At AWS re:Invent 2023, there were many updates regarding AWS security services.
In this article, I will introduce updates to Amazon Inspector.
Support for Lambda Code Scanning with Generative AI
Generative AI now provides code modification support based on scan results.
Code scanning for Lambda is a feature that was generally available at re:Inforce 2023, but at that time, only abstract fix suggestions were provided.
With this update, more specific code fix suggestions and patch files can be obtained.
Amazon Inspector expands AWS Lambda code scanning with generative AI powered remediation
Let's try it with the "Path traversal" detector from the "Amazon CodeGuru, Detector Library".
Path traversal | Amazon CodeGuru, Detector Library
Prepare a Lambda function containing that pattern so Inspector can detect it.
After a while, the Lambda function is detected by Inspector.
In the detail screen, a specific code fix is proposed and a patch file can be downloaded.
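The two handlers below are an added example, not code from the original post or from AWS: a Lambda function containing the path traversal pattern the CodeGuru detector flags, next to a hardened version that keeps the resolved path inside the content root. The content root, file names and the escaping name are constructed for the demo; a real function would read from /var/task or S3.

```python
import os
import tempfile
from pathlib import Path

# Constructed content root; a real function would serve from /var/task or S3.
BASE_DIR = Path(tempfile.mkdtemp()).resolve()
(BASE_DIR / "public.txt").write_text("hello")

# Constructed file outside the content root, and the "../"-style name that
# reaches it from BASE_DIR (used only to show where the two handlers diverge).
OUTSIDE = Path(tempfile.mkdtemp()).resolve() / "secret.txt"
OUTSIDE.write_text("secret")
ESCAPE_NAME = os.path.relpath(OUTSIDE, BASE_DIR)


def vulnerable_handler(event, context=None):
    """Pattern the detector flags: request data joined straight into a path."""
    # os.path.join follows "../" segments (and discards BASE_DIR entirely if
    # the name is absolute), so any file readable by the function can be returned.
    target = os.path.join(BASE_DIR, event["name"])
    with open(target) as f:
        return {"statusCode": 200, "body": f.read()}


def hardened_handler(event, context=None):
    """Same behaviour, but the resolved path must stay under BASE_DIR."""
    # resolve() normalises ".." and follows symlinks before the check, so the
    # comparison is made on the real filesystem location, not the raw string.
    requested = (BASE_DIR / event["name"]).resolve()
    if BASE_DIR not in requested.parents:
        return {"statusCode": 400, "body": "invalid path"}
    try:
        return {"statusCode": 200, "body": requested.read_text()}
    except FileNotFoundError:
        return {"statusCode": 404, "body": "not found"}
```

The check is done on the resolved path rather than by string-filtering ".." so that encoded, doubled or symlinked variants are covered the same way.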
Since you can easily scan Lambda code and get suggested fixes and patch files, I think it will be easier to focus on secure code development.
Support for Agentless Vulnerability Assessment for EC2
Amazon Inspector can now perform EC2 vulnerability assessment without installing an agent.
Previously, the AWS Systems Manager agent had to be installed, but Inspector can now automatically determine whether an agent is present and scan the instance accordingly.
Scanning frequency is at 24-hour intervals.
Amazon Inspector agentless vulnerability assessments for Amazon EC2 now in preview
This is accomplished by using EBS snapshots to obtain software inventory information.
To configure, press "Edit" from "Scan mode" in "EC2 scanning settings" on the console screen.
You can select either "Hybrid" or "Agent-based" mode.
"Agent-based" mode is the traditional scanning method: only EC2 instances with the agent installed are scanned.
"Hybrid" mode is the mode in which agent-less works: agent-based scans are performed if an agent is installed, and agent-less scans are performed if no agent is installed.
We understand that there may be cases where it is difficult to install an agent due to company rules or network configuration.
With this update, you can now manage vulnerabilities with Inspector even if you do not have an agent installed.
However, since the frequency of agent-less scans is every 24 hours, it is better to install an agent whenever possible and then switch to "Hybrid" mode for real-time detection.
Support for scanning container images within CI/CD tools
Amazon Inspector now integrates with developer tools to scan container images.
It is compatible with Jenkins, TeamCity, etc. and works seamlessly with traditional developer tools.
Amazon Inspector enhances container image security by integrating with developer tools
There were two types of container image scans: ECR's basic scanning and Inspector's enhanced scanning.
While basic scanning could be integrated into the CI/CD pipeline, enhanced scanning was not supported there.
With this update, enhanced scanning can also be integrated into the CI/CD pipeline, allowing for more security assurance at an earlier stage of development.
It is a welcome update to be able to integrate Inspector with developers' familiar tools and integrate it into the CI/CD pipeline.
Summary
There have been many updates to Inspector in 2023, and we have also seen features that integrate generative AI.
Not only security personnel, but also developers can easily manage vulnerabilities, and I believe that the user experience will change dramatically in the future.
We will keep an eye on the future of Inspector and Generative AI.