Improvements to Amazon Inspector


Vulnerability Management at Scale with Amazon Inspector

In this course, we introduce the latest version of Amazon Inspector, now improved for automated and continuous vulnerability management at scale.

Learning Objectives

  • Learn about the new Amazon Inspector, its function, operation, and implementation

Intended Audience

  • Architects, developers, and system operators looking to understand the basic function and operation of Amazon Inspector
  • Those studying for the Solutions Architect Associate and SysOps Associate certification exams

Prerequisites

  • To get the most out of this course, you will need to meet the requirements for the AWS Cloud Practitioner certification or have equivalent experience

One of the most significant improvements to Amazon Inspector is that it now relies on the AWS Systems Manager (SSM) agent instead of the dedicated agent that Inspector Classic required. Consolidating on a single agent means simpler provisioning and much better performance. The SSM agent is conveniently pre-installed by default on a number of AWS-provided AMIs. The agent is open source and available on GitHub, and the supported systems include Amazon Linux, Amazon Linux 2, Amazon Linux 2 ECS-Optimized Base AMIs, macOS 10.14 and 10.15, Ubuntu Server 16, 18, and 20, Windows Server 2008 through 2012 R2 AMIs, and Windows Server 2016 and 2019. Amazon Inspector automatically checks the operating system and all installed applications. It includes a knowledge base with hundreds of rules covering security compliance, standards, and vulnerability definitions. It provides severity scores based on the security metrics that make up the National Vulnerability Database (NVD), adjusted to your environment.

The score is in CVSS format, compatible with the Common Vulnerability Scoring System used by the NVD. You can always check whether vulnerable software versions are installed on your fleet and take the required mitigation steps. If you remediate a finding, Inspector detects the fix and closes the finding. There are also automation improvements: Inspector Classic required you to manually schedule and configure assessment scans, and to select the resources that needed to be evaluated. Neither is required any longer. Amazon Inspector now performs automatic discovery and continuous scanning of your resources.

Inspector continues to examine your environment as you make changes, and this automation simplifies the use of Amazon Inspector even more. In terms of integration, Amazon Inspector integrates with AWS Organizations to centrally manage Inspector across multiple accounts. It also includes near-real-time integration with Amazon EventBridge and AWS Security Hub to automate the response to findings, which can trigger remediation workflows and resolve issues faster, even using third-party products. A single click enables Amazon Inspector for the whole organization and also enables the service for new members when they join the organization.
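As an added example, not code from the course or from AWS, here is how the EventBridge integration described above can drive a remediation workflow: an event pattern that selects only active high and critical findings, a small matcher that applies it, and a triage function that opens a ticket with the fixed package versions, logs lower-severity findings, and resolves tickets when Inspector closes a finding after detecting the fix. The event source, detail-type and finding field names are assumptions about the current Amazon Inspector event format, and the sample event is constructed.

```python
"""Triage Amazon Inspector findings arriving through Amazon EventBridge."""
# EventBridge event pattern selecting only active HIGH/CRITICAL findings. Source,
# detail-type and field names are assumptions about the Inspector event format.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["CRITICAL", "HIGH"], "status": ["ACTIVE"]},
}

# Constructed sample event (placeholder instance id and CVE id).
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "severity": "HIGH", "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-YYYY-NNNNN",
            "vulnerablePackages": [{"name": "examplepkg", "version": "1.0.0-1",
                                    "fixedInVersion": "1.0.1-1"}],
        },
    },
}

def matches_pattern(event: dict, pattern: dict = EVENT_PATTERN) -> bool:
    """EventBridge-style match: every pattern key must be present in the event and
    hold one of the listed values; nested pattern dicts are matched recursively."""
    for key, allowed in pattern.items():
        value = event.get(key)
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True

def triage(event: dict) -> dict:
    """Decide what a remediation workflow should do with one finding event."""
    detail = event["detail"]
    resource = detail["resources"][0]["id"]
    if detail.get("status") == "CLOSED":  # Inspector closed it after seeing the fix
        return {"action": "resolve", "resource": resource}
    if not matches_pattern(event):  # below the severity bar: record, don't page anyone
        return {"action": "log", "resource": resource}
    vuln = detail.get("packageVulnerabilityDetails", {})
    fixes = [f"{p['name']} -> {p['fixedInVersion']}"
             for p in vuln.get("vulnerablePackages", []) if p.get("fixedInVersion")]
    return {"action": "open_ticket", "resource": resource,
            "vulnerability": vuln.get("vulnerabilityId"), "fixes": fixes}
```

In a real deployment the pattern goes into the EventBridge rule and `triage` runs in the rule's target (for example a Lambda function), so only findings that pass the pattern ever reach the handler.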


About the Author
Jorge Negrón
AWS Content Architect

Experienced in architecture and delivery of cloud-based solutions, the development and delivery of technical training, defining requirements and use cases, and validating architectures for results. Excellent leadership, communication, and presentation skills with attention to detail. Hands-on administration/development experience with the ability to mentor and train in current & emerging technologies (Cloud, ML, IoT, Microservices, Big Data & Analytics).