Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Introduction

Amazon EC2 is one of the most widely used services on AWS for deploying applications in the cloud. However, as applications grow, so does the responsibility of keeping them secure.

That’s where Amazon Inspector comes in — an automated security assessment service that identifies vulnerabilities and deviations from best practices. It helps developers and security teams strengthen their application’s security posture before issues turn into real threats.

Architecture Overview

Here’s the high-level architecture of the setup we’ll build in this lab:

In this hands-on lab, we’ll use Amazon Inspector to detect and fix vulnerabilities in an EC2 instance. You’ll:

1. Launch an EC2 instance with a custom IAM role and security group
2. Install an outdated version of Node.js (to simulate a vulnerability)
3. Enable Amazon Inspector and analyze its findings
4. Apply remediations by closing an open port and updating Node.js
5. Re-run Inspector to validate the fixes

By the end, you’ll have practical experience identifying and resolving vulnerabilities on AWS — an essential skill for cloud engineers, developers, and anyone serious about cloud security.

---

Getting Started

Amazon Inspector is a built-in AWS security assessment service that automatically scans workloads such as EC2 instances, container images, and Lambda functions for known vulnerabilities and network exposures.

It continuously monitors your environment and provides actionable findings categorized by severity — allowing you to prioritize and mitigate risks efficiently.

---

Create a Role and a Security Group

Before launching an EC2 instance, we’ll create:

• An IAM role for SSM access, allowing the instance to communicate with AWS Systems Manager.
• A security group with an intentionally open port (port 21) to simulate a network vulnerability.

Create the IAM Role

1. In the AWS Console, search for IAM and open the service.
2. From the sidebar, select Roles → Create role.
3. Under Trusted entity type, choose AWS service, and under Use case, select EC2.
4. Attach the policy AmazonSSMManagedInstanceCore.
5. Name the role ec2-ssm-role, scroll down, and click Create role.

Create the Security Group

1. In the AWS Console, search for Security groups under the EC2 service.
2. Click Create security group.
3. Name it ec2-sg and add a short description.
4. Leave the default VPC selected.
5. Under Inbound rules, add:
   • Type: SSH — Port: 22 — Source: Anywhere (IPv4)
   • Type: Custom TCP — Port: 21 — Source: Anywhere (IPv4)
6. Click Create security group.

⚠️ Note: Port 21 is used for FTP, which transmits credentials and data unencrypted. Leaving it open to “Anywhere” exposes your instance to significant security risks. Amazon Inspector will flag this later.

---

Create an EC2 Instance

We’ll now create an EC2 instance, attach the role and security group, and install an outdated version of Node.js.

Steps to Launch the Instance

1. In the AWS Console, open EC2 → Instances → Launch instances.
2. Name and tags: Set the instance name as ec2_inspect.
3. AMI: Choose Amazon Linux 2023 (kernel 6.1) (64-bit x86).
4. Instance type: Select t2.micro (Free Tier).
5. Key pair: Choose Proceed without a key pair (for this lab).
6. Network settings:
   • Select Existing security group
   • Choose ec2-sg
7. Storage: Keep the default 8 GiB gp3 volume.
8. Advanced details:
   • Under IAM instance profile, choose ec2-ssm-role
9. Click Launch instance, then View all instances and wait until the instance state is Running.

Install Node.js 14.x (Vulnerable Version)

Once the instance is running:

1. Select your instance → click Connect → Connect again.
2. Run the following commands:

curl -O https://rpm.nodesource.com/pub_14.x/el/7/x86_64/nodejs-14.21.3-1nodesource.x86_64.rpm
sudo yum install -y nodejs-14.21.3-1nodesource.x86_64.rpm

This installs Node.js v14.x, which is outdated and contains known vulnerabilities — perfect for testing Amazon Inspector.

You now have a running EC2 instance with:

• An open port (21)
• An outdated Node.js installation Both of which Amazon Inspector should detect as vulnerabilities.

---

Enable Amazon Inspector

Amazon Inspector continuously scans EC2 instances, ECR repositories, and Lambda functions for vulnerabilities. Let’s enable it for our environment.

Steps to Enable Inspector

1. Search for Amazon Inspector in the AWS Console and open it.
2. Click Get Started → Activate Inspector.
   • This automatically creates a Service-Linked Role with permissions to scan AWS resources.
3. Wait 3–5 minutes for activation.
4. On the left sidebar, click Account management.
   • You’ll see scanning statuses for EC2, ECR, and Lambda.
5. Since we only need EC2 scanning, deactivate the others:
   • Click Actions → Amazon ECR scanning → Deactivate
   • Click Actions → AWS Lambda scanning → Deactivate

Viewing the Findings

1. In the left menu, click Instances — Amazon Inspector should automatically detect your EC2 instance (ec2_inspect).
2. Click the Instance ID to open its findings.

You’ll see results categorized by severity:

• Critical
• High
• Medium

Examples from this lab:

• High: “Port 21 is reachable from an Internet Gateway - TCP”
• Critical: “CVE-2023-26136 - tough-cookie” (from outdated Node.js 14.x)

Each finding includes a Remediation section — Inspector recommends removing open ports or updating vulnerable packages.

We’ll follow those recommendations next.

Viewing Amazon Inspector Findings

Detailed Finding Analysis

---

Apply Remediation

Now, let’s fix the vulnerabilities Amazon Inspector identified.

Delete the Open Port (21)

1. Go to EC2 → Security Groups and open ec2-sg.
2. Under the Inbound rules tab, click Edit inbound rules.
3. Click Delete beside the rule for Port 21.
4. Click Save rules.

This immediately removes external FTP access and mitigates the “Network Reachability” issue.

---

Update Node.js to the Latest Version

1. Return to the EC2 → Instances → ec2_inspect dashboard.
2. Click Connect → Connect again.
3. Run the following commands:

sudo rm -rf /etc/yum.repos.d/nodesource*
sudo yum remove -y nodejs
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
. ~/.nvm/nvm.sh
nvm install 16

1. Verify the version:

node -v

You should now see v16.x, which resolves the vulnerability found earlier.

---

Refresh Amazon Inspector

Inspector may take time to detect the changes, but you can speed this up:

1. Go to the Amazon Inspector dashboard.
2. Click General settings → Deactivate Inspector.
   • Type deactivate in the confirmation box.
3. After 5–7 minutes, refresh and Activate it again.
4. Once reactivated, go to Instances → [your EC2 instance ID].

You’ll see that the vulnerabilities “Port 21 is reachable” and “CVE-2023-26136 - tough-cookie” are no longer present.

Your EC2 instance is now significantly more secure.

---

Validation and Results

After re-running Amazon Inspector:

• The High and Critical findings have disappeared.
• The security posture of your instance has improved.
• Any remaining minor findings can be further remediated as needed.

This confirms that Amazon Inspector successfully detected and verified the fixes — exactly how it functions in real-world AWS environments.

---

Conclusion

Through this lab, we explored how Amazon Inspector strengthens cloud security by automatically detecting vulnerabilities in EC2 instances and providing actionable remediation guidance.

We learned how to:

• Create IAM roles and security groups safely
• Simulate vulnerabilities using outdated software and open ports
• Use Amazon Inspector to detect risks
• Apply fixes and validate improvements

Key takeaway: Cloud security isn’t a one-time setup — it’s a continuous process.

By integrating Amazon Inspector into your workflows, you can proactively identify and patch vulnerabilities before they escalate.

---

Thanks for reading!

If you found this guide useful, drop a ❤️ or share your experience with Amazon Inspector in the comments below.