Learn how to leverage Amazon Inspector’s integrations for real-time alerts and automated responses.
In this part of our Amazon Inspector series, we’ll explore how to integrate Inspector with AWS Security Hub and EventBridge to enhance your cloud security strategy. By connecting these services, you can centralize vulnerability alerts and automate responses across your AWS environment. If you missed the earlier parts, check out Part 1: Introduction to Amazon Inspector and Part 2: ECR Scanning, CIS Scans, and SBOM for a complete understanding. Now, let’s dive into the power of integration!
We are going to see how to integrate Inspector with:
- AWS Security Hub
- Amazon EventBridge
Security Hub Integration
AWS Security Hub gives you a centralized view of your AWS security posture, allowing you to assess your environment against industry standards and best practices. It gathers security data from multiple AWS accounts, services, and third-party tools, helping you analyze trends and focus on the most critical security issues. It can integrate with Amazon GuardDuty, Audit, Macie, and others. You can view the complete list here.
By default, Inspector sends its findings to Security Hub. If you don't have Security Hub enabled, you can enable it easily; Security Hub offers a 30-day trial period.
- Sign in to the Console, search for Security Hub → Activate.
- Under Security Hub, in the navigation pane → Integrations
In the screenshot below, you can see that Inspector findings are accepted by default.
If you don't want Inspector findings in Security Hub, you can stop accepting them here.
Since Security Hub integrates with a lot of services, use the filter below to narrow the findings down to those from Inspector.
With Inspector findings in Security Hub, you have the complete security posture of your cloud. 🚀🚀
EventBridge Integration
One of my favorite services. It is like the salt we need in every dish if we want to make a recipe: whatever the architecture, you cannot leave this service out.
- We can create an event rule that is triggered on the initial scan, or one that fires when a critical vulnerability is found.
- In this demo, I will create a rule that is triggered when the initial scan of an EC2 instance completes and sends a summary over email. If you would like to explore more patterns, look here.
In the diagram below, you can see the possible ways to put an alert in place.
For this blog, let's keep it simple: create a rule for the initial scan and send it to an SNS topic as the target.
- Sign in to the Console → Go to EventBridge → Event bus → Rules → Create rule
- Enter details like a name and description, keep the default event bus, and choose "Rule with an event pattern".
- Click Next, select Custom pattern, and paste the JSON below:
{
  "source": ["aws.inspector2"],
  "detail-type": ["Inspector2 Scan"],
  "detail": {
    "scan-status": ["INITIAL_SCAN_COMPLETE"]
  }
}
Click Next → select an SNS topic as the target. In my case, I have an SNS topic created with an email subscription.
Click Next, review the rule settings → Finish.
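Before wiring a pattern to a target, it is worth checking it against sample events, since EventBridge silently drops anything that does not match. The following is an added example, not code from the original post or from AWS: it re-implements the subset of EventBridge pattern matching that the rule above relies on (exact-match value lists on top-level and nested fields) and runs the post's pattern, plus a second pattern for critical findings that generalises the "trigger if there is a critical vulnerability" idea, against constructed Inspector2 events. Field names follow the documented Inspector2 event shape; the ids, account and timestamps are made up.

```python
"""Offline check of EventBridge event patterns against Amazon Inspector events.

Added example, not code from the original post or from AWS. Sample events are
constructed; their field names follow the documented Inspector2 event shape,
but ids, account numbers and timestamps are placeholders.
"""
from typing import Any, Dict, List

# The pattern from the post: fire when Inspector completes the first scan of a resource.
INITIAL_SCAN_RULE: Dict[str, Any] = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Scan"],
    "detail": {"scan-status": ["INITIAL_SCAN_COMPLETE"]},
}

# Generalisation of the post's "trigger on a critical vulnerability" idea:
# fire on individual finding events whose severity is CRITICAL.
CRITICAL_FINDING_RULE: Dict[str, Any] = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["CRITICAL"]},
}

RULES: Dict[str, Dict[str, Any]] = {
    "initial-scan-complete": INITIAL_SCAN_RULE,
    "critical-finding": CRITICAL_FINDING_RULE,
}


def pattern_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Return True if `event` satisfies `pattern` under EventBridge's basic rules.

    Implemented subset: every key in the pattern must be present in the event;
    a list value means "the event value must equal one of these" (an array-valued
    event field matches if any element is allowed); a dict value recurses into a
    nested object. Event keys absent from the pattern are ignored, which is why a
    pattern should be as specific as the use case allows.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(allowed, dict):
            if not isinstance(actual, dict) or not pattern_matches(allowed, actual):
                return False
        elif isinstance(allowed, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in allowed for c in candidates):
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}: {allowed!r}")
    return True


def matching_rules(event: Dict[str, Any]) -> List[str]:
    """Names of the rules in RULES that would fire for `event`."""
    return [name for name, pattern in RULES.items() if pattern_matches(pattern, event)]


# Constructed sample events (account, ids and times are placeholders).
SCAN_COMPLETE_EVENT: Dict[str, Any] = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Scan",
    "account": "111122223333",
    "region": "us-east-1",
    "time": "2024-01-01T00:00:00Z",
    "detail": {
        "scan-status": "INITIAL_SCAN_COMPLETE",
        "scan-type": "PACKAGE_VULNERABILITY",
        "resource-id": "i-0123456789abcdef0",
    },
}

HIGH_FINDING_EVENT: Dict[str, Any] = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {"severity": "HIGH", "title": "constructed sample finding"},
}

CRITICAL_FINDING_EVENT: Dict[str, Any] = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {"severity": "CRITICAL", "title": "constructed sample finding"},
}

if __name__ == "__main__":
    for name, ev in [("scan complete", SCAN_COMPLETE_EVENT),
                     ("high finding", HIGH_FINDING_EVENT),
                     ("critical finding", CRITICAL_FINDING_EVENT)]:
        print(f"{name:17s} -> {matching_rules(ev)}")
```

Run it as a script to see which rule each sample event would trigger; the HIGH finding matches neither pattern, which is exactly the kind of gap you want to discover before a rule goes live rather than after a missed alert.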
Now that the rule is created, launch an EC2 instance. Inspector scans the instance as soon as it is created. Once the scan completes, you should get an alert on your preferred communication channel.
In my case, I have email configured, so I receive the summary by email.
Depending on your needs, you can also transform the event message with a Lambda function and send the transformed message to your channel.
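The raw event that SNS forwards is a JSON blob, so a small Lambda in front of the topic makes the email readable. The handler below is an added example, not the post author's code. It assumes the function is the target of the EventBridge rule above, that the SNS topic ARN is supplied through a TOPIC_ARN environment variable (the default value is a placeholder), and that the event follows the documented Inspector2 Scan shape. The formatting lives in a pure function and the SNS publisher can be injected, so the logic can be tested without AWS credentials; the sample event is constructed.

```python
"""Lambda handler that turns an Inspector2 Scan event into a readable SNS message.

Added example, not code from the original post. Assumptions: TOPIC_ARN is set on
the function (placeholder below), boto3 is available in the Lambda runtime, and
the incoming event follows the documented Inspector2 Scan event shape.
"""
import json
import os
from typing import Any, Callable, Dict, Optional

# Placeholder: set TOPIC_ARN on the Lambda function to your real topic ARN.
DEFAULT_TOPIC_ARN = "arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME"

Publisher = Callable[[str, str, str], None]  # (topic_arn, subject, message)


def summarize_scan_event(event: Dict[str, Any]) -> Dict[str, str]:
    """Return an SNS-ready {"subject", "message"} pair for an Inspector2 Scan event.

    Events of any other detail-type are forwarded as pretty-printed JSON so that
    nothing the rule routes here is silently dropped.
    """
    detail = event.get("detail", {})
    detail_type = event.get("detail-type", "unknown")
    if detail_type != "Inspector2 Scan":
        return {
            "subject": f"Inspector event: {detail_type}"[:100],
            "message": json.dumps(event, indent=2, sort_keys=True),
        }
    status = detail.get("scan-status", "UNKNOWN")
    resource = detail.get("resource-id", "unknown resource")
    lines = [
        "Amazon Inspector scan update",
        f"Account:   {event.get('account', 'unknown')}",
        f"Region:    {event.get('region', 'unknown')}",
        f"Resource:  {resource}",
        f"Scan type: {detail.get('scan-type', 'unknown')}",
        f"Status:    {status}",
        f"Time:      {event.get('time', 'unknown')}",
    ]
    # SNS email subjects are limited to 100 characters; truncate defensively.
    subject = f"Inspector {status} for {resource}"[:100]
    return {"subject": subject, "message": "\n".join(lines)}


def _sns_publisher() -> Publisher:
    """Default publisher backed by boto3 (imported lazily so tests run without it)."""
    import boto3  # assumption: present in the Lambda runtime

    sns = boto3.client("sns")
    return lambda arn, subject, message: sns.publish(
        TopicArn=arn, Subject=subject, Message=message
    )


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   publish: Optional[Publisher] = None) -> Dict[str, str]:
    """Lambda entry point: format the event and publish it to the SNS topic.

    `publish` can be injected for offline testing; Lambda itself only passes
    (event, context), so the default boto3 publisher is used in production.
    """
    topic_arn = os.environ.get("TOPIC_ARN", DEFAULT_TOPIC_ARN)
    summary = summarize_scan_event(event)
    if publish is None:
        publish = _sns_publisher()
    publish(topic_arn, summary["subject"], summary["message"])
    return summary


# Constructed sample event (account, id and time are placeholders).
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Scan",
    "account": "111122223333",
    "region": "us-east-1",
    "time": "2024-01-01T00:00:00Z",
    "detail": {
        "scan-status": "INITIAL_SCAN_COMPLETE",
        "scan-type": "PACKAGE_VULNERABILITY",
        "resource-id": "i-0123456789abcdef0",
    },
}

if __name__ == "__main__":
    sent = []
    lambda_handler(SAMPLE_EVENT, publish=lambda arn, s, m: sent.append((arn, s, m)))
    print(sent[0][1])
    print(sent[0][2])
```

In the EventBridge rule, point the target at this function instead of the topic directly; the function still needs an IAM execution role allowed to call sns:Publish on the topic.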
Integrating Amazon Inspector with AWS Security Hub and EventBridge strengthens your security by centralizing alerts and automating responses. With these tools working together, you can monitor, prioritize, and act on vulnerabilities efficiently across your AWS environment.
Thank you for reading this blog, appreciate your time and passion.