Amazon Web Services will end support for Amazon Inspector Classic on May 20, 2026. After this date, access to the Inspector Classic console and its resources will be disabled permanently. Inspector Classic is already unavailable to new AWS accounts and to accounts that have not completed an assessment in the past six months. Existing users retain access until the end-of-support date.
AWS has replaced it with a fully reengineered Amazon Inspector, available in all commercial Regions. The new service automatically discovers AWS workloads (EC2 instances, container images in Amazon ECR, and Lambda functions) and continuously scans them for software vulnerabilities and unintended network exposure. When it identifies a vulnerability or misconfiguration, Inspector generates a finding: a detailed record of the affected resource, the issue, and its severity.

Key Features of the New Amazon Inspector

  1. Continuous, Automated Scanning: Inspector assesses your AWS resources without manual target selection or a manual schedule. A scan starts as soon as a resource is deployed or changed (an EC2 instance launched, a Lambda function updated, a container image pushed to Amazon ECR), and existing resources are re-scanned when something relevant changes, including the publication of new CVEs, so new vulnerabilities are detected as soon as they are known.
  2. Comprehensive Resource Coverage: Inspector supports the following -

    a) Amazon EC2 Instances: Automated scanning of the operating system and installed application packages for vulnerabilities, and of the network configuration for unintended reachability from outside the VPC.

    b) Amazon ECR Container Images: Automatic integration with Amazon ECR to scan images for vulnerabilities in both OS components and application dependencies. Scanning occurs on image push and continues to monitor for new vulnerabilities.

    c) AWS Lambda Functions: Scanning of Lambda deployment packages and layers for vulnerable dependencies (standard scanning) and, optionally, of the function's own code for security issues (code scanning). Functions are scanned on creation, on update, and on invocation if they have not already been scanned.

  3. Flexible Scanning Methods for EC2: Inspector provides two distinct scanning approaches:

    a) Agent-Based Scanning: Uses AWS Systems Manager (SSM) Agent for real-time software inventory collection, including deep package analysis.

    b) Agentless Scanning: Utilizes EBS snapshot analysis to detect OS and application-level vulnerabilities without installing agents.

    By default, Inspector uses a hybrid approach: agent-based scanning for instances that are managed by SSM, and agentless scanning for EBS-backed instances that SSM does not manage. Agentless scans run every 24 hours, so results for those instances lag changes by up to a day.

  4. Context-Aware Risk Scoring and Dashboard: Each finding carries the CVSS severity rating of the vulnerability plus an Inspector score (0-10) that adjusts the CVSS base score for the context of the resource, such as whether the vulnerable port is reachable from the internet. The centralized dashboard highlights critical vulnerabilities and risk trends so that remediation can be prioritized.
  5. Integrated Remediation Capabilities: Findings are centralized in the Inspector console and APIs and are also sent to AWS Security Hub and Amazon EventBridge (for automation triggers), and ECR image scan results are shown directly in the Amazon ECR console. In a multi-account setup, a delegated administrator account aggregates findings across AWS Organizations.
  6. Enhanced Capabilities:

    a) Software Bill of Materials (SBOM): Generates and centrally manages detailed software inventories for EC2, container images, and Lambda functions.

    b) CIS Benchmark Assessments: Performs on-demand or scheduled configuration checks of EC2 instances against CIS benchmarks for their operating system.

    c) CI/CD Integration: Plugs into build pipelines (for example, Jenkins) to scan container images during the build, so vulnerabilities are caught before an image is pushed.

Migration Steps from Inspector Classic to the New Amazon Inspector:

Amazon Inspector Classic remains available until the end-of-support date, and both services can run in the same account, so the migration can be done in stages rather than as a cut-over.
The following steps walk you through moving from Amazon Inspector Classic to the new Amazon Inspector.

Step 1: (Optional) Export assessment reports and findings

Assessment reports and findings in Amazon Inspector Classic are deleted with their templates (see Step 2), so export anything you want to keep first by generating an assessment report.
On the Assessment Runs page, locate the assessment run that you want to generate a report for. Make sure that its status is Analysis complete.

Under the Reports column for this assessment run, choose the reports icon.

In the Assessment report dialog box, choose the type of report that you want to view (either a Findings report or a Full report) and the report format (HTML or PDF). Then choose Generate report.

Step 2: Delete all scheduled assessment runs in Amazon Inspector Classic

To disable Amazon Inspector Classic, delete all the assessment templates in your account in every Region where you used it. Deleting the assessment templates stops all scheduled future assessment runs.

On the Assessment Templates page, choose the template that you want to delete, and then choose Delete. When prompted for confirmation, choose Yes.

Note: When you delete an assessment template, all assessment runs, findings, and versions of the reports associated with that template are also deleted. This is why the export in Step 1 has to happen first.

Step 3: Enable the new Amazon Inspector

You can enable the new Amazon Inspector using the AWS Management Console or the new Amazon Inspector APIs.

In the console, choose Get Started and then Activate Amazon Inspector. On activation, all scan types (EC2, ECR, and Lambda scanning) are enabled by default, and the required service-linked role (AWSServiceRoleForAmazonInspector2) is created automatically.

Inspector immediately begins discovering resources and initiating scans. In a multi-account environment, use the Organization's management account to designate a delegated administrator for Inspector, then enable the service for member accounts from the delegated administrator. The same steps are available through the inspector2 API and CLI, which is the practical route for enabling many accounts at once.

Step 4. Verify and Monitor

Once enabled, monitor the new Amazon Inspector's coverage and findings. The Inspector dashboard shows how many EC2 instances, container images, and Lambda functions are being monitored. Verify that every resource you expect is listed as covered; for EC2, the Instances tab under Account Management shows each instance's scanning status and the reason if it is not being scanned.

Make sure the SSM Agent is running, and that the instance profile permits Systems Manager, on instances you want scanned in real time, so that they move from Unmanaged to agent-based scanning; otherwise the default hybrid mode covers them with agentless scanning every 24 hours. Expect a surge of initial findings as the new Inspector completes its first scans. Review these results against what Classic had reported to make sure nothing critical has been lost in the move.
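To make Steps 3 and 4 repeatable across many accounts, the following script (an added example, not code from the original article or from AWS) wraps the inspector2 API calls used to activate scanning and to register a delegated administrator, and then reduces the ListCoverage output to what the Account Management page shows: active and inactive counts per resource type, the reason for every inactive resource, and the EC2 instances that are either unmanaged by SSM or covered only by agentless scanning. The live functions require boto3 and AWS credentials; the sample coverage records at the bottom are constructed here to illustrate the record shape and are not real account data.

```python
"""Migration helpers for the new Amazon Inspector (boto3 client name: 'inspector2').

Added example, not code from the original article. enable_inspector() and
enable_delegated_admin() need boto3 plus AWS credentials; summarize_coverage()
is pure and runs offline on the constructed SAMPLE_COVERAGE below.
"""
from collections import Counter, defaultdict

# Resource types and scan-status reasons as returned by the inspector2 ListCoverage API.
EC2 = "AWS_EC2_INSTANCE"
ECR_IMAGE = "AWS_ECR_CONTAINER_IMAGE"
LAMBDA = "AWS_LAMBDA_FUNCTION"
UNMANAGED = "UNMANAGED_EC2_INSTANCE"   # instance is not managed by SSM and agentless did not cover it
AGENTLESS = "EC2_AGENTLESS"            # scanMode for instances scanned via EBS snapshots


def enable_inspector(session, resource_types=("EC2", "ECR", "LAMBDA", "LAMBDA_CODE"), account_ids=None):
    """Step 3: activate the chosen scan types (inspector2:Enable).
    With account_ids set, a delegated administrator enables member accounts in bulk."""
    client = session.client("inspector2")
    kwargs = {"resourceTypes": list(resource_types)}
    if account_ids:
        kwargs["accountIds"] = list(account_ids)
    return client.enable(**kwargs)


def enable_delegated_admin(session, admin_account_id):
    """Step 3 (multi-account): run from the Organization's management account to
    designate the Inspector delegated administrator."""
    client = session.client("inspector2")
    return client.enable_delegated_admin_account(delegatedAdminAccountId=admin_account_id)


def fetch_coverage(session):
    """Step 4: page through ListCoverage and return every coverage record."""
    client = session.client("inspector2")
    records, token = [], None
    while True:
        kwargs = {"nextToken": token} if token else {}
        page = client.list_coverage(**kwargs)
        records.extend(page.get("coveredResources", []))
        token = page.get("nextToken")
        if not token:
            return records


def summarize_coverage(resources):
    """Reduce coverage records to the checks a migration needs:
    per-type ACTIVE/INACTIVE counts, reasons for anything inactive, and the EC2
    instances that still need the SSM Agent (unmanaged) or run agentless only."""
    counts = defaultdict(Counter)
    inactive_reasons = Counter()
    unmanaged, agentless = [], []
    for r in resources:
        status = r.get("scanStatus", {})
        code = status.get("statusCode", "UNKNOWN")
        counts[r["resourceType"]][code] += 1
        if code != "ACTIVE":
            inactive_reasons[status.get("reason", "UNKNOWN")] += 1
        if r["resourceType"] == EC2:
            if status.get("reason") == UNMANAGED:
                unmanaged.append(r["resourceId"])
            elif r.get("scanMode") == AGENTLESS:
                agentless.append(r["resourceId"])
    return {
        "counts": {k: dict(v) for k, v in counts.items()},
        "inactive_reasons": dict(inactive_reasons),
        "unmanaged_ec2": sorted(unmanaged),
        "agentless_ec2": sorted(agentless),
    }


# Constructed sample (not real account data), shaped like ListCoverage records.
SAMPLE_COVERAGE = [
    {"resourceId": "i-0aaa111", "resourceType": EC2, "scanType": "PACKAGE",
     "scanMode": "EC2_SSM_AGENT_BASED", "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    {"resourceId": "i-0bbb222", "resourceType": EC2, "scanType": "PACKAGE",
     "scanMode": AGENTLESS, "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    {"resourceId": "i-0ccc333", "resourceType": EC2, "scanType": "PACKAGE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": UNMANAGED}},
    {"resourceId": "sha256:9f2c", "resourceType": ECR_IMAGE, "scanType": "PACKAGE",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    {"resourceId": "arn:aws:lambda:us-east-1:123456789012:function:billing", "resourceType": LAMBDA,
     "scanType": "PACKAGE", "scanStatus": {"statusCode": "INACTIVE", "reason": "PENDING_INITIAL_SCAN"}},
]

if __name__ == "__main__":
    # Replace SAMPLE_COVERAGE with fetch_coverage(boto3.Session()) for a live account.
    import json
    print(json.dumps(summarize_coverage(SAMPLE_COVERAGE), indent=2))
```

Run it against `fetch_coverage(boto3.Session(profile_name=...))` once per account, or once from the delegated administrator, and treat a non-empty `unmanaged_ec2` list as the action item from Step 4: those instances need the SSM Agent and an instance profile before agent-based scanning will pick them up.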

Step 5. Sunset Inspector Classic

After the new Inspector is running and you are satisfied with its coverage, you can fully sunset the Classic deployment. This means telling teams which console and API to use, updating any automation or reporting that called the Classic API to use the new Inspector's API instead (it lives in a different namespace, `inspector2`, in the AWS SDKs and CLI), and removing any remaining Classic IAM roles and policies.

If you rely on Security Hub, note that Classic findings may already be present there; going forward, the new Inspector sends its findings to Security Hub, so update any Security Hub insights or filters that keyed on the Classic product. Confirm that no one is still using the Classic console or endpoints.

Step 6. No Overlap with Classic Agent

If you previously used Amazon Inspector Classic, you may still have the Classic Amazon Inspector Agent installed on some servers. The new Amazon Inspector does not use or need it; the Classic agent is obsolete. Uninstall it once you have migrated and no further Classic assessments will run, to avoid confusion and stop paying the resource cost of an agent that reports nothing. Because the new Inspector relies on the SSM Agent you most likely already run, this is one less agent to manage on your instances.

Inspector Pricing (N.Virginia)

AWS Lambda standard scanning: 10 Lambda functions scanned for all 30 days at $0.30 per function = $3.00 per month

AWS Lambda standard and code scans: 10 Lambda functions scanned for all 30 days at $0.90 ($0.30+$0.60) per function = $9.00 per month

EC2 Instance scanning per month (includes continual vulnerability and network reachability scans):
10 EC2 instances scanned for all 30 days at $1.258 each = 10 * $1.258 = $12.58 per month (SSM agent-based scanning)
10 EC2 instances scanned for all 30 days at $1.750 each = 10 * $1.750 = $17.50 per month (agentless scanning)

ECR container image scanning: 1,000 newly pushed container images initially scanned at $0.09 each = 1,000 * $0.09 = $90.00 per month

Check out the official AWS documentation for reference.

Meet the Author
  • Aakash, Associate DevOps Lead

    Aakash is an AWS Certified Professional specializing in DevOps, with deep expertise across cloud automation, CI/CD pipelines, Infrastructure as Code (IaC), and monitoring stacks.
