AWS Inspector Vulnerability Scanning Guide

Complete guide to continuous vulnerability assessment with AWS Inspector v2 including ECR, Lambda, and EC2 scanning with findings management.

Updated 2026-01-14

AWS Inspector is an automated vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure. This guide covers enabling Inspector, configuring scanning for EC2, ECR, and Lambda, and managing findings effectively.

This article is part of our comprehensive Cloud Security Tips for 2026 guide covering essential practices for protecting your cloud environment.

What Inspector Scans

Resource Type    | What's Scanned                            | Requirements
-----------------|-------------------------------------------|-------------------------------------------
EC2 Instances    | OS packages, application dependencies     | SSM Agent, managed instance
ECR Images       | Container packages, application libraries | Enhanced scanning enabled
Lambda Functions | Function code, layers, dependencies       | Supported runtimes (Java, Node.js, Python)

Enable AWS Inspector

Using AWS Console

  1. Open the Inspector Console
  2. Click Get started
  3. Select resource types to scan (EC2, ECR, Lambda)
  4. Click Enable Inspector

Using AWS CLI

# Enable Inspector for all resource types
aws inspector2 enable \
  --resource-types EC2 ECR LAMBDA

# Enable for specific account (delegated admin)
aws inspector2 enable \
  --account-ids 123456789012 \
  --resource-types EC2 ECR LAMBDA

# Check enabled status
aws inspector2 batch-get-account-status \
  --account-ids 123456789012

Multi-Account Setup with AWS Organizations

For organizations, designate a delegated administrator:

# From management account: Enable delegated admin
aws inspector2 enable-delegated-admin-account \
  --delegated-admin-account-id 111122223333

# From delegated admin: Enable for member accounts
aws inspector2 enable \
  --account-ids 444455556666 777788889999 \
  --resource-types EC2 ECR LAMBDA

# Auto-enable for new accounts
aws inspector2 update-organization-configuration \
  --auto-enable '{
    "ec2": true,
    "ecr": true,
    "lambda": true
  }'

# List member accounts and status
aws inspector2 list-members

EC2 Instance Scanning

Prerequisites

EC2 scanning requires instances to be managed by SSM:

# Verify instance is managed by SSM
aws ssm describe-instance-information \
  --query 'InstanceInformationList[*].[InstanceId,PingStatus,PlatformType]' \
  --output table

# Check instance coverage
aws inspector2 list-coverage \
  --filter-criteria '{
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}]
  }' \
  --query 'coveredResources[*].[resourceId,scanStatus.statusCode]' \
  --output table

Troubleshoot EC2 Scanning Issues

# Check why instance isn't being scanned
aws inspector2 list-coverage \
  --filter-criteria '{
    "scanStatusCode": [{"comparison": "EQUALS", "value": "INACTIVE"}]
  }'

# Common issues:
# - SSM Agent not installed or not running
# - Missing IAM instance profile
# - No network path to SSM endpoints
# - Unsupported OS version

ECR Container Scanning

Enable Enhanced Scanning

ECR has two scanning modes, basic and enhanced. Only enhanced scanning integrates with Inspector:

# Enable enhanced scanning for all repositories
aws ecr put-registry-scanning-configuration \
  --scan-type ENHANCED \
  --rules '[{
    "repositoryFilters": [{"filter": "*", "filterType": "WILDCARD"}],
    "scanFrequency": "CONTINUOUS_SCAN"
  }]'

# Enable for specific repository patterns
aws ecr put-registry-scanning-configuration \
  --scan-type ENHANCED \
  --rules '[
    {
      "repositoryFilters": [{"filter": "prod-*", "filterType": "WILDCARD"}],
      "scanFrequency": "CONTINUOUS_SCAN"
    },
    {
      "repositoryFilters": [{"filter": "dev-*", "filterType": "WILDCARD"}],
      "scanFrequency": "SCAN_ON_PUSH"
    }
  ]'

# Check scanning configuration
aws ecr get-registry-scanning-configuration

Scan Frequency Options

Option          | Behavior                           | Use Case
----------------|------------------------------------|-------------------
CONTINUOUS_SCAN | Re-scans when CVE database updates | Production images
SCAN_ON_PUSH    | Scans only when image is pushed    | Development images
MANUAL          | Only when explicitly triggered     | Archived images

Trigger Manual Scan

# Start scan for specific image
aws ecr start-image-scan \
  --repository-name my-app \
  --image-id imageDigest=sha256:abc123...

# Check scan status
aws ecr describe-image-scan-findings \
  --repository-name my-app \
  --image-id imageDigest=sha256:abc123...

Lambda Function Scanning

Inspector automatically scans Lambda functions with supported runtimes:

Runtime | Supported Versions
--------|-----------------------------------
Python  | 3.7, 3.8, 3.9, 3.10, 3.11, 3.12
Node.js | 14.x, 16.x, 18.x, 20.x
Java    | 8, 11, 17, 21
Go      | 1.x
Ruby    | 2.7, 3.2
.NET    | 6, 8

# Check Lambda coverage
aws inspector2 list-coverage \
  --filter-criteria '{
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_LAMBDA_FUNCTION"}]
  }' \
  --query 'coveredResources[*].[resourceId,scanStatus.statusCode]' \
  --output table

# View Lambda findings
aws inspector2 list-findings \
  --filter-criteria '{
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_LAMBDA_FUNCTION"}]
  }'

View and Manage Findings

List Findings

# Get all critical findings
aws inspector2 list-findings \
  --filter-criteria '{
    "severity": [{"comparison": "EQUALS", "value": "CRITICAL"}]
  }' \
  --sort-criteria '{
    "field": "SEVERITY",
    "sortOrder": "DESC"
  }'

# Get findings for specific resource
aws inspector2 list-findings \
  --filter-criteria '{
    "resourceId": [{"comparison": "EQUALS", "value": "i-1234567890abcdef0"}]
  }'

# Get findings by CVE
aws inspector2 list-findings \
  --filter-criteria '{
    "vulnerabilityId": [{"comparison": "EQUALS", "value": "CVE-2024-1234"}]
  }'

Finding Details

# Export findings to S3 (the response contains a reportId)
aws inspector2 create-findings-report \
  --report-format CSV \
  --s3-destination '{
    "bucketName": "inspector-findings-export",
    "keyPrefix": "reports/",
    "kmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abc123"
  }'

# Check the status of that export using the returned reportId
aws inspector2 get-findings-report-status \
  --report-id 

Suppress Findings

Create suppression rules for accepted risks:

# Suppress findings for test environments
aws inspector2 create-filter \
  --name "suppress-dev-findings" \
  --description "Suppress findings in development environment" \
  --action SUPPRESS \
  --filter-criteria '{
    "resourceTags": [{"comparison": "EQUALS", "key": "Environment", "value": "dev"}]
  }'

# Suppress specific CVE (with justification in description)
aws inspector2 create-filter \
  --name "suppress-cve-2024-1234" \
  --description "Mitigated by WAF rule - ticket SEC-456" \
  --action SUPPRESS \
  --filter-criteria '{
    "vulnerabilityId": [{"comparison": "EQUALS", "value": "CVE-2024-1234"}]
  }'

# List suppression rules
aws inspector2 list-filters

Integrate with Security Hub

Inspector automatically sends findings to Security Hub when both are enabled:

# Verify Security Hub integration
aws securityhub get-enabled-standards

# View Inspector findings in Security Hub
aws securityhub get-findings \
  --filters '{
    "ProductName": [{"Value": "Inspector", "Comparison": "EQUALS"}]
  }'

Set Up Finding Notifications

# Create SNS topic
aws sns create-topic --name inspector-findings

# Create EventBridge rule for critical findings
aws events put-rule \
  --name "InspectorCriticalFindings" \
  --event-pattern '{
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
      "severity": ["CRITICAL"]
    }
  }'

# Add SNS target
aws events put-targets \
  --rule InspectorCriticalFindings \
  --targets Id=1,Arn=arn:aws:sns:us-east-1:123456789012:inspector-findings

# SNS access policy
aws sns set-topic-attributes \
  --topic-arn arn:aws:sns:us-east-1:123456789012:inspector-findings \
  --attribute-name Policy \
  --attribute-value '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "events.amazonaws.com"},
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789012:inspector-findings"
    }]
  }'
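The EventBridge rule above forwards only events whose `detail.severity` equals `CRITICAL`; everything else from `aws.inspector2` is dropped before it reaches SNS. The following is an added example, not part of the original guide and not an AWS library: a minimal matcher for the subset of the EventBridge pattern language that rule uses (nested objects, and arrays meaning "equals any of these literals"), so the pattern can be checked offline against sample events before it is deployed. The sample events are constructed to mirror the shape of `Inspector2 Finding` events; the ARNs and ids in them are placeholders.

```python
"""Minimal EventBridge event-pattern matcher for Inspector finding events.

Added example, not part of the original guide and not an AWS library. It
implements only the exact-match subset of the EventBridge pattern language
used by the rule above. Sample events are constructed; ARNs/ids are
placeholders.
"""

# The rule's event pattern, as passed to `aws events put-rule` above.
CRITICAL_RULE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["CRITICAL"]},
}

# A broader variant that also forwards HIGH findings (array entries are ORed).
CRITICAL_OR_HIGH_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["CRITICAL", "HIGH"]},
}


def matches_pattern(event, pattern):
    """Exact-match EventBridge semantics (the subset used here).

    Every key in the pattern must exist in the event. A dict in the pattern
    recurses into the corresponding event object; a list in the pattern
    matches when the event value equals any listed literal (if the event
    value is itself a list, any one of its elements may match).
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif isinstance(expected, list):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise TypeError("pattern leaves must be lists of literal values")
    return True


def inspector_finding_event(severity, n, resource_id):
    """Constructed sample event in the shape EventBridge delivers for Inspector findings."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder event id
        "detail-type": "Inspector2 Finding",
        "source": "aws.inspector2",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "findingArn": f"arn:aws:inspector2:us-east-1:123456789012:finding/{n:04d}",
            "severity": severity,
            "status": "ACTIVE",
            "type": "PACKAGE_VULNERABILITY",
            "resources": [{"id": resource_id, "type": "AWS_EC2_INSTANCE"}],
        },
    }


def select_events(events, pattern):
    """Return the finding ARNs of the events the rule would forward to its targets."""
    return [e["detail"]["findingArn"] for e in events if matches_pattern(e, pattern)]


SAMPLE_EVENTS = [
    inspector_finding_event("CRITICAL", 1, "i-0aaa"),
    inspector_finding_event("HIGH", 2, "i-0bbb"),
    inspector_finding_event("LOW", 3, "i-0ccc"),
    # Constructed non-finding event from the same source: the detail-type
    # check must reject it even though its detail carries a severity field.
    {"source": "aws.inspector2", "detail-type": "Inspector2 Coverage",
     "detail": {"severity": "CRITICAL", "findingArn": "not-a-finding"}},
]

if __name__ == "__main__":
    print("CRITICAL only:  ", select_events(SAMPLE_EVENTS, CRITICAL_RULE_PATTERN))
    print("CRITICAL or HIGH:", select_events(SAMPLE_EVENTS, CRITICAL_OR_HIGH_PATTERN))
```

Running it shows one ARN forwarded under the page's pattern and two under the broader one; the `Inspector2 Coverage` event never matches because `detail-type` is part of the pattern, which is why the rule keys on both `source` and `detail-type` rather than on the severity field alone.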

CI/CD Integration

Block deployments with critical vulnerabilities:

# Check an ECR image before deployment; returns non-zero if critical findings exist
check_ecr_vulnerabilities() {
  IMAGE_DIGEST=$1
  REPO_NAME=$2

  # Wait for the scan to finish (the ECR waiter polls until the image
  # scan status is reported complete; it fails if it times out)
  aws ecr wait image-scan-complete \
    --repository-name "$REPO_NAME" \
    --image-id imageDigest="$IMAGE_DIGEST" || return 1

  # Count critical findings for this image digest
  CRITICAL_COUNT=$(aws inspector2 list-findings \
    --filter-criteria "{
      \"ecrImageHash\": [{\"comparison\": \"EQUALS\", \"value\": \"$IMAGE_DIGEST\"}],
      \"severity\": [{\"comparison\": \"EQUALS\", \"value\": \"CRITICAL\"}]
    }" \
    --query 'length(findings)' \
    --output text)

  if [ "$CRITICAL_COUNT" -gt 0 ]; then
    echo "ERROR: Found $CRITICAL_COUNT critical vulnerabilities in $REPO_NAME@$IMAGE_DIGEST"
    return 1
  fi
}

# Usage in CI/CD pipeline (exit non-zero so the stage fails)
check_ecr_vulnerabilities "sha256:abc123..." "my-app" || exit 1

Dashboard and Reporting

# Get coverage statistics
aws inspector2 list-coverage-statistics \
  --filter-criteria '{
    "scanStatusCode": [{"comparison": "EQUALS", "value": "ACTIVE"}]
  }' \
  --group-by RESOURCE_TYPE

# Get finding aggregations by severity
aws inspector2 list-finding-aggregations \
  --aggregation-type SEVERITY

# Get finding aggregations by package
aws inspector2 list-finding-aggregations \
  --aggregation-type PACKAGE_NAME \
  --aggregation-request '{
    "packageAggregation": {
      "sortBy": "CRITICAL",
      "sortOrder": "DESC"
    }
  }'

Best Practices

Practice       | Recommendation
---------------|-----------------------------------------------
Coverage       | Enable all resource types (EC2, ECR, Lambda)
ECR Scanning   | Use continuous scanning for production images
Prioritization | Focus on critical and high severity first
CI/CD          | Gate deployments on vulnerability checks
Suppression    | Document justification for all suppressions
Alerting       | Set up notifications for critical findings
Remediation    | Track remediation SLAs by severity

Remediation SLA Guidelines

Severity | CVSS Score | Recommended SLA
---------|------------|----------------
Critical | 9.0 - 10.0 | 24-48 hours
High     | 7.0 - 8.9  | 7 days
Medium   | 4.0 - 6.9  | 30 days
Low      | 0.1 - 3.9  | 90 days
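Suppression rules, the CI/CD gate and the remediation SLAs above are three views of the same finding list. The following is an added example, not part of the original guide and not an AWS SDK API: it takes findings in the shape `aws inspector2 list-findings` returns, applies suppression rules written in the same `filterCriteria` shape as `create-filter` (the dev-environment and single-CVE rules from the Suppress Findings section), assigns each remaining finding a deadline from the SLA table (the 24-hour end of the critical range), and decides whether a deployment gate should pass. Assumed semantics: different criteria keys are ANDed, entries under one key are ORed, and only `EQUALS`/`NOT_EQUALS` are handled. The finding records, ARNs, CVE ids and dates are constructed placeholders.

```python
"""Offline triage of Amazon Inspector findings.

Added example, not part of the original guide and not an AWS SDK API.
Findings are constructed to mirror `aws inspector2 list-findings` output,
trimmed to the fields used here; ARNs, CVE ids and dates are placeholders.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Remediation SLA per severity, from the guideline table (24 h for critical).
SLA = {
    "CRITICAL": timedelta(hours=24),
    "HIGH": timedelta(days=7),
    "MEDIUM": timedelta(days=30),
    "LOW": timedelta(days=90),
}

# Suppression rules in create-filter shape (name + filterCriteria).
SUPPRESSION_FILTERS = [
    {"name": "suppress-dev-findings",
     "filterCriteria": {"resourceTags": [
         {"comparison": "EQUALS", "key": "Environment", "value": "dev"}]}},
    {"name": "suppress-cve-2024-1234",
     "filterCriteria": {"vulnerabilityId": [
         {"comparison": "EQUALS", "value": "CVE-2024-1234"}]}},
]


def _finding(n, severity, cve, resource_id, tags, first_seen):
    """Build one constructed finding record (placeholder ARN)."""
    return {"findingArn": f"arn:aws:inspector2:us-east-1:123456789012:finding/{n:04d}",
            "severity": severity, "status": "ACTIVE",
            "packageVulnerabilityDetails": {"vulnerabilityId": cve},
            "resources": [{"id": resource_id, "tags": tags}],
            "firstObservedAt": first_seen}


SAMPLE_FINDINGS = [
    _finding(1, "CRITICAL", "CVE-2024-0001", "i-0aaa", {"Environment": "prod"}, "2026-01-01T00:00:00+00:00"),
    _finding(2, "HIGH", "CVE-2024-0002", "i-0bbb", {"Environment": "dev"}, "2026-01-02T00:00:00+00:00"),
    _finding(3, "CRITICAL", "CVE-2024-1234", "sha256:abc123", {}, "2026-01-03T00:00:00+00:00"),
    _finding(4, "MEDIUM", "CVE-2024-0003", "i-0aaa", {"Environment": "prod"}, "2026-01-09T00:00:00+00:00"),
]
NOW = datetime(2026, 1, 10, tzinfo=timezone.utc)  # constructed "current time"


def _condition_hits(finding, key, cond):
    """Evaluate one filter entry against a finding, ignoring the comparison."""
    if key == "resourceTags":
        return any(r.get("tags", {}).get(cond["key"]) == cond["value"]
                   for r in finding["resources"])
    if key == "vulnerabilityId":
        return finding.get("packageVulnerabilityDetails", {}).get("vulnerabilityId") == cond["value"]
    if key == "severity":
        return finding["severity"] == cond["value"]
    if key == "resourceId":
        return any(r["id"] == cond["value"] for r in finding["resources"])
    raise ValueError(f"unsupported filter criterion: {key}")


def matches_criteria(finding, criteria):
    """AND across criteria keys, OR across the entries listed under one key."""
    for key, conditions in criteria.items():
        matched_any = False
        for cond in conditions:
            hit = _condition_hits(finding, key, cond)
            if cond["comparison"] == "NOT_EQUALS":
                hit = not hit
            elif cond["comparison"] != "EQUALS":
                raise ValueError(f"unsupported comparison: {cond['comparison']}")
            matched_any = matched_any or hit
        if not matched_any:
            return False
    return True


def remediation_deadline(finding):
    """Deadline = first observation time + SLA for the finding's severity."""
    return datetime.fromisoformat(finding["firstObservedAt"]) + SLA[finding["severity"]]


def triage(findings, suppression_filters, now):
    """Split findings into open/suppressed, flag overdue ones, count open ones by severity."""
    report = {"open": [], "suppressed": {}, "overdue": [], "by_severity": Counter()}
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        rule = next((s["name"] for s in suppression_filters
                     if matches_criteria(f, s["filterCriteria"])), None)
        if rule:
            report["suppressed"][f["findingArn"]] = rule
            continue
        report["open"].append(f["findingArn"])
        report["by_severity"][f["severity"]] += 1
        if remediation_deadline(f) < now:
            report["overdue"].append(f["findingArn"])
    return report


def ci_gate_passes(findings, suppression_filters, now, block_on=("CRITICAL",)):
    """True when no un-suppressed finding of a blocking severity remains."""
    counts = triage(findings, suppression_filters, now)["by_severity"]
    return all(counts[sev] == 0 for sev in block_on)


if __name__ == "__main__":
    r = triage(SAMPLE_FINDINGS, SUPPRESSION_FILTERS, NOW)
    print(f"open={len(r['open'])} suppressed={len(r['suppressed'])} overdue={len(r['overdue'])} "
          f"gate_passes={ci_gate_passes(SAMPLE_FINDINGS, SUPPRESSION_FILTERS, NOW)}")
```

With the sample data the dev finding and the justified CVE-2024-1234 finding are suppressed, the remaining critical finding is nine days past its 24-hour SLA, and the gate fails. The suppressed dictionary records which rule removed each finding, which is the audit trail the "document justification for all suppressions" practice calls for.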

Frequently Asked Questions

Inspector v2 (Amazon Inspector) is a complete redesign launched in 2021. Key differences include automatic scanning without scheduling, native ECR container scanning, Lambda function scanning, and integration with AWS Organizations for multi-account management. V2 uses an agent-less approach for ECR scanning and the SSM Agent for EC2 instead of a dedicated Inspector agent. V2 is significantly easier to deploy and operates continuously rather than on schedules.

Need Professional Help?

Our team of experts can help you implement and configure these solutions for your organization.