Examples of the 83,000+ reviews on PeerSpot:

Nikhil Sehgal
Lead Solution Advisor (Cyber Security) at Deloitte
Real User
Top 5, Leaderboard
Primarily focuses on the security of EC2 instances and provides point-in-time assessments rather than real-time protection, but provides automated vulnerability detection
Pros and Cons
  • "The automated vulnerability detection aspect is most valuable."
  • "It has a limited scope. AWS Inspector primarily focuses on the security of EC2 instances, so if your architecture includes other AWS services, you may need additional tools for a comprehensive security assessment. That is one con. Another is the dependency on agents."

What is our primary use case?

Initially, we used it for client performance for four months; we completed the automation. 

It's primarily used for automated vulnerability detection. It continuously scans your AWS workloads for software vulnerabilities, helping us maintain an overall security posture. Think of it as an automated vulnerability management service for our cloud environment.

What is most valuable?

The automated vulnerability detection aspect is most valuable. It continuously scans AWS workloads for software vulnerabilities and unintended network exposure. 

What needs improvement?

It has a limited scope. AWS Inspector primarily focuses on the security of EC2 instances, so if your architecture includes other AWS services, you may need additional tools for a comprehensive security assessment. That is one con.

The other is the dependency on agents: Inspector relies on agents installed on instances for deeper assessment, so managing these agents can be additional overhead.

It also does not provide real-time protection; Inspector provides point-in-time assessment rather than continuous monitoring. These are all cons.

When it comes to false positives, it is there for most security tools as of now. I would not consider false positives a major concern. 

These are the major concerns I found: dependency on agents, limited scope, and no real-time protection.

For how long have I used the solution?

I have been using it for a year. 

What do I think about the stability of the solution?

It is a stable product. Our organization has an alliance with AWS. If we get stuck somewhere, we get good support from AWS.

What do I think about the scalability of the solution?

In my company, I did a POC for a client, which was an Amazon subsidiary. So that was for an Amazon subsidiary only; they had a very large production environment.

How are customer service and support?

We are happy with the support. 

Which solution did I use previously and why did I switch?

I have experience with Cybersixgill as well. 

How was the initial setup?

The initial setup is easy. It depends on the initial environment you're using.

What's my experience with pricing, setup cost, and licensing?

It's priced according to market standards for its services. 

What other advice do I have?

I would recommend going for a third-party tool, unless you have restrictions on using only native services.

The main thing is that with a single third-party tool we get threat assessment, runtime assessment, and vulnerability assessment together, which Amazon Inspector provides only with GuardDuty on top.

So, it's an all-in-one package in a third-party tool. In AWS, you need to leverage multiple services like GuardDuty for threat detection, which makes the whole thing cumbersome. That's why I suggest looking at third-party options.

Even in the future, if we're shifting from AWS to SDR, for example, we can stick with those third-party services because the knowledge gained would apply to other clouds as well. So, in most cases, I'd recommend considering third-party tools.

Overall, I would rate the solution a six out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: customer/partner
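The agent dependency the reviewer describes is something to verify rather than assume: Inspector reports, per resource, whether it is actually scanning it and why not. The script below is an added example (the editor's code, not the reviewer's and not from AWS) that post-processes the JSON that `aws inspector2 list-coverage` returns and lists the resources with no active scan, separating out the ones whose cause is on the SSM agent / inventory side. The sample input is constructed (the coverage API reports ECR repositories and Lambda functions alongside EC2 instances, so one ECR entry is included); the set of status reasons treated as agent-related (`UNMANAGED_EC2_INSTANCE`, `NO_INVENTORY`, `STALE_INVENTORY`) and the remediation hints are the editor's assumptions and should be checked against the `ScanStatusReason` values documented for your SDK version.

```python
"""Audit Amazon Inspector coverage for agent/inventory gaps.

Added example: editor's code, not from the review or from AWS. It post-processes
the JSON returned by `aws inspector2 list-coverage`; the sample below is constructed.
"""
import json
from collections import Counter

# Constructed sample in the shape of `aws inspector2 list-coverage` output.
SAMPLE_COVERAGE = json.dumps({
    "coveredResources": [
        {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0a1b2c3d4e5f60001",
         "accountId": "111122223333", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
        {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0a1b2c3d4e5f60002",
         "accountId": "111122223333", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"}},
        {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0a1b2c3d4e5f60003",
         "accountId": "111122223333", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "STALE_INVENTORY"}},
        {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0a1b2c3d4e5f60004",
         "accountId": "111122223333", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "INACTIVE", "reason": "UNSUPPORTED_OS"}},
        {"resourceType": "AWS_ECR_REPOSITORY", "resourceId": "payments-api",
         "accountId": "111122223333", "scanType": "PACKAGE",
         "scanStatus": {"statusCode": "ACTIVE", "reason": "SCAN_FREQUENCY_SCAN_ON_PUSH"}},
    ]
})

# Status reasons that point at the SSM agent / inventory dependency the review
# describes. Assumed set: verify against the ScanStatusReason enum of your SDK.
AGENT_REASONS = {"UNMANAGED_EC2_INSTANCE", "NO_INVENTORY", "STALE_INVENTORY"}


def audit_coverage(raw_json: str) -> dict:
    """Summarise coverage and return the resources that are not being scanned.

    Returns per-status counts, every non-ACTIVE resource with its reason, and the
    subset whose fix lies on the SSM-agent side.
    """
    resources = json.loads(raw_json).get("coveredResources", [])
    by_status = Counter(r["scanStatus"]["statusCode"] for r in resources)
    gaps = [
        {"id": r["resourceId"], "type": r["resourceType"],
         "reason": r["scanStatus"].get("reason", "UNKNOWN")}
        for r in resources
        if r["scanStatus"]["statusCode"] != "ACTIVE"
    ]
    active = by_status.get("ACTIVE", 0)
    return {
        "total": len(resources),
        "active": active,
        "inactive": by_status.get("INACTIVE", 0),
        "gaps": gaps,
        "agent_gaps": [g for g in gaps if g["reason"] in AGENT_REASONS],
        "coverage_pct": round(100.0 * active / len(resources), 1) if resources else 0.0,
    }


def remediation_hint(reason: str) -> str:
    """Map a status reason to the operational fix (editor's guidance, not AWS text)."""
    return {
        "UNMANAGED_EC2_INSTANCE": "instance is not SSM-managed: install/start the SSM agent "
                                  "and attach an instance profile with AmazonSSMManagedInstanceCore",
        "NO_INVENTORY": "SSM inventory has never reported: check the agent and the inventory association",
        "STALE_INVENTORY": "inventory is stale: the agent stopped reporting, check reachability of SSM endpoints",
        "UNSUPPORTED_OS": "OS not supported by Inspector: cover it with another scanner or upgrade the image",
    }.get(reason, "see ScanStatusReason in the Inspector documentation")


if __name__ == "__main__":
    report = audit_coverage(SAMPLE_COVERAGE)
    print(f"coverage: {report['active']}/{report['total']} ({report['coverage_pct']}%)")
    for g in report["gaps"]:
        print(f"  {g['type']} {g['id']}: {g['reason']} -> {remediation_hint(g['reason'])}")
```

Run it against real output by piping `aws inspector2 list-coverage --output json` into `audit_coverage`; a non-zero `agent_gaps` list is the concrete cost of the agent dependency and is the list to hand to whoever owns the SSM fleet.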
Derek Justinger
Director Of Engineering at E Source Companies LLC
Real User
Top 10
Ranks vulnerabilities so that you can prioritize them efficiently, and helps you be more productive and confident in your solutions without having a dedicated team
Pros and Cons
  • "The vulnerability discovery is valuable, and they also rank those vulnerabilities for you. So, you could rapidly attack some of the higher, severe vulnerabilities as they pop up, if they do pop up."
  • "There isn't too much to improve right now. Scanning on demand or as part of the pipeline, versus a post-pipeline solution, would be good, but it is not a deal breaker by any means."

What is our primary use case?

The use case is that any deployable container we have in our infrastructure should get scanned for vulnerabilities.  

It is on a public cloud, and as soon as the containers get deployed to ECR, it automatically scans for vulnerability. It scans every hour on the hour. 

Its version is out of the box with Amazon.

How has it helped my organization?

It is scanning the whole repository for any sort of vulnerabilities. So, it allows us to be more confident in our DevSecOps and not put a lot of people or attention on it. We can trust the solution.

Before anything gets out to deployment, we have to be SOC 2 compliant. It gives us the ability to pretty much approach and implement a solution before anything gets out to our staging or production environment. We check in our code very frequently, and we're able to discover and get rid of any vulnerabilities before they make it to our cloud platform.

What is most valuable?

The vulnerability discovery is valuable, and they also rank those vulnerabilities for you. So, you could rapidly attack some of the higher, severe vulnerabilities as they pop up, if they do pop up.

What needs improvement?

There isn't too much to improve right now. Scanning on demand or as part of the pipeline, versus a post-pipeline solution, would be good, but it is not a deal breaker by any means.

Other than that, it is really about them just keeping up the pace with all the vulnerabilities out there. The vulnerability databases are growing on a daily basis. So, just making sure that they are on top of that is the key thing that I'm looking for.

For how long have I used the solution?

I have been using this solution for about a year and a half.

What do I think about the stability of the solution?

It is solid.

What do I think about the scalability of the solution?

It is solid in terms of scalability. We have a microservice shop where we're deploying dozens and dozens of solutions a day, and it scans it every hour on the hour and provides us continuous feedback.

Everybody on the engineering development team is using it. There are 10 to 12 folks. We have a DevOps mindset, and we continuously monitor this. We're all responsible for any vulnerabilities that come up. Obviously, there are subject matter experts, but we try to continuously learn and cross-pollinate to address these things as they come up.

It is used for all our Amazon ECR pipelines. It'll be used more because we are pivoting from using JFrog to Amazon more regularly. So, it would be a standard part of our practice going forward.

How are customer service and support?

It is decent. If you pay for it, it is great. They'll get back to you with common questions and based on your tier of support level, but you can jack it up if you want instantaneous support.

Which solution did I use previously and why did I switch?

We used JFrog and JFrog Xray as part of our solution. We switched for data locality. We're pretty much an Amazon shop now. We're trying to limit all the third-party solutions that we're utilizing.

How was the initial setup?

It involves a couple of clicks. Amazon really helps out with it. We just have to use ECR and enable it.

We have continuous deployment for staging and push-button deployment for our production clusters.

What about the implementation team?

It was all done in-house. It requires minimal staff for deployment and maintenance purposes. Some of the setup to automate your pipelines and provide continuous monitoring and continuous feedback takes a little effort, but once you have everything set up, the effort is very minimal.

What was our ROI?

I don't have anything available on that at this time. We do know the time we spent, and it is just minimal time. We don't have to dedicate full security folks to this. It is just a part of our pipeline. So, it is very hard to get that chunk out of day-to-day activities.

What's my experience with pricing, setup cost, and licensing?

It is scaled as you go. There are probably a certain number of scans per month, and there are tiers. If you're under a certain tier, it is free. The second level is pennies, and then it goes all the way up to like a million. So, it has a tiered pricing program. They're pretty good with your initial scanning, and there is room to scale while staying affordable, but it is fairly cheap.

There are no additional costs. They pretty much think about it as a pay-per-scan type model.

Which other solutions did I evaluate?

We didn’t really evaluate other options. We just needed to make sure that we had a handle on vulnerabilities.

What other advice do I have?

Security is very critical to maintain. If you don't have a dedicated security team, it allows you to be more productive and confident in your solutions at scale, without having a dedicated team scanning and focusing on security.

I would rate it an eight out of ten. It does its job in what we're looking for. Any software or any product always has room to improve. That's the only reason why I'm not giving it a ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
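The ranking and pipeline-gate use that this reviewer describes can be scripted against the findings Inspector exports. The script below is an added example (the editor's code, not the reviewer's and not from AWS): it takes JSON in the shape of `aws inspector2 list-findings` output for ECR container images, orders findings by severity, known exploit, fix availability and Inspector score, and decides whether a deploy should be blocked. The findings, image ARN, package versions and CVE-style identifiers (`CVE-0000-0001` and so on) are constructed placeholders, not real vulnerabilities; the blocking rule (block on CRITICAL/HIGH only when a fix is available or an exploit is known, so an unfixable and unexploited CVE is reported but does not stall the pipeline) is the editor's policy choice, not an AWS default.

```python
"""Rank Amazon Inspector ECR findings and gate a pipeline on them.

Added example: editor's code, not from the review or from AWS. Input is JSON in
the shape of `aws inspector2 list-findings` output; the sample below is constructed
and its vulnerability IDs are placeholders, not real CVEs.
"""
import json

SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2,
                 "INFORMATIONAL": 1, "UNTRIAGED": 0}

# Constructed image ARN for the sample findings.
IMAGE = "arn:aws:ecr:us-east-1:111122223333:repository/payments-api/sha256:0123abcd"


def _finding(vid, severity, score, exploit, fix, pkg, ver, fixed):
    """Build one finding in list-findings shape (sample-data helper only)."""
    return {
        "findingArn": f"arn:aws:inspector2:us-east-1:111122223333:finding/{vid}",
        "type": "PACKAGE_VULNERABILITY", "severity": severity,
        "inspectorScore": score, "exploitAvailable": exploit, "fixAvailable": fix,
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": IMAGE}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": vid,
            "vulnerablePackages": [{"name": pkg, "version": ver, "fixedInVersion": fixed}],
        },
    }


SAMPLE_FINDINGS = json.dumps({"findings": [
    _finding("CVE-0000-0001", "HIGH", 7.5, "NO", "YES", "openssl", "1.1.1", "1.1.1z"),
    _finding("CVE-0000-0002", "CRITICAL", 9.1, "NO", "NO", "glibc", "2.31", ""),
    _finding("CVE-0000-0003", "CRITICAL", 9.8, "YES", "PARTIAL", "libxml2", "2.9.10", "2.9.14"),
    _finding("CVE-0000-0004", "MEDIUM", 5.3, "NO", "YES", "curl", "7.68.0", "7.68.1"),
    _finding("CVE-0000-0005", "LOW", 3.1, "NO", "YES", "tar", "1.30", "1.31"),
]})


def summarise(f):
    """Flatten the fields a triage list needs from one raw finding."""
    details = f.get("packageVulnerabilityDetails", {})
    pkgs = details.get("vulnerablePackages") or [{}]
    return {
        "vuln_id": details.get("vulnerabilityId", f.get("title", "?")),
        "severity": f.get("severity", "UNTRIAGED"),
        "score": float(f.get("inspectorScore", 0.0)),
        "exploit": f.get("exploitAvailable") == "YES",
        "fix": f.get("fixAvailable", "NO"),          # YES / NO / PARTIAL
        "package": pkgs[0].get("name", "?"),
        "fixed_in": pkgs[0].get("fixedInVersion", ""),
        "image": f["resources"][0]["id"] if f.get("resources") else "",
    }


def rank_key(s):
    """Higher tuple sorts first: severity, known exploit, fix available, score."""
    return (SEVERITY_RANK.get(s["severity"], 0), s["exploit"], s["fix"] == "YES", s["score"])


def triage(raw_json, image=None):
    """Return findings (optionally for a single image) ordered by rank_key, highest first."""
    rows = [summarise(f) for f in json.loads(raw_json).get("findings", [])]
    if image:
        rows = [r for r in rows if r["image"] == image]
    return sorted(rows, key=rank_key, reverse=True)


def gate(raw_json, fail_severities=("CRITICAL", "HIGH"), actionable_only=True):
    """Decide whether a deploy may proceed; returns (ok, blocking_findings).

    Blocks on findings at the listed severities. With actionable_only a finding
    blocks only if a fix is available or an exploit is known (editor's policy).
    """
    blocking = []
    for s in triage(raw_json):
        if s["severity"] not in fail_severities:
            continue
        if actionable_only and not (s["fix"] == "YES" or s["exploit"]):
            continue
        blocking.append(s)
    return (not blocking, blocking)


if __name__ == "__main__":
    for s in triage(SAMPLE_FINDINGS):
        print(f"{s['severity']:<8} {s['score']:>4} exploit={s['exploit']!s:<5} "
              f"fix={s['fix']:<7} {s['vuln_id']} {s['package']} -> {s['fixed_in'] or 'no fix'}")
    ok, blocking = gate(SAMPLE_FINDINGS)
    print("deploy:", "ALLOW" if ok else f"BLOCK ({len(blocking)} actionable findings)")
```

In a pipeline, feed the output of `aws inspector2 list-findings --filter-criteria` (filtered to the image digest just pushed) into `gate` and fail the job when `ok` is false; the findings that are skipped by `actionable_only` are the ones to carry into a backlog rather than block on, because nothing can be done about them in this build.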