AWS Config Inspector

AWS Config

AWS Config continuously records the configuration of your AWS resources, evaluates them against rules, and emits a timestamped change history per resource. It answers two questions: "what does this resource look like right now?" and "did it ever drift from the approved configuration?"

Key Features:

Continuous Configuration Recording: Snapshots and change events for every supported resource type are written to S3, with full history retrievable via API or console.
Managed & Custom Rules: 300+ AWS-managed rules (e.g., encrypted-volumes, s3-bucket-public-read-prohibited); custom rules via Lambda or AWS Config Custom Policy (Guard syntax).
Conformance Packs: Bundles of rules and remediations packaged as CloudFormation — pre-built packs for HIPAA, PCI-DSS, NIST, CIS Benchmarks.
Resource Relationships: Graph of dependencies — see which security groups reference a deleted ENI, which IAM roles trust which accounts.
Remediation: Trigger SSM Automation documents to auto-fix non-compliant resources (re-encrypt volume, remove public S3 ACL).
Aggregator: Org-wide compliance view across accounts and regions in a central account.
Advanced Queries: SQL-style queries against the latest configuration state across all recorded resources.

Common Use Cases:

Continuous Compliance: Detect that someone disabled encryption or opened a security group within minutes.
Drift Detection: Compare current state vs. CloudFormation/Terraform-defined state.
Forensics: "Show me what this S3 bucket policy looked like on April 5th at 14:00 UTC."
Audit Reports: Conformance pack scorecards as evidence for SOC 2 / PCI auditors.
Inventory: Authoritative answer to "how many EBS volumes do we have, by region, encrypted vs not."

Service Limits & Quotas:

Rules per region per account: default soft limit 1,000.
Conformance packs per region: 50.
Aggregator source accounts: 10,000.
Configuration item retention: 7 years (max).
Recording delay: typically minutes from change to recorded item.

Pricing Model:

$0.003 per configuration item recorded (per resource per change).
$0.001 per active rule evaluation.
Conformance packs: billed per evaluation across the bundled rules.
Common cost surprise: recording all supported resource types in noisy accounts (Lambda versions, ENI churn, Auto Scaling activity) generates millions of CIs/month. Use recorder filters to exclude high-churn resource types you don't need to audit.

Code Example — Enable a Managed Rule:


aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "s3-public-read-prohibited",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  },
  "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]}
}'

aws configservice select-resource-config --expression \
  "SELECT resourceId, configuration.encrypted FROM AWS::EC2::Volume WHERE configuration.encrypted = false"

AWS Config is the system of record for resource state and policy compliance. Pair it with CloudTrail (which records actions) for a complete audit picture: CloudTrail tells you who ran ModifyDBInstance, Config tells you what the database looked like before and after.

Amazon Inspector

Amazon Inspector is an automated vulnerability management service that continuously scans EC2 instances, container images in ECR, and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure. Inspector v2 is agentless for ECR and Lambda and uses the SSM agent for EC2.

Key Features:

Continuous CVE Scanning: Operating system packages on EC2, Lambda function dependencies (Python, Node, Java), and container images in ECR are scanned on push and on every CVE database update.
Network Reachability: Identifies EC2 instances reachable from the internet on which ports — combines VPC topology, security groups, NACLs, and route tables.
CVSS & Inspector Score: Findings ranked by severity with CVSS v3 plus Inspector's environmental score that factors exposure and exploitability.
SBOM Export: Software bill of materials in CycloneDX/SPDX format for supply-chain compliance.
Multi-Account via Organizations: Delegated administrator account aggregates findings across the org.
EventBridge / Security Hub: Findings stream to Security Hub and EventBridge for ticketing or auto-remediation.

Common Use Cases:

Container Image Vulnerability Gating: Block CI/CD promotion if Critical CVEs appear in the pushed image.
EC2 Patch Compliance: Identify unpatched OS/library packages and feed into SSM Patch Manager.
Lambda Dependency Hygiene: Surface vulnerable npm/PyPI packages in deployed functions.
Internet Exposure Audit: Catch dev EC2s that ended up with 0.0.0.0/0 SG rules and public IPs.
Compliance Evidence: Continuous scanning satisfies PCI-DSS and FedRAMP vulnerability management controls.

Service Limits & Quotas:

Resources per account: no hard limit on EC2/ECR/Lambda scanned.
Findings retention: 90 days for closed findings, indefinite while active.
ECR scan latency: typically minutes after image push.

Pricing Model:

EC2: ~$1.258 per instance per month (continuous scanning).
ECR images: $0.09 per image per month for continuous scanning, $0.011 per initial scan.
Lambda functions: $0.30 per function per month standard scanning, $1.65 with code scanning.
15-day free trial on activation; pricing tiers down with volume.
Common cost surprise: ephemeral EC2 fleet (Auto Scaling, Spot) — each new instance counts; or ECR repos with thousands of historical tags. Lifecycle-prune ECR aggressively before enabling Inspector.

Code Example — Enable Inspector and Filter Findings:


aws inspector2 enable --resource-types EC2 ECR LAMBDA

aws inspector2 list-findings --filter-criteria '{
  "severity": [{"comparison": "EQUALS", "value": "CRITICAL"}],
  "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]
}' --max-results 50

Common Interview Questions:

How is AWS Config different from CloudTrail?

CloudTrail logs API calls (the verb — who called what API). Config records resource state and changes (the noun — what the resource looked like before and after). They are complementary: an investigation typically starts in Config (what changed) and pivots to CloudTrail (who did it).

What's a conformance pack?

A bundle of Config rules + optional remediation actions packaged as a CloudFormation template, deployable to one account or across an organization. AWS publishes conformance packs aligned to HIPAA, PCI, NIST, CIS, and more.

How do you keep Config costs under control?

Use recording filters to exclude high-churn types (e.g., AWS::Lambda::Function versions, ENIs in heavy ASG accounts), record global resource types in only one region, and don't enable both periodic and change-triggered evaluations on the same rules unless required.

What does Inspector scan and how is v2 different from classic Inspector?

Inspector v2 covers EC2 (OS packages via SSM agent), ECR container images, and Lambda functions and dependencies — continuously and agentlessly where possible. Classic Inspector required deploying the Inspector agent and running on-demand assessments; v2 is always-on.

How do you handle a critical CVE finding from Inspector?

Triage by Inspector score (factors exposure and exploitability beyond raw CVSS), suppress accepted risk via suppression rules, route findings to Security Hub or Jira via EventBridge, and integrate with SSM Patch Manager for OS patches or container rebuilds for ECR images.

Can Inspector check for misconfigurations like open S3 buckets?

No — Inspector focuses on software vulnerabilities and network reachability of compute. Misconfigurations of services like S3 are AWS Config's domain, with results aggregated in Security Hub alongside Inspector findings.