3.2.2.3. Amazon Inspector and Common Assessment Templates
Amazon Inspector scans for vulnerabilities automatically — on EC2 instances, ECR container images, and Lambda functions.
Inspector v2 (current version) is agentless for ECR and Lambda. For EC2, it uses the SSM Agent (already installed on most modern AMIs).
What Inspector scans:
| Target | Vulnerability Type | Trigger |
|---|---|---|
| EC2 instances | CVEs in OS packages, network reachability | Continuous (event-driven) |
| ECR images | CVEs in OS and language packages | On push + continuous re-scan |
| Lambda functions | CVEs in language packages | On deploy + continuous |
Inspector findings include CVE ID, severity (Critical/High/Medium/Low), affected package, and fix recommendation. Findings are sent to Security Hub for centralized management.
Integration with CI/CD: Scan ECR images on push and block deployment if Critical/High vulnerabilities are found. Use EventBridge to trigger a Lambda function that checks Inspector findings before CodePipeline proceeds.
```bash
# Check active Critical findings for a specific ECR repository
aws inspector2 list-findings \
  --filter-criteria '{
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_CONTAINER_IMAGE"}],
    "severity": [{"comparison": "EQUALS", "value": "CRITICAL"}],
    "ecrImageRepositoryName": [{"comparison": "EQUALS", "value": "my-app"}]
  }'
```
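The gating Lambda described above, written out as an added example that is not from the original guide. It wires the check as a CodePipeline Lambda invoke action (the action's `UserParameters` JSON carrying `repository` and `imageTag` is an assumed contract) rather than the EventBridge trigger the guide mentions; the finding filter, pagination and pass/fail decision are the same either way. The sample findings, CVE IDs and package versions are constructed.

```python
"""Block a CodePipeline stage when Amazon Inspector reports blocking CVEs.

Added example, not the guide's own code. Assumes the Lambda runs as a
CodePipeline invoke action whose UserParameters is JSON like
{"repository": "my-app", "imageTag": "1.2.3"} (assumed contract).
"""
import json

# Severities that block promotion; the guide's rule is Critical/High.
BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})


def build_filter_criteria(repository, image_tag):
    """FilterCriteria for the active findings of one ECR image."""
    return {
        "resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_CONTAINER_IMAGE"}],
        "ecrImageRepositoryName": [{"comparison": "EQUALS", "value": repository}],
        "ecrImageTags": [{"comparison": "EQUALS", "value": image_tag}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    }


def evaluate_findings(findings, blocking=BLOCKING_SEVERITIES):
    """Return (allowed, summary).

    summary counts findings per severity and lists the CVE, package and
    fixed-in version of every blocking finding so the pipeline failure
    message tells the developer what to patch.
    """
    counts, blockers = {}, []
    for f in findings:
        sev = f.get("severity", "UNTRIAGED")
        counts[sev] = counts.get(sev, 0) + 1
        if sev in blocking:
            details = f.get("packageVulnerabilityDetails", {})
            pkg = (details.get("vulnerablePackages") or [{}])[0]
            blockers.append({
                "cve": details.get("vulnerabilityId"),
                "severity": sev,
                "package": pkg.get("name"),
                "fixed_in": pkg.get("fixedInVersion"),  # None if no fix yet
            })
    return (not blockers), {"counts": counts, "blockers": blockers}


def fetch_findings(repository, image_tag, client=None):
    """Page through inspector2 list-findings via nextToken.

    boto3 is imported lazily so the pure logic above works offline; a
    fake client with a list_findings method can be injected for tests.
    """
    if client is None:
        import boto3  # available in the Lambda runtime
        client = boto3.client("inspector2")
    kwargs = {"filterCriteria": build_filter_criteria(repository, image_tag)}
    findings = []
    while True:
        resp = client.list_findings(**kwargs)
        findings.extend(resp.get("findings", []))
        token = resp.get("nextToken")
        if not token:
            return findings
        kwargs["nextToken"] = token


def lambda_handler(event, context):
    """CodePipeline invoke-action entry point: report success or failure."""
    import boto3
    job = event["CodePipeline.job"]
    params = json.loads(job["data"]["actionConfiguration"]["configuration"]["UserParameters"])
    allowed, summary = evaluate_findings(fetch_findings(params["repository"], params["imageTag"]))
    cp = boto3.client("codepipeline")
    if allowed:
        cp.put_job_success_result(jobId=job["id"])
    else:
        cp.put_job_failure_result(
            jobId=job["id"],
            failureDetails={"type": "JobFailed",
                            "message": json.dumps(summary)[:5000]},  # message length limit
        )
    return summary


# Constructed sample findings, trimmed to the fields used above.
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL",
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-0000-0001",  # constructed placeholder
         "vulnerablePackages": [{"name": "openssl", "version": "1.1.1k",
                                 "fixedInVersion": "1.1.1t"}]}},
    {"severity": "MEDIUM",
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-0000-0002",  # constructed placeholder
         "vulnerablePackages": [{"name": "curl", "version": "7.79.1"}]}},
]

if __name__ == "__main__":
    print(json.dumps(evaluate_findings(SAMPLE_FINDINGS), indent=2))
```

Filtering on `findingStatus: ACTIVE` matters: Inspector keeps CLOSED findings for images whose package was since patched, and without that filter a gate would fail on vulnerabilities that no longer exist in the image. The Lambda's role needs `inspector2:ListFindings` plus `codepipeline:PutJobSuccessResult` and `codepipeline:PutJobFailureResult`.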
Exam Trap: Inspector v2 replaced Inspector Classic (which used assessment templates and required a scheduled assessment run). The exam may reference "assessment templates" — that's Inspector Classic. Inspector v2 scans continuously and doesn't use templates. If the question mentions continuous scanning, the answer is Inspector v2. If it mentions scheduled assessments, it's Inspector Classic.
