Amazon Inspector offers automated vulnerability detection, scanning AWS workloads and recommending remediation, ensuring enhanced security without constant supervision.
| Product | Mindshare (%) |
|---|---|
| Amazon Inspector | 1.2% |
| Wiz | 4.5% |
| Qualys VMDR | 3.9% |
| Other | 90.4% |
| Type | Title | Date | |
|---|---|---|---|
| Category | Vulnerability Management | Jun 23, 2026 | Download |
| Product | Reviews, tips, and advice from real users | Jun 23, 2026 | Download |
| Comparison | Amazon Inspector vs Wiz | Jun 23, 2026 | Download |
| Comparison | Amazon Inspector vs Tenable Nessus | Jun 23, 2026 | Download |
| Comparison | Amazon Inspector vs Qualys VMDR | Jun 23, 2026 | Download |
| Title | Rating | Mindshare | Recommending | |
|---|---|---|---|---|
| Wiz | 4.4 | 4.5% | 97% | 48 interviewsAdd to research |
| SentinelOne Singularity Cloud Security | 4.4 | 2.5% | 99% | 129 interviewsAdd to research |
| Company Size | Count |
|---|---|
| Small Business | 2 |
| Midsize Enterprise | 2 |
| Large Enterprise | 5 |
| Company Size | Count |
|---|---|
| Small Business | 133 |
| Midsize Enterprise | 67 |
| Large Enterprise | 254 |
Amazon Inspector provides advanced automated vulnerability assessments, specifically designed for AWS environments. It scans EC2 instances, ECR, and container images for vulnerabilities, ranking them by priority. With capabilities like integration with CloudTrail and CloudWatch, adherence to compliance benchmarks, and a comprehensive view for diverse resources, it supports continuous detection and detailed reporting. Users can schedule regular scans, maintaining strong security oversight. Current feedback highlights a need for improved scanning of EBS, S3, and EFS, as well as expanded databases and better patch integration.
What features make Amazon Inspector stand out?Amazon Inspector is utilized across industries, including finance, healthcare, and tech, assisting with robust security management in cloud-native environments. By integrating with services like Security Hub and SIEM, businesses maintain compliance and streamline alert management. This solution supports broader security frameworks, often paired with third-party tools to enhance protection strategies.
| Author info | Rating | Review Summary |
|---|---|---|
| AWS DevOps SRE/Infrastructure Engineer at Capgemini | 4.5 | I've used Amazon Inspector for three years to identify security vulnerabilities across EC2 and Docker images, improving compliance. It’s effective, though automating remediation is essential for scale. I rate it 9 out of 10. |
| Principal Security Architect at Nagarro | 3.5 | I've used Amazon Inspector for 6-7 years mainly for AWS-native applications; it's well-integrated with CloudTrail and CloudWatch, but lacks hybrid support and has high false positives, so I’d rate it a six out of ten. |
| Co-Founder, Professional AWS Cloud Architect at a tech services company with 1-10 employees | 4.5 | I use Amazon Inspector for automated vulnerability assessments, which continuously scans resources for vulnerabilities. While it's beneficial for identifying security issues, I'd like more flexibility in custom checks and better reporting features to handle large datasets effectively. |
| DevOps Engineer at Vitrana | 4.5 | I use Amazon Inspector to automate vulnerability scanning for EC2 instances, typically running reports weekly or monthly. It integrates with Security Hub, providing comprehensive dashboards, though improvements are needed in AWS service interdependencies and storage options. |
| MS AWS expert at Bespin Global | 4.5 | I use Amazon Inspector on AWS for vulnerability assessments, appreciating its categorization of findings by instance, container image, repository, and Lambda function. However, improving automation and better integration with CloudWatch for alarms could enhance its functionality. |
| Lead Solution Advisor (Cyber Security) at Deloitte | 3.0 | I primarily use Amazon Inspector for automated vulnerability detection, continually scanning AWS workloads. While it excels in this area, its limited scope and dependency on agents, coupled with the absence of real-time protection, are significant drawbacks. |
| Director Of Engineering at E Source Companies LLC | 4.0 | I use this AWS ECR solution for automatic, hourly container vulnerability scanning, valuing its discovery and ranking capabilities. It enhances my DevSecOps and SOC 2 compliance effectively, proving solid and scalable. While I'd prefer on-demand scanning, I rate it an 8/10 for meeting my needs. |
| Information Security Engineer at a financial services firm with 10,001+ employees | 3.5 | We use Amazon Inspector for vulnerability management within AWS, appreciating its consolidated view of vulnerabilities across resources. However, we find its coverage limited compared to third-party tools and rely on Security Hub for comprehensive compliance and auto-remediation features. |
| Developer at a sports company with 501-1,000 employees | 5.0 | Amazon Inspector effectively pulls all vulnerability details into our environment, with its vulnerability scan and CIS benchmark support being particularly valuable. However, easier integration with Amazon's patching services for remediation would significantly enhance its utility. |
I am still currently working with the Amazon Inspector solution, but not directly right now as I'm working on other things on AWS. It's based on the business requirements and what it currently needs to be implemented.
My experience with Amazon Inspector is actually recent, as I worked with it hands-on six months ago, and I was using it alongside the Security Hub, which is a part of AWS.
The assessment reports provided by Amazon Inspector have helped me in identifying security vulnerabilities in my cloud applications by giving us a nicely designed dashboard that provides all the security information we need to work on remediation. This is a valuable service from AWS.
Regarding the compliance aspect, Amazon Inspector's automated security assessments have improved the organization's compliance with industry security benchmarks. It undeniably improves compliance requirements and the CIS score by avoiding many security concerns that could lead to higher failures in the future, which is really important.
For Amazon Inspector, we have many EC2 or virtual machines deployed inside our AWS environment, and the problem is that the existing package deployed inside this EC2 instance has already outdated packages. As we progress with time, this package needs to be updated for security enhancement, which requires us to uninstall the package, install the new version, and then we should be fine. However, the challenge comes with how to scan all our EC2 instances for security vulnerabilities, which is currently managed by Amazon Inspector. Amazon Inspector can scan EC2 instances or ECR, which is the ECR registry where we can save artifacts Docker images. Amazon Inspector can also scan Docker images uploaded to ECR for Elastic Registry service, and it can scan databases and S3 based on the latest updates. I noticed this from a couple of months ago, and it provides huge benefits for security.
Regarding the best features of Amazon Inspector, it gives us a list of all existing outdated packages as part of a deployed package on EC2 instances or specific Python packages that are part of the Docker file and the Docker image itself, which are causing security concerns. Amazon Inspector can list these security concerns and offer guidance on how we can remediate it by updating the package to a specific upper version or something similar.
I would like to see improvements in Amazon Inspector, specifically the support for scanning attached EBS storage for existing malware or viruses, and I hope that they can include support for S3 and EFS. I think it would be beneficial, but I need to review this information since I'm not sure if this has already been deployed or if I'm updated on it.
I have been working with Amazon Inspector for around three years.
The most challenging aspect I faced with Amazon Inspector during integration was automating the remediation process. Amazon Inspector gives us a nice list of all existing vulnerabilities needing our attention, and while we can connect to an existing EC2 instance suffering from security vulnerabilities reported by Inspector, we can't manage that for 1,000 EC2 instances without wasting time. Thus, we need to automate the process from end to end to avoid wasting the DevOps team's time. AWS published a helpful article about this issue, clarifying steps on how we could integrate Amazon Inspector with the Security Hub, and a CloudFormation template already exists for deployment using Terraform, with the ability to run everything using Python. What I did was look at this AWS article and work on converting the manual process into an automated one using Python.
I rely on some specific metrics or data points during the evaluation process, including other tools such as SonarQube, which is a third-party tool that we can integrate with our CI/CD pipeline to scan deployed packages before pushing them to Docker images. However, SonarQube does not support scanning for EC2 instances. There may be other tools that can perform that function, but I'm not sure. I know that SonarQube provides benefits for scanning Docker images, which is also supported by Amazon Inspector for security scanning.
I advise other users looking into implementing Amazon Inspector to avoid just enabling it and looking at the nice list of security vulnerabilities. They would need to implement an automation solution to remediate the actual security vulnerabilities. Without this automation, Amazon Inspector only looks a nice dashboard providing a lot of information regarding security concerns that can't be resolved until action is taken, such as implementing a remediation solution. It should be automated, especially since you might have 1,000 EC2 instances, each with different security vulnerabilities or outdated packages that need remediation. Thus, implementing this process only once using infrastructure as code, perhaps with Python what I did, is worth it; this allows you to monitor the results and only intervene if necessary.
On a scale of 1-10, I rate Amazon Inspector a 9.
I mostly use Amazon Inspector for vulnerability scanning on AWS native applications. For hybrid applications, we have different security scanners.
I assess that the integration part with CloudTrail and CloudWatch is good for application monitoring. CloudTrail basically creates the trail. CloudWatch is mostly for native application monitoring, but it's not something we can use as a centralized monitoring tool. It's not a tool that can be used as a security incident event management SIEM solution. It's a monitoring tool for native applications.
They might launch support for third-party environments in the next version regarding the best features in Amazon Inspector from my perspective.
The false positive rate of Amazon Inspector is a little high, and it is not covering all different applications and scanning. It mostly covers specific native applications, and I think as per my understanding, it doesn't cover third-party environments or hybrid environments.
I have been working with Amazon Inspector for approximately six to seven years.
My experience with AWS technical support is very good. I didn't face any specific challenges, and even the documentation of AWS is good for both Microsoft, which is Azure, and AWS.
Positive
The setup of Amazon Inspector is straightforward. It's not a very simple implementation.
I am not honestly sure about the pricing side of Amazon Inspector, but that is taken care of by a separate team. I believe it's cheaper than the other third-party solutions.
My advice is that Amazon Inspector is a good tool for covering the cloud environment, but if organizations want to go with a hybrid environment, there are other solutions that are much better than Inspector.
On a scale from one to ten, I rate this solution a six.
I can access Amazon Inspector from my own account. Even though I have this delegated admin security account that gathers from all member accounts, if I go into my account, I just see my findings there. I do it the same way in the security account, but from my own account. This would be the same for small and medium-sized enterprises as well, since they would typically just have a few accounts, and they can go into the accounts and see their findings directly.
The most valuable features probably are the ability to do automated vulnerability assessments, which it does with Amazon Inspector version two. It operates continuously, so as soon as resources are created, it scans them for vulnerabilities. This allows me to pinpoint potential security vulnerabilities and provide actionable recommendations relatively quickly. Larger enterprises usually use Inspector to gather all the vulnerabilities, the CVEs, across all accounts in an AWS organization.
The enterprises I work for typically have many accounts in their organization, such as thousands of accounts where I am at the moment. It is a way to gather the vulnerabilities that are present on EC2 instances, container images, and Lambda functions.
It has automated vulnerability assessment, yet I seek more flexibility in defining custom vulnerability checks tailored to my needs, which is more difficult. The other point is that the reporting features of Inspector need improvement. For example, I am in an organization with millions of CVEs, and getting an overview of all this is challenging. There are export features, however, they are at a very basic level, resulting in files that are very large and hard to manage. Better dashboarding or reporting features would significantly enhance the product.
I have used the solution for about ten years now since the very beginning, as a consultant.
Especially if it's a critical vulnerability that's found, where a bad actor can come in and take over a machine or something like that, the continuous scanning it does, introduced in Inspector version two, is really important. This ensures that operations teams can find and manage these alerts quickly and handle them while they close down the instance or perform necessary patches.
I would rate scalability a ten out of ten as it runs on AWS, which is built for scalability. The only issue with scalability is that having a lot of CVEs can affect the reporting feature.
However, the scalability of the solution itself is unparalleled. I have worked in some very large infrastructures, and it hasn't been a problem. Some customers, when they exceed 500 or 600 accounts, require scalability more critically. It is usually a decentralized setup, funneling findings to the people responsible for accounts. Again, when discussing scalability, Inspector consistently performs well, often outperforming Microsoft Defender and other tools.
I would probably rate support a seven or eight out of ten. I have had some experience with managing vulnerabilities, and the support itself was good. There were some issues because the body responsible for creating these CVEs had a backlog in the US, and when they managed it, many new CVEs came out quickly. Amazon found them swiftly, yet notifying users in advance about the increased number of CVEs would have been helpful. Overall, it's working well.
Neutral
It's easy to set up. You enable it on your organization, and you can define a delegated administrator, which is what we do with most organizations. We create a specific security account where all the data from the thousands of accounts can go into. That's the setup process. It's very straightforward; you just enable that when creating your organization.
The good thing about the pricing is that it's calculated per use, so it's quite good. I would give it a six out of ten. It is a little more expensive than some other options, but for what you get, you can scale with the amount of usage.
It varies greatly, as it depends on the number of accounts. The lowest cost would be around $10 for a few small accounts, however, for thousands of accounts, it could be around $5000 to $6000 dollars per month.
There is so much to consider. I had an issue recently with a critical vulnerability in a program called OrSync, and I needed to determine how many EC2 instances were affected. I could quickly provide the security operation center with a list of the EC2 instances, their accounts, and who was responsible for them, enabling responsible parties to patch the vulnerabilities.
New vulnerabilities emerge constantly. There is a dashboard in Inspector listing critical vulnerabilities found across the estate. I have used it to educate users, emphasizing the need to monitor this dashboard for their accounts seriously.
We have set up SLAs specifying how long critical, high, and medium CVEs should be present. For critical resources, immediate action is required. It's automatically integrated when enabled in the organization, and any new account added is scanned by Inspector, so it is very easy and almost automatic.
The overall product rating is nine out of ten.
I use Amazon Inspector for scanning EC2 instances. I typically run it weekly or monthly, based on the environment, to get reports on vulnerabilities. In addition, I integrate it with EC2 and ECR services.
With Amazon Inspector, I can automate vulnerability management. When enabled with Security Hub, it also provides a comprehensive dashboard. The service detects software vulnerabilities and provides solutions to address them. After scheduling scans, it gives detailed reports that help prioritize issues. This automation means I don't need constant manual supervision.
There are challenges associated with the interdependencies in AWS services, like requiring an Active Directory for other services, resulting in additional charges. Also, there is no option to buy reserved capacity for EBS volumes, which would be helpful. Support for storing snapshots in S3 could also improve.
I have been using Amazon Inspector for almost one and a half years.
Amazon Inspector is very stable. I have not encountered any issues related to its stability.
I am using Amazon Inspector with less than twenty instances for production and validation, and it is working fine for me. However, I haven't had the experience of scaling it up to a larger number of instances.
I would rate the technical support team six to seven because they are sometimes available and sometimes not.
Neutral
Setting up Amazon Inspector requires knowledge of IAM policies, roles, and EC2 instances. Following AWS blogs aids in setup, and someone familiar with AWS services can do it easily.
I manage pricing and purchase reserved instances, yet face challenges due to dependencies and lack of options for reserved capacity for EBS volumes. Some services create extensive costs upon launch.
There are many third-party tools in the market, but they do not match Amazon Inspector's performance. With Amazon Inspector, I can automate processes.
I recommend Amazon Inspector because it allows the automation of processes and requires less manual monitoring. Overall, I rate Amazon Inspector nine on a scale of one to ten.
Amazon Inspector is used for vulnerability assessment and provides detailed reports for infrastructure security. It's primarily used for vulnerability assessments and scans multiple types of resources, providing a report with findings and CVEs.
Amazon Inspector impacts operations primarily from a security perspective, assisting with vulnerability management and improving the security score for the organization.
The most valuable feature of Amazon Inspector is the categorization of findings, which filters vulnerabilities by instance, container image, container repository, and Lambda function. It's also significant that the service scans container repositories.
One area for improvement in Amazon Inspector is the automation aspect. Automation for scheduling 'turn on' and 'turn off' operations and better integration with CloudWatch for alarms could enhance the service's functionality.
I have been working with Amazon Inspector for not less than four years.
Amazon Inspector is highly stable, rated ten out of ten, and this stability impacts business security and administration positively.
Scalability is not an issue with Amazon Inspector as it is scalable to the maximum, covering any business scale effectively. It’s rated ten out of ten for scalability.
I have not needed to use AWS support for Inspector, which indicates that the service is almost perfect. The support quality is assumed to be excellent.
Positive
The initial setup of Amazon Inspector is very easy, and I would rate this process as a nine out of ten.
The pricing for Amazon Inspector is very fair, and I would rate it as two out of ten, with ten being the most expensive. It's on the cheaper side.
The advice for new users is to purchase Amazon Inspector, implement it, keep it running, and review it at least once a month, especially if they have infrastructure as a service or platform as a service in use.
I'd rate the solution nine out of ten.
Initially, we used it for client performance for four months; we completed the automation.
It's primarily used for automated vulnerability detection. It continuously scans your AWS workloads for software vulnerabilities, helping us maintain an overall security posture. Think of it as an automated vulnerability management service for our cloud environment.
The automated vulnerability detection aspect is most valuable. It continuously scans AWS workloads for software vulnerabilities and unintended network exposure.
It has a limited scope. So, AWS Inspector primarily focuses on the security of the EC2 instance. So, if your architecture includes other AWS services, then you may need to use additional tools for your comprehensive security assessment. So that is one con. Another is, like, we have a dependency on agents.
So other is dependency on agents, like, Inspector relies on agents installed on instances for deeper assessment. So managing these agents can be additional overhead. So these kinds of things.
It does not even provide real-time protection. So, Inspector provides point-in-time assessment rather than continuous monitoring. So these are all cons.
When it comes to false positives, it is there for most security tools as of now. I would not consider false positives a major concern.
So, these are the major concerns that I found: dependency on agents, limited scope, and no real-time protection.
I have been using it for a year.
It is a stable product. Our organization has an alliance with AWS. If we get stuck somewhere, we get good support from AWS.
In my company, I actually did a client POC for the client. But that was the POC for the Amazon subsidiary company. So, that was for an Amazon subsidiary only. They had a very large production.
We are happy with the support.
I have experience with Cybersixgill as well.
The initial setup is easy. It depends on the initial environment you're using.
It's priced according to market standards for its services.
I would recommend to go for a third-party tool. Not unless you have restrictions on using only native services.
The main thing is, with a single third-party tool, we get even threat assessment, runtime assessment, and vulnerability assessment, which Amazon Inspector only provides with GuardDuty on top.
So, it's an all-in-one package in a third-party tool. In AWS, you need to leverage multiple services like GuardDuty for threat detection, which makes the whole thing cumbersome. That's why I suggest looking at third-party options.
Even in the future, if we're shifting from AWS to SDR, for example, we can stick with those third-party services because the knowledge gained would apply to other clouds as well. So, in most cases, I'd recommend considering third-party tools.
Overall, I would rate the solution a six out of ten.
The use case is that any deployable container we have in our infrastructure should get scanned for vulnerabilities.
It is on a public cloud, and as soon as the containers get deployed to ECR, it automatically scans for vulnerability. It scans every hour on the hour.
Its version is out of the box with Amazon.
It is scanning the whole repository for any sort of vulnerabilities. So, it allows us to be more confident in our DevSecOps and not put a lot of folks or attention to it. We can trust the solution.
Before anything gets out to deployment, we have to be SOC 2 compliant. It gives us the ability to pretty much approach and implement a solution before anything gets out to our staging or production environment. We check in our code very frequently, and we're able to discover and get rid of any vulnerabilities before they make it to our cloud platform.
The vulnerability discovery is valuable, and they also rank those vulnerabilities for you. So, you could rapidly attack some of the higher, severe vulnerabilities as they pop up, if they do pop up.
There isn't too much to improve right now. Scanning on demand or as a part of the pipeline versus a post pipeline solution would be good, but it is not a deal breaker by any means.
Other than that, it is really about them just keeping up the pace with all the vulnerabilities out there. The vulnerability databases are growing on a daily basis. So, just making sure that they are on top of that is the key thing that I'm looking for.
I have been using this solution for about a year and a half.
It is solid.
It is solid in terms of scalability. We have a microservice shop where we're deploying dozens and dozens of solutions a day, and it scans it every hour on the hour and provides us continuous feedback.
Everybody on the engineering development team is using it. There are 10 to 12 folks. We have a DevOps mindset, and we continuously monitor this. We're all responsible for any vulnerabilities that come up. Obviously, there are subject matter experts, but we try to continuously learn and cross-pollinate to address these things as they come up.
It is used for all our Amazon ECR pipelines. It'll be used more because we are pivoting from using JFrog to Amazon more regularly. So, it would be a standard part of our practice going forward.
It is decent. If you pay for it, it is great. They'll get back to you with common questions and based on your tier of support level, but you can jack it up if you want instantaneous support.
We used JFrog and JFrog Xray as part of our solution. We switched for data locality. We're pretty much an Amazon shop now. We're trying to limit all the third-party solutions that we're utilizing.
It involves a couple of clicks. Amazon really helps out with it. We just have to use ECR and enable it.
We have continuous deployment for staging and push-button deployment for our production clusters.
It was all done in-house. It requires minimal staff for deployment and maintenance purposes. Some of the setups to automate your pipelines and provide you with continuous monitoring and continuous feedback is a little bit of effort, but once you have everything set up, the effort is very minimal.
I don't have anything available on that at this time. We do know the time we spent, and it is just minimal time. We don't have to dedicate full security folks to this. It is just a part of our pipeline. So, it is very hard to get that chunk out of day-to-day activities.
It is scaled as you go. There are probably a certain number of scans per month, and there are tiers. If you're under a certain tier, it is free. The second level is pennies, and then all the way up to like a million. So, it has a tiered pricing program. They're pretty good with your initial scanning, and there is room to scale based on being affordable, but it is fairly cheap.
There are no additional costs. They pretty much think about it as a pay-per-scan type model.
We didn’t really evaluate other options. We just needed to make sure that we had a handle on vulnerabilities.
Security is very critical to maintain. If you don't have a dedicated security team, it allows you to be more productive and confident in your solutions at scale, without having a dedicated team scanning and focusing on security.
I would rate it an eight out of ten. It does its job in what we're looking for. Any software or any product always has room to improve. That's the only reason why I'm not giving it a ten.
We use AWS services for a variety of clients, including banking and healthcare. We leverage GuardDuty for continuous threat detection, Inspector for vulnerability management, and Security Hub for CSPM (Cloud Security Posture Management).
For compliance, we primarily use Security Hub for our CSPM needs. Currently, both Inspector and GuardDuty are integrated with our SIEM tool, Sumo Logic.
Any logs or data relevant to compliance are ingested into Sumo Logic. From there, we've configured alerts to be sent via email or Jira tickets.
We don't rely completely on Inspector for vulnerability identification. It's partially used, as we find third-party security tools to be more mature for that specific purpose.
The integration of Amazon Inspector with other AWS services has enhanced our security.
Security Hub is a major asset because it allows us to centralize data from various AWS services. We can integrate third-party tools as well. It is just a single-click option.
If you're using AWS Organizations, it simplifies the process by allowing you to send logs from multiple accounts to a single designated AWS account. You can then monitor everything using a centralized dashboard within that account. This seamless integration of Inspector, GuardDuty, and other security services definitely improves our overall security posture.
I appreciate that Inspector presents vulnerabilities across different resources, like containers and servers, in a single consolidated view.
The most effective for automated security assessment is Security Hub. It encompasses multiple compliance standards – HIPAA, PCI, and CIS AWS Foundations Benchmark.
One drawback is that we can't define custom compliance rules. So, we lean on Security Hub for both compliance management and, in some cases, it offers auto-remediation for certain controls.
There is room for improvement in the scanning capabilities. I'd like to see broader coverage in terms of the vulnerabilities detected. Right now, it's not as comprehensive as some of the third-party tools we use.
I have been using it for more than four years.
I never had an issue with stability. I would rate the stability a ten out of ten.
I would rate the scalability a seven out of ten. Inspector's scalability is primarily determined by the resources available in your AWS environment.
It is mainly utilized by development and security teams. We preferred tools like Qualys for more robust vulnerability management.
We wouldn't give the development team full console access to Inspector. The security team would generally manage it, generate reports, and share those with the development team.
The customer service and support depend on the account. Whatever you have subscribed for. For example, if you have a premium account, the turn-around time will be quick.
But even for a non-premium user, we got good support.
Positive
The setup itself is very easy. It's essentially a one-click process at the account level. Anyone can do it.
But the deployment time depends on your use case. For a single account, it's a matter of minutes. If you're managing multiple accounts and want centralized visibility, there's an additional setup to send data to a single, designated AWS account.
Overall, I would rate the solution a seven out of ten. I would recommend it, but that depends on the size of the account, their specific use cases, and overall requirements.
Amazon Inspector is configured by a team member to pull all vulnerability details into our environment, allowing us to access all the vulnerability findings.
We're in the initial phase and don't have any regulatory obligations yet. We're still building up the environment. However, we can run the CIS Benchmark scan across the entire environment.
Security best practices were another reason I looked into Inspector, as it also performs CIS compliance for configuration. We're just getting started with the compliance aspect.
Amazon Inspector simplifies our vulnerability assessment process. It is one key feature I was looking for. Amazon Inspector supports the CIS Benchmarks. We had a homegrown tool to do that earlier, and now we are looking forward to using Amazon Inspector for it.
So, the automated scanning feature has positively impacted our security posture.
It offers capabilities around compliance and vulnerability management for EC2 instances, including OS compliance checks and vulnerabilities within EC2 OS images.
The findings dashboards are neat and easy to understand, offering clear demarcations for different types of findings and detailed insights into specific vulnerabilities and their associated instances. It is not a place where everything is dumped together. It is easy to understand the layout. It very precisely does what it talks about. When a vulnerability is identified, it tells me which instance has it and what operating system image it's using. This helps me correlate and understand, "Okay, this vulnerability is likely due to the OS I'm running. Maybe switching to a more secure option will help remediate these issues."
Overall, the dashboards effectively convey what they're designed to do. They tell you about vulnerabilities within your runtime environment, whether it's containers, EC2 instances, or even Lambdas (though I don't have experience with those). For EC2 instances, that's how we primarily use it.
The vulnerability scan feature is crucial for identifying vulnerabilities on my EC2 instances. Additionally, Amazon Inspector supports the CIS benchmark, which is a significant advantage.
One major area for improvement is remediation. My team works on remediating findings over time, likely using available patches. However, easier integration with Amazon's patching services would be very helpful. I'm sure there's a way to automate patching within the platform. While patching capabilities might exist, directly from Inspector, as a user, I don't have upfront information on how to remediate findings.
However, suppression rules are a valuable feature. They allow me to suppress false positives and exceptions. That aspect is handled very well. The next step would be a clear path to addressing identified findings.
We have been using Amazon Inspector for almost six months.
It's stable. I haven't experienced any downtime; the service is always available.
It is scalable.
The customer service and support are very good, overall.
Positive
I would rate my experience with the initial setup a ten out of ten, with ten being easy to deploy.
It's incredibly easy. There's practically one button. You just enable Amazon Inspector, and that's it.
It's very easy to maintain. There's no operational overhead. It's a limited service from Amazon, so the experience is similar to using other native Amazon services. They do a great job of keeping the user experience consistent across all services. It's a very smooth experience.
The pricing is very transparent and clear, so I don't have any challenges with it. It's good.
Just try it once and find your path forward because it's very easy to set up. If you're just starting, the native tools are the best way to start. Only when there are some advanced use cases should you look for anything beyond AWS.
So, if you're already starting something in AWS, it's best to get started with the native tools.
Overall, I would rate the solution a ten out of ten.
