Amazon Updates Inspector Vulnerability Management


By: Andrew Braunberg


Amazon Web Services (AWS) announced a significant update to Amazon Inspector, its vulnerability management service, at its re:Invent conference this week. Traditional vulnerability management is challenging in cloud environments for several reasons: workloads are short-lived and change constantly, the fleet to be scanned is immense, and traditional vulnerability scoring systems, such as the Common Vulnerability Scoring System (CVSS), do not always capture the real risk posture of software as it is deployed in the cloud.

Amazon clearly had all these concerns in mind as it updated the Inspector service, which was first introduced in 2015. Important new features include:

  • Continual, automated assessment scanning, which replaces manual, ad hoc scans
  • Automated discovery of all Amazon EC2 instances and Amazon Elastic Container Registry (ECR) repositories in the account
  • Support for container-based workloads (scanning of container images in ECR)
  • Use of the widely deployed AWS Systems Manager (SSM) agent for EC2 scanning, eliminating the need for a separate, dedicated Inspector agent
  • Integration with Amazon EventBridge, AWS's serverless event bus
  • Integration with AWS Security Hub
  • Improved risk scoring

Risk Scoring Feature a Plus

Support for more comprehensive risk scores is particularly welcome. Amazon Inspector now draws on more than 50 vulnerability intelligence sources, including CVE, the National Vulnerability Database (NVD), and MITRE. Rather than reporting the CVSS base score alone, the new Inspector derives a risk score by correlating the vulnerability data with environmental factors of the affected resource, and uses that score to prioritize findings. The assessment can, for example, take into account how easily the vulnerability can be exploited in a cloud environment, producing a score that is more meaningful than a severity rating assigned in the abstract.

Many AWS Security Partners have integrated their products with the new version of Inspector, including Axonius, Cavirin, FireEye, IBM Security, Palo Alto Networks, Rezilion, Sophos, Sumo Logic, Vulcan Cyber, Wiz and XM Cyber. Amazon Inspector has also partnered with Snyk to receive additional vulnerability intelligence for its vulnerability database.

Improve Remediation Prioritization

Several of these integrations are designed to help customers better prioritize remediation. The XM Cyber integration lets customers map the attack paths that could lead to the compromise of critical assets. The Vulcan Cyber integration lets customers analyze vulnerabilities across multiple AWS services and build a consolidated, prioritized view of workload risk posture. The Rezilion integration lets customers scan for vulnerabilities, confirm whether they are exploitable, and prioritize remediation according to a more data-driven risk score; with Rezilion, for example, customers can determine which vulnerabilities are actually exploitable in their specific runtime environment.

As noted above, Inspector is now better integrated with the broader AWS management environment. This includes integration with Amazon EventBridge, which improves visibility and enables remediation through automated workflows: an EventBridge rule can match Inspector findings and trigger a workflow that isolates the affected instance, patches it, or rebuilds the software image it was launched from.
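One way such a workflow could be wired up, as an added example written for this article (it is not code from AWS or from the article's author): an EventBridge rule pattern that selects active, high-severity package-vulnerability findings, and a Lambda-style handler that turns each finding into a remediation decision. The `matches()` function mirrors the exact-value subset of EventBridge pattern semantics so the example runs offline; the sample event is constructed by hand in the shape of an "Inspector2 Finding" event (verify the field names against the findings your own account emits); the quarantine security group id, the score threshold, the `AutoRemediate` tag and the placeholder CVE id are assumptions for the example.

```python
"""Added example (not AWS sample code): triaging Amazon Inspector findings that
arrive through Amazon EventBridge. Field names follow the Inspector2 finding JSON
as best understood; the security group, threshold, tag and CVE id are assumed."""
import json

# The JSON you would attach to the EventBridge rule: only active findings of
# CRITICAL/HIGH severity that Inspector classified as package vulnerabilities.
INSPECTOR_RULE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "status": ["ACTIVE"],
        "severity": ["CRITICAL", "HIGH"],
        "type": ["PACKAGE_VULNERABILITY"],
    },
}

QUARANTINE_SG = "sg-0123456789abcdef0"  # assumed: a security group with no rules
SCORE_THRESHOLD = 7.0                   # assumed: Inspector score that triggers action


def matches(pattern, event):
    """Exact-value subset of EventBridge matching: every pattern key must be
    present in the event, a list means "any of these values", a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def triage(event):
    """Return the action an automated workflow should take for one finding.
    A real handler would pass the result to boto3: ssm.send_command with the
    AWS-RunPatchBaseline document for "patch", ec2.modify_instance_attribute
    to swap in QUARANTINE_SG for "isolate"."""
    if not matches(INSPECTOR_RULE_PATTERN, event):
        return {"action": "ignore", "reason": "outside rule pattern"}
    d = event["detail"]
    cve = d.get("packageVulnerabilityDetails", {}).get("vulnerabilityId")
    score = float(d.get("inspectorScore", 0.0))
    instances = [r for r in d.get("resources", []) if r.get("type") == "AWS_EC2_INSTANCE"]
    if not instances:
        # Container images and other resource types need an image rebuild, not a patch run.
        return {"action": "ticket", "reason": "no EC2 instance in finding", "cve": cve}
    ids = [r["id"] for r in instances]
    if score < SCORE_THRESHOLD:
        return {"action": "ticket", "instances": ids, "score": score, "cve": cve}
    if d.get("fixAvailable") == "YES":
        return {"action": "patch", "instances": ids, "document": "AWS-RunPatchBaseline",
                "score": score, "cve": cve}
    # No vendor fix yet: isolate, but only instances explicitly opted in by tag,
    # so an automated rule can never take an un-tagged production host off the network.
    opted_in = all(r.get("tags", {}).get("AutoRemediate") == "true" for r in instances)
    if not opted_in:
        return {"action": "ticket", "instances": ids, "score": score, "cve": cve,
                "reason": "isolation not permitted by tag"}
    return {"action": "isolate", "instances": ids, "security_group": QUARANTINE_SG,
            "score": score, "cve": cve}


def with_detail(event, **overrides):
    """Deep-copy an event and override top-level detail fields, to exercise the
    branches of triage() without a live account."""
    clone = json.loads(json.dumps(event))
    clone["detail"].update(overrides)
    return clone


# Constructed sample event (not captured from a real account; CVE id is a placeholder).
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "region": "us-east-1",
    "detail": {
        "awsAccountId": "123456789012",
        "status": "ACTIVE",
        "severity": "CRITICAL",
        "type": "PACKAGE_VULNERABILITY",
        "inspectorScore": 9.1,
        "fixAvailable": "YES",
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-2021-0000",
            "vulnerablePackages": [{"name": "libexample", "version": "1.0.0",
                                    "fixedInVersion": "1.0.1"}],
        },
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0abc123def4567890",
                       "tags": {"Environment": "staging", "AutoRemediate": "true"}}],
    },
}


def lambda_handler(event, context=None):
    """Entry-point shape for a Lambda target of the rule; logs and returns the decision."""
    decision = triage(event)
    print(json.dumps(decision))
    return decision


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT)
    lambda_handler(with_detail(SAMPLE_EVENT, fixAvailable="NO"))
    lambda_handler(with_detail(SAMPLE_EVENT, status="SUPPRESSED"))
```

The tag gate is the part worth keeping in any real version of this: an EventBridge-driven workflow runs with whatever permissions its role has, so the rule that decides to isolate a host should be at least as conservative as the human process it replaces.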

Inspector is now also fully integrated with AWS Security Hub, which aggregates findings from a host of AWS security services. In addition to Inspector, these include Amazon GuardDuty, a threat detection service; Amazon Macie, a sensitive data discovery service; AWS Firewall Manager; IAM (Identity and Access Management) Access Analyzer; and AWS Systems Manager, the operations hub for AWS applications and resources.

AWS has begun describing Security Hub as a cloud security posture management (CSPM) service. That is not stopping the company from continuing to integrate with CSPM partners. For example, Sophos announced this week that its Cloud Optix CSPM solution is now integrated with not just Inspector but with the broader Security Hub services as well as AWS CloudTrail, an account activity monitoring service, and Amazon Detective, a security incident investigative tool.

Cloud configuration vulnerabilities and tools for finding and avoiding them have understandably garnered a lot of attention the last few years, but it is good to see Amazon also focused on the perennial concern of software vulnerability management.