The document provides an overview of the Amazon Inspector security assessment service. It discusses how Amazon Inspector can automate vulnerability assessments for DevSecOps workflows, complementing AWS's shared security model. The session demonstrates how to quickly assess an entire Amazon EC2 fleet using Amazon Inspector, tailor assessments by tuning rules and schedules, and scale assessments using CloudFormation templates.

1. Catherine Dodge – Technical Program Manager
Session TitleAmazon Inspector
Automating the Sec in DevSecOps

2. What to Expect from the Session
• Overview of Amazon Inspector
• Demo: How to assess your whole
fleet quickly
• Demo: Tailoring your workflow
• Demo: Scaling vulnerability
assessments in the cloud
• Wrap up
What are we going to do?

3. Shared Security Model

4. Why launch Amazon Inspector?
Our customers asked us to:
• Complement Shared Security Model
• Automatable for DevSecOps
• Provide Recommendations

5. Am I Secure?
• Are my instances exposed to the latest
vulnerabilities?
• Are my instances hardened for security?
• Are my instances password policies in
line with best practices?
• Does my application use insecure
protocols?

6. What is Amazon Inspector?
Simple
Vulnerability Assessment
for your Compute
Pay as you Go Integrate Security
into DevOps +
Production

7. Key Concepts for Inspector
Inspector Agent
Assessment Targets Rules PackagesAssessment Template
Triggers & Runs Findings & Reports

8. Amazon Inspector Rules Packages
• Common Vulnerabilities and Exposures (CVE)
• Center for Internet Security (CIS) benchmarks
• Security Best Practices
• Runtime Behavior Analysis

9. Am I Secure?
Common Vulnerabilities and
Exposures (CVE)
Center for Internet Security
(CIS) benchmarks
Security Best Practices
Runtime Behavior Analysis
• Are my instances exposed
to the latest vulnerabilities?
• Are my instances hardened
for security?
• Are my password policies
in line with best practices?
• Does my application use
insecure protocols?

10. Simple AND Customizable

11. Demo 1: How to assess your whole fleet quickly
• Run against all instances with zero configuration
• Simple scheduling
• Agent installation via Systems Manager

12. Demo 2: Tailoring your workflow
• Tune the set of instances and rules
• Configuring a complex schedule
• Configuring notifications to apps
• Send any high severity findings to Chime
Blog post: https://aws.amazon.com/blogs/aws/scale-your-security-vulnerability-
testing-with-amazon-inspector/

13. Inspector -> SNS -> Chime

14. Demo 3: Scaling vulnerability assessments
• Use CloudFormation templates
• Auto-populate the Systems Manager Inventory
• Fleet Management Solution available at:
https://docs.aws.amazon.com/solutions/latest/server-fleet-
management-at-scale/overview.html

15. Inspector Scales as you Grow
• Get started doing weekly
assessments in minutes
• Tailor the workflow to your
use cases
• Build into infrastructure as
you grow

16. Supported Regions
Asia Pacific (Mumbai)
Asia Pacific (Seoul)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
EU (Frankfurt)
US East (Northern Virginia)
US East (Ohio)
US West (Northern California)
US West (Oregon)
EU (Ireland)
AWS GovCloud (US) - launched June 20th
Learn more: https://aws.amazon.com/govcloud-us/getting-started/

17. Thank You!

18. Assessment Target

19. Assessment Template

20. Preview Target

21. Assessment Templates - Run

22. Assessment Runs

23. Assessment Runs

24. Customized Workflow