Amazon Inspector is an AWS security assessment service that automatically checks a customer's AWS deployment for vulnerabilities and deviations from security best practices. It evaluates cloud applications for weak points both before and after they are deployed, verifying that the expected security controls are actually in place. The service then produces a list of findings prioritized by severity, each with a detailed description of the issue and a recommendation for fixing it.
Amazon Inspector is managed through the AWS Management Console, and its host assessments rely on an agent installed on the operating system of each Amazon Elastic Compute Cloud (EC2) instance to be evaluated. Before it can assess a deployment, the service needs an AWS Identity and Access Management (IAM) role that grants it permission to enumerate the instances in the account and the tags used to select them; Amazon Inspector can create this IAM role itself if one does not already exist.
An IT administrator defines an assessment template, which specifies the rules packages to evaluate, the duration of the assessment run, the Amazon Simple Notification Service (SNS) topics that receive notifications about the run, and other attributes. Executing that template against the target environment is called an assessment run. During the run, Amazon Inspector collects and analyzes behavioral data from the target, including network traffic, running processes and the communication between the instance and other cloud services, and evaluates it against the selected rules.
Amazon Inspector draws its best practices from a knowledge base of hundreds of rules (individual security checks or tests) that AWS security researchers maintain and update. The service also exposes public APIs, so findings can be pulled into tooling outside the service itself, such as email notifications or security dashboards.
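The prioritization and API integration described above can be shown end to end with a small triage script. The following is an added example written for this page, not code from AWS or the Amazon Inspector documentation. It assumes the Amazon Inspector (Classic) API shape exposed by boto3, where ListFindings pages through finding ARNs with a nextToken and DescribeFindings returns the full finding records (severity, numericSeverity, title, description, recommendation and assetAttributes.agentId); the sample findings, ARNs, instance IDs and the FakeInspectorClient stand-in are constructed here so the script runs offline. In production you would pass `boto3.client("inspector")` in place of the fake client.

```python
"""Pull Amazon Inspector (Classic) findings for one assessment run, rank them
by severity per instance, and decide whether a deployment should proceed.

Added example for illustration; field names follow the Inspector Classic
DescribeFindings response shape. Sample data below is constructed."""
from collections import defaultdict

# Inspector Classic severities; the rank defines triage order.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample findings (not real assessment output).
SAMPLE_FINDINGS = [
    {"arn": "arn:aws:inspector:us-east-1:111122223333:target/0-x/template/0-y/run/0-z/finding/0-1",
     "severity": "High", "numericSeverity": 9.0,
     "title": "Disable root login over SSH",
     "description": "The instance allows password-based root login over SSH.",
     "recommendation": "Set PermitRootLogin to no in sshd_config and restart sshd.",
     "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaaa", "amiId": "ami-0example1"}},
    {"arn": "arn:aws:inspector:us-east-1:111122223333:target/0-x/template/0-y/run/0-z/finding/0-2",
     "severity": "Informational", "numericSeverity": 0.0,
     "title": "Agent telemetry collected",
     "description": "The agent reported telemetry for the full run.",
     "recommendation": "No action required.",
     "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaaa", "amiId": "ami-0example1"}},
    {"arn": "arn:aws:inspector:us-east-1:111122223333:target/0-x/template/0-y/run/0-z/finding/0-3",
     "severity": "Medium", "numericSeverity": 6.0,
     "title": "Enable address space layout randomization (ASLR)",
     "description": "kernel.randomize_va_space is not set to 2.",
     "recommendation": "Set kernel.randomize_va_space = 2 via sysctl.",
     "assetAttributes": {"agentId": "i-0bbbbbbbbbbbbbbbb", "amiId": "ami-0example2"}},
    {"arn": "arn:aws:inspector:us-east-1:111122223333:target/0-x/template/0-y/run/0-z/finding/0-4",
     "severity": "Low", "numericSeverity": 3.0,
     "title": "Configure permissions for system directories",
     "description": "A system directory is group-writable.",
     "recommendation": "Remove write permission for group on the directory.",
     "assetAttributes": {"agentId": "i-0bbbbbbbbbbbbbbbb", "amiId": "ami-0example2"}},
]


class FakeInspectorClient:
    """Offline stand-in for boto3.client("inspector") that serves the sample
    findings in small ListFindings pages so the paging path is exercised."""

    def __init__(self, findings, page_size=2):
        self._findings = {f["arn"]: f for f in findings}
        self._page_size = page_size

    def list_findings(self, assessmentRunArns, maxResults=500, nextToken=None):
        arns = sorted(self._findings)
        start = int(nextToken or 0)
        page = {"findingArns": arns[start:start + self._page_size]}
        if start + self._page_size < len(arns):
            page["nextToken"] = str(start + self._page_size)
        return page

    def describe_findings(self, findingArns):
        return {"findings": [self._findings[a] for a in findingArns]}


def fetch_findings(client, assessment_run_arn):
    """Return every finding for one assessment run. ListFindings is paged via
    nextToken and DescribeFindings takes at most 10 ARNs per call."""
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [assessment_run_arn], "maxResults": 500}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 10):
        findings.extend(client.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return findings


def triage(findings, min_severity="Medium"):
    """Group findings at or above min_severity by instance, highest first."""
    threshold = SEVERITY_RANK[min_severity]
    by_instance = defaultdict(list)
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        instance = f.get("assetAttributes", {}).get("agentId", "unknown")
        by_instance[instance].append(f)
    for items in by_instance.values():
        items.sort(key=lambda f: (-f.get("numericSeverity", 0.0), f["title"]))
    return dict(by_instance)


def deployment_gate(findings, block_on="High"):
    """Return (ok, offending_titles): ok is False if any finding reaches block_on."""
    offending = sorted(f["title"] for f in findings
                       if SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[block_on])
    return (not offending, offending)


if __name__ == "__main__":
    run_arn = "arn:aws:inspector:us-east-1:111122223333:target/0-x/template/0-y/run/0-z"
    found = fetch_findings(FakeInspectorClient(SAMPLE_FINDINGS), run_arn)
    for instance, items in triage(found).items():
        for f in items:
            print(f"{instance} [{f['severity']}] {f['title']}: {f['recommendation']}")
    ok, titles = deployment_gate(found)
    print("deploy ok" if ok else f"blocked by: {titles}")
```

Swapping FakeInspectorClient for a real boto3 client is the only change needed to run this against an account; the gate function is the piece you would wire into a CI stage so a run that reports a High finding fails the pipeline rather than merely emailing a dashboard.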
Amazon Inspector is billed by agent-assessments, a metric that combines the number of assessment runs with the number of instances assessed in each run. Amazon provides a free trial before it begins charging the customer per agent-assessment.