Overview

A vulnerability management service.

Continuously scans AWS workloads and code repositories to detect software vulnerabilities and unintended network exposure.

Source: What is Amazon Inspector?

Amazon Inspector is a vulnerability management service that automatically discovers workloads and continually scans them for software vulnerabilities and unintended network exposure.

Scan targets

Source: What is Amazon Inspector?

Amazon Inspector discovers and scans Amazon EC2 instances, container images in Amazon ECR, and Lambda functions.

Source: Amazon Inspector Code Security

With Code Security, Amazon Inspector scans first-party application source code, third-party application dependencies, and Infrastructure as Code for vulnerabilities.

Target resource | Description
Amazon EC2 instances | Detects vulnerabilities in the OS and installed software
Amazon ECR container images | Detects vulnerabilities inside container images
AWS Lambda functions | Detects vulnerabilities in function code and dependencies
Code repositories | Scans source code through GitHub/GitLab integration

Finding types

The official documentation defines three finding types.

Source: Amazon Inspector finding types

The API Reference also defines them as the valid values of the type field:

Source: Finding - Inspector API Reference

Valid Values: NETWORK_REACHABILITY | PACKAGE_VULNERABILITY | CODE_VULNERABILITY

1. Package vulnerability

Detects CVEs (Common Vulnerabilities and Exposures) present in software packages.

Source: Amazon Inspector finding types

Package vulnerability findings identify software packages in your AWS environment that are exposed to Common Vulnerabilities and Exposures (CVEs).

Amazon Inspector can generate package vulnerability findings for EC2 instances, ECR container images, and Lambda functions.

Targets: EC2 / ECR / Lambda

2. Code vulnerability

Detects vulnerabilities in application code.

Source: Amazon Inspector finding types

Code vulnerability findings help identify lines of code that can be exploited. Code vulnerabilities include missing encryption, data leaks, injection flaws, and weak cryptography.

Amazon Inspector generates code vulnerability findings through Lambda function scanning and its Code Security feature.

Targets: Lambda / code repositories (Code Security)

3. Network reachability

Detects open network paths to EC2 instances.

Source: Amazon Inspector finding types

Network reachability findings indicate that there are open network paths to Amazon EC2 instances in your environment.

Amazon Inspector only generates network reachability findings for Amazon EC2 instances. Amazon Inspector performs scans for network reachability findings every 12 hours once Amazon Inspector is enabled.

Targets: EC2 only
Scan frequency: every 12 hours

Severity levels

Source: Understanding severity levels for your Amazon Inspector findings

The NVD/CVSS score ranges from 0 to 10, and the corresponding severity ratings are Informational (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).

Severity | CVSS score
Critical | 9.0 - 10.0
High | 7.0 - 8.9
Medium | 4.0 - 6.9
Low | 0.1 - 3.9
Informational | 0
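Worked example (added here; not code from the page or from AWS): triaging findings by the three finding types and the severity levels above. SAMPLE_FINDINGS is constructed to mirror the shape of Inspector2 ListFindings records with placeholder resource and CVE ids; build_filter, summarize_findings, fetch_findings and the "urgent" rule are this example's own conventions, not part of the service.

```python
"""Triage Amazon Inspector findings by finding type and severity (added example,
not AWS sample code; SAMPLE_FINDINGS mirrors the shape of ListFindings records)."""
from collections import Counter
# Finding types and severity levels as listed in the Inspector API reference.
FINDING_TYPES = ("NETWORK_REACHABILITY", "PACKAGE_VULNERABILITY", "CODE_VULNERABILITY")
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL")

def build_filter(finding_types, min_severity="HIGH"):
    """Build ListFindings filterCriteria for the given types at or above min_severity."""
    cutoff = SEVERITY_ORDER.index(min_severity) + 1
    return {
        "findingType": [{"comparison": "EQUALS", "value": t} for t in finding_types],
        "severity": [{"comparison": "EQUALS", "value": s} for s in SEVERITY_ORDER[:cutoff]],
    }

def summarize_findings(findings):
    """Count findings per (type, severity) and collect what to fix first: Critical/High
    package CVEs plus every network-reachability finding (an open path is what makes them reachable)."""
    counts = Counter((f["type"], f["severity"]) for f in findings)
    urgent = []
    for f in findings:
        rid = f["resources"][0]["id"]
        if f["type"] == "PACKAGE_VULNERABILITY" and f["severity"] in ("CRITICAL", "HIGH"):
            urgent.append((rid, f["packageVulnerabilityDetails"]["vulnerabilityId"]))
        elif f["type"] == "NETWORK_REACHABILITY":
            rng = f["networkReachabilityDetails"]["openPortRange"]
            urgent.append((rid, f"open ports {rng['begin']}-{rng['end']}"))
    return counts, urgent

def fetch_findings(region, filter_criteria):
    """Live variant: page through ListFindings with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline sample below runs without boto3 installed
    pages = boto3.client("inspector2", region_name=region).get_paginator("list_findings")
    return [f for p in pages.paginate(filterCriteria=filter_criteria) for f in p["findings"]]

# Constructed sample data: resource ids and CVE ids are placeholders, not real findings.
SAMPLE_FINDINGS = [
    {"type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example0001"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0001"}},
    {"type": "NETWORK_REACHABILITY", "severity": "HIGH",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example0001"}],
     "networkReachabilityDetails": {"openPortRange": {"begin": 22, "end": 22}}},
    {"type": "PACKAGE_VULNERABILITY", "severity": "MEDIUM",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:example"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0002"}},
    {"type": "CODE_VULNERABILITY", "severity": "LOW",
     "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": "arn:aws:lambda:example"}]},
]
```

Calling summarize_findings(SAMPLE_FINDINGS) offline gives the per-type counts and the two EC2 items to act on first; fetch_findings(region, build_filter(FINDING_TYPES)) pulls the same structure from a live account.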

Scan type details

1. Amazon EC2 scanning

Detects package vulnerabilities and network reachability issues on EC2 instances.

Source: Scanning Amazon EC2 instances with Amazon Inspector

Amazon Inspector scans instances for package vulnerabilities and network reachability issues to produce findings. Amazon Inspector performs network reachability scans once every 12 hours and package vulnerability scans on a variable cadence that depends on the scan method associated with the EC2 instance.

Scan methods

Source: Scanning Amazon EC2 instances with Amazon Inspector

Agent-based scanning collects software inventory using the SSM agent, and agentless scanning collects software inventory using Amazon EBS snapshots.

Method | Description
Agent-based | Collects software inventory through the SSM Agent
Agentless | Extracts data from EBS snapshots and evaluates it

Source: Scanning Amazon EC2 instances with Amazon Inspector

When you activate Amazon Inspector for the first time, your account is automatically enrolled in hybrid scanning, which uses both scan methods.

The default is "hybrid scanning" mode, which uses both methods.

Scan timing

Source: Scanning Amazon EC2 instances with Amazon Inspector

When using the agent-based scan method, Amazon Inspector initiates new vulnerability scans of EC2 instances in the following situations: When you launch a new EC2 instance. When you install new software on an existing EC2 instance (Linux and Mac). When Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your EC2 instance (Linux and Mac).

  • When a new EC2 instance is launched
  • When software is installed on an existing instance
  • When a new CVE is added to the database
  • Network reachability: every 12 hours

Finding types

  • Package vulnerability
  • Network reachability

2. Amazon ECR scanning

Detects package vulnerabilities in container images stored in ECR.

Source: Scanning Amazon Elastic Container Registry container images with Amazon Inspector

Amazon Inspector scans container images stored in Amazon Elastic Container Registry for software vulnerabilities to generate package vulnerability findings.

Scan modes

Source: Scanning Amazon Elastic Container Registry container images with Amazon Inspector

With basic scanning, you can configure your repositories to scan on push or perform manual scans. With enhanced scanning, you scan for operating system and programming language package vulnerabilities at the registry level.

Basic scanning is provided and billed through Amazon ECR. Enhanced scanning is provided and billed through Amazon Inspector.

Mode | Description
Basic scanning | Scan on push or manual scans; billed through ECR
Enhanced scanning | Continuous scanning; detects both OS and language package vulnerabilities; billed through Inspector

Scan timing

Source: Scanning Amazon Elastic Container Registry container images with Amazon Inspector

For continuous scanning, Amazon Inspector initiates new vulnerability scans of container images in the following situations: Whenever a new container image is pushed. Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to that container image (continuous scanning only).

  • When a new container image is pushed
  • When a new CVE is added to the database (continuous scanning only)

Monitoring period

Source: Scanning Amazon Elastic Container Registry container images with Amazon Inspector

If continuous scanning is enabled, Amazon Inspector monitors images as long as they were pushed within 14 days (by default), the last-in-use date is within 14 days (by default), or the images are scanned within the configured re-scan duration. For Amazon Inspector accounts that were created prior to May 16th, 2025, the default configuration is for re-scan to monitor images if they were pushed or pulled within the last 90 days.

  • Within 14 days of the push, or within 14 days of the last-in-use date (default)
  • Accounts created before May 16, 2025 default to 90 days

Finding types

  • Package vulnerability

3. Lambda scanning

Detects vulnerabilities in Lambda functions and their associated layers.

Source: Scanning AWS Lambda functions with Amazon Inspector

Amazon Inspector support for AWS Lambda functions and layers provides continuous automated security vulnerability assessments.

Scan types

Source: Scanning AWS Lambda functions with Amazon Inspector

Lambda standard scanning: This scan type is the default Lambda scan type. It scans application dependencies in Lambda functions and layers for package vulnerabilities.

Lambda code scanning: This scan type scans custom application code in your Lambda functions and layers for code vulnerabilities. You can activate Lambda standard scanning or Lambda standard scanning with Lambda code scanning.

Type | Description
Lambda standard scanning | Detects package vulnerabilities in application dependencies
Lambda code scanning | Detects code vulnerabilities in custom application code

Source: Scanning AWS Lambda functions with Amazon Inspector

If you want to activate Lambda code scanning, you must activate Lambda standard scanning first.

To enable Lambda code scanning, Lambda standard scanning must also be enabled.

Scan timing

Source: Scanning AWS Lambda functions with Amazon Inspector

Upon activation, Amazon Inspector scans all Lambda functions invoked or updated in the last 90 days in your account. Amazon Inspector initiates vulnerability scans of Lambda functions in the following situations: As soon as Amazon Inspector discovers an existing Lambda function. When you deploy a new Lambda function to the Lambda service. When you deploy an update to the application code or dependencies of an existing Lambda function or its layers. Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to your function.

  • When an existing Lambda function is discovered
  • When a new Lambda function is deployed
  • When the function code or its dependencies are updated
  • When a new CVE is added to the database

Eligibility conditions

Source: Scanning AWS Lambda functions with Amazon Inspector

In addition to having a supported runtime, a Lambda function needs to meet the following criteria to be eligible for Amazon Inspector scans: The function has been invoked or updated in the last 90 days. The function is marked $LATEST. The function isn’t excluded from scans by tags.

  • Functions invoked or updated within the last 90 days
  • The $LATEST version
  • Functions not excluded by tags

Finding types

  • Package vulnerability (standard scanning)
  • Code vulnerability (code scanning)

Limitations

Source: Scanning AWS Lambda functions with Amazon Inspector

Amazon Inspector does not support scanning Lambda functions encrypted with customer managed keys.

Lambda functions encrypted with customer managed keys are not scanned.

4. Code Security (code repository scanning)

Integrates with GitHub/GitLab to detect vulnerabilities in source code, dependencies, and IaC.

Source: Amazon Inspector Code Security

With Code Security, Amazon Inspector scans first-party application source code, third-party application dependencies, and Infrastructure as Code for vulnerabilities.

Supported providers

Source: Creating an integration between Amazon Inspector your code repository

Integrations with GitHub SaaS, GitHub Enterprise Cloud, and GitHub Enterprise Server require public internet access.

Source: Creating an integration between Amazon Inspector and GitLab Self Managed

  • GitHub SaaS
  • GitHub Enterprise Cloud
  • GitHub Enterprise Server
  • GitLab Self Managed

Scan capabilities

Source: Beyond compute: Shifting vulnerability detection left with Amazon Inspector code security capabilities | AWS Security Blog

The service includes three additional security analysis capabilities: static application security testing (SAST), software composition analysis (SCA), and infrastructure as code (IaC) scanning.

Amazon Inspector SAST scans source code to identify potential security vulnerabilities, including hardcoded secrets, cross-site scripting, and injection attacks, across various programming languages. SCA helps users understand and manage risks related to software dependencies by automatically analyzing dependencies to identify known vulnerabilities and their impact. IaC scanning identifies potential security misconfigurations in IaC templates, such as the use of AWS Identity and Access Management (IAM) wildcards in action statements or disabled Glue Data Catalog encryption.

Capability | Description
SAST | Static analysis of source code
SCA | Detects vulnerabilities in third-party dependencies
IaC scanning | Validates infrastructure definitions such as CloudFormation templates

Finding types

  • Code vulnerability
  • Package vulnerability

Scan type to finding type mapping

Source: compiled from the per-scan-type descriptions in Automated scan types in Amazon Inspector

Scan type | Package vulnerability | Code vulnerability | Network reachability
EC2 scanning | Yes | - | Yes
ECR scanning | Yes | - | -
Lambda standard | Yes | - | -
Lambda code | - | Yes | -
Code Security | Yes | Yes | -

Key features

Automatic discovery and continuous scanning

Once enabled, it automatically discovers target resources and starts scanning immediately; when new CVEs are published, affected resources are rescanned automatically.

Source: Amazon Inspector features

Once started, Amazon Inspector automatically discovers all Amazon EC2 instances, Lambda functions, container images within Amazon ECR, and code repositories. It promptly initiates scans for software vulnerabilities and unintended network exposure. All resources are continually rescanned when new CVEs are published or when changes occur, including new software installation in an EC2 instance or updates to code repositories.

Amazon Inspector risk score

Combines CVE information with environmental factors such as network reachability and exploitability to compute a context-aware risk score.

Source: What is Amazon Inspector?

Amazon Inspector examines the security metrics that compose the National Vulnerability Database (NVD) base score for a vulnerability and adjusts them according to your compute environment. For example, the service may lower the Amazon Inspector score of a finding for an Amazon EC2 instance if the vulnerability is exploitable over the network but no open network path to the internet is available from the instance.

Integration with other services

Source: Amazon Inspector features

All findings are aggregated in the Amazon Inspector console, routed to AWS Security Hub, and pushed through Amazon EventBridge to automate workflows such as ticketing.

Amazon Inspector integrates with developer tools like Jenkins and TeamCity for container image assessments.

  • AWS Security Hub: aggregates findings for centralized management of security posture
  • Amazon EventBridge: publishes findings as events to automate workflows
  • CI/CD tools: integrates with Jenkins and TeamCity to scan inside the build pipeline

SBOM export

Source: Amazon Inspector features

Amazon Inspector offers automated and centralized management of software bill of materials (SBOM) exports. It enables the easy export of a consolidated SBOM for all monitored resources to a pre-configured S3 bucket, supporting industry standard formats.

The software bill of materials for monitored resources can be exported to an S3 bucket.

Differences from similar services

Service | Purpose
Amazon Inspector | Specializes in vulnerability management; continuous CVE-based scanning
AWS Security Hub | Aggregates and visualizes security findings; consolidates results from multiple services, including Inspector
Amazon GuardDuty | Threat detection; real-time detection of unauthorized access and anomalous behavior

Source: What is Amazon Inspector?

Amazon Inspector is a vulnerability management service

Source: What is AWS Security Hub?

Security Hub provides a comprehensive view of your security posture across your AWS environment

Source: What is Amazon GuardDuty?

Amazon GuardDuty is a continuous security monitoring service

Pricing

Pay-as-you-go, based on the number and type of scanned resources.
Details: Amazon Inspector Pricing