Differences between Inspector detection and SSM Patch Manager detection

I would like to see the difference between the perspective of diagnosing instance vulnerabilities in Inspector v2 and the perspective of detecting vulnerabilities in Patch Manager.

Is it necessary to support both, or is it possible to cover everything with Inspector alone? I would like to decide the operation policy.

The instance ID I have specified is just one example. We are considering the same for the other instances running within the same account.

Answer:

> I would like to see the difference between the perspective of diagnosing instance vulnerabilities in Inspector v2 and the perspective of detecting vulnerabilities in Patch Manager.
> Is it necessary to support both, or is it possible to cover only with Inspector?

As an answer to this inquiry, we quote below an excerpt from the answer given in a past AWS Support case.

> AWS SSM Patch Manager and Amazon Inspector are not directly interrelated services, so we are aware that Inspector may detect a vulnerability after patching with AWS-RunPatchBaseline.
> The importance of Patch Manager updates is set in the Amazon Linux Security Center [1] by assigning a code called ALAS.
> However, the importance in Inspector is determined mainly on the basis of the CVSS base score, so it may differ from ALAS. (Reference [2])

[1] Amazon Linux Security Center
[2] Accurately assess vulnerabilities using Amazon Inspector risk scores

> As Amazon Inspector collects information about your environment through scans, it provides severity scores specifically tailored to your environment. Amazon Inspector examines the security metrics that compose the National Vulnerability Database (NVD) base score for a vulnerability and adjusts them according to your compute environment. For example, the service may lower the Amazon Inspector score of a finding for an Amazon EC2 instance if the vulnerability is exploitable over the network but no open network path to the internet is available from the instance. This score is in CVSS format and is a modification of the base Common Vulnerability Scoring System (CVSS) score provided by NVD.
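To put the two views side by side for one instance, here is an added example (not from the original thread and not AWS Support's code): it reconciles Inspector v2 findings with Patch Manager compliance rows per CVE, names the situation the support answer warns about (Inspector still reporting a CVE that Patch Manager considers installed), and lists CVEs where the ALAS severity and the Inspector severity disagree. The sample responses are constructed to follow the shapes of inspector2:ListFindings and ssm:DescribeInstancePatches; the CVE and ALAS identifiers are placeholders, and the ALAS-to-Inspector severity mapping is an assumption.

```python
"""Reconcile Amazon Inspector v2 findings with SSM Patch Manager compliance
for one EC2 instance, keyed by CVE. Added example, not from the original
thread or AWS Support; the sample data is constructed with placeholder IDs
in the documented shapes of inspector2:ListFindings and ssm:DescribeInstancePatches."""

# Constructed Inspector v2 findings. The first carries an adjustment like the
# one the support answer describes: base score lowered because the instance
# has no open network path to the internet.
SAMPLE_INSPECTOR_FINDINGS = [
    {"severity": "MEDIUM", "inspectorScore": 5.3,
     "inspectorScoreDetails": {"adjustedCvss": {"score": 5.3, "adjustments": [
         {"metric": "AV", "reason": "constructed: no open network path to the internet"}]}},
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00001"},
     "vulnerablePackages": [{"name": "openssl", "version": "1.0.0-1.amzn2", "fixedInVersion": "1.0.0-2.amzn2"}]},
    {"severity": "HIGH", "inspectorScore": 7.5,
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00003"},
     "vulnerablePackages": [{"name": "kernel", "version": "5.10.0-1.amzn2", "fixedInVersion": "5.10.0-2.amzn2"}]},
    {"severity": "CRITICAL", "inspectorScore": 9.8,
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00004"},
     "vulnerablePackages": [{"name": "python3-requests", "version": "2.0.0", "fixedInVersion": "2.0.1"}]},
]

# Constructed Patch Manager rows; CVEIds is a comma-separated string in the real response.
SAMPLE_PATCH_COMPLIANCE = [
    {"Title": "ALAS-0000-001", "KBId": "openssl.x86_64:1.0.0-2.amzn2", "Classification": "Security",
     "Severity": "important", "State": "Installed", "CVEIds": "CVE-0000-00001,CVE-0000-00002"},
    {"Title": "ALAS-0000-002", "KBId": "kernel.x86_64:5.10.0-2.amzn2", "Classification": "Security",
     "Severity": "medium", "State": "Missing", "CVEIds": "CVE-0000-00003"},
]

# Assumed mapping of ALAS severity words onto Inspector severity labels.
ALAS_TO_INSPECTOR = {"critical": "CRITICAL", "important": "HIGH", "medium": "MEDIUM", "low": "LOW"}
OPEN_PATCH_STATES = {"Missing", "Failed", "AvailableSecurityUpdate"}


def reconcile(findings, patches):
    """Merge both views into {cve: {"inspector": ..., "patch_manager": [...]}}."""
    by_cve = {}
    for f in findings:
        cve = f.get("packageVulnerabilityDetails", {}).get("vulnerabilityId")
        if not cve:
            continue
        adjustments = f.get("inspectorScoreDetails", {}).get("adjustedCvss", {}).get("adjustments", [])
        by_cve.setdefault(cve, {"inspector": None, "patch_manager": []})["inspector"] = {
            "severity": f["severity"],
            "score": f.get("inspectorScore"),
            "adjustments": [a.get("reason") for a in adjustments],
            "packages": [(p["name"], p["version"], p.get("fixedInVersion")) for p in f.get("vulnerablePackages", [])],
        }
    for p in patches:
        for cve in (c.strip() for c in p.get("CVEIds", "").split(",") if c.strip()):
            by_cve.setdefault(cve, {"inspector": None, "patch_manager": []})["patch_manager"].append(
                {"title": p["Title"], "severity": p.get("Severity", "").lower(), "state": p["State"]})
    return by_cve


def classify(entry):
    """Name the situation for one CVE from the two views."""
    insp, pm = entry["inspector"], entry["patch_manager"]
    states = {p["state"] for p in pm}
    if insp and not pm:
        return "inspector_only"              # CVE in a package the patch baseline does not track
    if insp and states & OPEN_PATCH_STATES:
        return "both_open"                   # the next AWS-RunPatchBaseline run should fix it
    if insp and "InstalledPendingReboot" in states:
        return "patched_pending_reboot"      # package replaced, old code still loaded
    if insp:
        return "inspector_open_after_patch"  # the case the support answer warns about
    if states & OPEN_PATCH_STATES:
        return "patch_manager_only"          # Inspector silent: stale scan or uncovered package
    return "resolved"


def summarize(findings, patches):
    """Return {cve: category} for every CVE seen by either service."""
    return {cve: classify(entry) for cve, entry in reconcile(findings, patches).items()}


def severity_disagreements(findings, patches):
    """CVEs where the (mapped) ALAS severity and the Inspector severity differ."""
    out = {}
    for cve, entry in reconcile(findings, patches).items():
        insp, pm = entry["inspector"], entry["patch_manager"]
        if not insp or not pm:
            continue
        mapped = {ALAS_TO_INSPECTOR.get(p["severity"]) for p in pm}
        if insp["severity"] not in mapped:
            out[cve] = {"inspector": insp["severity"], "patch_manager": sorted(mapped, key=str)}
    return out


if __name__ == "__main__":
    for cve, cat in sorted(summarize(SAMPLE_INSPECTOR_FINDINGS, SAMPLE_PATCH_COMPLIANCE).items()):
        print(f"{cve}: {cat}")
    print("severity disagreements:", severity_disagreements(SAMPLE_INSPECTOR_FINDINGS, SAMPLE_PATCH_COMPLIANCE))
```

For live data, feed the same functions the `findings` list from `boto3.client("inspector2").list_findings(filterCriteria={"resourceId": [{"comparison": "EQUALS", "value": instance_id}]})` and the `Patches` list from `boto3.client("ssm").describe_instance_patches(InstanceId=instance_id)`, looping on `nextToken` / `NextToken` since both paginate. The `inspector_open_after_patch` bucket is the one to review first after a patching run: in the sample it is the openssl CVE, which Patch Manager reports as Installed while Inspector still lists the old package version, and the severity comparison also shows why a CVE can be "important" under ALAS yet only MEDIUM in Inspector once the network-path adjustment is applied.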