4 Reasons Why You Should Use Inspector from Amazon Web Services

Amazon Inspector from Amazon Web Services is a cost-effective, automated security assessment service that helps ensure the security and compliance of applications deployed on AWS. Here's how it can help your organization.

What is Amazon Inspector?

Amazon Inspector is an Amazon web service that helps improve the security and compliance of applications running on EC2 instances. When an assessment runs, it automatically searches the target instances for security weaknesses and misconfigurations and compares what it finds against rule packages built from widely recommended security best practices. The results of the analysis are presented as a detailed list of findings ordered by severity and can be viewed in the Amazon Inspector web console.


Why use Amazon Inspector?

  1. Reduces the cost of implementing security
    Securing an IT infrastructure normally requires hiring experts to perform thorough analysis and follow-up, which is costly and hard to do consistently. Amazon Inspector automatically evaluates and reports the security vulnerabilities of every instance where its agent is installed, and AWS security researchers keep the rule packages up to date.
  2. Strengthens the IT infrastructure
    The findings Amazon Inspector produces make it possible to harden servers, services and the supporting infrastructure.
  3. Facilitates the resolution of vulnerabilities
    Amazon Inspector delivers actionable findings, each with a clear description and a recommendation, that help resolve the vulnerabilities it encounters.
  4. Helps catch security issues in business applications during development
    Amazon Inspector lets you assess an application for security issues while it is still in development, so the necessary corrections can be made before the finished product is launched in a production environment.

Amazon Inspector Package Rules


Amazon Inspector offers many rules that can be used to evaluate your instances. The rules are grouped into rule packages by category, and every finding carries a severity, so you can choose the type of analysis to perform. The rule packages available in Amazon Inspector are detailed below:

CVE (Common Vulnerabilities and Exposures)

  1. This rule package verifies whether EC2 instances are exposed to Common Vulnerabilities and Exposures. CVE is a dictionary of common names (CVE identifiers) for publicly known cyber security vulnerabilities. CVE identifiers make it easier to exchange data about the vulnerabilities encountered and provide a baseline for assessing the coverage of an organization's security tools.
  2. If a CVE appears in a finding created by an Amazon Inspector assessment, you can search for the CVE identifier (example: CVE-2009-0021) on the Common Vulnerabilities and Exposures website, which is sponsored by the U.S. Department of Homeland Security. The search results provide detailed information about the CVE, its severity and how to mitigate it.


References for the Center for Internet Security (CIS)

  1. Amazon Web Services is a CIS Security Benchmarks member company. CIS Benchmarks provide well-defined industry best practices for improving security.
  2. Currently, Amazon Inspector offers the following CIS-certified rule packages to help establish secure configurations for these operating systems:
    • Amazon Linux 2015.03 (CIS Benchmark for Amazon Linux 2014.09-2015.03, v1.1.0, Level 1 Profile).
    • Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows Server 2012 R2, v2.2.0, Level 1 Member Server Profile).
    • Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows Server 2012 R2, v2.2.0, Level 1 Domain Controller Profile).
    • Windows Server 2012 (CIS Benchmark for Microsoft Windows Server 2012 non-R2, v2.0.0, Level 1 Member Server Profile).
    • Windows Server 2012 (CIS Benchmark for Microsoft Windows Server 2012 non-R2, v2.0.0, Level 1 Domain Controller Profile).
    • Windows Server 2008 R2 (CIS Benchmark for Microsoft Windows Server 2008 R2, v3.0.0, Level 1 Member Server Profile).
    • Windows Server 2008 R2 (CIS Benchmark for Microsoft Windows Server 2008 R2, v3.0.0, Level 1 Domain Controller Profile).

If a particular CIS benchmark appears in a finding created by an Amazon Inspector assessment run, you can download the detailed benchmark PDF from the CIS Benchmarks site (free registration required). The benchmark document provides detailed information about that CIS recommendation, its severity and how to mitigate it.

Security Best Practices

The rules in this package help determine whether your systems are configured securely. In this version of Amazon Inspector, you can include EC2 instances running Linux- or Windows-based operating systems in your assessment targets.

Among the rules found in this package are:

  • Disable Root Login over SSH
  • Support SSH Version 2 Only
  • Disable Password Authentication Over SSH
  • Configure Password Maximum Age
  • Configure Password Minimum Length
  • Configure Password Complexity
  • Enable ASLR
  • Enable DEP
  • Configure Permissions for System Directories
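Three of the rules above are checks against sshd_config that are easy to reproduce locally before an assessment run. The following Python script is an added example, not Amazon Inspector's own code or rule logic: it parses a constructed sshd_config the way sshd does (the first occurrence of a keyword wins, comments are ignored, and a Match block is conditional rather than global) and evaluates the three SSH rules. Treating an absent Protocol line as compliant is our assumption that the daemon is OpenSSH 7.4 or later, which no longer supports protocol 1; Inspector's actual thresholds may differ, so use this as a pre-check rather than a substitute for the assessment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample sshd_config for the demonstration (not taken from a real host).
# It deliberately exercises the parsing rules that matter for an audit: the second
# PermitRootLogin line is ignored because sshd honours the first occurrence, the
# commented-out PasswordAuthentication line does not count, and the Match block at
# the end is conditional rather than global.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# sshd accepts "Keyword value" as well as "Keyword=value".
_KEYWORD_LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings of an sshd_config as {keyword: value}.

    Keywords are lower-cased because sshd treats them case-insensitively. Only the
    first occurrence of a keyword is kept, matching sshd's own semantics, and parsing
    stops at the first 'Match' line since everything after it is conditional.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = _KEYWORD_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


@dataclass(frozen=True)
class RuleResult:
    rule: str      # rule name, using the wording of the list above
    passed: bool
    detail: str    # the observed setting, or why the default is a problem


def check_ssh_rules(settings: Dict[str, str]) -> List[RuleResult]:
    """Evaluate the three SSH rules of the Security Best Practices package."""
    results = []

    # Disable Root Login over SSH: only an explicit 'no' passes. An absent keyword
    # fails because sshd's built-in default still allows root logins with keys.
    root = settings.get("permitrootlogin")
    results.append(RuleResult(
        "Disable Root Login over SSH",
        root is not None and root.lower() == "no",
        f"PermitRootLogin {root}" if root else "PermitRootLogin not set (default allows root)",
    ))

    # Support SSH Version 2 Only: fail if protocol 1 is listed anywhere. An absent
    # keyword passes on our assumption of OpenSSH >= 7.4, which has no protocol 1.
    proto = settings.get("protocol")
    if proto is None:
        results.append(RuleResult("Support SSH Version 2 Only", True,
                                  "Protocol not set (assumed OpenSSH >= 7.4, v2 only)"))
    else:
        versions = [v.strip() for v in proto.split(",")]
        results.append(RuleResult("Support SSH Version 2 Only", "1" not in versions,
                                  f"Protocol {proto}"))

    # Disable Password Authentication Over SSH: sshd defaults to 'yes', so absent fails.
    pw = settings.get("passwordauthentication")
    results.append(RuleResult(
        "Disable Password Authentication Over SSH",
        pw is not None and pw.lower() == "no",
        f"PasswordAuthentication {pw}" if pw else "PasswordAuthentication not set (default yes)",
    ))
    return results


def audit_sshd_config(text: str) -> List[RuleResult]:
    """Parse and evaluate an sshd_config in one step."""
    return check_ssh_rules(parse_sshd_config(text))


def failed_rules(results: List[RuleResult]) -> List[str]:
    """Names of the rules that did not pass, in rule order."""
    return [r.rule for r in results if not r.passed]


if __name__ == "__main__":
    for r in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{'PASS' if r.passed else 'FAIL'}  {r.rule}: {r.detail}")
```

Run against the sample, all three rules fail: root login is allowed by the first PermitRootLogin line, protocol 1 is still listed, and password authentication is only disabled in a comment. Feed it the real file with `audit_sshd_config(open('/etc/ssh/sshd_config').read())` to get the same verdicts for a host.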

Runtime Behavior Analysis

This package analyzes the behavior of the instance while the assessment runs. Its rules are the following:

  • Insecure client protocols (login)
  • Insecure client protocols (general)
  • Unused listening TCP ports
  • Insecure server protocols
  • Software without DEP
  • Software without stack cookies
  • Root process with insecure permissions

How Does Amazon Inspector Work?

  • Amazon Inspector itself is an AWS service; what runs on your EC2 instances is its agent.
  • The instances must be tagged with information that identifies the application they belong to; Amazon Inspector uses these tags to define the assessment target.
  • The AWS agent is installed on every instance you wish to evaluate. The agent monitors and collects a wide range of configuration and behavior data (network, file system and process activity) and sends it to the Amazon Inspector service.
  • You define the assessment target (the tagged instances to monitor and evaluate) and an assessment template that selects the rule packages to evaluate and the duration of the run.
  • The assessment run is performed.
  • The results of the run can be viewed in the Amazon Inspector console.
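Once a run has finished, the findings can be pulled through the API as well as viewed in the console. The Python below is an added example, not code from this page or from AWS: it takes findings shaped like the DescribeFindings response (the sample findings, ARNs, instance IDs and rule package IDs are constructed placeholders), orders them by severity the way the console does, extracts any CVE identifiers from the titles so they can be looked up in NVD, and counts findings per instance. The fetch_findings helper shows the real boto3 calls (list_findings paged with nextToken, describe_findings in batches of 100) but is not invoked, so everything else runs offline.

```python
import re
from collections import Counter
from typing import Dict, List


def _finding(fid, agent, title, severity, score, package):
    """Build one constructed finding using the DescribeFindings field names."""
    return {
        "arn": f"arn:aws:inspector:us-east-1:123456789012:target/0-EXAMPLE/template/0-EXAMPLE/run/0-EXAMPLE/finding/{fid}",
        "title": title,
        "description": "",
        "severity": severity,
        "numericSeverity": score,
        "assetAttributes": {"agentId": agent, "hostname": f"{agent}.example.internal"},
        "serviceAttributes": {"rulesPackageArn": f"arn:aws:inspector:us-east-1:123456789012:rulespackage/{package}"},
    }


# Constructed sample findings (placeholders, not real resources or real results).
SAMPLE_FINDINGS = [
    _finding("0-f1", "i-0aaa", "Instance i-0aaa is vulnerable to CVE-2017-1000366", "High", 9.0, "0-CVE"),
    _finding("0-f2", "i-0bbb", "Instance i-0bbb is vulnerable to CVE-2009-0021", "High", 8.5, "0-CVE"),
    _finding("0-f3", "i-0aaa", "Password authentication over SSH is enabled on instance i-0aaa", "Medium", 5.0, "0-SBP"),
    _finding("0-f4", "i-0bbb", "Instance i-0bbb has unused listening TCP ports", "Low", 3.0, "0-RBA"),
    _finding("0-f5", "i-0aaa", "Amazon Inspector agent on instance i-0aaa is up to date", "Informational", 0.0, "0-SBP"),
]

# Severity values the Inspector Classic API emits, in triage order (worst first).
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Undefined": 4}
_CVE_ID = re.compile(r"CVE-\d{4}-\d{4,7}")


def extract_cve_ids(finding: dict) -> List[str]:
    """Pull CVE identifiers out of a finding's title and description, deduplicated."""
    text = f"{finding.get('title', '')} {finding.get('description', '')}"
    return sorted(set(_CVE_ID.findall(text)))


def nvd_url(cve_id: str) -> str:
    """Lookup URL for a CVE identifier in the National Vulnerability Database."""
    return f"https://nvd.nist.gov/vuln/detail/{cve_id}"


def triage(findings: List[dict]) -> List[dict]:
    """Flatten findings for review, ordered by severity band, then numeric score."""
    rows = []
    for f in findings:
        rows.append({
            "severity": f.get("severity", "Undefined"),
            "score": float(f.get("numericSeverity", 0.0)),
            "instance": f.get("assetAttributes", {}).get("agentId", "unknown"),
            "package": f.get("serviceAttributes", {}).get("rulesPackageArn", "").rsplit("/", 1)[-1],
            "title": f.get("title", ""),
            "cves": extract_cve_ids(f),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 9), -r["score"], r["instance"]))
    return rows


def summarize_by_instance(findings: List[dict]) -> Dict[str, Counter]:
    """Count findings per instance and severity; an absent severity reads as 0."""
    summary: Dict[str, Counter] = {}
    for row in triage(findings):
        summary.setdefault(row["instance"], Counter())[row["severity"]] += 1
    return summary


def fetch_findings(assessment_run_arn: str, region_name: str) -> List[dict]:
    """Pull every finding of one assessment run from the live Inspector Classic API.

    Not called in this example. ListFindings is paged with nextToken, and
    DescribeFindings resolves the ARNs 100 at a time, its documented maximum.
    """
    import boto3  # imported lazily so the offline parts above need no AWS SDK
    client = boto3.client("inspector", region_name=region_name)
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [assessment_run_arn], "maxResults": 100}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 100):
        findings.extend(client.describe_findings(findingArns=arns[i:i + 100])["findings"])
    return findings


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        links = " ".join(nvd_url(c) for c in row["cves"])
        print(f"{row['severity']:<13} {row['score']:>4}  {row['instance']}  {row['title']}  {links}")
    for instance, counts in summarize_by_instance(SAMPLE_FINDINGS).items():
        print(instance, dict(counts))
```

The per-instance counts are what you would hand to an owner to prioritize patching, and the NVD links save the manual lookup the CVE section above describes. Swap `SAMPLE_FINDINGS` for `fetch_findings(run_arn, region)` to run the same triage on a real assessment run.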


Image: Findings displayed in the Amazon Inspector console after the agent has analyzed the instance.


Using the Amazon Inspector service saves companies money compared with hiring personnel to carry out the analysis, implementation and ongoing monitoring of security in an IT infrastructure. When we say that Amazon Inspector performs this work automatically, we mean that the selected rule packages are run against the instances and produce assessments in accordance with recommended security best practices. This helps keep the applications in production, which are a great support tool for business processes, operating securely.