AWS INSPECTOR | Finding Vulnerabilities On EC2 Instance Using Amazon Inspector

Introduction

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.


Table of contents

  • Benefits of AWS Inspector
  • Amazon Inspector supported operating systems and Regions
  • AWS Inspector service limits
  • AWS Inspector Agent Classic
  • AWS Inspector Agent Rearchitected
  • AWS Inspector Pricing
  • Finding vulnerabilities on EC2 instance using Amazon Inspector

Benefits of AWS Inspector

IDENTIFY APPLICATION SECURITY ISSUES :- Amazon Inspector helps you to identify security vulnerabilities as well as deviations from security best practices in applications, both before they are deployed, and while they are running in a production environment. This helps improve the overall security posture of your applications deployed on AWS.

INTEGRATE SECURITY INTO DEVOPS :- Amazon Inspector is an API-driven service that analyzes network configurations in your AWS account and uses an optional agent for visibility into your Amazon EC2 instances. This makes it easy for you to build Inspector assessments right into your existing DevOps process, decentralizing and automating vulnerability assessments, and empowering your development and operations teams to make security assessments an integral part of the deployment process.

INCREASE DEVELOPMENT AGILITY :- Amazon Inspector helps you reduce the risk of introducing security issues during development and deployment by automating the security assessment of your applications and proactively identifying vulnerabilities. This allows you to develop and iterate on new applications quickly and assess compliance with best practices and policies.

LEVERAGE AWS SECURITY EXPERTISE :- The AWS security organization is continuously assessing the AWS environment and updating a knowledge base of security best practices and rules. Amazon Inspector makes this expertise available to you in the form of a service that simplifies the process of establishing and enforcing best practices within your AWS environment.

STREAMLINE SECURITY COMPLIANCE :- Amazon Inspector gives security teams and auditors visibility into the security testing that is being performed during development of applications on AWS. This streamlines the process of validating and demonstrating that security and compliance standards and best practices are being followed throughout the development process.

ENFORCE SECURITY STANDARDS :- Amazon Inspector allows you to define standards and best practices for your applications and validate adherence to these standards. This simplifies enforcement of your organization’s security standards and best practices, and helps to proactively manage security issues before they impact your production application.

Amazon Inspector supported operating systems and Regions

Before moving on to the Amazon Inspector agent, we should first know which operating systems and Regions AWS supports for this service. Below I have listed the currently supported stack, but make sure to check the official documentation here.

You can use the Amazon Inspector agent on 64-bit x86 and Arm EC2 instances. The agent is compatible with the following versions of Linux-based operating systems:

64-bit x86 instances

  • Amazon Linux 2
  • Amazon Linux (2018.03, 2017.09, 2017.03, 2016.09, 2016.03, 2015.09, 2015.03, 2014.09, 2014.03, 2013.09, 2013.03, 2012.09, 2012.03)
  • Ubuntu (20.04 LTS, 18.04 LTS, 16.04 LTS, 14.04 LTS)
  • Debian (10.x, 9.0 - 9.5, 8.0 - 8.7)
  • Red Hat Enterprise Linux (8.x, 7.2 - 7.x, 6.2 - 6.9)
  • CentOS (7.2 - 7.x, 6.2 - 6.9)

Arm instances

  • Amazon Linux 2
  • Red Hat Enterprise Linux (7.6 - 7.x)
  • Ubuntu (18.04 LTS, 16.04 LTS)

Supported Windows-based operating systems for the Amazon Inspector agent :- You can use the Amazon Inspector agent only on EC2 instances that run the 64-bit version of the following Windows-based operating systems:

  • Windows Server 2019 Base
  • Windows Server 2016 Base
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

Supported AWS Regions :- Amazon Inspector is supported in the following AWS Regions:

  • US East (Ohio) us-east-2
  • US East (N. Virginia) us-east-1
  • US West (N. California) us-west-1
  • US West (Oregon) us-west-2
  • Asia Pacific (Mumbai) ap-south-1
  • Asia Pacific (Seoul) ap-northeast-2
  • Asia Pacific (Sydney) ap-southeast-2
  • Asia Pacific (Tokyo) ap-northeast-1
  • Europe (Frankfurt) eu-central-1
  • Europe (Ireland) eu-west-1
  • Europe (London) eu-west-2
  • Europe (Stockholm) eu-north-1
  • AWS GovCloud (US-East) us-gov-east-1
  • AWS GovCloud (US-West) us-gov-west-1

AWS Inspector service limits

AWS Inspector has predefined service limits for the different resources you can use. They fall into four major categories:

  • Number of instances in a running assessment
  • Number of assessment runs
  • Number of assessment templates per assessment
  • Number of assessment targets

The table below shows the Amazon Inspector limits for an AWS account. These limits can be increased upon request by contacting the AWS Support Center.

Note: these limits might be changed by AWS from time to time, so make sure to always check the official document here.

[Image: table of Amazon Inspector service limits per AWS account]

AWS Inspector Agent Classic

AWS Inspector is a service provided by AWS which helps you in two ways:

  • Finding security vulnerabilities in your software.
  • Checking the network accessibility of your VPCs.

AWS Inspector reports findings for the checks it performs, on which you can then act: use the findings to correct the weaknesses in your application or your network.

You can install the Amazon Inspector agent using the Systems Manager Run Command on multiple instances (including both Linux-based and Windows-based instances). Alternatively, you can install the agent individually by signing in to each EC2 instance.

As another option, you can quickly install the agent on all Amazon EC2 instances included in an assessment target by selecting the Install Agents check box on the Define an Assessment target page on the console.

Once the agent is installed, it monitors:

  • the behavior of the EC2 instance
  • network and file system activity
  • process activity

and collects a lot of behavior and configuration data.

You can install the AWS Inspector agent in any of the following ways:

  • Amazon Linux 2 AMI with the Amazon Inspector Agent
  • Installing the agent on multiple EC2 instances using the Systems Manager Run Command
  • Installing the agent on a Linux-based EC2 instance
  • Installing the agent on a Windows-based EC2 instance

You can choose any of the above methods; detailed implementation steps for each of them can be found here.

AWS Inspector Agent Rearchitected

Amazon Inspector has been rearchitected and rebuilt to create a new vulnerability management service. Here are the key enhancements over Amazon Inspector Classic:

  • Built for scale: The new Amazon Inspector is built for scale and the dynamic cloud environment. There’s no limit to the number of instances or images that can be scanned at a time.
  • Support for container images: The new Amazon Inspector also scans container images residing in Amazon ECR for software vulnerabilities. Container-related findings are also pushed to the ECR console.
  • Support for multi-account management: The new Amazon Inspector is integrated with AWS Organizations, allowing you to delegate an administrator account for Amazon Inspector for your organization. This Delegated Administrator (DA) account is a centralized account that consolidates all findings and can configure all member accounts.
  • AWS Systems Manager Agent: With the new Amazon Inspector, you no longer need to install and maintain a standalone Amazon Inspector agent on all of your Amazon EC2 instances. The new Amazon Inspector uses the widely deployed AWS Systems Manager Agent (SSM Agent), which removes that need.
  • Automated and continual scanning: The new Amazon Inspector automatically detects all newly launched Amazon EC2 instances and eligible container images pushed to Amazon ECR and immediately scans them for software vulnerabilities and unintended network exposure. When an event occurs that may introduce a new vulnerability, the involved resources are automatically rescanned. Events that trigger a rescan include installing a new package on an EC2 instance, installing a patch, and the publication of a new CVE (Common Vulnerabilities and Exposures entry) that affects the resource.
  • Inspector risk score: The new Amazon Inspector calculates an Inspector risk score by correlating up-to-date CVE information with temporal and environmental factors such as network accessibility and exploitability information to add context to help prioritize your findings.

AWS Inspector Pricing

Amazon Inspector is a security assessment service for your Amazon EC2 instances and the applications running on those instances. Pricing is based on two dimensions:

  1. Number of EC2 instances included in each assessment
  2. The type(s) of rules package

An Inspector assessment can have any combination of two rules package types: host assessment rules packages and/or the network reachability rules package.

Host assessment rules packages include:

  • Common Vulnerabilities and Exposures (CVE)
  • Center for Internet Security (CIS) benchmarks
  • Security Best Practices
  • Runtime Behavior Analysis

If your assessments include both host rules packages and the network reachability rules package, you will be billed for both separately.

Note: pricing for the network reachability rules package and the host assessment rules packages depends on the Region, so check the pricing for the Region you will be using here.

With Amazon Inspector, there are no upfront investments required, no additional software licenses or maintenance fees, and no need to purchase expensive hardware. Flexible pricing based on assessment type and the number of instances included in each assessment is ideal for applications deployed in the cloud. You only pay for what you use, and it provides the flexibility to support popular dynamic use cases like continuous deployment or auto scaling, where per-host or per-IP licensing models can be difficult to manage due to dynamic changes in your cloud environment.

Pricing details are shown below. Make sure to always check the latest pricing updates here.

  • Pricing for the network reachability rules package

[Image: pricing table for the network reachability rules package]

  • Pricing for host assessment rules packages

[Image: pricing table for host assessment rules packages]

Finding vulnerabilities on EC2 instance using Amazon Inspector

Launch the EC2 instances and configure Inspector with an assessment target and template. The assessment target is the EC2 instances with the AWS Inspector agent installed. Once the assessment target and template are created, you run the template to find the vulnerabilities on the configured instances.

Step 1 :- Launching EC2 instances and installing the AWS agent using a Python script. To cover the requirements below, let's separate the code into two parts:

  • Choose AMI
  • Add Tags
  • Create Security Group
  • Install Inspector Agent

Part 1 :- In this part we write the script that first creates our security group and then adds ingress rules to it.

import boto3

# EC2 client; Region and credentials come from your AWS CLI profile
client = boto3.client('ec2')

# Create a security group and allow SSH inbound rule through the VPC
security_resp = client.create_security_group(GroupName='Inspector-SG',
                                             Description='Security group for aws Inspector',
                                             VpcId='<Your VPC ID>')
security_group_id = security_resp['GroupId']
print(security_group_id)

# Open SSH (22), FTP (20/21) and Telnet (23) to 0.0.0.0/0. On this demo target these
# world-reachable ports are what the network reachability rules package reports on.
sgrule_ingress = client.authorize_security_group_ingress(
        GroupId=security_group_id,
        IpPermissions=[
            {'IpProtocol': 'tcp',
             'FromPort': 22,
             'ToPort': 22,
             'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
            {'IpProtocol': 'tcp',
             'FromPort': 20,
             'ToPort': 20,
             'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
            {'IpProtocol': 'tcp',
             'FromPort': 21,
             'ToPort': 21,
             'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},  # this comma separates the last two rules
            {'IpProtocol': 'tcp',
             'FromPort': 23,
             'ToPort': 23,
             'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}
        ])

Part 2 :- Here we define the user data that installs the AWS Inspector agent and launch the EC2 instances using the security group we created earlier.

# Script to install the AWS Inspector agent on EC2 (user data runs as root at first boot)
user_data = '''#!/bin/bash
sudo wget https://inspector-agent.amazonaws.com/linux/latest/install
# alternative download: sudo curl -O https://inspector-agent.amazonaws.com/linux/latest/install
sudo bash install'''

# Launch EC2 instances. AMI IDs are Region-specific, so pick an Amazon Linux 2 AMI from the
# Region your client points at. The security group is passed by ID because lookup by name
# (SecurityGroups=['Inspector-SG']) only works in the default VPC.
resp = client.run_instances(ImageId='ami-0742b4e673072066f',
                          InstanceType='t2.micro',
                          MinCount=2,
                          MaxCount=2,
                          KeyName='<Your KeyName>',
                          UserData=user_data,
                          SecurityGroupIds=[security_group_id],
                          TagSpecifications=[
                              {
                                  'ResourceType': 'instance',
                                  'Tags': [{'Key': 'Name', 'Value': 'EC2-Inspector'}]
                              },
                          ],
                          )
for i in resp['Instances']:
    print("Instance ID Created is :{} Instance Type Created is : {}".format(i['InstanceId'], i['InstanceType']))

Now go to the GitHub link, download the entire code and run it.

Note:- Make sure to define your key pair name and VPC ID in the code.

Once you run the code, you will see the following items launched:

  1. Security group :- Inspector-SG with 4 ingress rules.
  2. EC2 instances :- 2 Linux instances with the Inspector-SG security group attached.

Step 2 :- Create an assessment target

  • Navigate to Inspector by clicking on the Services menu at the top, then click on Inspector.
  • On the home page, click on the Get started button.
  • Click on the Cancel button in the bottom right corner to see the options. (Run weekly, Run once and Advanced setup are for quick setup.)
  • On the left sidebar, click on Assessment targets.
  • Click on the Create button.
  • Fill in the details:
    Name: Assessment_Targets_Demo
    All instances: select Include all EC2 instances in this AWS account and region
    Install Agents: selected by default
    Click on the Save button to create the assessment target.
  • The assessment target is now created.

Step 3 :- Create an assessment template

  • On the left sidebar, click on Assessment templates.
  • Click on the Create button.
  • Fill in the details as below:
    Name: Assessment_Template_Demo
    Target name: Assessment_Targets_Demo
    Rules packages: Select ALL
    Duration: 15 Min
    Keep all other options as default and click on the Create button.
  • The assessment template Assessment_Template_Demo is now created.
  • In the next step, you will run the template to find the vulnerabilities on the created EC2 instances.

Step 4 :- Run the assessment template

  • Select the assessment template Assessment_Template_Demo and click on the Run button. (If an error pops up, ignore it.)
  • The assessment run has started.
  • To see the assessment run and its result, click on Assessment runs on the left sidebar.
  • Click on the number of findings to see the vulnerabilities found by Inspector on the EC2 instances. There are currently 364 findings.
  • Click on the expand button for the first finding to see its details. The Description field describes the finding, while the Recommendation field tells you how to fix the issue and avoid this finding.

Step 5 :- Download the assessment run report

  • Click on Assessment runs on the left sidebar and choose the Download report button.
  • After you click on the Download report option, you are prompted to select the report type and format. Keep the defaults: report type Findings report and report format PDF. Click on the Generate report button.
  • It takes a couple of seconds to generate the report. Note: vulnerabilities of Informational severity are not shown in the Findings report; to see them, regenerate the report with the Full report option. If more than 3 vulnerabilities are found, it is recommended to generate the report and check the issues.
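Steps 2 to 5 above can also be driven from the Inspector Classic API instead of the console. The following is an added example, not the post's own script: it assumes a boto3 `inspector` client is passed in as `inspector` and that Inspector Classic is still available in your Region, and it uses a constructed `SAMPLE_FINDINGS` list so the triage summary can be checked offline.

```python
import time
from collections import Counter

# Constructed sample shaped like describe_findings() output, so summarize() runs offline.
SAMPLE_FINDINGS = [
    {"severity": "High", "assetAttributes": {"agentId": "i-0aaa"}},
    {"severity": "Medium", "assetAttributes": {"agentId": "i-0aaa"}},
    {"severity": "High", "assetAttributes": {"agentId": "i-0bbb"}},
    {"severity": "Informational", "assetAttributes": {"agentId": "i-0bbb"}},
]

def run_assessment(inspector, target_name, template_name, rules_arns, duration=900):
    """Steps 2-4: create target (no resource group = all instances in the Region)
    and template, start the run, wait for a terminal state. Returns (run ARN, state)."""
    target = inspector.create_assessment_target(assessmentTargetName=target_name)
    tmpl = inspector.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=template_name,
        durationInSeconds=duration, rulesPackageArns=rules_arns)
    run_arn = inspector.start_assessment_run(
        assessmentTemplateArn=tmpl["assessmentTemplateArn"])["assessmentRunArn"]
    while True:
        state = inspector.describe_assessment_runs(
            assessmentRunArns=[run_arn])["assessmentRuns"][0]["state"]
        if state in ("COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED", "CANCELED"):
            return run_arn, state
        time.sleep(30)

def fetch_findings(inspector, run_arn):
    """Page through list_findings, then describe at most 10 ARNs per call (API limit)."""
    arns, kwargs = [], {"assessmentRunArns": [run_arn], "maxResults": 500}
    while True:
        page = inspector.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        if "nextToken" not in page:
            break
        kwargs["nextToken"] = page["nextToken"]
    findings = []
    for i in range(0, len(arns), 10):
        findings.extend(inspector.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return findings

def summarize(findings):
    """Counts per severity and per instance (agentId): the first triage view."""
    by_sev = Counter(f["severity"] for f in findings)
    by_inst = Counter(f["assetAttributes"]["agentId"] for f in findings)
    return dict(by_sev), dict(by_inst)

def report_url(inspector, run_arn, report_type="FINDING"):
    """Step 5: the PDF is built asynchronously; poll until COMPLETED and return the
    pre-signed URL. report_type="FULL" also includes Informational findings."""
    while True:
        r = inspector.get_assessment_report(assessmentRunArn=run_arn,
                                            reportFileFormat="PDF", reportType=report_type)
        if r["status"] == "COMPLETED":
            return r["url"]
        time.sleep(5)
```

To wire it up against a real account, create the client with `boto3.client("inspector")` and pass `list_rules_packages()["rulesPackageArns"]` as `rules_arns`, which matches the "Select ALL" choice in Step 3.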

aws.amazon.com/inspector
docs.aws.amazon.com/inspector/latest/usergu..

Stay tuned for my next blog.....

So, did you find my content helpful? If you did or like my other content, feel free to buy me a coffee. Thanks.

Did you find this article valuable?

Support Dheeraj Choudhary by becoming a sponsor. Any amount is appreciated!