
AWS Re-architects Amazon Inspector for Continuous Vulnerability Management

AWS’s November 2021 relaunch of Amazon Inspector delivers continuous EC2, ECR, and Lambda vulnerability scanning with risk-based prioritization and multi-account automation, requiring governance updates, Systems Manager readiness, and integration with remediation workflows.


Executive summary

At AWS re:Invent on 29 November 2021 Amazon launched a redesigned Amazon Inspector that provides continuous vulnerability management for Amazon EC2 instances, container images in Amazon Elastic Container Registry (ECR), and AWS Lambda functions packaged as container images. It replaces the previous scheduled-assessment model with automated discovery, risk-based prioritization, and native multi-account support through AWS Organizations. The relaunch integrates with AWS Security Hub, Amazon EventBridge, and AWS Systems Manager to simplify remediation workflows.

Key capabilities

  • Automated coverage: Inspector auto-discovers EC2 instances and container workloads across accounts/regions once enabled, removing manual target management.
  • Risk scoring: Findings carry an Inspector-specific risk score that combines Common Vulnerability Scoring System (CVSS) data with exploitability and network exposure context, so remediation is prioritized on internet-facing assets.
  • Continuous scanning: EC2 scanning occurs when the AWS Systems Manager agent reports package inventory changes; ECR image scanning happens on push and daily, and Lambda functions packaged as container images are scanned on deployment.
  • Integration ecosystem: Findings route to AWS Security Hub, EventBridge, and SNS for automation, with remediation playbooks through Systems Manager Automation documents.
  • Tag-based targeting: Administrators can scope scanning by resource tags, enabling phased rollouts and cost control.

Architecture considerations

Infrastructure architects and platform teams should evaluate the architectural implications of this development:

  • Integration patterns: Assess how this component integrates with existing infrastructure services and data flows. Identify required API changes, protocol updates, or middleware modifications.
  • Scalability impact: Evaluate whether this change affects horizontal or vertical scalability characteristics. Plan for capacity adjustments and update auto-scaling policies as needed.
  • High availability: Review redundancy and failover configurations to ensure continued resilience. Update health check mechanisms and failover procedures to reflect new deployment characteristics.
  • Data persistence: If applicable, assess data migration, backup compatibility, and storage requirements associated with this change. Validate data integrity across upgrade paths.

Document architectural decisions and update reference architectures to guide future deployments and ensure organizational consistency.

Operational benefits

Continuous scanning reduces blind spots caused by periodic assessments, improves time-to-detect for high-severity vulnerabilities, and provides unified dashboards across environments. The new console features coverage statistics, vulnerability trends, and suppression controls to manage known exceptions.

Implementation roadmap

  1. Account onboarding: Enable Inspector in the management account, delegate an administrator account, and auto-enable member accounts via AWS Organizations. Verify necessary IAM permissions and service-linked roles.
  2. Agent readiness: Ensure EC2 instances run the latest AWS Systems Manager agent with patching and inventory features enabled. Configure VPC endpoints or internet access for agent communications.
  3. Tag strategy: Define resource tags for business units, environments, and criticality to control scanning scope and reporting segmentation.
  4. Integration setup: Connect Inspector findings to AWS Security Hub, EventBridge rules, ticketing systems (ServiceNow, Jira), and chat ops channels via AWS Lambda or Step Functions.
  5. Remediation automation: Develop Systems Manager Automation runbooks to patch EC2 packages, trigger container rebuilds, or roll out updated Lambda images. Implement approval workflows for production environments.
  6. Governance: Document policies covering finding triage, suppression criteria, remediation SLAs, and exception management. Align with existing vulnerability management frameworks.

Controls and monitoring

  • Coverage metrics: Track percentage of EC2 instances, ECR repositories, and Lambda functions enrolled. Monitor non-compliant resources lacking Systems Manager connectivity.
  • Finding management: Measure time-to-triage, time-to-remediate, and backlog of critical/high findings. Use dashboards to highlight trends by team or application.
  • Cost oversight: Review Inspector usage reports and cost allocation tags. Optimize by disabling scanning on ephemeral development accounts when appropriate.
  • Security integration: Correlate Inspector findings with AWS Config rules, GuardDuty alerts, and patch management status to prioritize actions.
  • Compliance evidence: Archive finding reports, remediation logs, and approval records for audits (SOC 2, ISO 27001, PCI DSS).
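The coverage and finding-management metrics above are straightforward to compute once the coverage list and the findings are exported. The following is an added example for this briefing, not AWS code. The coverage records mirror the shape of the Inspector2 ListCoverage API as understood here (resourceType, resourceId, scanStatus.statusCode and scanStatus.reason) and the findings mirror the Finding object (severity, status, firstObservedAt, updatedAt); all records are constructed, the reason codes treated as Systems Manager gaps are this example's own selection, and using updatedAt as the closure time of a CLOSED finding is an assumption.

```python
"""Coverage and finding-backlog metrics for an Amazon Inspector deployment.

Added example, not AWS code. Record shapes follow ListCoverage and the
Finding object as understood here; all sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed records shaped like ListCoverage "coveredResources" entries.
COVERAGE = [
    {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0a", "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0b", "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"}},
    {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0c", "scanStatus": {"statusCode": "INACTIVE", "reason": "NO_INVENTORY"}},
    {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0d", "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    {"resourceType": "AWS_ECR_REPOSITORY", "resourceId": "app/api", "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    {"resourceType": "AWS_LAMBDA_FUNCTION", "resourceId": "example-fn", "scanStatus": {"statusCode": "INACTIVE", "reason": "EXCLUDED_BY_TAG"}},
]

# Constructed findings with the fields needed for backlog and MTTR (placeholder timestamps).
FINDINGS = [
    {"severity": "CRITICAL", "status": "ACTIVE", "firstObservedAt": "2021-12-01T00:00:00Z", "updatedAt": "2021-12-01T00:00:00Z"},
    {"severity": "HIGH", "status": "ACTIVE", "firstObservedAt": "2021-12-01T00:00:00Z", "updatedAt": "2021-12-01T00:00:00Z"},
    {"severity": "HIGH", "status": "CLOSED", "firstObservedAt": "2021-12-01T00:00:00Z", "updatedAt": "2021-12-03T00:00:00Z"},
    {"severity": "CRITICAL", "status": "CLOSED", "firstObservedAt": "2021-12-01T00:00:00Z", "updatedAt": "2021-12-02T00:00:00Z"},
    {"severity": "LOW", "status": "SUPPRESSED", "firstObservedAt": "2021-12-01T00:00:00Z", "updatedAt": "2021-12-01T00:00:00Z"},
]

# Reason codes this example treats as "instance is not reporting to Systems Manager"
# (assumed selection; check the current reason list in the Inspector documentation).
SSM_GAP_REASONS = {"UNMANAGED_EC2_INSTANCE", "NO_INVENTORY", "STALE_INVENTORY"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def coverage_by_type(records):
    """Return {resourceType: {"active": n, "total": n, "percent": p}}."""
    stats = defaultdict(lambda: {"active": 0, "total": 0})
    for r in records:
        s = stats[r["resourceType"]]
        s["total"] += 1
        if r["scanStatus"]["statusCode"] == "ACTIVE":
            s["active"] += 1
    for s in stats.values():
        s["percent"] = round(100.0 * s["active"] / s["total"], 1)
    return dict(stats)


def ssm_gaps(records):
    """EC2 instances Inspector cannot assess because Systems Manager is not reporting."""
    return sorted(
        (r["resourceId"], r["scanStatus"]["reason"])
        for r in records
        if r["resourceType"] == "AWS_EC2_INSTANCE"
        and r["scanStatus"]["statusCode"] == "INACTIVE"
        and r["scanStatus"]["reason"] in SSM_GAP_REASONS
    )


def open_backlog(findings):
    """Count ACTIVE findings by severity; CLOSED and SUPPRESSED are excluded."""
    counts = {}
    for f in findings:
        if f["status"] == "ACTIVE":
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def mean_time_to_remediate_hours(findings, severities=("CRITICAL", "HIGH")):
    """Average hours from first observation to closure over CLOSED findings.

    Assumption: updatedAt on a CLOSED finding approximates when it was closed.
    Returns None when nothing has been closed yet.
    """
    durations = [
        (_ts(f["updatedAt"]) - _ts(f["firstObservedAt"])).total_seconds() / 3600
        for f in findings
        if f["status"] == "CLOSED" and f["severity"] in severities
    ]
    return round(sum(durations) / len(durations), 1) if durations else None


if __name__ == "__main__":
    print(coverage_by_type(COVERAGE))
    print(ssm_gaps(COVERAGE))
    print(open_backlog(FINDINGS), mean_time_to_remediate_hours(FINDINGS))
```

Splitting coverage by resource type matters because the remediation path differs: an INACTIVE EC2 instance is usually a Systems Manager connectivity problem for the platform team, whereas an INACTIVE Lambda function or repository is a configuration or exclusion decision for the security team.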

Pricing and coverage planning

The redesigned Inspector bills per resource scan-hour with tiered rates for EC2 instances and per-image fees for ECR repositories, with volume discounts applied automatically across an organization. Budgeting teams should model expected usage by analyzing EC2 fleet size, container build frequency, and Lambda deployment cadence. Apply cost allocation tags to Inspector usage reports and integrate them into chargeback processes.

Security operations integration

Align Inspector with vulnerability management frameworks such as CIS Controls (Control 7) and NIST CSF (Detect). Define severity-based SLAs (for example, remediate critical findings within 48 hours) and configure Security Hub insights or EventBridge rules to escalate breaches automatically. Use AWS Chatbot or Slack integrations to surface high-risk findings to on-call engineers.

Compliance and evidence management

Generate periodic reports summarizing coverage, outstanding findings, suppression justifications, and remediation actions. Store evidence in GRC platforms (ServiceNow GRC, Archer) to support audits for PCI DSS Requirement 6, ISO 27001 A.12.6, or SOC 2 CC7.

Advanced automation patterns

  • Patch orchestration: Combine Inspector with Systems Manager Patch Manager to auto-approve patches when corresponding vulnerabilities are detected, using maintenance windows to govern rollout.
  • Container pipeline enforcement: Integrate Inspector scanning results with AWS CodeBuild/CodePipeline, failing builds if critical vulnerabilities exceed thresholds.
  • Quarantine workflows: Use EventBridge to trigger Lambda functions that isolate compromised instances by modifying security groups or stopping instances when high-risk findings remain unresolved beyond SLA.

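The container pipeline enforcement pattern reduces to a gate that compares an image's findings against per-severity thresholds, while honouring the suppressions the governance policy has approved. The following is an added example for this briefing, not AWS, CodeBuild or CodePipeline code. It assumes findings have been exported as a list of records with vulnerabilityId, severity and fixAvailable (the shape is this example's own), that exceptions are kept in a register keyed by vulnerability id with a justification and an expiry date (also this example's format), and the thresholds and the CVE-EXAMPLE-* identifiers are constructed placeholders.

```python
"""Pipeline gate over Amazon Inspector findings for a container image.

Added example, not AWS or CodeBuild code. Record shape, exception register
format, thresholds and vulnerability ids are constructed for illustration.
"""
import sys
from datetime import date

# Maximum unsuppressed findings tolerated per severity (assumed policy).
THRESHOLDS = {"CRITICAL": 0, "HIGH": 5}

# Exception register: vulnerability id -> (justification, expiry date).
# Assumed format; the ids are placeholders, not real CVEs.
EXCEPTIONS = {
    "CVE-EXAMPLE-0001": ("package only present in the build stage", date(2022, 3, 1)),
    "CVE-EXAMPLE-0002": ("vendor fix pending; compensating control in place", date(2021, 12, 1)),
}

# Constructed findings for one image.
FINDINGS = [
    {"vulnerabilityId": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "fixAvailable": "NO"},
    {"vulnerabilityId": "CVE-EXAMPLE-0002", "severity": "CRITICAL", "fixAvailable": "YES"},
    {"vulnerabilityId": "CVE-EXAMPLE-0003", "severity": "HIGH", "fixAvailable": "YES"},
    {"vulnerabilityId": "CVE-EXAMPLE-0004", "severity": "HIGH", "fixAvailable": "NO"},
    {"vulnerabilityId": "CVE-EXAMPLE-0005", "severity": "MEDIUM", "fixAvailable": "YES"},
]


def evaluate(findings, exceptions, today, thresholds=THRESHOLDS):
    """Apply suppressions, count what remains, and compare against thresholds.

    An exception only suppresses a finding while it has not expired; an expired
    exception is reported separately so the register can be cleaned up.
    """
    counts = {}
    suppressed, expired = [], []
    for f in findings:
        vid = f["vulnerabilityId"]
        if vid in exceptions:
            _justification, expiry = exceptions[vid]
            if today <= expiry:
                suppressed.append(vid)
                continue
            expired.append(vid)  # exception lapsed: the finding counts again
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    violations = [
        "%s: %d found, %d allowed" % (sev, counts.get(sev, 0), limit)
        for sev, limit in thresholds.items()
        if counts.get(sev, 0) > limit
    ]
    return {
        "pass": not violations,
        "counts": counts,
        "violations": violations,
        "suppressed": suppressed,
        "expired_exceptions": expired,
    }


if __name__ == "__main__":
    # Non-zero exit fails the build step that runs this script.
    result = evaluate(FINDINGS, EXCEPTIONS, date.today())
    print(result)
    sys.exit(0 if result["pass"] else 1)
```

Keeping expiry dates on exceptions is what turns a suppression list into the "exception management" the governance step asks for: the gate starts failing again on the day an exception lapses, instead of silently carrying a stale suppression forever.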
Delegated administration

Designate a central security account as the delegated administrator for Inspector and document onboarding runbooks for new member accounts. Enforce guardrails through AWS Service Control Policies to ensure Inspector cannot be disabled without change approval.
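A Service Control Policy of the kind described above can be expressed as follows. This is an added example for this briefing, not an AWS-published policy; the role name SecurityChangeApprover is a placeholder for whatever principal the change-approval process uses, and the three inspector2 actions listed are the ones that turn scanning off, remove the delegated administrator, or detach a member account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingInspectorOutsideChangeApproval",
      "Effect": "Deny",
      "Action": [
        "inspector2:Disable",
        "inspector2:DisableDelegatedAdminAccount",
        "inspector2:DisassociateMember"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityChangeApprover"
        }
      }
    }
  ]
}
```

Attach the SCP to the organizational units that contain member accounts. SCPs do not apply to the management account itself, so the delegated-administrator model (scanning administered from a member account, not the management account) is what makes this guardrail effective; pair it with an AWS Config or CloudTrail alert on any of the three actions so an attempted change is visible even when it is denied.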

Governance and policy alignment

Update corporate vulnerability management policies to reference Inspector’s continuous assessment model, specifying onboarding procedures for new accounts, asset discovery cadence, and exception handling workflows. Align tagging standards with configuration management databases so governance teams can reconcile Inspector coverage against asset inventories and accelerate remediation reporting.

Metrics and continuous improvement

Expand dashboards to track vulnerability density (findings per asset), mean time to remediate, recurring vulnerability patterns, and compliance with SLA targets. Perform quarterly effectiveness reviews comparing Inspector findings with results from third-party scanners to ensure coverage completeness, documenting remediation outcomes and lessons learned.

Stakeholder communication

Coordinate regular briefings with application owners, infrastructure teams, and compliance officers to review Inspector metrics, agree on remediation priorities, and capture feedback on noise or workflow friction. Document decisions and improvement actions to show governance maturity.

Future roadmap considerations

Monitor AWS updates for additional resource types (Amazon ECS Fargate tasks, AWS Outposts) and new detection packages. Evaluate how Inspector findings can feed into enterprise vulnerability management systems (Qualys, Tenable) via API integrations, ensuring centralized reporting across multi-cloud environments.

Best practices

Combine Inspector with Infrastructure as Code pipelines to block deployments of vulnerable container images, enforce patch baselines using Systems Manager Patch Manager, and integrate with AWS CodePipeline or GitHub Actions for automated rebuilds. Provide development teams with self-service dashboards and alerting to foster shared responsibility, and incorporate Inspector workflows into onboarding training for engineers and security analysts.

Strategic outlook

AWS plans to extend Inspector coverage and integrate with additional services (for example, Amazon ECS tasks on Fargate). Teams should evaluate how Inspector complements third-party vulnerability tools, ensuring consistent policy enforcement across hybrid and multi-cloud environments.
