
AWS Re-architects Amazon Inspector for Continuous Vulnerability Management

AWS’s November 2021 relaunch of Amazon Inspector delivers continuous EC2, ECR, and Lambda vulnerability scanning with risk-based prioritisation and multi-account automation, requiring governance updates, Systems Manager readiness, and integration with remediation workflows.


Executive summary. At AWS re:Invent on 29 November 2021 Amazon launched a redesigned Amazon Inspector that provides continuous vulnerability management for Amazon EC2, container images in Amazon Elastic Container Registry (ECR), and AWS Lambda functions with container packaging, replacing the previous assessment scheduling model with automated discovery, risk-based prioritisation, and native multi-account support through AWS Organizations.[1] The relaunch integrates with AWS Security Hub, Amazon EventBridge, and AWS Systems Manager to streamline remediation workflows.

Key capabilities.

  • Automated coverage: Inspector auto-discovers EC2 instances and container workloads across accounts/regions once enabled, removing manual target management.[2]
  • Risk scoring: Findings use a novel risk score combining Common Vulnerability Scoring System (CVSS) data with exploitability and network exposure context, prioritising remediation on internet-facing assets.
  • Continuous scanning: EC2 scanning occurs when the AWS Systems Manager agent reports package inventory changes; ECR image scanning happens on push and daily, and Lambda functions packaged as container images are scanned on deployment.
  • Integration ecosystem: Findings route to AWS Security Hub, EventBridge, and SNS for automation, with remediation playbooks through Systems Manager Automation documents.
  • Tag-based targeting: Administrators can scope scanning by resource tags, enabling phased rollouts and cost control.

Operational benefits. Continuous scanning reduces blind spots caused by periodic assessments, improves time-to-detect for high-severity vulnerabilities, and provides unified dashboards across environments. The new console features coverage statistics, vulnerability trends, and suppression controls to manage known exceptions.

Implementation roadmap.

  1. Account onboarding: Enable Inspector in the management account, delegate an administrator account, and auto-enable member accounts via AWS Organizations. Verify necessary IAM permissions and service-linked roles.
  2. Agent readiness: Ensure EC2 instances run the latest AWS Systems Manager agent with patching and inventory features enabled. Configure VPC endpoints or internet access for agent communications.
  3. Tag strategy: Define resource tags for business units, environments, and criticality to control scanning scope and reporting segmentation.
  4. Integration setup: Connect Inspector findings to AWS Security Hub, EventBridge rules, ticketing systems (ServiceNow, Jira), and ChatOps channels via AWS Lambda or Step Functions.
  5. Remediation automation: Develop Systems Manager Automation runbooks to patch EC2 packages, trigger container rebuilds, or roll out updated Lambda images. Implement approval workflows for production environments.
  6. Governance: Document policies covering finding triage, suppression criteria, remediation SLAs, and exception management. Align with existing vulnerability management frameworks.

Controls and monitoring.

  • Coverage metrics: Track percentage of EC2 instances, ECR repositories, and Lambda functions enrolled. Monitor non-compliant resources lacking Systems Manager connectivity.
  • Finding management: Measure time-to-triage, time-to-remediate, and backlog of critical/high findings. Use dashboards to highlight trends by team or application.
  • Cost oversight: Review Inspector usage reports and cost allocation tags. Optimise by disabling scanning on ephemeral development accounts when appropriate.
  • Security integration: Correlate Inspector findings with AWS Config rules, GuardDuty alerts, and patch management status to prioritise actions.
  • Compliance evidence: Archive finding reports, remediation logs, and approval records for audits (SOC 2, ISO 27001, PCI DSS).

Pricing and coverage planning. The redesigned Inspector bills per resource scan-hour with tiered rates for EC2 instances and per-image fees for ECR repositories, with volume discounts applied automatically across an organisation.[3] Budgeting teams should model expected usage by analysing EC2 fleet size, container build frequency, and Lambda deployment cadence. Apply cost allocation tags to Inspector usage reports and integrate them into chargeback processes.

Security operations integration. Align Inspector with vulnerability management frameworks such as CIS Controls (Control 7) and NIST CSF (Detect). Define severity-based SLAs (e.g., remediate critical findings within 48 hours) and configure Security Hub insights or EventBridge rules to escalate breaches automatically. Use AWS Chatbot or Slack integrations to surface high-risk findings to on-call engineers.

Compliance and evidence management. Generate periodic reports summarising coverage, outstanding findings, suppression justifications, and remediation actions. Store evidence in GRC platforms (ServiceNow GRC, Archer) to support audits for PCI DSS Requirement 6, ISO 27001 A.12.6, or SOC 2 CC7.

Advanced automation patterns.

  • Patch orchestration: Combine Inspector with Systems Manager Patch Manager to auto-approve patches when corresponding vulnerabilities are detected, using maintenance windows to govern rollout.
  • Container pipeline enforcement: Integrate Inspector scanning results with AWS CodeBuild/CodePipeline, failing builds if critical vulnerabilities exceed thresholds.
  • Quarantine workflows: Use EventBridge to trigger Lambda functions that isolate affected instances by modifying security groups or stopping instances when high-risk findings remain unresolved beyond SLA.
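As an added example (not AWS code and not from the cited sources), the severity-based SLA escalation described under security operations integration and the build gate from the container pipeline pattern above, applied to constructed Inspector finding payloads. The 48-hour critical SLA is the briefing's figure; the other SLA values, the priority weights, the threshold defaults and the sample findings are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Remediation SLA per Inspector severity, in hours. The 48 h critical target is
# the one the briefing gives; the other values are illustrative assumptions.
SLA_HOURS = {"CRITICAL": 48, "HIGH": 168, "MEDIUM": 720, "LOW": 2160}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def triage(finding, now):
    """Escalation record for one finding payload (the 'detail' of an EventBridge
    'Inspector2 Finding' event; timestamps are ISO-8601 with a trailing Z)."""
    sev = finding["severity"]
    first_seen = datetime.fromisoformat(finding["firstObservedAt"].replace("Z", "+00:00"))
    deadline = first_seen + timedelta(hours=SLA_HOURS.get(sev, 8760))
    exploit = finding.get("exploitAvailable") == "YES"
    fix = finding.get("fixAvailable") == "YES"
    return {
        "arn": finding["findingArn"],
        "severity": sev,
        "sla_deadline": deadline.isoformat(),
        # Suppressed and closed findings never breach an SLA.
        "sla_breached": finding["status"] == "ACTIVE" and now > deadline,
        # Work exploitable, fixable findings of the highest severity first.
        "priority": SEVERITY_RANK.get(sev, 0) * 10 + 5 * exploit + 2 * fix,
    }

def escalation_queue(findings, now):
    """Active findings past their SLA, highest priority first, for paging on-call."""
    queue = [t for t in (triage(f, now) for f in findings) if t["sla_breached"]]
    return sorted(queue, key=lambda t: t["priority"], reverse=True)

def gate_image(findings, max_critical=0, max_high=5):
    """Pipeline gate over one ECR image's findings: True lets the build proceed."""
    counts = {"CRITICAL": 0, "HIGH": 0}
    for f in findings:
        if f["status"] == "ACTIVE" and f["severity"] in counts:
            counts[f["severity"]] += 1
    return counts["CRITICAL"] <= max_critical and counts["HIGH"] <= max_high

def sample(n, sev, status, exploit, first_seen, rtype):
    """Constructed finding payload trimmed to the fields used here; IDs are placeholders."""
    return {"findingArn": f"arn:aws:inspector2:us-east-1:111122223333:finding/ex{n}",
            "severity": sev, "status": status, "exploitAvailable": exploit,
            "fixAvailable": "YES", "firstObservedAt": first_seen,
            "resources": [{"type": rtype, "id": "EXAMPLE"}]}

SAMPLE = [sample(1, "CRITICAL", "ACTIVE", "YES", "2021-12-01T08:00:00Z", "AWS_EC2_INSTANCE"),
          sample(2, "HIGH", "ACTIVE", "NO", "2021-12-03T10:00:00Z", "AWS_ECR_CONTAINER_IMAGE"),
          sample(3, "CRITICAL", "SUPPRESSED", "NO", "2021-11-20T00:00:00Z", "AWS_ECR_CONTAINER_IMAGE")]
NOW = datetime(2021, 12, 4, tzinfo=timezone.utc)
```

Running `escalation_queue(SAMPLE, NOW)` returns only the critical EC2 finding (its 48-hour window expired on 3 December), while the suppressed critical finding is ignored both by the queue and by `gate_image`.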

Delegated administration. Designate a central security account as the delegated administrator for Inspector and document onboarding runbooks for new member accounts.[2] Enforce guardrails through AWS Service Control Policies to ensure Inspector cannot be disabled without change approval.

Governance and policy alignment. Update corporate vulnerability management policies to reference Inspector’s continuous assessment model, specifying onboarding procedures for new accounts, asset discovery cadence, and exception handling workflows. Align tagging standards with configuration management databases so governance teams can reconcile Inspector coverage against asset inventories and accelerate remediation reporting.

Metrics and continuous improvement. Expand dashboards to track vulnerability density (findings per asset), mean time to remediate, recurring vulnerability patterns, and compliance with SLA targets. Perform quarterly effectiveness reviews comparing Inspector findings with results from third-party scanners to ensure coverage completeness, documenting remediation outcomes and lessons learned.

Stakeholder engagement. Coordinate regular briefings with application owners, infrastructure teams, and compliance officers to review Inspector metrics, agree on remediation priorities, and capture feedback on noise or workflow friction. Document decisions and improvement actions to demonstrate governance maturity.

Future roadmap considerations. Monitor AWS updates for additional resource types (Amazon ECS Fargate tasks, AWS Outposts) and new detection packages. Evaluate how Inspector findings can feed into enterprise vulnerability management systems (Qualys, Tenable) via API integrations, ensuring centralised reporting across multi-cloud environments.

Best practices. Combine Inspector with Infrastructure as Code pipelines to block deployments of vulnerable container images, enforce patch baselines using Systems Manager Patch Manager, and integrate with AWS CodePipeline or GitHub Actions for automated rebuilds. Provide development teams with self-service dashboards and alerting to foster shared responsibility, and incorporate Inspector workflows into onboarding training for engineers and security analysts.

Strategic outlook. AWS plans to extend Inspector coverage and integrate with additional services (e.g., Amazon ECS tasks on Fargate). Organisations should evaluate how Inspector complements third-party vulnerability tools, ensuring consistent policy enforcement across hybrid and multi-cloud environments.
