> ## Documentation Index
> Fetch the complete documentation index at: https://resources.devweekends.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS Inspector

> Automated security assessment service for vulnerabilities and security best practices

## Overview

AWS Inspector is an **automated security assessment service** that helps you improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities, exposure, and deviations from best practices. Think of Inspector as a continuous vulnerability scanner that knows your infrastructure context. Unlike generic CVE scanners, Inspector combines vulnerability data with network reachability analysis -- a critical CVE on an instance that has no internet-facing ports is lower priority than the same CVE on a publicly accessible web server. This context-aware scoring is what makes Inspector more actionable than raw CVE feeds.

<svg viewBox="0 0 800 450" className="w-full h-auto my-8 rounded-lg">
  <defs>
    <linearGradient id="inspectorGrad" x1="0%" y1="0%" x2="100%" y2="100%">
      <stop offset="0%" style={{stopColor:"#232F3E",stopOpacity:1}} />

      <stop offset="100%" style={{stopColor:"#1a2332",stopOpacity:1}} />
    </linearGradient>

    <linearGradient id="vulnGrad" x1="0%" y1="0%" x2="100%" y2="0%">
      <stop offset="0%" style={{stopColor:"#DC2626",stopOpacity:1}} />

      <stop offset="100%" style={{stopColor:"#EF4444",stopOpacity:1}} />
    </linearGradient>
  </defs>

  <rect width="800" height="450" fill="url(#inspectorGrad)" rx="8" />

  <text x="400" y="35" textAnchor="middle" fill="#FF9900" fontSize="20" fontWeight="bold">AWS Inspector - Vulnerability Assessment</text>

  <text x="120" y="75" textAnchor="middle" fill="#A0AEC0" fontSize="12" fontWeight="bold">SCAN TARGETS</text>

  <g transform="translate(30, 90)">
    <rect x="0" y="0" width="100" height="60" fill="#FF9900" rx="4" opacity="0.2" />

    <rect x="0" y="0" width="100" height="60" fill="none" stroke="#FF9900" strokeWidth="2" rx="4" />

    <text x="50" y="30" textAnchor="middle" fill="#FF9900" fontSize="10" fontWeight="bold">EC2 Instances</text>
    <text x="50" y="45" textAnchor="middle" fill="#E2E8F0" fontSize="8">OS & Apps</text>
  </g>

  <g transform="translate(30, 160)">
    <rect x="0" y="0" width="100" height="60" fill="#63B3ED" rx="4" opacity="0.2" />

    <rect x="0" y="0" width="100" height="60" fill="none" stroke="#63B3ED" strokeWidth="2" rx="4" />

    <text x="50" y="25" textAnchor="middle" fill="#63B3ED" fontSize="10" fontWeight="bold">Container</text>
    <text x="50" y="37" textAnchor="middle" fill="#63B3ED" fontSize="10" fontWeight="bold">Images</text>
    <text x="50" y="52" textAnchor="middle" fill="#E2E8F0" fontSize="8">ECR</text>
  </g>

  <g transform="translate(30, 230)">
    <rect x="0" y="0" width="100" height="60" fill="#F6AD55" rx="4" opacity="0.2" />

    <rect x="0" y="0" width="100" height="60" fill="none" stroke="#F6AD55" strokeWidth="2" rx="4" />

    <text x="50" y="25" textAnchor="middle" fill="#F6AD55" fontSize="10" fontWeight="bold">Lambda</text>
    <text x="50" y="37" textAnchor="middle" fill="#F6AD55" fontSize="10" fontWeight="bold">Functions</text>
    <text x="50" y="52" textAnchor="middle" fill="#E2E8F0" fontSize="8">Code & Deps</text>
  </g>

  <path d="M140 120 L210 225" stroke="#FF9900" strokeWidth="2" />

  <path d="M140 190 L210 225" stroke="#63B3ED" strokeWidth="2" />

  <path d="M140 260 L210 225" stroke="#F6AD55" strokeWidth="2" />

  <g transform="translate(220, 160)">
    <rect x="0" y="0" width="200" height="130" fill="#FF9900" rx="8" opacity="0.3" />

    <rect x="0" y="0" width="200" height="130" fill="none" stroke="#FF9900" strokeWidth="3" rx="8" />

    <text x="100" y="25" textAnchor="middle" fill="#FF9900" fontSize="13" fontWeight="bold">Inspector Engine</text>

    <rect x="20" y="40" width="160" height="23" fill="#232F3E" rx="4" />

    <text x="100" y="57" textAnchor="middle" fill="#E2E8F0" fontSize="9">CVE Database</text>

    <rect x="20" y="68" width="160" height="23" fill="#232F3E" rx="4" />

    <text x="100" y="85" textAnchor="middle" fill="#E2E8F0" fontSize="9">Package Scanning</text>

    <rect x="20" y="96" width="160" height="23" fill="#232F3E" rx="4" />

    <text x="100" y="113" textAnchor="middle" fill="#E2E8F0" fontSize="9">SBOM Analysis</text>
  </g>

  <path d="M430 225 L490 120" stroke="#FF9900" strokeWidth="2" markerEnd="url(#arrowInsp)" />

  <path d="M430 225 L490 225" stroke="#FF9900" strokeWidth="2" markerEnd="url(#arrowInsp)" />

  <path d="M430 225 L490 330" stroke="#FF9900" strokeWidth="2" markerEnd="url(#arrowInsp)" />

  <defs>
    <marker id="arrowInsp" markerWidth="10" markerHeight="7" refX="9" refY="3.5" orient="auto">
      <polygon points="0 0, 10 3.5, 0 7" fill="#FF9900" />
    </marker>
  </defs>

  <g transform="translate(500, 60)">
    <rect x="0" y="0" width="260" height="280" fill="#2D3748" rx="6" stroke="#4A5568" strokeWidth="1" />

    <text x="130" y="25" textAnchor="middle" fill="#A0AEC0" fontSize="13" fontWeight="bold">VULNERABILITY FINDINGS</text>

    {/* Critical */}

    <g transform="translate(15, 40)">
      <rect x="0" y="0" width="230" height="50" fill="#1a202c" rx="4" />

      <rect x="5" y="5" width="50" height="40" fill="url(#vulnGrad)" rx="3" />

      <text x="30" y="30" textAnchor="middle" fill="white" fontSize="10" fontWeight="bold">CRITICAL</text>

      <text x="70" y="20" fill="#E2E8F0" fontSize="9" fontWeight="bold">CVE-2024-12345</text>
      <text x="70" y="35" fill="#A0AEC0" fontSize="8">Remote Code Execution</text>
    </g>

    {/* High */}

    <g transform="translate(15, 95)">
      <rect x="0" y="0" width="230" height="50" fill="#1a202c" rx="4" />

      <rect x="5" y="5" width="50" height="40" fill="#EF4444" rx="3" />

      <text x="30" y="30" textAnchor="middle" fill="white" fontSize="10" fontWeight="bold">HIGH</text>

      <text x="70" y="20" fill="#E2E8F0" fontSize="9" fontWeight="bold">CVE-2024-67890</text>
      <text x="70" y="35" fill="#A0AEC0" fontSize="8">SQL Injection</text>
    </g>

    {/* Medium */}

    <g transform="translate(15, 150)">
      <rect x="0" y="0" width="230" height="50" fill="#1a202c" rx="4" />

      <rect x="5" y="5" width="50" height="40" fill="#FBBF24" rx="3" />

      <text x="30" y="30" textAnchor="middle" fill="#1a202c" fontSize="10" fontWeight="bold">MEDIUM</text>

      <text x="70" y="20" fill="#E2E8F0" fontSize="9" fontWeight="bold">CVE-2024-11111</text>
      <text x="70" y="35" fill="#A0AEC0" fontSize="8">XSS Vulnerability</text>
    </g>

    {/* Low */}

    <g transform="translate(15, 205)">
      <rect x="0" y="0" width="230" height="50" fill="#1a202c" rx="4" />

      <rect x="5" y="5" width="50" height="40" fill="#10B981" rx="3" />

      <text x="30" y="30" textAnchor="middle" fill="white" fontSize="10" fontWeight="bold">LOW</text>

      <text x="70" y="20" fill="#E2E8F0" fontSize="9" fontWeight="bold">CVE-2024-22222</text>
      <text x="70" y="35" fill="#A0AEC0" fontSize="8">Info Disclosure</text>
    </g>
  </g>

  <g transform="translate(50, 330)">
    <text x="350" y="0" textAnchor="middle" fill="#A0AEC0" fontSize="13" fontWeight="bold">INTEGRATION & RESPONSE</text>

    <g transform="translate(0, 15)">
      <rect x="0" y="0" width="120" height="35" fill="#2D3748" rx="4" stroke="#1DB954" strokeWidth="1" />

      <text x="60" y="22" textAnchor="middle" fill="#1DB954" fontSize="10" fontWeight="bold">Security Hub</text>
    </g>

    <g transform="translate(135, 15)">
      <rect x="0" y="0" width="120" height="35" fill="#2D3748" rx="4" stroke="#E91E63" strokeWidth="1" />

      <text x="60" y="22" textAnchor="middle" fill="#E91E63" fontSize="10" fontWeight="bold">EventBridge</text>
    </g>

    <g transform="translate(270, 15)">
      <rect x="0" y="0" width="120" height="35" fill="#2D3748" rx="4" stroke="#63B3ED" strokeWidth="1" />

      <text x="60" y="22" textAnchor="middle" fill="#63B3ED" fontSize="10" fontWeight="bold">SNS</text>
    </g>

    <g transform="translate(405, 15)">
      <rect x="0" y="0" width="120" height="35" fill="#2D3748" rx="4" stroke="#F6AD55" strokeWidth="1" />

      <text x="60" y="22" textAnchor="middle" fill="#F6AD55" fontSize="10" fontWeight="bold">Systems Manager</text>
    </g>

    <g transform="translate(540, 15)">
      <rect x="0" y="0" width="120" height="35" fill="#2D3748" rx="4" stroke="#9333EA" strokeWidth="1" />

      <text x="60" y="22" textAnchor="middle" fill="#9333EA" fontSize="10" fontWeight="bold">Lambda</text>
    </g>
  </g>

  <g transform="translate(50, 410)">
    <circle cx="5" cy="5" r="4" fill="#FF9900" />

    <text x="15" y="9" fill="#A0AEC0" fontSize="10">Continuous scanning</text>

    <circle cx="200" cy="5" r="4" fill="#DC2626" />

    <text x="210" y="9" fill="#A0AEC0" fontSize="10">CVE database integration</text>

    <circle cx="430" cy="5" r="4" fill="#1DB954" />

    <text x="440" y="9" fill="#A0AEC0" fontSize="10">Automated remediation</text>
  </g>
</svg>

## Core Concepts

### Scan Types

<Tabs items={['EC2 Scanning', 'ECR Scanning', 'Lambda Scanning']}>
  <Tabs.Tab>
    **EC2 Instance Scanning**

    ```yaml theme={null}
    What Gets Scanned:
      - Operating system packages (RPM, DEB)
      - Application dependencies
      - Network reachability
      - File paths
      
    CVE Detection:
      - Package vulnerabilities
      - Known software vulnerabilities
      - Common Vulnerabilities and Exposures
      
    Requirements:
      - SSM Agent installed
      - Instance has SSM permissions
      - Network access configured
    ```
  </Tabs.Tab>

  <Tabs.Tab>
    **ECR Container Image Scanning**

    ```yaml theme={null}
    Scanning Types:
      Basic Scanning:
        - On-push scanning
        - Uses Clair engine
        - Scans OS packages
        
      Enhanced Scanning (Inspector):
        - Continuous monitoring
        - OS and programming language packages
        - SBOM (Software Bill of Materials)
        - Auto-scan on push
        
    Supported Languages:
      - Go, Java, JavaScript/Node.js
      - Python, Ruby, .NET, PHP
      
    SBOM Generation:
      - JSON format
      - Lists all components
      - Export to S3
    ```
  </Tabs.Tab>

  <Tabs.Tab>
    **Lambda Function Scanning**

    ```yaml theme={null}
    What Gets Scanned:
      - Application code
      - Package dependencies
      - Layers
      - Runtime vulnerabilities
      
    Supported Runtimes:
      - Python, Node.js, Java
      - .NET, Go, Ruby
      
    Automatic Scanning:
      - On function update
      - On layer update
      - Continuous monitoring
      
    No Additional Setup:
      - Automatic for all functions
      - No agent required
      - No configuration needed
    ```
  </Tabs.Tab>
</Tabs>

### Vulnerability Scoring

<svg viewBox="0 0 700 250" className="w-full h-auto my-6 rounded-lg">
  <defs>
    <linearGradient id="scoreGrad" x1="0%" y1="0%" x2="100%" y2="100%">
      <stop offset="0%" style={{stopColor:"#232F3E",stopOpacity:1}} />

      <stop offset="100%" style={{stopColor:"#1a2332",stopOpacity:1}} />
    </linearGradient>
  </defs>

  <rect width="700" height="250" fill="url(#scoreGrad)" rx="8" />

  <text x="350" y="30" textAnchor="middle" fill="#FF9900" fontSize="16" fontWeight="bold">Inspector Severity Scoring</text>

  <g transform="translate(30, 60)">
    <rect x="0" y="0" width="640" height="140" fill="#2D3748" rx="6" stroke="#4A5568" strokeWidth="1" />

    <text x="320" y="25" textAnchor="middle" fill="#A0AEC0" fontSize="12" fontWeight="bold">CVSS Score Mapping</text>

    {/* Critical */}

    <g transform="translate(20, 40)">
      <rect x="0" y="0" width="140" height="80" fill="#1a202c" rx="4" />

      <rect x="10" y="10" width="120" height="30" fill="#DC2626" rx="3" />

      <text x="70" y="30" textAnchor="middle" fill="white" fontSize="11" fontWeight="bold">CRITICAL</text>

      <text x="70" y="55" textAnchor="middle" fill="#E2E8F0" fontSize="10">Score: 9.0 - 10.0</text>
      <text x="70" y="70" textAnchor="middle" fill="#A0AEC0" fontSize="8">Immediate action</text>
    </g>

    {/* High */}

    <g transform="translate(170, 40)">
      <rect x="0" y="0" width="140" height="80" fill="#1a202c" rx="4" />

      <rect x="10" y="10" width="120" height="30" fill="#EF4444" rx="3" />

      <text x="70" y="30" textAnchor="middle" fill="white" fontSize="11" fontWeight="bold">HIGH</text>

      <text x="70" y="55" textAnchor="middle" fill="#E2E8F0" fontSize="10">Score: 7.0 - 8.9</text>
      <text x="70" y="70" textAnchor="middle" fill="#A0AEC0" fontSize="8">Priority fix</text>
    </g>

    {/* Medium */}

    <g transform="translate(320, 40)">
      <rect x="0" y="0" width="140" height="80" fill="#1a202c" rx="4" />

      <rect x="10" y="10" width="120" height="30" fill="#FBBF24" rx="3" />

      <text x="70" y="30" textAnchor="middle" fill="#1a202c" fontSize="11" fontWeight="bold">MEDIUM</text>

      <text x="70" y="55" textAnchor="middle" fill="#E2E8F0" fontSize="10">Score: 4.0 - 6.9</text>
      <text x="70" y="70" textAnchor="middle" fill="#A0AEC0" fontSize="8">Plan remediation</text>
    </g>

    {/* Low */}

    <g transform="translate(470, 40)">
      <rect x="0" y="0" width="140" height="80" fill="#1a202c" rx="4" />

      <rect x="10" y="10" width="120" height="30" fill="#10B981" rx="3" />

      <text x="70" y="30" textAnchor="middle" fill="white" fontSize="11" fontWeight="bold">LOW</text>

      <text x="70" y="55" textAnchor="middle" fill="#E2E8F0" fontSize="10">Score: 0.1 - 3.9</text>
      <text x="70" y="70" textAnchor="middle" fill="#A0AEC0" fontSize="8">Monitor</text>
    </g>
  </g>

  <g transform="translate(30, 210)">
    <text x="0" y="0" fill="#FF9900" fontSize="11" fontWeight="bold">Inspector Score = </text>
    <text x="110" y="0" fill="#E2E8F0" fontSize="10">CVSS Base Score</text>
    <text x="230" y="0" fill="#FF9900" fontSize="11"> + </text>
    <text x="250" y="0" fill="#E2E8F0" fontSize="10">Network Reachability</text>
    <text x="390" y="0" fill="#FF9900" fontSize="11"> + </text>
    <text x="410" y="0" fill="#E2E8F0" fontSize="10">Exploitability</text>
  </g>
</svg>

## Enabling Inspector

### For EC2 Instances

```bash theme={null}
# Enable Inspector for EC2 in account
aws inspector2 enable \
  --resource-types EC2 \
  --account-ids 123456789012

# Check status
aws inspector2 batch-get-account-status \
  --account-ids 123456789012

# Get findings for EC2
aws inspector2 list-findings \
  --filter-criteria '{
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}],
    "severity": [{"comparison": "EQUALS", "value": "CRITICAL"}]
  }'
```

### For ECR

```bash theme={null}
# Enable Inspector scanning for ECR
aws inspector2 enable \
  --resource-types ECR

# Enable enhanced scanning for specific repo
aws ecr put-image-scanning-configuration \
  --repository-name my-app \
  --image-scanning-configuration scanOnPush=true

# Get ECR findings
aws inspector2 list-findings \
  --filter-criteria '{
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_CONTAINER_IMAGE"}],
    "severity": [{"comparison": "EQUALS", "value": "HIGH"}]
  }'

# Get SBOM
aws inspector2 list-coverage \
  --filter-criteria '{
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_CONTAINER_IMAGE"}]
  }'
```

### For Lambda

```bash theme={null}
# Enable Inspector for Lambda
aws inspector2 enable \
  --resource-types LAMBDA \
  --account-ids 123456789012

# Lambda scanning is automatic - no additional config needed

# Get Lambda findings
aws inspector2 list-findings \
  --filter-criteria '{
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_LAMBDA_FUNCTION"}],
    "severity": [{"comparison": "EQUALS", "value": "CRITICAL"}]
  }'
```

## Terraform Configuration

```hcl theme={null}
# Enable Inspector
resource "aws_inspector2_enabler" "main" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2", "ECR", "LAMBDA"]
}

# ECR repository with enhanced scanning
resource "aws_ecr_repository" "app" {
  name                 = "my-application"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  tags = {
    Environment = "production"
  }
}

# Inspector delegated admin (for Organizations)
resource "aws_inspector2_delegated_admin_account" "main" {
  account_id = "123456789012"
}

# Inspector member association
resource "aws_inspector2_member_association" "members" {
  account_id = "111122223333"
}

# EventBridge rule for critical findings
resource "aws_cloudwatch_event_rule" "inspector_critical" {
  name        = "inspector-critical-findings"
  description = "Capture critical Inspector findings"

  event_pattern = jsonencode({
    source      = ["aws.inspector2"]
    detail-type = ["Inspector2 Finding"]
    detail = {
      severity = ["CRITICAL"]
      status   = ["ACTIVE"]
    }
  })
}

resource "aws_cloudwatch_event_target" "notify" {
  rule      = aws_cloudwatch_event_rule.inspector_critical.name
  target_id = "SendToSNS"
  arn       = aws_sns_topic.security_alerts.arn
}

# SNS topic for alerts
resource "aws_sns_topic" "security_alerts" {
  name = "inspector-security-alerts"
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.security_alerts.arn
  protocol  = "email"
  endpoint  = "security-team@example.com"
}
```

## Finding Management

### Understanding Findings

```json theme={null}
{
  "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/...",
  "awsAccountId": "123456789012",
  "type": "PACKAGE_VULNERABILITY",
  "description": "CVE-2024-12345 - Remote Code Execution in libssl1.1",
  "severity": "CRITICAL",
  "firstObservedAt": "2024-01-15T10:00:00.000Z",
  "lastObservedAt": "2024-01-15T10:00:00.000Z",
  "updatedAt": "2024-01-15T10:00:00.000Z",
  "status": "ACTIVE",
  "remediation": {
    "recommendation": {
      "text": "Update libssl1.1 to version 1.1.1w-0+deb11u1 or later",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12345"
    }
  },
  "packageVulnerabilityDetails": {
    "vulnerabilityId": "CVE-2024-12345",
    "vulnerablePackages": [
      {
        "name": "libssl1.1",
        "version": "1.1.1n-0+deb11u3",
        "architecture": "amd64",
        "packageManager": "APT"
      }
    ],
    "source": "NVD",
    "cvss": {
      "version": "3.1",
      "baseScore": 9.8,
      "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "referenceUrls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2024-12345"
    ]
  },
  "resources": [
    {
      "type": "AWS_EC2_INSTANCE",
      "id": "i-1234567890abcdef0",
      "details": {
        "awsEc2Instance": {
          "type": "t3.medium",
          "platform": "UBUNTU_20_04",
          "ipV4Addresses": ["10.0.1.50"]
        }
      }
    }
  ],
  "networkReachabilityDetails": {
    "networkPath": {
      "steps": [
        {
          "componentType": "INTERNET_GATEWAY"
        },
        {
          "componentType": "SECURITY_GROUP",
          "componentId": "sg-0123456789abcdef0"
        }
      ]
    },
    "openPortRange": {
      "begin": 443,
      "end": 443
    },
    "protocol": "TCP"
  },
  "exploitAvailable": "YES",
  "fixAvailable": "YES"
}
```

### Automated Remediation

```python theme={null}
import boto3
import json

inspector = boto3.client('inspector2')
ssm = boto3.client('ssm')
sns = boto3.client('sns')

def lambda_handler(event, context):
    """
    Automated response to Inspector findings
    """
    finding = event['detail']
    severity = finding['severity']
    resource_type = finding['resources'][0]['type']
    
    if severity == 'CRITICAL' and finding['fixAvailable'] == 'YES':
        if resource_type == 'AWS_EC2_INSTANCE':
            remediate_ec2_vulnerability(finding)
        elif resource_type == 'AWS_ECR_CONTAINER_IMAGE':
            notify_container_vulnerability(finding)
        elif resource_type == 'AWS_LAMBDA_FUNCTION':
            remediate_lambda_vulnerability(finding)

def remediate_ec2_vulnerability(finding):
    """
    Patch EC2 instance using Systems Manager.
    
    This is the "golden path" for EC2 patching: Inspector detects the vuln,
    EventBridge triggers this Lambda, and SSM Run Command applies the patch.
    No SSH access needed, no bastion hosts, fully auditable.
    
    Common mistake: patching without testing. In production, route the
    SSM command to a staging instance first, verify the patch doesn't break
    your application, THEN apply to production instances in a rolling fashion.
    """
    instance_id = finding['resources'][0]['id']
    vulnerability_id = finding['packageVulnerabilityDetails']['vulnerabilityId']
    
    # Get affected package
    vulnerable_pkg = finding['packageVulnerabilityDetails']['vulnerablePackages'][0]
    package_name = vulnerable_pkg['name']
    fixed_version = finding['remediation']['recommendation']['text']
    
    # Run patch command via SSM
    response = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName='AWS-RunPatchBaseline',
        Parameters={
            'Operation': ['Install']
        },
        Comment=f'Patching {vulnerability_id} - {package_name}'
    )
    
    command_id = response['Command']['CommandId']
    
    # Notify team
    notify_remediation(
        finding,
        f'Initiated patching on {instance_id}. SSM Command: {command_id}'
    )

def notify_container_vulnerability(finding):
    """
    Alert team about container vulnerability
    """
    image_uri = finding['resources'][0]['id']
    vulnerability_id = finding['packageVulnerabilityDetails']['vulnerabilityId']
    cvss_score = finding['packageVulnerabilityDetails']['cvss']['baseScore']
    
    message = {
        'severity': finding['severity'],
        'vulnerability': vulnerability_id,
        'cvss_score': cvss_score,
        'image': image_uri,
        'action_required': 'Rebuild container image with updated base image',
        'remediation': finding['remediation']['recommendation']['text']
    }
    
    sns.publish(
        TopicArn='arn:aws:sns:us-east-1:123456789012:container-security',
        Subject=f'CRITICAL: Container Vulnerability {vulnerability_id}',
        Message=json.dumps(message, indent=2)
    )

def remediate_lambda_vulnerability(finding):
    """
    Update Lambda function dependencies
    """
    function_arn = finding['resources'][0]['id']
    function_name = function_arn.split(':')[-1]
    
    vulnerability_id = finding['packageVulnerabilityDetails']['vulnerabilityId']
    
    # Get Lambda function
    lambda_client = boto3.client('lambda')
    function = lambda_client.get_function(FunctionName=function_name)
    
    message = {
        'severity': finding['severity'],
        'function': function_name,
        'vulnerability': vulnerability_id,
        'runtime': function['Configuration']['Runtime'],
        'action_required': 'Update function dependencies and redeploy',
        'remediation': finding['remediation']['recommendation']['text']
    }
    
    sns.publish(
        TopicArn='arn:aws:sns:us-east-1:123456789012:lambda-security',
        Subject=f'Lambda Vulnerability: {function_name}',
        Message=json.dumps(message, indent=2)
    )

def notify_remediation(finding, action_taken):
    """
    Send notification about remediation action
    """
    sns.publish(
        TopicArn='arn:aws:sns:us-east-1:123456789012:security-remediation',
        Subject=f"Inspector Remediation: {finding['packageVulnerabilityDetails']['vulnerabilityId']}",
        Message=json.dumps({
            'finding_arn': finding['findingArn'],
            'severity': finding['severity'],
            'vulnerability': finding['packageVulnerabilityDetails']['vulnerabilityId'],
            'action_taken': action_taken
        }, indent=2)
    )
```

## Suppression Rules

```python theme={null}
import boto3

inspector = boto3.client('inspector2')

def create_suppression_rule():
    """
    Suppress findings for dev environment
    """
    response = inspector.create_filter(
        action='SUPPRESS',
        description='Suppress low severity findings in development',
        filterCriteria={
            'severity': [
                {
                    'comparison': 'EQUALS',
                    'value': 'LOW'
                }
            ],
            'resourceTags': [
                {
                    'comparison': 'EQUALS',
                    'key': 'Environment',
                    'value': 'development'
                }
            ]
        },
        name='suppress-dev-low-severity',
        reason='Low severity acceptable in dev environment'
    )
    return response

def suppress_specific_cve():
    """
    Suppress specific CVE across all resources
    """
    response = inspector.create_filter(
        action='SUPPRESS',
        description='Suppress CVE-2024-12345 - false positive',
        filterCriteria={
            'vulnerabilityId': [
                {
                    'comparison': 'EQUALS',
                    'value': 'CVE-2024-12345'
                }
            ]
        },
        name='suppress-cve-2024-12345',
        reason='False positive - not applicable to our use case'
    )
    return response
```

## Multi-Account Setup

### Organization Integration

<Steps>
  ### Designate Delegated Administrator

  ```bash theme={null}
  # From management account
  aws inspector2 enable-delegated-admin-account \
    --delegated-admin-account-id 123456789012
  ```

  ### Enable Auto-Enable

  ```bash theme={null}
  # From delegated admin account
  aws inspector2 update-organization-configuration \
    --auto-enable '{
      "ec2": true,
      "ecr": true,
      "lambda": true
    }'
  ```

  ### Add Member Accounts

  ```bash theme={null}
  # Associate member accounts
  aws inspector2 associate-member \
    --account-id 111122223333

  aws inspector2 associate-member \
    --account-id 444455556666
  ```
</Steps>

## Best Practices

<Cards>
  <Card title="Enable All Resource Types" icon="shield">
    Enable scanning for EC2, ECR, and Lambda for complete coverage
  </Card>

  <Card title="Automate Patching" icon="robot">
    Use Systems Manager for automated EC2 patching
  </Card>

  <Card title="SBOM Generation" icon="list">
    Generate and store SBOM for compliance and audit
  </Card>

  <Card title="Integrate with CI/CD" icon="code">
    Fail builds on critical vulnerabilities in containers
  </Card>
</Cards>

### Security Checklist

```yaml theme={null}
Inspector Best Practices:
  Setup:
    ☐ Enable Inspector in all regions
    ☐ Configure delegated administrator
    ☐ Enable auto-enable for new accounts
    ☐ Set up EventBridge rules
    
  Monitoring:
    ☐ Daily review of critical findings
    ☐ Weekly review of high severity
    ☐ Track patching metrics
    ☐ Monitor SBOM generation
    
  Remediation:
    ☐ Automate EC2 patching where possible
    ☐ Set up container rebuild pipelines
    ☐ Update Lambda dependencies regularly
    ☐ Document suppression reasons
    
  Compliance:
    ☐ Generate regular vulnerability reports
    ☐ Export SBOM for compliance
    ☐ Track time-to-remediation
```

## Cost Optimization

```yaml theme={null}
Pricing Model:
  EC2 Scanning:
    - $0.30 per instance per month
    - Charged per active instance
    # Cost tip: 100 EC2 instances = $30/month -- very reasonable
    # compared to commercial vulnerability scanners at $5-15/instance
    
  ECR Scanning:
    - First scan per image: FREE
    - Re-scan if pushed: FREE
    - Continuous monitoring: $0.09 per image per month
    # Cost tip: only enable continuous monitoring for production images.
    # Dev/test images get scanned on push, which is usually sufficient.
    
  Lambda Scanning:
    - $0.60 per function per month
    - Includes code and layers
    # Cost tip: if you have 200 Lambda functions but only 30 are
    # production-critical, use tags and Inspector filters to focus scanning.
    
Optimization Tips:
  - Use tags to exclude dev resources from continuous scanning
  - Create suppression rules for accepted risks (with documented justification)
  - Disable scanning for deprecated resources pending decommission
  - Export findings to S3 for long-term storage and trend analysis
  - Track mean-time-to-remediation (MTTR) as a KPI -- aim for <7 days for critical
```

## Exam Tips

<Accordions>
  <Accordion title="Key Concepts for AWS Exams">
    * Inspector scans **EC2, ECR, Lambda** for vulnerabilities
    * Uses **CVE database** and **SBOM** analysis
    * Provides **CVSS scores** and **network reachability** context
    * **Automatic** for Lambda and ECR (when enabled)
    * Requires **SSM Agent** for EC2 scanning
    * Integrates with **Security Hub** for centralized findings
    * **EventBridge** for automated response
    * **Suppression rules** for false positives
  </Accordion>

  <Accordion title="Common Exam Scenarios">
    **Q: How to scan EC2 instances for vulnerabilities?**
    A: Enable Inspector and ensure SSM Agent is installed on instances

    **Q: How to automatically patch EC2 vulnerabilities?**
    A: EventBridge → Lambda → Systems Manager Run Command

    **Q: How to scan container images?**
    A: Enable Inspector ECR scanning with scan-on-push

    **Q: How to centralize vulnerability findings?**
    A: Use delegated administrator with Security Hub integration
  </Accordion>
</Accordions>
