4.2.3. Vulnerability Scanning for Compute Resources
First Principle: Vulnerabilities are discovered continuously — a secure image today may have critical CVEs tomorrow. Continuous vulnerability scanning detects new weaknesses as they're published, not just at build time.
Amazon Inspector provides automated vulnerability management:
- EC2 scanning: Agent-based scanning using SSM Agent (no separate agent needed)
- ECR container scanning: Scans images when pushed and rescans when new CVEs are published
- Lambda function scanning: Scans function code and layers for known vulnerabilities
- Findings: Prioritized by severity with CVSS scores and affected packages
GuardDuty Runtime Monitoring:
- Detects threats in running containers (ECS, EKS, EC2)
- Identifies cryptocurrency mining, reverse shells, privilege escalation attempts
- Monitors process execution, file access, and network connections inside containers
- Complements Inspector (which scans for known CVEs) with runtime threat detection
Inspector vs. GuardDuty:
| Capability | Inspector | GuardDuty |
|---|---|---|
| What it finds | Known CVEs, software vulnerabilities | Active threats, behavioral anomalies |
| When it scans | On push, on schedule, on new CVE publication | Continuously in real-time |
| What it scans | Images, functions, EC2 software inventory | Running processes, network, API activity |
| Output | Vulnerability findings with remediation guidance | Threat findings with severity levels |
⚠️ Exam Trap: Inspector finds vulnerabilities (CVEs). GuardDuty finds threats (active attacks). A question about "detecting a cryptocurrency miner running on ECS" is GuardDuty Runtime Monitoring. A question about "identifying unpatched libraries in a container image" is Inspector.
Scenario: A container image passes Inspector scanning with zero critical vulnerabilities at build time. One week later, a new critical CVE is published affecting a library in the image. Inspector automatically rescans and generates a finding, triggering an automated rebuild pipeline.
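The last step of that scenario, the pipeline trigger, is where an engineer has to decide which Inspector findings actually justify a rebuild. The following is an added example (not from the original guide or from AWS) that triages an Inspector finding as delivered through EventBridge; the event field names (`source: aws.inspector2`, `detail.severity`, `detail.resources[].type`, `awsEcrContainerImage.*`) are assumed from the Inspector finding schema and the sample event is constructed, not captured from a real account.

```python
"""Triage an Amazon Inspector finding delivered through EventBridge and decide
whether it should trigger an automated image rebuild (constructed example)."""
from typing import Optional

REBUILD_SEVERITIES = {"CRITICAL", "HIGH"}  # severities worth an automatic rebuild

# Constructed sample in the shape of an "Inspector2 Finding" EventBridge event.
# Field names follow the Inspector finding schema as assumed here; values are
# placeholders, not captured from a real account.
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-0000-00000",  # placeholder identifier
            "vulnerablePackages": [{"name": "examplelib", "version": "1.0.0",
                                    "fixedInVersion": "1.0.1"}],
        },
        "resources": [{
            "type": "AWS_ECR_CONTAINER_IMAGE",
            "details": {"awsEcrContainerImage": {
                "repositoryName": "app", "imageTags": ["v1.4"],
                "imageHash": "sha256:0123456789abcdef"}},
        }],
    },
}

def rebuild_target(event: dict) -> Optional[dict]:
    """Return the ECR image to rebuild, or None when the finding does not qualify:
    it must be an ACTIVE Inspector finding of CRITICAL/HIGH severity against an
    ECR image, with a fixed package version available (otherwise a rebuild would
    simply pull the same vulnerable package again)."""
    if event.get("source") != "aws.inspector2":
        return None
    d = event.get("detail", {})
    if d.get("status") != "ACTIVE" or d.get("severity") not in REBUILD_SEVERITIES:
        return None
    vuln = d.get("packageVulnerabilityDetails", {})
    if not any(p.get("fixedInVersion") for p in vuln.get("vulnerablePackages", [])):
        return None
    for res in d.get("resources", []):
        if res.get("type") == "AWS_ECR_CONTAINER_IMAGE":
            img = res["details"]["awsEcrContainerImage"]
            return {"repository": img["repositoryName"], "tags": img.get("imageTags", []),
                    "digest": img["imageHash"], "cve": vuln.get("vulnerabilityId")}
    return None
```

The returned dict is what a Lambda handler would pass to the rebuild step (for example a thin wrapper around CodePipeline's StartPipelineExecution); findings with no fixed version are deliberately left for a human, since rebuilding cannot remediate them.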
Reflection Question: Why does continuous scanning (Inspector's rescan-on-CVE feature) provide fundamentally better security than point-in-time scanning during CI/CD?