AWS Inspector v2: Automated Vulnerability Scanning for EC2, Containers, and Lambda

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
AWS Inspector v2 is one of the most underutilized security services in the AWS catalog. Teams that have it enabled often treat it as a compliance checkbox -- they turn it on, note that findings are flowing to Security Hub, and stop there. The operational value comes from the prioritization layer: Inspector's enhanced risk score, which combines CVSS with EPSS exploitability probability and network reachability, cuts through CVE noise to surface the handful of vulnerabilities that actually matter right now. This guide covers enabling Inspector v2 across an AWS Organization, configuring EC2, ECR, and Lambda scanning, understanding the risk score components, and building a remediation workflow that gets engineers fixing the right vulnerabilities rather than churning through a flat CVE list sorted by CVSS alone.
Enable Inspector v2 Across Your AWS Organization
Inspector v2 supports a delegated administrator model identical to Security Hub. Use a dedicated security tooling account to manage Inspector across all member accounts.
Designate a delegated administrator
From the AWS Organizations management account: `aws inspector2 enable-delegated-admin-account --delegated-admin-account-id <security-account-id>`. The security account can then configure Inspector settings, view findings from all member accounts, and generate organization-wide reports without needing access to individual member accounts.
Enable Inspector across all member accounts
In the delegated admin account, enable auto-enrollment for new accounts and bulk-enable existing accounts: `aws inspector2 enable --account-ids <list-of-account-ids> --resource-types EC2,ECR,LAMBDA`. This activates all three scanning types simultaneously. Inspector begins scanning EC2 instances that have SSM Agent within 15 minutes of enablement.
Verify SSM Agent coverage
Inspector EC2 scanning requires SSM Agent. Check coverage: in the Inspector console, go to Coverage and filter by EC2 instances where 'Inspector agent status' is UNMANAGED. These instances are not being scanned. For each unmanaged instance, verify SSM Agent is installed (`aws ssm describe-instance-information`) and that the instance has an IAM role with the AmazonSSMManagedInstanceCore policy. Alternatively, enable agentless scanning in the Inspector settings as a fallback for unmanaged instances.
Configure ECR enhanced scanning
In the Inspector console, go to Manage ECR repositories. Select repositories to enroll in enhanced scanning. Enhanced scanning replaces ECR's basic scanning (Clair-based) with continuous Inspector scanning. Configure a scanning rule that covers all repositories: set the filter to 'repository name' contains '' (empty prefix matches all). New repositories automatically inherit enhanced scanning once the rule is in place.
Understand and Use the Enhanced Risk Score
The Inspector enhanced risk score is the key feature that separates Inspector v2 from basic CVE scanners. Using it correctly transforms vulnerability management from backlog-driven to risk-driven.
Understand the risk score components
The enhanced risk score (0-10) weights: CVSS base score (40%), EPSS exploitability probability (30%), CISA KEV membership (bump to 9+ if present, indicating active exploitation), and network reachability context (multiplicative factor if ports are internet-accessible). A CVSS 5.0 vulnerability with a 90% EPSS score and a CISA KEV entry on an internet-facing instance scores higher than a CVSS 9.8 vulnerability on an isolated internal host with 0.1% EPSS.
Filter findings by risk score, not CVSS
In the Inspector console, filter the findings view to show only findings with an enhanced risk score above 7.0 on internet-reachable resources. This typically cuts the displayed finding count by 80-90% while surfacing the 10-20% of vulnerabilities that warrant immediate remediation. Export this filtered list as the weekly remediation sprint input rather than handing engineers a full CVE dump sorted by CVSS.
Track CISA KEV findings with highest urgency
Inspector tags findings where the CVE appears in CISA's Known Exploited Vulnerabilities catalog. Create an EventBridge rule specifically for Inspector findings where `inspectorScore` is above 8.0 AND the finding title contains the affected CVE from the KEV catalog. Route these to an immediate-response workflow separate from your standard weekly remediation cycle. KEV findings on internet-facing resources should have a 24-72 hour remediation SLA.
Use suppression rules for accepted risks
Inspector allows suppression rules that hide findings matching specific criteria from the default view. Use suppressions for: vulnerabilities in packages your application bundles but does not execute (dead code dependencies), findings on instances scheduled for decommission with a documented date, and findings where your WAF or network controls remove the reachability risk. Document each suppression with a justification and review date -- suppressions without documentation create audit risk.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Build Remediation Workflows from Inspector Findings
Inspector findings without remediation workflows are just a longer vulnerability report. Connect findings to engineering teams through Security Hub EventBridge automations.
Route critical findings to Security Hub and ticketing
Inspector sends all findings to Security Hub in ASFF format. Create an EventBridge rule matching Inspector findings with severity CRITICAL and `network reachability` set to true. Route to a Lambda function that: (1) creates a Jira issue with the CVE ID, affected resource, package version, fixed version, and Inspector remediation link; (2) assigns the issue to the team tag on the affected EC2 instance or ECR repo; (3) sets a due date 7 days out for CRITICAL findings on internet-facing resources.
Generate weekly Lambda vulnerability reports
Lambda vulnerabilities often fall through the cracks because they are not tied to infrastructure teams. Schedule a weekly Lambda function that calls `aws inspector2 list-findings --filter-criteria 'resourceType=[{comparison: EQUALS, value: AWS_LAMBDA_FUNCTION}]' --sort-criteria 'field: INSPECTOR_SCORE, sortOrder: DESC'` and emails the results to application team distribution lists segmented by Lambda function name prefix (which typically maps to service ownership).
Track coverage gaps as a security metric
Inspector coverage percentage -- the proportion of EC2 instances and Lambda functions with active Inspector scanning -- is a security health metric worth tracking over time. Query the Inspector Coverage API weekly and publish to a CloudWatch dashboard: `aws inspector2 list-coverage --filter-criteria 'ec2InstanceTags=[]'`. A declining coverage percentage (new instances launched without SSM Agent, new functions deployed in accounts not enrolled) indicates infrastructure growth outpacing your security tooling configuration.
The bottom line
AWS Inspector v2's continuous scanning and enhanced risk score change vulnerability management from a periodic audit exercise into a real-time prioritization problem. Enable it organization-wide via the delegated admin model, configure ECR enhanced scanning for all repositories, and build EventBridge-based routing that sends CRITICAL network-reachable findings to engineers within minutes of a new CVE matching their workloads. The EPSS and KEV-informed risk score is the tool that makes this operationally tractable -- use it to cut the finding list to the 5-10% that requires urgent action.
Frequently asked questions
What is the difference between AWS Inspector v1 and Inspector v2?
Inspector v1 required assessment targets, templates, and manual or scheduled runs. Inspector v2 is fully continuous and event-driven: it automatically scans EC2 instances when they launch, rescans them when new CVEs are published, scans ECR images when they are pushed to a repository, and scans Lambda functions when they are deployed or updated. Inspector v2 also added Lambda and ECR scanning (v1 only covered EC2), multi-account Organizations management, and the enhanced risk score that incorporates exploitability context.
Does AWS Inspector v2 require an agent on EC2 instances?
Inspector v2 uses AWS Systems Manager (SSM) Agent for EC2 scanning. The SSM Agent must be installed and running on each EC2 instance (it is pre-installed on most Amazon Linux and Windows Server AMIs). Inspector does not deploy its own agent. For instances without SSM Agent, Inspector uses agentless scanning (available since late 2023) which scans EBS snapshots for vulnerability data -- agentless scanning has less coverage than agent-based scanning and does not capture running process information.
How does Inspector v2 scan Lambda functions?
Inspector v2 scans Lambda function deployment packages and Lambda layers for vulnerable software dependencies. It analyzes the function's package manager manifest files (requirements.txt, package.json, pom.xml) to identify library versions with known CVEs. Inspector continuously monitors for new CVEs affecting already-deployed functions and updates findings without requiring function redeployment. Lambda scanning covers both the function code and any attached Lambda layers.
What is the Inspector v2 enhanced risk score?
The Inspector enhanced risk score is a 0-10 value that combines: CVSS base score (severity of the vulnerability itself), exploitability data (EPSS probability score and CISA KEV membership indicating active exploitation), and network reachability context (whether the affected resource has internet-accessible ports that increase exploitability). A vulnerability with CVSS 7.5 on an internet-facing EC2 instance with a CISA KEV entry scores higher than the same CVE on an isolated internal system, enabling prioritization based on actual business risk.
How does Inspector v2 work with ECR container scanning?
Inspector v2 integrates with ECR as the registry's enhanced scanning provider. When enabled, Inspector scans images on push and continues monitoring them for new CVEs even after push (unlike basic ECR scanning which only scans on push). Inspector findings appear in both the ECR console (under the image's vulnerability tab) and in Security Hub as ASFF findings. Configure ECR scanning rules in Inspector to specify which repositories get enhanced scanning -- you can scope by repository name prefix.
Can Inspector v2 scan EC2 instances that are not managed by SSM?
Inspector v2 introduced agentless EC2 scanning for instances where SSM is not available or not permitted. Agentless scanning takes periodic EBS volume snapshots and analyzes the file system for installed package manifests without requiring the SSM Agent. Agentless scanning has lower coverage than agent-based (no running process analysis, no in-memory findings) and higher latency -- scans happen on a schedule rather than continuously. For compliance-heavy workloads where software inventory is the primary concern, agentless scanning provides adequate coverage.
How do you integrate Inspector v2 findings with Jira or ServiceNow?
Inspector v2 sends findings to Security Hub in ASFF format. Create EventBridge rules matching Inspector finding types (Software/Vulnerabilities/CVE) at CRITICAL or HIGH severity to trigger a Lambda function that creates Jira issues or ServiceNow records. Include the Inspector finding's affected package, CVE ID, enhanced risk score, and remediation recommendation in the ticket body. For bulk remediation tracking, use Inspector's Findings export to S3 and import into your vulnerability management platform.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
