
Infrastructure · Credibility 88/100 · 1 min read

AWS Re-architects Amazon Inspector for Continuous Vulnerability Management

At re:Invent 2021, on November 29, 2021, AWS introduced a redesigned Amazon Inspector that adds continuous EC2 and container image scanning, Amazon ECR integration, and risk-based prioritization, all managed centrally through AWS Organizations.

Executive briefing: During AWS re:Invent, on November 29, 2021, Amazon launched the new Amazon Inspector, a fully re-architected service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure. The relaunch unifies EC2 assessments (using the AWS Systems Manager Agent rather than a dedicated Inspector agent) and ECR container image scanning under automated activation, multi-account management, and risk-based findings.

Key enhancements

  • Continuous scanning. Inspector now discovers and scans EC2 instances automatically, rescanning when an instance launches, when its software inventory changes, and when new CVEs are published, and it integrates directly with Amazon ECR to scan container images on push and on new CVE data.
  • Automated coverage. One-click enrollment discovers eligible accounts and resources via AWS Organizations; EC2 coverage relies on the Systems Manager Agent already present on most instances, so no separate Inspector agent has to be rolled out.
  • Risk scoring. Each finding carries an Inspector score that adjusts the CVSS base score with exploitability data, network exposure, and environmental context such as AWS Systems Manager patch state, so that reachable, exploitable, fixable CVEs surface first.

Implementation guidance

  • Designate a delegated administrator account, enable Inspector for EC2 and ECR across every account in the AWS Organization, and route findings through Amazon EventBridge rules (Inspector publishes them as "Inspector2 Finding" events) to SNS, Security Hub, or remediation automation.
  • Map Inspector findings to remediation automation: gate on status, severity or Inspector score, and fix availability, then target EC2 instances with AWS Systems Manager Patch Manager and container images with an image rebuild, or hand off to third-party ticketing connectors.
  • Use the new coverage reporting to verify that every instance and registry is actually being scanned (a missing or unhealthy SSM Agent leaves an instance uncovered) and to capture network reachability baselines during compliance audits.
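The triage step in the guidance above, worked through in code. This is an added example, not AWS sample code or part of the original briefing. It assumes the finding shape Amazon Inspector publishes to EventBridge (source `aws.inspector2`, detail-type `Inspector2 Finding`, with `type`, `status`, `severity`, `inspectorScore`, `fixAvailable`, `resources`, and `networkReachabilityDetails` fields); the events, instance IDs, account numbers and image ARN below are constructed, the `MIN_INSPECTOR_SCORE` threshold is an assumed organizational policy, and the Patch Manager call is built as a dict rather than sent so the example runs offline.

```python
"""Triage Amazon Inspector findings delivered through EventBridge.

Added example (not AWS code). Assumes the Inspector2 EventBridge finding
schema; all sample data below is constructed.
"""
from dataclasses import dataclass, field

PATCH_SEVERITIES = {"CRITICAL", "HIGH"}
MIN_INSPECTOR_SCORE = 7.0  # assumption: org-specific threshold, tune per risk appetite


@dataclass
class TriageResult:
    patch_instances: set = field(default_factory=set)   # EC2 IDs for Patch Manager (deduplicated)
    rebuild_images: set = field(default_factory=set)    # ECR image ARNs that need a rebuild
    network_review: list = field(default_factory=list)  # (resource id, (begin, end), protocol)
    deferred: list = field(default_factory=list)        # (finding ARN, reason)


def triage_finding(finding: dict, result: TriageResult) -> str:
    """Route one Inspector finding into the result buckets; returns the action taken."""
    arn = finding.get("findingArn", "<no-arn>")
    if finding.get("status") != "ACTIVE":  # SUPPRESSED / CLOSED findings need no action
        result.deferred.append((arn, "not active"))
        return "deferred"
    resource = (finding.get("resources") or [{}])[0]
    ftype = finding.get("type")
    if ftype == "NETWORK_REACHABILITY":
        details = finding.get("networkReachabilityDetails", {})
        port = details.get("openPortRange", {})
        result.network_review.append(
            (resource.get("id"), (port.get("begin"), port.get("end")), details.get("protocol")))
        return "network_review"
    if ftype != "PACKAGE_VULNERABILITY":
        result.deferred.append((arn, f"unhandled type {ftype}"))
        return "deferred"
    # Risk gate: severity label OR Inspector score must cross the bar, and a fix must exist.
    score = float(finding.get("inspectorScore") or 0.0)
    if finding.get("severity") not in PATCH_SEVERITIES and score < MIN_INSPECTOR_SCORE:
        result.deferred.append((arn, "below risk threshold"))
        return "deferred"
    if finding.get("fixAvailable") != "YES":  # "NO" or "PARTIAL": patching will not close it
        result.deferred.append((arn, f"fixAvailable={finding.get('fixAvailable')}"))
        return "deferred"
    rtype = resource.get("type")
    if rtype == "AWS_EC2_INSTANCE":
        result.patch_instances.add(resource["id"])
        return "patch"
    if rtype == "AWS_ECR_CONTAINER_IMAGE":
        result.rebuild_images.add(resource["id"])
        return "rebuild"
    result.deferred.append((arn, f"unhandled resource {rtype}"))
    return "deferred"


def triage_events(events: list) -> TriageResult:
    """Process a batch of EventBridge events, ignoring anything not from Inspector."""
    result = TriageResult()
    for ev in events:
        if ev.get("source") == "aws.inspector2" and ev.get("detail-type") == "Inspector2 Finding":
            triage_finding(ev["detail"], result)
    return result


def patch_command(result: TriageResult) -> dict:
    """Arguments for SSM SendCommand against the AWS-managed AWS-RunPatchBaseline document.
    Returned as a dict (pass to boto3 ssm.send_command(**cmd)) instead of being sent here."""
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "InstanceIds": sorted(result.patch_instances),
        "Parameters": {"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]},
    }


def _ev(detail: dict) -> dict:  # wrap a constructed finding as an EventBridge event
    return {"source": "aws.inspector2", "detail-type": "Inspector2 Finding", "detail": detail}


ACCT = "111122223333"  # constructed account id
EC2_A, EC2_B = "i-0123456789abcdef0", "i-0fedcba9876543210"  # constructed instance ids
IMG = f"arn:aws:ecr:us-east-1:{ACCT}:repository/web-app/sha256:deadbeef"  # constructed
PKG = {"vulnerabilityId": "CVE-0000-0000"}  # placeholder, not a real CVE

SAMPLE_EVENTS = [  # constructed sample batch
    _ev({"findingArn": "arn:f1", "type": "PACKAGE_VULNERABILITY", "status": "ACTIVE", "severity": "CRITICAL",
         "inspectorScore": 9.8, "fixAvailable": "YES", "packageVulnerabilityDetails": PKG,
         "resources": [{"type": "AWS_EC2_INSTANCE", "id": EC2_A}]}),
    _ev({"findingArn": "arn:f2", "type": "PACKAGE_VULNERABILITY", "status": "ACTIVE", "severity": "MEDIUM",
         "inspectorScore": 7.5, "fixAvailable": "YES", "packageVulnerabilityDetails": PKG,
         "resources": [{"type": "AWS_EC2_INSTANCE", "id": EC2_A}]}),  # same host: deduplicated
    _ev({"findingArn": "arn:f3", "type": "PACKAGE_VULNERABILITY", "status": "ACTIVE", "severity": "HIGH",
         "inspectorScore": 8.1, "fixAvailable": "PARTIAL", "resources": [{"type": "AWS_EC2_INSTANCE", "id": EC2_B}]}),
    _ev({"findingArn": "arn:f4", "type": "PACKAGE_VULNERABILITY", "status": "ACTIVE", "severity": "LOW",
         "inspectorScore": 3.1, "fixAvailable": "YES", "resources": [{"type": "AWS_EC2_INSTANCE", "id": EC2_B}]}),
    _ev({"findingArn": "arn:f5", "type": "NETWORK_REACHABILITY", "status": "ACTIVE", "severity": "MEDIUM",
         "networkReachabilityDetails": {"openPortRange": {"begin": 22, "end": 22}, "protocol": "TCP"},
         "resources": [{"type": "AWS_EC2_INSTANCE", "id": EC2_B}]}),
    _ev({"findingArn": "arn:f6", "type": "PACKAGE_VULNERABILITY", "status": "ACTIVE", "severity": "HIGH",
         "inspectorScore": 8.8, "fixAvailable": "YES", "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": IMG}]}),
    _ev({"findingArn": "arn:f7", "type": "PACKAGE_VULNERABILITY", "status": "CLOSED", "severity": "CRITICAL",
         "inspectorScore": 9.9, "fixAvailable": "YES", "resources": [{"type": "AWS_EC2_INSTANCE", "id": EC2_B}]}),
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {}},  # ignored
]

if __name__ == "__main__":
    res = triage_events(SAMPLE_EVENTS)
    print("patch:", patch_command(res))
    print("rebuild:", sorted(res.rebuild_images))
    print("network review:", res.network_review)
    print("deferred:", res.deferred)
```

The gate deliberately treats `fixAvailable` of `PARTIAL` the same as `NO`: running Patch Manager against such a host would churn without closing the finding, so it is queued for human review instead. Network reachability findings never feed the patch path, since the fix there is a security group or route change, not a package update. In production the handler would be the target of the EventBridge rule and would call `ssm.send_command(**patch_command(res))`; the coverage report mentioned above is how you confirm that hosts missing from these results are genuinely clean rather than simply unscanned.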
  • Amazon Inspector
  • AWS vulnerability management
  • Cloud security
  • Container security