AWS Security Specialty: Vulnerability Scanning for Compute Resources
Scan compute resources for known vulnerabilities (for example, scan container images and Lambda functions by using Amazon Inspector, monitor compute runtimes by using GuardDuty)
Curriculum Overview: Vulnerability Scanning for Compute Resources
This curriculum covers the design and implementation of vulnerability management for AWS compute workloads, focusing on Amazon Inspector and Amazon GuardDuty. It maps to the AWS Certified Security - Specialty (SCS-C03) exam objectives under Infrastructure Security (Task 3.2).
Prerequisites
Before beginning this module, learners should have a firm grasp of the following:
- AWS Shared Responsibility Model: Understanding what AWS secures versus what the customer must secure at the OS and Application layers.
- Compute Fundamentals: Familiarity with Amazon EC2 (AMIs, Instance Profiles), AWS Lambda (Execution Roles), and Amazon ECR (Container Registries).
- Identity & Access Management (IAM): Understanding service-linked roles and cross-account delegated administration.
- Cybersecurity Basics: General knowledge of CVEs (Common Vulnerabilities and Exposures) and the difference between static scanning and runtime monitoring.
Module Breakdown
| Module | Title | Primary Services | Difficulty |
|---|---|---|---|
| 1 | Vulnerability Management Foundations | IAM, CVE | Beginner |
| 2 | Amazon Inspector Deep Dive | Inspector, EC2, ECR, Lambda | Intermediate |
| 3 | Automated & Continuous Scanning | EventBridge, AWS Organizations | Intermediate |
| 4 | Runtime Monitoring with GuardDuty | GuardDuty, Malware Protection | Intermediate |
| 5 | Remediation & Reporting Strategies | Security Hub, Systems Manager, SBOM | Advanced |
Learning Objectives per Module
Unit 1: Foundations
- Differentiate between static analysis (scanning at rest) and dynamic/runtime monitoring.
- Understand the lifecycle of a vulnerability from discovery to remediation.
Unit 2: Amazon Inspector Deep Dive
- Configure EC2 scanning in agent-based mode (SSM Agent) and in the hybrid/agentless mode that scans EBS snapshots.
- Implement Enhanced Scanning for Amazon ECR to trigger scans on image push and continuous rescan.
- Enable Lambda Code Scanning to detect vulnerabilities in custom application code and dependencies.
Unit 3: Architecture & Automation
- Design a multi-account scanning strategy using Delegated Administrator in AWS Organizations.
- Automate the export of Software Bill of Materials (SBOM) in CycloneDX or SPDX formats to S3.
Unit 4: GuardDuty Runtime Monitoring
- Enable GuardDuty Runtime Monitoring to observe malicious activity within active compute environments.
- Compare GuardDuty findings with Inspector vulnerabilities to prioritize high-risk threats (e.g., an unpatched instance being actively exploited).
Unit 5: Remediation
- Interpret Inspector Score and finding severity to prioritize patching.
- Integrate findings with AWS Systems Manager Patch Manager for automated remediation.
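The correlation described in Unit 4 and the prioritization described in Unit 5 can be combined into one ranking step. The following is an added example written for this curriculum, not code from AWS or from the course material: it ranks EC2 patch work by the Inspector score, by whether a public exploit and a vendor fix exist, and by whether GuardDuty Runtime Monitoring has an active finding on the same instance. All findings below are constructed samples; the field names follow the Inspector ListFindings and GuardDuty GetFindings response shapes but only the keys used here are included, and the scoring weights are assumptions chosen for illustration.

```python
"""Added example (not part of the curriculum): rank EC2 vulnerabilities by
combining Amazon Inspector findings with GuardDuty runtime findings on the
same instance. Sample data is constructed; weights are illustrative."""
from __future__ import annotations

# Constructed Inspector findings in the ListFindings shape (ids are made up).
INSPECTOR_FINDINGS = [
    {"resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaa111"}],
     "severity": "CRITICAL", "inspectorScore": 9.8,
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-1001"},
     "exploitAvailable": "YES", "fixAvailable": "YES"},
    {"resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbb222"}],
     "severity": "HIGH", "inspectorScore": 7.5,
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-1002"},
     "exploitAvailable": "NO", "fixAvailable": "YES"},
    {"resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0ccc333"}],
     "severity": "MEDIUM", "inspectorScore": 5.3,
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-1003"},
     "exploitAvailable": "NO", "fixAvailable": "NO"},
]

# Constructed GuardDuty finding in the GetFindings shape. GuardDuty types read
# ThreatPurpose:ResourceType/ThreatFamily; runtime findings use "Runtime/".
GUARDDUTY_FINDINGS = [
    {"Type": "Execution:Runtime/NewBinaryExecuted", "Severity": 8.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0bbb222"}}},
]

# Illustrative weights (assumptions, not AWS guidance).
EXPLOIT_BONUS = 2.0   # a public exploit exists for the CVE
RUNTIME_BONUS = 10.0  # GuardDuty sees active runtime activity on the host


def active_threat_instances(gd_findings: list[dict]) -> set[str]:
    """Instance ids that carry at least one GuardDuty runtime finding."""
    ids = set()
    for f in gd_findings:
        if f["Type"].split(":", 1)[-1].startswith("Runtime/"):
            ids.add(f["Resource"]["InstanceDetails"]["InstanceId"])
    return ids


def prioritize(inspector_findings: list[dict], gd_findings: list[dict]) -> list[dict]:
    """Return one row per Inspector finding, highest priority first."""
    under_attack = active_threat_instances(gd_findings)
    rows = []
    for f in inspector_findings:
        instance = next((r["id"] for r in f["resources"]
                         if r["type"] == "AWS_EC2_INSTANCE"), None)
        if instance is None:
            continue  # not an EC2 finding; out of scope for patching here
        score = float(f.get("inspectorScore", 0.0))
        reasons = [f"{f['severity']} (Inspector score {score})"]
        if f.get("exploitAvailable") == "YES":
            score += EXPLOIT_BONUS
            reasons.append("public exploit available")
        if instance in under_attack:
            score += RUNTIME_BONUS
            reasons.append("GuardDuty runtime finding on this instance")
        action = ("patch via SSM Patch Manager" if f.get("fixAvailable") == "YES"
                  else "no vendor fix: isolate or apply a compensating control")
        rows.append({
            "instance": instance,
            "vulnerability": f["packageVulnerabilityDetails"]["vulnerabilityId"],
            "priority": score,
            "reasons": reasons,
            "action": action,
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(INSPECTOR_FINDINGS, GUARDDUTY_FINDINGS):
        print(f"{row['priority']:5.1f}  {row['instance']}  {row['vulnerability']}  "
              f"{row['action']}  [{'; '.join(row['reasons'])}]")
```

Note how the ranking changes once runtime context is added: the HIGH finding on the instance GuardDuty is reporting on outranks the CRITICAL finding on a quiet instance, which is the point of correlating the two services rather than patching strictly by CVSS.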
Success Metrics
To demonstrate mastery of this curriculum, the learner should be able to:
- Identify Scan Scopes: Correctly determine which scan type (Package vs. Code vs. Network) applies to a given compute resource.
- Architect Multi-Account Security: Configure a central security account to view findings from 50+ member accounts using AWS Organizations.
- Perform Root Cause Analysis: Use Amazon Detective in conjunction with GuardDuty/Inspector findings to trace the origin of a security event.
- Manage Compliance: Successfully generate an SBOM report for a production environment to satisfy a third-party audit request.
> [!IMPORTANT]
> Amazon Inspector is a Regional service. To maintain a global security posture, it must be enabled in every region where compute resources are deployed.
Real-World Application
In a production environment, this curriculum translates to the following scenarios:
- CI/CD Pipeline Security: Automatically blocking a Docker image from being deployed to production if Amazon Inspector detects a High or Critical CVE during the ECR push phase.
- Zero-Day Response: When a new Log4j-style vulnerability is announced, using the continuous scanning feature of Inspector to immediately identify every affected Lambda function and EC2 instance across the enterprise.
- Cost Management: Balancing the use of agent-based vs. agentless scanning to optimize for both visibility and performance impact on production workloads.
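The CI/CD scenario above comes down to one decision: after Inspector has scanned the pushed image, does any active finding meet the blocking severity? The following is an added example written for this curriculum, not code from AWS or from the course material. The decision logic is a pure function so it can be tested offline on the constructed sample findings; the `fetch_ecr_findings` helper shows the assumed boto3 `inspector2` ListFindings call that would supply real findings in a pipeline (it needs AWS credentials and Inspector ECR scanning enabled, and is not exercised here). The sample CVE identifiers are placeholders, not real CVEs.

```python
"""Added example (not part of the curriculum): a deployment gate that fails
when Amazon Inspector reports findings at or above a severity threshold for a
freshly pushed ECR image. Sample findings are constructed placeholders."""
from __future__ import annotations

# Inspector severities, lowest to highest.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def blocking_findings(findings: list[dict], threshold: str = "HIGH") -> list[dict]:
    """Findings whose severity is at or above the threshold.

    Findings are dicts in the shape returned by inspector2 ListFindings; only
    'severity' and 'title' are read here. Unknown severities never block."""
    min_rank = SEVERITY_ORDER.index(threshold)
    return [f for f in findings
            if f.get("severity") in SEVERITY_ORDER
            and SEVERITY_ORDER.index(f["severity"]) >= min_rank]


def gate_decision(findings: list[dict], threshold: str = "HIGH") -> tuple[bool, str]:
    """Return (allowed, reason). Allowed is False when the image must not deploy."""
    blocked = blocking_findings(findings, threshold)
    if not blocked:
        return True, f"allow: no findings at severity {threshold} or above"
    worst = max(blocked, key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return False, (f"block: {len(blocked)} finding(s) at {threshold}+, "
                   f"worst {worst['severity']}: {worst['title']}")


def fetch_ecr_findings(repository: str, tag: str, region: str) -> list[dict]:
    """Pull active Inspector findings for one ECR image tag (assumed boto3
    inspector2 ListFindings call; requires credentials and network access).
    boto3 is imported lazily so the pure logic above runs without it."""
    import boto3
    client = boto3.client("inspector2", region_name=region)
    criteria = {
        "ecrImageRepositoryName": [{"comparison": "EQUALS", "value": repository}],
        "ecrImageTags": [{"comparison": "EQUALS", "value": tag}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    }
    findings, token = [], None
    while True:  # ListFindings is paginated via nextToken
        kwargs = {"filterCriteria": criteria}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        findings.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return findings


# Constructed sample findings in the ListFindings shape (placeholder ids).
SAMPLE_FINDINGS = [
    {"severity": "LOW", "title": "CVE-EXAMPLE-0001 - libfoo", "status": "ACTIVE"},
    {"severity": "CRITICAL", "title": "CVE-EXAMPLE-0002 - openssl-example", "status": "ACTIVE"},
    {"severity": "MEDIUM", "title": "CVE-EXAMPLE-0003 - curl-example", "status": "ACTIVE"},
]

if __name__ == "__main__":
    import sys
    # In a pipeline, replace SAMPLE_FINDINGS with
    # fetch_ecr_findings(repository, tag, region) after the push completes.
    allowed, reason = gate_decision(SAMPLE_FINDINGS, threshold="HIGH")
    print(reason)
    sys.exit(0 if allowed else 1)  # non-zero exit fails the pipeline stage
```

The exit code is what the pipeline acts on: a non-zero status from this step stops the deploy stage. The threshold is a parameter so the same script can enforce a stricter policy (for example `MEDIUM`) on production pipelines than on development ones.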
Compute Scanning Comparison
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, minimum width=3cm, minimum height=1.5cm, align=center}]
  \node (inspector) [fill=blue!10] {\textbf{Amazon Inspector}\\Static Scanning};
  \node (guardduty) [right of=inspector, xshift=4cm, fill=green!10] {\textbf{Amazon GuardDuty}\\Runtime Monitoring};
  \node (insp_detail) [below of=inspector, yshift=-0.5cm, draw=none] {\small Finds known CVEs\\in software packages};
  \node (gd_detail) [below of=guardduty, yshift=-0.5cm, draw=none] {\small Finds active threats\\and anomalous behavior};
  \draw[<->, thick] (inspector) -- node[above, draw=none] {Contextual Correlation} (guardduty);
\end{tikzpicture}
> [!TIP]
> Use Network Reachability scans in Inspector to identify EC2 instances that are unintentionally exposed to the internet, even if they don't have known software vulnerabilities.