AWS Amazon Inspector
By linking Amazon ECR images to active containers, Amazon Inspector improves container security.
What is Amazon Inspector?
Amazon Inspector is an AWS vulnerability management service that automatically discovers AWS workloads and scans them for software vulnerabilities and unintended network exposure. It provides continuous, automated vulnerability management at scale.
How to use Amazon Inspector
Amazon Inspector scans several kinds of AWS workloads, including:
- Amazon EC2 instances
- AWS Lambda functions
- Container images in Amazon Elastic Container Registry (ECR)
- Container images built in continuous integration and continuous delivery (CI/CD) pipelines
In each of these resources it identifies software vulnerabilities and unintended network exposure.
Improvements to Container Security:
AWS recently enhanced Amazon Inspector for container security. In particular, it adds two capabilities for container image management:
- Mapping Amazon ECR images to running containers: Security teams can rank vulnerabilities by whether an Amazon ECR image is currently running in their environment. Inspector detects images running on Amazon ECS and Amazon EKS, so you can see which images are running and where they are deployed. It also shows the cluster Amazon Resource Name (ARN) and the number of EKS pods or ECS tasks running each image, to support prioritization by usage and severity.
- Expanded vulnerability scanning support: Amazon Inspector now scans minimal base images such as scratch, distroless, and Chainguard images. It also adds support for further ecosystems, including Puppeteer, WordPress (core, themes, and plugins), Amazon Corretto, Apache Tomcat, Apache httpd, Oracle JDK and JRE, and the Go toolchain. The result is consistent vulnerability assessment of minimal base images and conventional Linux distributions through a single service.
How the Container Mapping Feature Works:
The container mapping feature lets teams find out which container images are deployed and running in their environment. Inspector does this by continuously tracking the images that are running on ECS tasks and EKS pods.
To use this capability you must enable enhanced scanning in the Amazon ECR console (enhanced scanning is the ECR scanning mode that is powered by Amazon Inspector). In the Amazon Inspector console settings you can set the image re-scan mode to be based on the last pull date or the last in-use date; the last in-use date is the default. You can also choose how long Inspector keeps monitoring an image, based on when it was last pulled or last in use (for example, within the previous 14 days).
Monitoring can be based on the following points in the container image lifecycle:
- Image push date (14, 30, 60, 90, or 180 days, or lifetime)
- Last pull date (14, 30, 60, 90, or 180 days)
- Last in-use date (14, 30, 60, 90, or 180 days, rather than never)
- Whether the image is currently running in a container
For new customers the default window for the last in-use, push, and pull dates on Amazon EKS and Amazon ECS workloads is 14 days. This flexibility lets organisations tune their monitoring to actual container image usage rather than to repository events alone.
Finding Details and Prioritization:
Every Amazon Inspector finding now carries image runtime details to support remediation: the InUseCount (the number of deployed EKS pods or ECS tasks currently running the image) and the lastInUseAt date (when the image was last observed running).
In the Details pane of the Inspector console you can see details about images running on containers, including the number of EKS pods or ECS tasks, the last in-use date, and the last pull date. Selecting the count shows per-image information, including the cluster ARN, last-use dates, and the resource type (ECS task or EKS pod).
These details are included in findings reports, and you can filter images by their last running date within fixed windows (14, 30, 60, or 90 days) or filter findings on the lastInUseAt field using either a rolling window or a fixed date range. This helps you prioritize cleanup according to actual usage.
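The following script shows how the runtime fields described above (InUseCount and lastInUseAt) turn into a remediation queue: findings for images that are actually running inside the monitoring window come first, ordered by severity and by how many tasks or pods run the image, and the same lastInUseAt value drives both a rolling-window filter and a fixed-range filter. It also aggregates which clusters run which images, the "where is it deployed" view from the container mapping section. This is an added example, not code from the page or from AWS. The sample findings are constructed, not real scan output; their JSON layout (resources[].details.awsEcrContainerImage with inUseCount and lastInUseAt) approximates the shape of Inspector's ListFindings output, and the per-cluster "deployments" list is a hypothetical field used only to illustrate the cluster ARN view, not an Inspector API field.

```python
"""Prioritize Amazon Inspector ECR findings by runtime usage (added example, not AWS code).

Assumes findings shaped like Inspector's ListFindings JSON, with the inUseCount and
lastInUseAt fields the page describes under resources[].details.awsEcrContainerImage.
The "deployments" sub-list is hypothetical and only illustrates the cluster ARN view.
"""
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0, "UNTRIAGED": 0}

# Fixed reference time so the example is deterministic; a real script would use datetime.now(timezone.utc).
NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)


def days_ago(n, now=NOW):
    return now - timedelta(days=n)


def _sample(fid, severity, in_use_count=None, last_in_use_days_ago=None, deployments=()):
    """Build one constructed finding (assumed shape; not real Inspector data)."""
    image = {"repositoryName": "demo/app", "imageHash": "sha256:" + fid}
    if in_use_count is not None:
        image["inUseCount"] = in_use_count
    if last_in_use_days_ago is not None:
        image["lastInUseAt"] = days_ago(last_in_use_days_ago).isoformat()
    if deployments:  # hypothetical field: (clusterArn, count) pairs
        image["deployments"] = [{"clusterArn": arn, "count": n} for arn, n in deployments]
    return {
        "findingArn": f"arn:aws:inspector2:us-east-1:111122223333:finding/{fid}",
        "severity": severity,
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "details": {"awsEcrContainerImage": image}}],
    }


CLUSTER_A = "arn:aws:eks:us-east-1:111122223333:cluster/prod"
CLUSTER_B = "arn:aws:ecs:us-east-1:444455556666:cluster/batch"

# Constructed sample findings, not real scan results.
SAMPLE_FINDINGS = [
    _sample("f1", "HIGH", 12, 1, [(CLUSTER_A, 10), (CLUSTER_B, 2)]),
    _sample("f2", "CRITICAL", 0, 45),          # ran once, now stale: nothing runs it today
    _sample("f3", "CRITICAL", 3, 2, [(CLUSTER_A, 3)]),
    _sample("f4", "MEDIUM"),                   # never observed running on ECS/EKS
    _sample("f5", "LOW", 1, 10, [(CLUSTER_B, 1)]),
]


def image_details(finding):
    for res in finding.get("resources", []):
        details = res.get("details", {}).get("awsEcrContainerImage")
        if details:
            return details
    return {}


def last_in_use(finding):
    raw = image_details(finding).get("lastInUseAt")
    if raw is None:
        return None
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def in_use_count(finding):
    return int(image_details(finding).get("inUseCount", 0))


def in_rolling_window(finding, days, now=NOW):
    """Rolling window: the image was running within the last `days` days (the 14/30/60/90 console filters)."""
    ts = last_in_use(finding)
    return ts is not None and ts >= now - timedelta(days=days)


def in_fixed_range(finding, start, end):
    """Fixed range: lastInUseAt lies between start and end, inclusive."""
    ts = last_in_use(finding)
    return ts is not None and start <= ts <= end


def prioritize(findings, window_days=14, now=NOW):
    """Running images inside the window first, then by severity, then by number of tasks/pods running the image."""
    def key(f):
        running = in_use_count(f) > 0 and in_rolling_window(f, window_days, now)
        return (not running, -SEVERITY_RANK.get(f.get("severity", ""), 0), -in_use_count(f))
    return sorted(findings, key=key)


def running_images_by_cluster(findings):
    """Map each cluster ARN to the finding ids whose image it runs (uses the hypothetical deployments list)."""
    by_cluster = {}
    for f in findings:
        for dep in image_details(f).get("deployments", []):
            if dep["count"] > 0:
                by_cluster.setdefault(dep["clusterArn"], set()).add(finding_id(f))
    return by_cluster


def finding_id(finding):
    return finding["findingArn"].rsplit("/", 1)[1]


def finding_ids(findings):
    return [finding_id(f) for f in findings]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        d = image_details(f)
        print(finding_id(f), f["severity"], d.get("inUseCount", 0), d.get("lastInUseAt", "-"))
    for arn, ids in running_images_by_cluster(SAMPLE_FINDINGS).items():
        print(arn, sorted(ids))
```

Note the ordering rule: a CRITICAL finding on an image that nothing currently runs (f2) lands below a LOW finding on an image that is serving traffic (f5), which is exactly the reprioritization the runtime mapping is meant to enable. Adjust `window_days` to match the re-scan window you configured in Inspector, otherwise images Inspector has stopped tracking will silently look "not running".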
Cross-Account Visibility:
Amazon Inspector supports single AWS accounts, cross-account scenarios, and AWS Organizations with a delegated administrator. Within the same organization it shares information about images running on containers, and it gives full visibility across many AWS accounts by listing every Amazon EKS and Amazon ECS cluster ARN on which an image is running. Information about deployed EKS pods or ECS tasks is refreshed at least daily as accounts join or leave the organization.
AWS Amazon Inspector Advantages:
Find software flaws
Identify software vulnerabilities and unintended network exposure in near real time across AWS workloads such as Amazon EC2 instances, AWS Lambda functions, and container images in Amazon ECR and in continuous integration and continuous delivery (CI/CD) tooling.
Centrally manage SBOM exports
Centrally manage software bill of materials (SBOM) exports for all monitored resources and bring security into the development cycle early.
Give cleanup first priority
Reduce mean time to remediate (MTTR) by prioritising remediation using the AWS Amazon Inspector risk score.
Increase the coverage of vulnerability assessments
Switch between agent-based and agentless scanning for EC2 instances with ease.
AWS Amazon Inspector Use cases
Find zero-day vulnerabilities in computational workloads quickly
With more than 50 vulnerability intelligence sources, you can automate discovery, speed up vulnerability routing, and reduce MTTR.
Make patch remediation a top priority
Contextual risk scores combine network reachability with current Common Vulnerabilities and Exposures (CVE) data to rank vulnerable resources and fix the most exposed ones first.
Fulfil the standards for compliance
Use AWS Amazon Inspector scans to support NIST CSF, PCI DSS, and other regulatory compliance needs and best practices.
Shift security earlier in the development cycle
Export an aggregated SBOM for monitored resources and integrate vulnerability scanning into your developer tools.
Amazon Inspector Pricing
The new container mapping features are available in all AWS Regions where Amazon Inspector is offered, at no extra charge. Accounts that are new to Amazon Inspector get a free 15-day trial. See the Amazon Inspector pricing page for regional availability and prices.
In short, Amazon Inspector is an automated vulnerability management service that scans a range of AWS workloads. It has recently been enhanced to map container images in Amazon ECR to the ECS tasks and EKS pods running them, adding runtime awareness and cross-account visibility that help prioritize remediation.