CVE Scan using AWS Inspector

Posted on April 8, 2025 by Shree Vishnu P


About AWS Inspector

AWS Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities and deviations from best practices. After performing an assessment, it produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API. Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions. These rules are regularly updated by AWS security researchers.

What are the different Assessment Types?

The Network Assessment evaluates the EC2 instance protections for Internet ‘visible’ ports, i.e. for ingress from points outside the VPC. This type of assessment cannot examine the EC2 instance itself unless the optional agent is installed. The Host Assessment is significantly more thorough, as it evaluates the EC2 instances for vulnerable software (CVE), system hardening (CIS) and security best practices. The agent can be installed at enterprise scale using AWS Systems Manager (formerly EC2 Systems Manager, or SSM), or manually on each instance.

The Amazon Inspector Nomenclature

Amazon Inspector agent: Inspector agents are installed on the EC2 instances. These agents collect the data associated with installed software and send it to the AWS Inspector service. Note: the agent inventories installed software; it will not find vulnerable or malicious code inside your own application if that application is infected.

Assessment target: A set of EC2 instances that you want to assess for vulnerabilities. Targets can be identified by unique tags.

Rules and rules packages: Checks are performed on the IT resources based on certain rules. In the context of Amazon Inspector, a rule is a security check that Amazon Inspector performs during the assessment run. Rules are grouped into the following rules packages:

  • Network Reachability
  • Common vulnerabilities and exposures
  • Center for Internet Security (CIS) Benchmarks
  • Security best practices for Amazon Inspector

Findings: Findings are the potential security issues discovered by the Inspector. Findings are displayed on the Amazon Inspector console or fetched through the API.

How to install the Inspector Agent

Agents collect the data (behavioral and configuration) and pass it on to Amazon Inspector for further analysis. Installing the agent on Linux is a very simple process. As of this writing, agent installation using the Systems Manager Run Command is not supported for the Debian operating system. To use this option, make sure that your EC2 instance has the SSM Agent installed and has an IAM role that allows Run Command. The SSM Agent is installed by default on Amazon EC2 Windows instances and Amazon Linux instances. Amazon EC2 Systems Manager requires an IAM role for EC2 instances that process commands and a separate role for users executing commands.

Download the agent from the following paths:

Linux based:

Or

Windows based: https://inspector-agent.amazonaws.com/windows/installer/latest/AWSAgentInstall.exe

To install, run:

$ sudo bash install

Configure Amazon Inspector

Step 1: Click on Get started

Step 2: You can leave the default options checked and click on any run options from below as per your requirement. For this walkthrough, we have opted for Advanced setup.

Step 3: Here, Amazon Inspector has an option to run on all the instances present in your account and region. If you want to run it for a standalone instance or a specific set of instances, use EC2 tags to segregate them. We can also install Inspector agents using SSM from this window for all instances. As a prerequisite, make sure that the SSM Agent is already installed and that the EC2 instances have the appropriate IAM rights for it.

For a standalone or tag-based assessment, run:

Step 4: Define rules packages. By default, certain packages are selected. If needed, you can remove a rules package by clicking the ‘X’ mark. This window also provides an option to set a schedule for recurring scans.

Step 5: Once verified, click on Create to start the first assessment run. Once done, you will get a success message as shown below.

Success Message:

Step 6: You can verify the assessment run by clicking Assessment templates from the navigation option.

Step 7: After about an hour, you should be able to see the findings under the Findings option. You can also segregate findings based on severity.
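The nomenclature section notes that findings can be fetched through the API, and Step 7 segregates them by severity. The following is an added example, not code from the original post or from AWS: it pages through the Inspector Classic ListFindings/DescribeFindings calls and groups the results by severity and by instance. The client is assumed to be an Inspector Classic client such as boto3.client("inspector"); the findings and ARNs embedded below are constructed placeholders so the module runs offline.

```python
"""Fetch Amazon Inspector Classic findings and summarize them by severity.

Added example (not the post's own code). Assumes a client exposing the
Inspector Classic operations list_findings and describe_findings, e.g.
boto3.client("inspector"). SAMPLE_FINDINGS and all ARNs are constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List

# Inspector Classic severity labels, highest first.
SEVERITY_ORDER = ("High", "Medium", "Low", "Informational", "Undefined")
SEVERITY_RANK = {label: i for i, label in enumerate(SEVERITY_ORDER)}

# DescribeFindings accepts at most 10 finding ARNs per call.
DESCRIBE_BATCH = 10

# Constructed sample in the shape DescribeFindings returns, trimmed to the
# fields used here. Every ARN and agent id is a placeholder, not a real value.
SAMPLE_FINDINGS: List[dict] = [
    {"arn": "arn:aws:inspector:REGION:ACCOUNT:finding/PLACEHOLDER-1",
     "severity": "High", "title": "Instance is missing security patches (CVE)",
     "assetAttributes": {"agentId": "i-PLACEHOLDER-a"}},
    {"arn": "arn:aws:inspector:REGION:ACCOUNT:finding/PLACEHOLDER-2",
     "severity": "High", "title": "Port 22 reachable from the internet",
     "assetAttributes": {"agentId": "i-PLACEHOLDER-b"}},
    {"arn": "arn:aws:inspector:REGION:ACCOUNT:finding/PLACEHOLDER-3",
     "severity": "Medium", "title": "CIS benchmark check failed",
     "assetAttributes": {"agentId": "i-PLACEHOLDER-a"}},
    {"arn": "arn:aws:inspector:REGION:ACCOUNT:finding/PLACEHOLDER-4",
     "severity": "Low", "title": "Security best practice deviation",
     "assetAttributes": {"agentId": "i-PLACEHOLDER-b"}},
    {"arn": "arn:aws:inspector:REGION:ACCOUNT:finding/PLACEHOLDER-5",
     "severity": "Informational", "title": "Agent version information",
     "assetAttributes": {"agentId": "i-PLACEHOLDER-c"}},
]


def chunked(items: List[str], size: int) -> Iterator[List[str]]:
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def fetch_findings(client, assessment_run_arns: List[str]) -> List[dict]:
    """Collect every finding ARN for the given runs, then describe them in batches."""
    arns: List[str] = []
    kwargs = {"assessmentRunArns": assessment_run_arns, "maxResults": 500}
    while True:  # follow nextToken until the last page
        page = client.list_findings(**kwargs)
        arns.extend(page.get("findingArns", []))
        token = page.get("nextToken")
        if not token:
            break
        kwargs["nextToken"] = token
    findings: List[dict] = []
    for batch in chunked(arns, DESCRIBE_BATCH):
        findings.extend(client.describe_findings(findingArns=batch)["findings"])
    return findings


def count_by_severity(findings: Iterable[dict]) -> Dict[str, int]:
    """Counts per severity label, every label present even when zero."""
    counts = Counter(f.get("severity", "Undefined") for f in findings)
    return {label: counts.get(label, 0) for label in SEVERITY_ORDER}


def findings_at_or_above(findings: Iterable[dict], minimum: str) -> List[dict]:
    """Findings whose severity is at least `minimum`, most severe first."""
    cutoff = SEVERITY_RANK[minimum]
    kept = [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "Undefined"), len(SEVERITY_ORDER)) <= cutoff]
    return sorted(kept, key=lambda f: SEVERITY_RANK.get(f.get("severity", "Undefined"), 99))


def count_by_instance(findings: Iterable[dict]) -> Dict[str, Dict[str, int]]:
    """Per-instance severity counts, keyed by the agent id (the EC2 instance id)."""
    per_instance: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        agent = f.get("assetAttributes", {}).get("agentId", "unknown")
        per_instance[agent][f.get("severity", "Undefined")] += 1
    return {agent: dict(c) for agent, c in per_instance.items()}


class ConstructedClient:
    """Offline stand-in for boto3.client("inspector"), paging two ARNs at a time."""

    def __init__(self, findings: List[dict], page_size: int = 2):
        self._by_arn = {f["arn"]: f for f in findings}
        self._arns = list(self._by_arn)
        self._page_size = page_size

    def list_findings(self, assessmentRunArns, maxResults=500, nextToken=None):
        start = int(nextToken or 0)
        end = start + self._page_size
        page = {"findingArns": self._arns[start:end]}
        if end < len(self._arns):
            page["nextToken"] = str(end)
        return page

    def describe_findings(self, findingArns):
        assert len(findingArns) <= DESCRIBE_BATCH, "API limit is 10 ARNs per call"
        return {"findings": [self._by_arn[a] for a in findingArns]}


if __name__ == "__main__":
    run_arn = "arn:aws:inspector:REGION:ACCOUNT:target/PLACEHOLDER/template/PLACEHOLDER/run/PLACEHOLDER"
    found = fetch_findings(ConstructedClient(SAMPLE_FINDINGS), [run_arn])
    print(count_by_severity(found))
    for f in findings_at_or_above(found, "Medium"):
        print(f["severity"], f["assetAttributes"]["agentId"], f["title"])
```

To run it against a real account, replace ConstructedClient with boto3.client("inspector") and pass the assessment run ARN shown under Assessment templates in the console; the summarizing functions are unchanged.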

Dashboard View

You can also get a consolidated view from the Dashboard option.

Pricing

Amazon Inspector is a “pay for what you use” service, like the vast majority of those provided by AWS. Amazon Inspector is free for up to 250 agents for the first 90 days. After 90 days, the pricing changes. Please refer here for details.

Possible scenario: Suppose you have 10 Amazon EC2 instances in your assessment target with the Inspector Agent installed on each instance. In this example, you would be billed for 10 host agent-assessments and 10 network reachability instance-assessments. The Amazon Inspector charges for your account for this billing period would be:

  • For host assessment rules packages: 10 agent-assessments @ $0.30 per agent-assessment
  • For network reachability rules package: 10 instance-assessments @ $0.15 per instance-assessment

When you add them up, the Amazon Inspector bill would be $3.00 for host agent-assessments and $1.50 for network reachability instance-assessments, for a total of $4.50.

Conclusion

AWS Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities and deviations from best practices. After performing an assessment, it produces a detailed list of security findings prioritized by level of severity. Click the link to know more about AWS Inspector.

© 2025 All rights reserved