Amazon Inspector V2 is the Amazon Web Services (AWS) vulnerability management and scanning service for AWS workloads. It captures vulnerabilities and unintended network exposures. It can scan Elastic Compute Cloud (EC2) instances, Amazon Elastic Container Registry images, and Lambda (serverless) functions. For more information about the AWS Inspector V2 release, see the readme.md.
For more information about toolkit connectors, see the Connector Toolkit.
Other AWS Inspector versions
For information about other AWS Inspector versions, see the following readme.md files on GitHub:
Capabilities of this AWS Inspector V2 Release
The AWS Inspector V2 can do the following:
- Handle the EC2 instance and ECR container image asset types
- Use the EC2 ID and IP address locators
- Record the findings ARN as the scanner ID on the vulnerability
Limitations of this AWS Inspector V2 Release
The AWS Inspector V2 does not do the following:
- Handle ECR Repositories and Lambda Functions asset types
- Handle network reachability findings
Note: Fix/Recommendation data is not included.
Locator Ordering
The following table shows how the AWS Inspector V2 task maps fields from the Inspector V2 API to the Data Importer JSON:

| AWS Inspector v2 API | Data Importer JSON |
|---|---|
| findingArn | asset.vulns[].scanner_identifier, vuln_def.scanner_identifier |
| firstObservedAt | asset.vulns[].created_at |
| lastObservedAt | asset.vulns[].last_seen_at |
| inspectorScore | asset.vulns[].scanner_score (rounded to the nearest integer) |
| severity | asset.vulns[].scanner_score, used only when there is no inspectorScore: "INFORMATIONAL" => 0, "LOW" => 3, "MEDIUM" => 6, "HIGH" => 8, "CRITICAL" => 10, "UNTRIAGED" => 1 |
| type | Filter for "PACKAGE_VULNERABILITY"; Network Reachability and Code Vulns (AWS Lambda) findings are ignored |
| title | asset.vulns[].vuln_def_name, vuln_def.name |
| description | vuln_def.description |
| remediation.recommendation.text | vuln_def.solution |
| status | asset.vulns[].status ("SUPPRESSED" => "open") |
| package_vulnerability_details. | cve_identifiers, cwe_identifiers, or wasc_identifiers, chosen by whether the string contains CVE, CWE, or WASC |
| resources.first.id | asset.ec2 |
| resources.first.details.aws_ec2_instance. | asset.ip_address |
| resources.first.details.aws_ec2_instance. | asset.os |
| resources.first.tags | "Name" tag => asset.hostname or asset.fqdn depending on format; other tags => asset.tags |
| resources.first.details.aws_ecr_ | asset.tags << "registry-<<REGISTRY_NAME>>" |
| resources.first.details.aws_ecr_ | asset.tags << "repository-<<REPOSITORY_NAME>>" |
| resources.first.details.aws_ecr_ | asset.image_id |
| resources.first.type | asset.asset_type = "image" if "AWS_ECR_CONTAINER_IMAGE" |
| "AWS Inspector V2" | asset.scanner_type, vuln_def.scanner_type |
Note: If the asset type is a container image, its only locator is an image ID, so the run will fail. If it fails, contact Support for help updating the custom locator ordering to use image ID as a locator. For more information, see Understanding Locator Order.
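As an added illustration (not code from the connector toolkit itself), the following Ruby function applies the mapping rules in the table above to one constructed finding, using the snake_case key form the AWS Ruby SDK returns. The sub-field names below the table's truncated entries (vulnerability_id, ip_v4_addresses, platform, registry, repository_name, image_hash), the "key:value" tag string form, the dot test used to pick fqdn over hostname, and the lowercased passthrough of non-suppressed statuses are assumptions, not documented behaviour.

```ruby
# Severity is used only when inspector_score is absent (mapping table on this page).
SEVERITY_SCORE = { "INFORMATIONAL" => 0, "UNTRIAGED" => 1, "LOW" => 3, "MEDIUM" => 6, "HIGH" => 8, "CRITICAL" => 10 }.freeze
SCANNER = "AWS Inspector V2"
# Maps one Inspector V2 finding (snake_case hash, as the AWS Ruby SDK returns it) to the
# Data Importer asset / vuln_def shape. Returns nil for finding types the connector ignores.
def map_finding(f)
  return nil unless f["type"] == "PACKAGE_VULNERABILITY"   # drops network reachability, code vulns
  res = f["resources"].first
  asset = { "tags" => [] }
  if res["type"] == "AWS_ECR_CONTAINER_IMAGE"
    ecr = res["details"]["aws_ecr_container_image"]        # sub-field names are assumed
    asset["asset_type"] = "image"
    asset["image_id"] = ecr["image_hash"]
    asset["tags"] << "registry-#{ecr['registry']}" << "repository-#{ecr['repository_name']}"
  else
    ec2 = res["details"]["aws_ec2_instance"]               # sub-field names are assumed
    asset["ec2"] = res["id"]
    asset["ip_address"] = ec2["ip_v4_addresses"].first
    asset["os"] = ec2["platform"]
  end
  tags = res["tags"] || {}
  name = tags["Name"]
  asset[name.include?(".") ? "fqdn" : "hostname"] = name if name   # "depending on format": dot test assumed
  asset["tags"] += tags.reject { |k, _| k == "Name" }.map { |k, v| "#{k}:#{v}" }   # tag string form assumed
  score = f["inspector_score"] ? f["inspector_score"].round : SEVERITY_SCORE.fetch(f["severity"])
  asset["vulns"] = [{
    "scanner_identifier" => f["finding_arn"], "scanner_type" => SCANNER, "vuln_def_name" => f["title"],
    "created_at" => f["first_observed_at"], "last_seen_at" => f["last_observed_at"], "scanner_score" => score,
    "status" => f["status"] == "SUPPRESSED" ? "open" : f["status"].downcase   # other statuses: passthrough assumed
  }]
  vuln_def = {
    "scanner_identifier" => f["finding_arn"], "scanner_type" => SCANNER, "name" => f["title"],
    "description" => f["description"], "solution" => f.dig("remediation", "recommendation", "text")
  }
  id = f.dig("package_vulnerability_details", "vulnerability_id").to_s   # sub-field name assumed
  %w[CVE CWE WASC].each { |p| vuln_def["#{p.downcase}_identifiers"] = [id] if id.include?(p) }
  { "asset" => asset, "vuln_def" => vuln_def }
end
# Constructed sample finding for an EC2 instance (not real AWS output).
SAMPLE_FINDING = {
  "finding_arn" => "arn:aws:inspector2:us-east-1:123456789012:finding/example",
  "first_observed_at" => "2024-01-02T03:04:05Z", "last_observed_at" => "2024-01-09T03:04:05Z",
  "inspector_score" => 7.6, "severity" => "HIGH", "type" => "PACKAGE_VULNERABILITY",
  "title" => "CVE-2024-0001 - openssl", "description" => "Example.", "status" => "SUPPRESSED",
  "remediation" => { "recommendation" => { "text" => "Upgrade openssl." } },
  "package_vulnerability_details" => { "vulnerability_id" => "CVE-2024-0001" },
  "resources" => [{ "id" => "i-0123456789abcdef0", "type" => "AWS_EC2_INSTANCE",
                    "tags" => { "Name" => "web01.example.internal", "env" => "prod" },
                    "details" => { "aws_ec2_instance" => { "ip_v4_addresses" => ["10.0.1.5"], "platform" => "AMAZON_LINUX_2" } } }]
}.freeze
```

Calling `map_finding(SAMPLE_FINDING)` yields an asset with fqdn, ip_address, os and ec2 set, a scanner_score of 8 (7.6 rounded), status "open" for the suppressed finding, and a vuln_def carrying cve_identifiers only.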
© 1992-2024 Cisco Systems, Inc. All rights reserved.