IT & Life Hacks Blog|Ideas for learning and practicing

Quick life hacks for every day Support by AI

system development

AWS Inspector Usage Guide: A Thorough Comparison with Security Hub & GuardDuty

By greeden #AWS, #system development
AWS Inspector、Security Hub、GuardDutyの連携イメージ
AWS Inspector、Security Hub、GuardDutyの連携イメージ

AWS Inspector Usage Guide: A Thorough Comparison with Security Hub & GuardDuty

Summary

  • What is AWS Inspector?
    An automated vulnerability assessment service that performs security checks on hosts, containers, and serverless environments.
  • Key Features
    • Scanning for OS and application vulnerabilities
    • Verifying software configuration against best practices
    • Creating and applying custom rules
  • Use Cases
    • Automating regular security assessments
    • Detecting vulnerabilities before deployment
    • Sample integration into CI/CD pipelines
  • Differences from Security Hub & GuardDuty
    • Inspector: Focused on vulnerability assessment
    • Security Hub: Centralized management of findings from multiple services
    • GuardDuty: Anomaly detection via log and flow analysis
  • Intended Audience
    Security engineers, DevOps engineers, SREs, and cloud administrators

1. Introduction: Why Vulnerability Assessment Matters

In modern cloud environments, servers can be spun up and code deployed in an instant. Yet even minor misconfigurations or unpatched instances can greatly increase cyber‐attack risk. AWS Inspector helps mitigate these risks by providing automated scans, enabling you to operate cloud resources with confidence.
Recommended for teams who want to:

  • Automate routine vulnerability assessments
  • Embed security checks before and after deployments
  • Empower less‐experienced members to manage security easily

2. What Is AWS Inspector?

2.1 Overview

AWS Inspector is a managed vulnerability assessment service from Amazon Web Services. It automatically runs security evaluations on EC2 instances, containers on ECS/EKS, and even Lambda functions.

2.2 Key Features

  1. Network Reachability Scans
    • Checks public/private IP accessibility
    • Detects unnecessarily open ports
  2. Vulnerability Scans (CVE‐Based)
    • Maps known OS and middleware vulnerabilities to CVE identifiers
    • Integrates with the latest vulnerability databases
  3. Security Best‐Practice Verification
    • Validates configurations against CIS benchmarks and AWS best practices
  4. Custom Rule Creation
    • Define custom security rules in YAML to meet your own requirements
  5. Detailed Reporting
    • Compare scan results over time
    • Integrate with Slack or email notifications

3. Getting Started with AWS Inspector

3.1 Setup Steps

  1. Install the Inspector Agent
    # On Amazon Linux
sudo yum install amazon-inspector
sudo systemctl start amazon-inspector
  2. Create an Assessment Template
    • Use the AWS Management Console or AWS CLI to define
    • Specify target instances by tag or security group
  3. Run a Scan
    aws inspector start-assessment-run \
  --assessment-template-arn arn:aws:inspector:... \
  --assessment-run-name "DailyScan-$(date +%Y%m%d)"
  4. View Results & Retrieve Reports
    aws inspector list-findings \
  --assessment-run-arns arn:aws:inspector:...
aws inspector get-findings --finding-arns <FINDING_ARN>

3.2 CI/CD Pipeline Integration Example

# GitHub Actions example
jobs:
  security_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Push image to ECR
        run: |
          aws ecr get-login-password --region ap-northeast-1 | \
            docker login --username AWS --password-stdin <ECR_URI>
          docker push <ECR_URI>/myapp:${{ github.sha }}
      - name: Trigger Inspector Scan
        run: |
          aws inspector start-assessment-run \
            --assessment-template-arn arn:aws:inspector:... \
            --assessment-run-name "CI-CD-Scan-${{ github.sha }}"
      - name: Check Findings
        run: |
          FINDINGS=$(aws inspector list-findings --assessment-run-arns arn:aws:inspector:...)
          if [ -n "$FINDINGS" ]; then
            echo "Vulnerabilities found"
            exit 1
          fi

4. How It Differs from Security Hub & GuardDuty

4.1 AWS Security Hub

  • Role: Aggregates and centralizes findings from multiple security services (Inspector, GuardDuty, Macie, etc.)
  • Features:
    • Automated security standard checks (e.g., CIS AWS Foundations)
    • Unified dashboard for findings
    • Automated remediation workflows to other services
  • Use Cases:
    • Managing security posture across multiple AWS accounts
    • Compliance checks against governance standards

4.2 Amazon GuardDuty

  • Role: Analyzes logs and flows (VPC Flow Logs, CloudTrail, DNS Logs) to detect anomalies
  • Features:
    • Suspicious API call detection
    • Indicators of malware communication
    • Detection of abnormal port scans and brute‐force attacks
  • Use Cases:
    • Real‐time intrusion detection (IDS)
    • Forensic analysis during incident response
Service Primary Focus Data Sources Output
Inspector Vulnerability Assessment Agent & host environment CVE lists, best‐practice violations
Security Hub Centralized Management Inspector, GuardDuty, Macie, etc. Unified dashboard
GuardDuty Anomaly Detection CloudTrail, VPC Flow Logs, DNS Logs Anomaly alerts

5. Practical Example: Scheduling Weekly Scans for a Web App

5.1 Scenario

  • Target: Web app running on ECS Fargate
  • Requirement: Run vulnerability assessment every Monday at 2 AM and send results to Slack

5.2 Implementation Example

  1. Lambda Function
    import boto3
import os
import requests

inspector = boto3.client('inspector')
SLACK_WEBHOOK = os.environ['SLACK_WEBHOOK']

def lambda_handler(event, context):
    run = inspector.start_assessment_run(
        assessmentTemplateArn=os.environ['TEMPLATE_ARN'],
        assessmentRunName='WeeklyScan'
    )
    findings = inspector.list_findings(
        assessmentRunArns=[run['assessmentRunArn']]
    )['findingArns']
    msg = f"[Inspector Results] Findings: {len(findings)}"
    requests.post(SLACK_WEBHOOK, json={'text': msg})
  2. EventBridge Rule
    • Cron expression: cron(0 2 ? * MON *)
    • Target: The above Lambda function

6. Conclusion & Future Outlook

AWS Inspector automates vulnerability assessment in cloud-native environments, reducing operational overhead. By combining Inspector with Security Hub and GuardDuty, you achieve a “vulnerability assessment + centralized management + anomaly detection” trifecta for a more robust security posture.

Key Takeaways

  1. Inspector: Specialized in vulnerability scanning
  2. Security Hub: Centralizes and visualizes findings
  3. GuardDuty: Detects anomalies via log analysis

Use this guide to automate comprehensive security checks in your AWS environment and ensure safe, reliable cloud operations.

By greeden

Related Post

system development

AWS GuardDuty Comprehensive Guide: Real-Time Threat Detection and Operational Automation

greeden
system development

[Class Report] Introduction to System Development Week 20 – OOP Mini Project: From UML Design to Implementation

greeden
system development

What Is ChatGPT’s “Learning Mode”? — A Thorough Guide to Usage and Benefits for Student, Language, and Programming Learning

greeden

Leave a Reply

Your email address will not be published. Required fields are marked *

日本語が含まれない投稿は無視されますのでご注意ください。(スパム対策)

You Missed

Business

AWS Security Hub Deep Dive: Strengthening Security with Centralized Management

system development

AWS GuardDuty Comprehensive Guide: Real-Time Threat Detection and Operational Automation

system development

AWS Inspector Usage Guide: A Thorough Comparison with Security Hub & GuardDuty

system development

[Class Report] Introduction to System Development Week 20 – OOP Mini Project: From UML Design to Implementation