Amazon Inspector is configured by a team member to pull all vulnerability details into our environment, allowing us to access all the vulnerability findings.
We're in the initial phase and don't have any regulatory obligations yet. We're still building up the environment. However, we can run the CIS Benchmark scan across the entire environment.
Security best practices were another reason I looked into Inspector, as it also performs CIS compliance for configuration. We're just getting started with the compliance aspect.
Amazon Inspector simplifies our vulnerability assessment process. It is one key feature I was looking for. Amazon Inspector supports the CIS Benchmarks. We had a homegrown tool to do that earlier, and now we are looking forward to using Amazon Inspector for it.
So, the automated scanning feature has positively impacted our security posture.
It offers capabilities around compliance and vulnerability management for EC2 instances, including OS compliance checks and vulnerabilities within EC2 OS images.
The findings dashboards are neat and easy to understand, offering clear demarcations for different types of findings and detailed insights into specific vulnerabilities and their associated instances. It is not a place where everything is dumped together. It is easy to understand the layout. It very precisely does what it talks about. When a vulnerability is identified, it tells me which instance has it and what operating system image it's using. This helps me correlate and understand, "Okay, this vulnerability is likely due to the OS I'm running. Maybe switching to a more secure option will help remediate these issues."
Overall, the dashboards effectively convey what they're designed to do. They tell you about vulnerabilities within your runtime environment, whether it's containers, EC2 instances, or even Lambdas (though I don't have experience with those). For EC2 instances, that's how we primarily use it.
The vulnerability scan feature is crucial for identifying vulnerabilities on my EC2 instances. Additionally, Amazon Inspector supports the CIS benchmark, which is a significant advantage.
One major area for improvement is remediation. My team works on remediating findings over time, likely using available patches. However, easier integration with Amazon's patching services would be very helpful. I'm sure there's a way to automate patching within the platform. While patching capabilities might exist, as a user I don't have upfront information, directly from Inspector, on how to remediate findings.
However, suppression rules are a valuable feature. They allow me to suppress false positives and exceptions. That aspect is handled very well. The next step would be a clear path to addressing identified findings.
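The two workflows the review describes, correlating findings back to the instance and OS image they came from and scoping a suppression rule to a known exception, can both be done against the Inspector findings data. The following is an added example, not the reviewer's code and not AWS's own; it uses the field names of the inspector2 ListFindings and CreateFilter APIs, while the findings, instance ids, AMI ids and CVE ids are constructed placeholders so it runs offline without an AWS account.

```python
"""Added example (not from the review or AWS): correlate Inspector EC2 findings
to their AMI and build a narrowly scoped suppression rule.

Assumption: finding dicts have the shape returned by inspector2 ListFindings
(findingArn, severity, resources[].id, resources[].details.awsEc2Instance.imageId,
packageVulnerabilityDetails.vulnerabilityId). All ids below are constructed.
"""
from collections import defaultdict


def _finding(arn_suffix, severity, cve, instance_id, image_id):
    # Helper to build a constructed finding in the ListFindings shape.
    return {
        "findingArn": f"arn:aws:inspector2:us-east-1:111122223333:finding/{arn_suffix}",
        "severity": severity,
        "title": f"{cve} - example-pkg",
        "packageVulnerabilityDetails": {"vulnerabilityId": cve},
        "resources": [{
            "type": "AWS_EC2_INSTANCE",
            "id": instance_id,
            "details": {"awsEc2Instance": {"imageId": image_id, "platform": "AMAZON_LINUX_2"}},
        }],
    }


# Constructed sample data: two instances share one image, a third uses another.
SAMPLE_FINDINGS = [
    _finding("EXAMPLE1", "HIGH", "CVE-0000-0001", "i-0example000000001", "ami-0example0000000a"),
    _finding("EXAMPLE2", "HIGH", "CVE-0000-0002", "i-0example000000002", "ami-0example0000000a"),
    _finding("EXAMPLE3", "MEDIUM", "CVE-0000-0003", "i-0example000000003", "ami-0example0000000b"),
]


def group_by_image(findings):
    """Map each AMI to the instances and vulnerability ids seen on it, the
    'is this coming from the OS image I run?' question the dashboard answers."""
    by_image = defaultdict(lambda: {"instances": set(), "vulns": set()})
    for f in findings:
        vuln = f.get("packageVulnerabilityDetails", {}).get("vulnerabilityId")
        for r in f.get("resources", []):
            if r.get("type") != "AWS_EC2_INSTANCE":
                continue
            image = r.get("details", {}).get("awsEc2Instance", {}).get("imageId", "unknown")
            by_image[image]["instances"].add(r["id"])
            if vuln:
                by_image[image]["vulns"].add(vuln)
    return dict(by_image)


def suppression_filter(name, vulnerability_id, instance_ids=None, reason=""):
    """Build the CreateFilter request body for a suppression rule. Scoping it to
    a CVE and specific instances keeps an accepted exception from hiding the
    same CVE on every other host in the account."""
    criteria = {"vulnerabilityId": [{"comparison": "EQUALS", "value": vulnerability_id}]}
    if instance_ids:
        criteria["resourceId"] = [{"comparison": "EQUALS", "value": i} for i in instance_ids]
    return {"action": "SUPPRESS", "name": name, "description": reason, "filterCriteria": criteria}


def list_ec2_findings(client, severities=("CRITICAL", "HIGH")):
    """Page through ListFindings for EC2 findings of the given severities.
    `client` is a boto3 inspector2 client, or any object with the same
    list_findings(filterCriteria=..., nextToken=...) signature."""
    criteria = {
        "resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}],
        "severity": [{"comparison": "EQUALS", "value": s} for s in severities],
    }
    findings, token = [], None
    while True:
        kwargs = {"filterCriteria": criteria}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        findings.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return findings


class FakeInspectorClient:
    """Offline stand-in for boto3.client('inspector2'): filters SAMPLE_FINDINGS
    by severity and returns them in two pages to exercise the pagination loop."""

    def list_findings(self, filterCriteria, nextToken=None):
        wanted = {c["value"] for c in filterCriteria.get("severity", [])}
        matches = [f for f in SAMPLE_FINDINGS if f["severity"] in wanted]
        if nextToken is None:
            return {"findings": matches[:1], "nextToken": "page2"}
        return {"findings": matches[1:]}


if __name__ == "__main__":
    # Replace FakeInspectorClient() with boto3.client("inspector2") for real use.
    high = list_ec2_findings(FakeInspectorClient())
    for image, info in group_by_image(high).items():
        print(image, sorted(info["instances"]), sorted(info["vulns"]))
    print(suppression_filter("accepted-risk-host3", "CVE-0000-0003",
                             ["i-0example000000003"], "mitigated by network isolation"))
```

With a real client the `suppression_filter` body is passed as keyword arguments to `create_filter`; the function only builds the request so the scoping decision can be reviewed (or unit-tested) before anything is suppressed.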
We have been using Amazon Inspector for almost six months.
It's stable. I haven't experienced any downtime; the service is always available.
The customer service and support are very good, overall.
I would rate my experience with the initial setup a ten out of ten, with ten being easy to deploy.
It's incredibly easy. There's practically one button. You just enable Amazon Inspector, and that's it.
It's very easy to maintain. There's no operational overhead. It's a limited service from Amazon, so the experience is similar to using other native Amazon services. They do a great job of keeping the user experience consistent across all services. It's a very smooth experience.
The pricing is very transparent and clear, so I don't have any challenges with it. It's good.
Just try it once and find your path forward because it's very easy to set up. If you're just starting, the native tools are the best way to start. Only when there are some advanced use cases should you look for anything beyond AWS.
So, if you're already starting something in AWS, it's best to get started with the native tools.
Overall, I would rate the solution a ten out of ten.