes in the workloads, including installation of new software in an EC2 instance.

HAQM Inspector uses the widely deployed AWS Systems Manager Agent (SSM Agent) to collect the software inventory and configurations from your HAQM EC2 instances. The collected application inventory and configurations are used to assess workloads for vulnerabilities.

HAQM Inspector offers continuous monitoring of your HAQM EC2 instances for software vulnerabilities without installing an agent or additional software. HAQM Inspector takes a snapshot of the EBS volume to extract data about the system and configuration of the instances to perform vulnerability assessments. With this capability, you can expand your vulnerability assessment coverage across your EC2 infrastructure with HAQM Inspector agentless scanning for EC2 instances that do not have SSM Agents installed or configured.

HAQM Inspector supports suppression of findings based on criteria you define. You can create these suppression rules to suppress findings that your organization deems an acceptable risk.

HAQM Inspector generates a highly contextualized HAQM Inspector risk score for each finding by correlating CVE information with environmental factors such as network reachability results and exploitability data. This helps prioritize the findings and highlights the most critical findings and vulnerable resources. The HAQM Inspector score calculation (and which factors influenced the score) can be viewed in the HAQM Inspector Score tab within the Findings Details side panel.

HAQM Inspector automatically detects if a vulnerability has been patched or remediated. Once detected, it automatically changes the state of the finding to “Closed” without manual intervention.

HAQM Inspector provides a comprehensive, near real-time overview of organization-wide environment coverage, so you can avoid gaps in coverage. It provides metrics and detailed information on accounts, as well as HAQM EC2 instances, HAQM ECR repositories, and container images that are actively being scanned by HAQM Inspector. Additionally, it highlights the resources not being actively monitored and provides guidance on how to include them.

All findings are aggregated in the HAQM Inspector console, routed to AWS Security Hub, and pushed through HAQM EventBridge to automate workflows such as ticketing.
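The EventBridge-driven workflow described above, as an added example that is not HAQM Inspector's own code: a small triage handler that takes a finding event, drops findings the service has already closed, applies organization-defined suppression criteria, and opens a ticket only for findings at or above a score threshold. The event field names (`status`, `severity`, `inspectorScore`, `packageVulnerabilityDetails`, `resources`, `remediation`), the rule format, and all sample values are assumptions constructed for this example, not a documented schema.

```python
from typing import Optional

# Suppression criteria (page: findings your organization deems acceptable risk).
# Every key in a rule must match the finding for it to be suppressed (assumption).
SUPPRESSION_RULES = [
    {"vulnerabilityId": "CVE-0000-00001", "resourceType": "AWS_EC2_INSTANCE"},  # constructed id
    {"severity": "LOW"},
]
TICKET_SCORE_THRESHOLD = 7.0  # open a ticket at or above this Inspector score


def finding_facts(detail: dict) -> dict:
    """Flatten the fields that suppression rules are matched against."""
    res = detail.get("resources") or [{}]
    return {
        "vulnerabilityId": detail.get("packageVulnerabilityDetails", {}).get("vulnerabilityId"),
        "resourceType": res[0].get("type"),
        "severity": detail.get("severity"),
    }


def is_suppressed(detail: dict, rules=SUPPRESSION_RULES) -> bool:
    facts = finding_facts(detail)
    return any(all(facts.get(k) == v for k, v in rule.items()) for rule in rules)


def triage(event: dict) -> Optional[dict]:
    """Return a ticket payload for an actionable finding, else None."""
    d = event.get("detail", {})
    if d.get("status") != "ACTIVE":  # Inspector closes fixed findings itself; nothing to ticket
        return None
    if is_suppressed(d):
        return None
    score = float(d.get("inspectorScore", 0))
    if score < TICKET_SCORE_THRESHOLD:
        return None
    facts = finding_facts(d)
    return {"title": f"[{facts['severity']}] {facts['vulnerabilityId']} on {d['resources'][0]['id']}",
            "score": score,
            "fix": d.get("remediation", {}).get("recommendation", {}).get("text", "")}


def make_event(status, severity, score, vuln, rtype, rid):
    """Build a constructed EventBridge-style event (field names are assumptions)."""
    return {"detail-type": "Inspector Finding", "detail": {
        "status": status, "severity": severity, "inspectorScore": score,
        "packageVulnerabilityDetails": {"vulnerabilityId": vuln},
        "resources": [{"type": rtype, "id": rid}],
        "remediation": {"recommendation": {"text": "Upgrade the affected package."}}}}


# Constructed sample events: one actionable, one auto-closed, one matched by a suppression rule
ACTIONABLE = make_event("ACTIVE", "CRITICAL", 8.6, "CVE-0000-00002", "AWS_LAMBDA_FUNCTION", "fn-demo")
CLOSED = make_event("CLOSED", "CRITICAL", 9.1, "CVE-0000-00003", "AWS_ECR_CONTAINER_IMAGE", "img-demo")
SUPPRESSED = make_event("ACTIVE", "HIGH", 7.9, "CVE-0000-00001", "AWS_EC2_INSTANCE", "i-demo")

if __name__ == "__main__":
    for ev in (ACTIONABLE, CLOSED, SUPPRESSED):
        print(triage(ev))
```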

HAQM Inspector scans the custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or missing encryption based on AWS security best practices. Upon detecting code vulnerabilities within the Lambda function or layer, HAQM Inspector generates actionable security findings that provide several details, such as the security detector name, impacted code snippets, and remediation suggestions to address the vulnerabilities. Using generative AI and automated reasoning, HAQM Inspector provides in-context code patches for multiple classes of vulnerabilities, reducing the effort required to fix code vulnerabilities. By addressing vulnerabilities at the foundational layers, you can help improve the security of all downstream Lambda functions.

HAQM Inspector offers automated and centralized management of software bill of materials (SBOM) exports. It enables the easy export of a consolidated SBOM for all monitored resources to a preconfigured HAQM S3 bucket, supporting industry-standard formats. You can download the SBOM artifact, perform HAQM Athena queries, or create HAQM QuickSight dashboards to gain valuable insights and visualize trends.

HAQM Inspector integrates with developer tools like Jenkins and TeamCity for container image assessments. It allows developers to assess their container images within these CI/CD tools, pushing security earlier in the software development lifecycle. The findings are available in the CI/CD tool’s dashboard, allowing you to take immediate automated actions in response to critical security issues, such as blocking builds or image pushes to container registries. Your CI/CD tools can be hosted anywhere: in AWS, on premises, or in hybrid clouds, so developers can use a single solution consistently across all your development pipelines.

HAQM Inspector supports the Center for Internet Security's CIS Benchmarks. You can run HAQM Inspector to perform on-demand and targeted assessments against OS-level CIS configuration benchmarks for HAQM EC2 instances across your AWS Organization. HAQM Inspector CIS assessments support both Level 1 and Level 2 configuration benchmark checks across operating systems, including HAQM Linux 2, Windows Server 2019, and Windows Server 2022.