Yuji Oshima for AWS Community Builders

Posted on • Originally published at yuj1osm.hatenablog.com

Summary of Amazon Inspector updates announced at re:Invent 2023

At AWS re:Invent 2023, there were many updates regarding AWS security services.
In this article, I will introduce updates to Amazon Inspector.

Support for Lambda Code Scanning with Generative AI

Generative AI now provides code fix suggestions based on scan results.

Code scanning for Lambda became generally available at re:Inforce 2023, but at that time only abstract fix suggestions were provided.

With this update, more specific code fix suggestions and patch files can be obtained.

Amazon Inspector expands AWS Lambda code scanning with generative AI powered remediation

Let's try detecting the "Path traversal" issue listed in the Amazon CodeGuru Detector Library, which Inspector's Lambda code scanning uses.

Path traversal | Amazon CodeGuru, Detector Library

Prepare a Lambda function that contains the vulnerable pattern.

After a while, Inspector reports a finding against the Lambda function.

In the finding's detail screen, a specific code fix is proposed and a patch file can be downloaded.

I think it will be easier to focus on secure code development now that Inspector can scan the Lambda code itself and hand back suggested fixes and patch files.
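To make the finding concrete, here is an added example (my own code, not from the post and not AWS's or CodeGuru's) of the path traversal pattern in a Python Lambda handler next to its hardened form. The base directory, the event shape (a "name" key) and the demo scenario with an uploads directory, a secret file and a symlink are all assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption for illustration: the directory the function is meant to serve files from.
BASE_DIR = "/tmp/uploads"


def vulnerable_handler(event, context=None, base_dir=BASE_DIR):
    """Pattern the CodeGuru "Path traversal" detector flags: a caller-controlled
    name is joined to the base directory and opened without validation.
    "../secret.txt" walks out of base_dir, and an absolute name makes
    os.path.join discard base_dir entirely."""
    path = os.path.join(base_dir, event["name"])
    with open(path) as f:
        return f.read()


def resolve_safe_path(base_dir, user_name):
    """Resolve user_name under base_dir and reject anything that leaves it.

    realpath() normalises "..", absolute names and symlinks before the check;
    commonpath() is used rather than startswith() so that "/tmp/uploads2"
    is not mistaken for a child of "/tmp/uploads"."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_name!r} escapes {base_dir}")
    return candidate


def hardened_handler(event, context=None, base_dir=BASE_DIR):
    """Same handler after the fix: only paths that resolve inside base_dir are opened."""
    path = resolve_safe_path(base_dir, event["name"])
    with open(path) as f:
        return f.read()


def demo():
    """Constructed scenario (not a real deployment): an uploads directory with
    one legitimate file, a secret next to it outside the directory, and a
    symlink inside the directory pointing at that secret."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        with open(os.path.join(uploads, "report.txt"), "w") as f:
            f.write("quarterly report")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("db password")
        os.symlink(secret, os.path.join(uploads, "link"))

        attempts = {"dotdot": "../secret.txt", "absolute": secret, "symlink": "link"}
        results = {
            "legit": hardened_handler({"name": "report.txt"}, base_dir=uploads),
            # the vulnerable version happily returns the secret
            "vulnerable_leak": vulnerable_handler({"name": "../secret.txt"}, base_dir=uploads),
            "hardened": {},
        }
        for label, name in attempts.items():
            try:
                hardened_handler({"name": name}, base_dir=uploads)
                results["hardened"][label] = "ALLOWED"
            except ValueError:
                results["hardened"][label] = "BLOCKED"
        return results


if __name__ == "__main__":
    print(demo())
```

The symlink case is why the check resolves with realpath() before comparing: a plain string check on the joined path would pass "link" even though it reads a file outside the directory.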

Support for Agentless Vulnerability Assessment for EC2

Amazon Inspector can now perform EC2 vulnerability assessment without installing an agent.

Previously, the AWS Systems Manager (SSM) agent had to be installed on every instance; now Inspector automatically determines whether the agent is present and chooses the scan method accordingly.

Agentless scans run at 24-hour intervals.

Amazon Inspector agentless vulnerability assessments for Amazon EC2 now in preview

Agentless scanning works by taking EBS snapshots of the instance's volumes and collecting the software inventory from them.

To configure it, open "EC2 scanning settings" in the console and press "Edit" under "Scan mode".

You can select either "Hybrid" or "Agent-based" mode.
"Agent-based" mode is the traditional scanning method: only EC2 instances with the agent installed are scanned.

"Hybrid" mode is the mode in which agentless scanning is active: instances with the agent installed get agent-based scans, and instances without it get agentless scans.


We understand that there may be cases where it is difficult to install an agent due to company rules or network configuration.

With this update, you can now manage vulnerabilities with Inspector even if you do not have an agent installed.

However, since agentless scans only run every 24 hours, whereas agent-based scans pick up changes much closer to real time, it is better to install the agent wherever possible and use "Hybrid" mode so that agentless scanning only has to cover the instances that still lack it.
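One practical follow-up to that advice is to find out which instances are currently covered only by the 24-hour agentless scan, so the SSM agent rollout can start there. The following is an added example of mine, not from the post or from AWS: it triages the pages returned by the inspector2 ListCoverage API (for example via boto3's list_coverage paginator). The sample page below is constructed, and the field names it relies on (coveredResources, resourceType, scanMode, scanStatus.statusCode and scanStatus.reason) are my understanding of the API response and should be checked against real output from your account.

```python
from collections import Counter

# Constructed sample shaped like one ListCoverage page. Assumption: the field
# names follow the inspector2 API; verify them against your own output.
SAMPLE_COVERAGE_PAGE = {
    "coveredResources": [
        {"resourceId": "i-0aaa111", "resourceType": "AWS_EC2_INSTANCE",
         "scanMode": "EC2_SSM_AGENT_BASED",
         "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
        {"resourceId": "i-0bbb222", "resourceType": "AWS_EC2_INSTANCE",
         "scanMode": "EC2_AGENTLESS",
         "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
        {"resourceId": "i-0ccc333", "resourceType": "AWS_EC2_INSTANCE",
         "scanMode": "EC2_AGENTLESS",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "UNSUPPORTED_OS"}},
        {"resourceId": "i-0ddd444", "resourceType": "AWS_EC2_INSTANCE",
         "scanMode": "EC2_SSM_AGENT_BASED",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "NO_INVENTORY"}},
        # non-EC2 resources also appear in coverage output and must be skipped
        {"resourceId": "sha256:0123abcd", "resourceType": "AWS_ECR_CONTAINER_IMAGE",
         "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    ]
}


def triage_ec2_coverage(pages):
    """Summarise EC2 coverage across ListCoverage pages.

    Returns the count of instances per scan mode, the instances that are
    actively scanned but only agentlessly (candidates for agent install),
    and the instances Inspector is not scanning at all, with the reason."""
    modes = Counter()
    agentless_only = []
    not_scanned = []
    for page in pages:
        for res in page.get("coveredResources", []):
            if res.get("resourceType") != "AWS_EC2_INSTANCE":
                continue
            mode = res.get("scanMode", "UNKNOWN")
            status = res.get("scanStatus", {})
            modes[mode] += 1
            if status.get("statusCode") != "ACTIVE":
                not_scanned.append((res["resourceId"], status.get("reason")))
            elif mode == "EC2_AGENTLESS":
                agentless_only.append(res["resourceId"])
    return {
        "modes": dict(modes),
        "agentless_only": sorted(agentless_only),
        "not_scanned": sorted(not_scanned),
    }


if __name__ == "__main__":
    # With boto3 the pages would come from:
    #   boto3.client("inspector2").get_paginator("list_coverage").paginate(
    #       filterCriteria={"resourceType": [{"comparison": "EQUALS",
    #                                          "value": "AWS_EC2_INSTANCE"}]})
    summary = triage_ec2_coverage([SAMPLE_COVERAGE_PAGE])
    print("scan modes:", summary["modes"])
    print("agentless only (install the agent here first):", summary["agentless_only"])
    for instance_id, reason in summary["not_scanned"]:
        print(f"not scanned: {instance_id} ({reason})")
```

The "not scanned" list is worth separating from the agentless list: an instance with an unsupported OS will not be helped by Hybrid mode, while an instance whose agent has not reported inventory yet usually just needs the SSM side fixed.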

Support for scanning container images within CI/CD tools

Amazon Inspector now integrates with developer tools to scan container images.

It supports Jenkins, TeamCity and similar tools, so it fits into existing developer workflows.

Amazon Inspector enhances container image security by integrating with developer tools

There were two types of container image scans: ECR's basic scanning and Inspector's enhanced scanning.

While basic scans could be integrated into the CI/CD pipeline, enhanced scanning was not supported there.

With this update, enhanced scanning can also be integrated into the CI/CD pipeline, allowing for more security assurance at an earlier stage of development.

It is a welcome update to be able to integrate Inspector with developers' familiar tools and integrate it into the CI/CD pipeline.
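Once the scan runs inside the pipeline, the step that actually delivers "security assurance at an earlier stage" is a gate that fails the build on severe findings. Here is an added example of such a gate (my own code, not from the post, not part of the Inspector plugins); it assumes the pipeline step has written its findings as a CycloneDX 1.5 JSON report with a "vulnerabilities" array, which is the format I understand the Inspector CI/CD integration emits. The report below is constructed with placeholder finding IDs, not real scanner output.

```python
import json
import sys

# CycloneDX severity scale, weakest to strongest.
SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]

# Constructed report (placeholder IDs, not real findings): three findings
# against two image components.
SAMPLE_REPORT = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:deb/debian/openssl@1.1.1k"},
        {"type": "library", "name": "requests", "version": "2.19.1",
         "purl": "pkg:pypi/requests@2.19.1"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "ratings": [{"source": {"name": "NVD"}, "severity": "critical"}],
         "affects": [{"ref": "pkg:deb/debian/openssl@1.1.1k"}]},
        {"id": "EXAMPLE-0002",
         # two sources disagree; the gate takes the stronger rating
         "ratings": [{"source": {"name": "NVD"}, "severity": "medium"},
                     {"source": {"name": "vendor"}, "severity": "high"}],
         "affects": [{"ref": "pkg:pypi/requests@2.19.1"}]},
        {"id": "EXAMPLE-0003",
         "ratings": [{"source": {"name": "NVD"}, "severity": "low"}],
         "affects": [{"ref": "pkg:pypi/requests@2.19.1"}]},
    ],
}


def severity_rank(severity):
    """Position on the CycloneDX scale; anything unrecognised ranks lowest."""
    s = (severity or "unknown").lower()
    return SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else 0


def effective_severity(vuln):
    """Strongest severity among a finding's ratings (sources often disagree)."""
    ratings = vuln.get("ratings") or []
    if not ratings:
        return "unknown"
    return max((r.get("severity", "unknown") for r in ratings), key=severity_rank).lower()


def findings_at_or_above(report, threshold):
    """(id, severity, affected purls) for every finding at or above threshold."""
    hits = []
    for vuln in report.get("vulnerabilities", []):
        sev = effective_severity(vuln)
        if severity_rank(sev) >= severity_rank(threshold):
            refs = [a.get("ref") for a in vuln.get("affects", [])]
            hits.append((vuln.get("id"), sev, refs))
    return hits


def should_fail_build(report, threshold="high"):
    return bool(findings_at_or_above(report, threshold))


if __name__ == "__main__":
    # usage: python gate.py [threshold] [report.json]; defaults to the sample
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            report = json.load(f)
    else:
        report = SAMPLE_REPORT
    hits = findings_at_or_above(report, threshold)
    for vid, sev, refs in hits:
        print(f"{sev.upper():8} {vid} affects {', '.join(refs)}")
    sys.exit(1 if hits else 0)
```

A non-zero exit code is all Jenkins or TeamCity needs to mark the stage failed, so the gate can sit directly after the scan step; the threshold is an argument so that a stricter value can be used for images that ship to production.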

Summary

There have been many updates to Inspector in 2023, and we have also seen features that integrate generative AI.

Not only security personnel, but also developers can easily manage vulnerabilities, and I believe that the user experience will change dramatically in the future.

We will keep an eye on the future of Inspector and Generative AI.
