Summary of Amazon Inspector updates announced at re:Invent 2023

In this article, I will introduce the Amazon Inspector updates announced at re:Invent 2023.

Published Jan 27, 2024
At AWS re:Invent 2023, many updates to AWS security services were announced.
Here I will go through the ones for Amazon Inspector.

Generative AI now provides code modification support based on scan results.
Code scanning for Lambda became generally available at re:Inforce 2023, but at that time only abstract fix suggestions were provided.
With this update, more specific code fix suggestions and downloadable patch files can be obtained.
Let's try it with the "Path traversal" detector from the Amazon CodeGuru Detector Library.
Prepare a Lambda function that contains the pattern this detector flags.
After a while, Inspector detects the issue in the Lambda function.
In the finding's detail screen, a concrete code fix is proposed and a patch file can be downloaded.
Since you can easily scan Lambda code and get suggested fixes and patch files, I think it will be easier to focus on secure code development.
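To make the experiment concrete, here is an added example (not code from the article or from AWS) of the kind of Lambda function you would prepare: `read_file_vulnerable` shows the path traversal pattern the CodeGuru detector flags, and `read_file_fixed` shows the hardened shape a fix should take. The storage root `/srv/uploads`, the `filename` event key and the handler name are assumptions made for this example.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed storage root for this example (constructed; not from the article).
BASE_DIR = "/srv/uploads"


def read_file_vulnerable(filename: str) -> str:
    """The pattern the CodeGuru "Path traversal" detector flags: a user-controlled
    name is joined to the base directory with no check that the result stays
    inside it, so a name containing "../" segments reads outside BASE_DIR."""
    path = os.path.join(BASE_DIR, filename)
    with open(path, encoding="utf-8") as f:
        return f.read()


def resolve_inside(base_dir: str, filename: str) -> Optional[Path]:
    """Return the resolved path if base_dir/filename is a strict descendant of
    base_dir, else None. Resolving collapses ".." segments and symlinks, and an
    absolute filename replaces the base entirely, which is rejected too."""
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()
    return candidate if base in candidate.parents else None


def is_inside(base_dir: str, filename: str) -> bool:
    """Boolean convenience wrapper around resolve_inside."""
    return resolve_inside(base_dir, filename) is not None


def read_file_fixed(filename: str) -> str:
    """Hardened version: reject any name that escapes BASE_DIR before opening,
    and open the resolved path rather than re-joining the raw name."""
    path = resolve_inside(BASE_DIR, filename)
    if path is None:
        raise ValueError("filename escapes the allowed directory")
    with open(path, encoding="utf-8") as f:
        return f.read()


def lambda_handler(event, context):
    """Hypothetical Lambda entry point: `filename` comes straight from the event,
    i.e. from the caller, so it must be treated as untrusted input."""
    try:
        body = read_file_fixed(event["filename"])
    except ValueError:
        return {"statusCode": 400, "body": "invalid filename"}
    except FileNotFoundError:
        return {"statusCode": 404, "body": "file not found"}
    return {"statusCode": 200, "body": body}
```

Deploying a function containing `read_file_vulnerable` is what produces the finding; the proposed fix should look like `read_file_fixed`, where the check happens on the resolved path and the handler maps a rejected name to a 400 instead of letting the exception surface.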

Amazon Inspector can now perform EC2 vulnerability assessment without installing an agent.
Previously, the AWS Systems Manager agent (SSM Agent) had to be installed, but Inspector can now automatically determine whether an agent is present and scan accordingly.
Agent-less scans run at 24-hour intervals.
This is accomplished by taking EBS snapshots of the instance's volumes and collecting the software inventory from them.
To configure it, press "Edit" under "Scan mode" in "EC2 scanning settings" on the console screen.
You can select either "Hybrid" or "Agent-based" mode.
"Agent-based" mode is the traditional scanning method: only EC2 instances with the agent installed are scanned.
"Hybrid" mode is the one in which agent-less scanning works: agent-based scans are performed if an agent is installed, and agent-less scans are performed if no agent is installed.
We understand that there may be cases where it is difficult to install an agent due to company rules or network configuration.
With this update, you can now manage vulnerabilities with Inspector even on instances without an agent.
However, since agent-less scans only run every 24 hours, it is better to install an agent whenever possible and then switch to "Hybrid" mode for real-time detection.

Amazon Inspector now integrates with developer tools to scan container images.
It supports Jenkins, TeamCity, and others, and works seamlessly with the tools developers already use.
There were two types of container image scans: ECR basic scanning and Inspector enhanced scanning.
While basic scanning could be integrated into the CI/CD pipeline, enhanced scanning was not supported there.
With this update, enhanced scanning can also be integrated into the CI/CD pipeline, providing security assurance at an earlier stage of development.
Being able to integrate Inspector with developers' familiar tools and into the CI/CD pipeline is a welcome update.
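Integrating a scan into a pipeline only helps if the pipeline decides something with the result. The following added example (not code from the article, the Inspector plugins, or AWS) shows a build gate that takes a scan's findings and fails the build above a chosen severity, optionally ignoring findings with no fix available. The findings JSON is a constructed sample: its field names are an assumption loosely modelled on Inspector package-vulnerability findings, and the CVE identifiers are placeholders.

```python
import json
import sys

# Severity levels Amazon Inspector assigns to findings, ranked highest first.
SEVERITY_RANK = {
    "CRITICAL": 4,
    "HIGH": 3,
    "MEDIUM": 2,
    "LOW": 1,
    "INFORMATIONAL": 0,
    "UNTRIAGED": 0,
}

# Constructed sample output: a trimmed-down, hypothetical findings list. Field
# names are an assumption for this example; CVE ids and versions are placeholders.
SAMPLE_FINDINGS_JSON = """
[
  {"vulnerabilityId": "CVE-PLACEHOLDER-1", "severity": "CRITICAL", "fixAvailable": "YES",
   "packageName": "libexample-a", "installedVersion": "1.0.0", "fixedVersion": "1.0.1"},
  {"vulnerabilityId": "CVE-PLACEHOLDER-2", "severity": "HIGH", "fixAvailable": "NO",
   "packageName": "libexample-b", "installedVersion": "2.3.0", "fixedVersion": null},
  {"vulnerabilityId": "CVE-PLACEHOLDER-3", "severity": "MEDIUM", "fixAvailable": "YES",
   "packageName": "libexample-c", "installedVersion": "0.9.0", "fixedVersion": "0.9.5"},
  {"vulnerabilityId": "CVE-PLACEHOLDER-4", "severity": "LOW", "fixAvailable": "PARTIAL",
   "packageName": "libexample-d", "installedVersion": "5.1.0", "fixedVersion": "5.2.0"}
]
"""


def parse_findings(raw_json):
    """Parse the findings document and drop entries with an unknown severity,
    so a malformed record cannot silently pass or fail the gate."""
    findings = json.loads(raw_json)
    return [f for f in findings if f.get("severity") in SEVERITY_RANK]


def blocking_findings(findings, fail_on="HIGH", ignore_unfixed=False):
    """Return the findings that should fail the build: severity at or above
    `fail_on`, optionally skipping those with no vendor fix available (keeps
    the pipeline actionable when nothing can be upgraded yet, at the cost of
    hiding those findings from the build log, so track them elsewhere)."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        if ignore_unfixed and f.get("fixAvailable") == "NO":
            continue
        blocking.append(f)
    return blocking


def gate(raw_json, fail_on="HIGH", ignore_unfixed=False):
    """Evaluate a findings document; return (passed, list of blocking ids)."""
    blocking = blocking_findings(parse_findings(raw_json), fail_on, ignore_unfixed)
    return len(blocking) == 0, [f["vulnerabilityId"] for f in blocking]


if __name__ == "__main__":
    # In a real pipeline step, read the scan result file instead of the sample.
    passed, ids = gate(SAMPLE_FINDINGS_JSON, fail_on="HIGH", ignore_unfixed=True)
    print("PASS" if passed else "FAIL: " + ", ".join(ids))
    sys.exit(0 if passed else 1)
```

The non-zero exit status is what makes the CI tool mark the stage as failed; pick `fail_on` per environment (for example CRITICAL for a first rollout, HIGH once the backlog is under control) so the gate blocks builds without stalling the team.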

There have been many updates to Inspector in 2023, and we have also seen features that integrate generative AI.
Not only security personnel but also developers can now easily manage vulnerabilities, and I believe the user experience will change dramatically in the future.
We will keep an eye on the future of Inspector and generative AI.