Amazon Inspector

Amazon Inspector is an agent-based service that assesses the security of an EC2-backed environment. It monitors the configuration of the operating system and the flow of traffic to the host to detect potential risks. Inspector does not assess the broader infrastructure of an application beyond the EC2 instance: the configuration of VPCs, Route53 domains, other services, and the AWS account itself are not included in its checks. Whereas Inspector focuses narrowly on the configurations and applications on an instance, CloudSploit focuses on the broader environment. Ultimately, these services should be used in tandem, with Inspector providing OS-level assessments and CloudSploit providing infrastructure-level assessments.

  • Instance and traffic-level analysis
  • Pre-defined rules and reports
  • API and IAM integration
  • Requires an agent on each EC2 instance
  • Pricing depends on the number of agents run
  • Broader infrastructure-level services are not covered
  • Only available in 4 regions

AWS Config Service

  • Configuration change history
  • Execute tasks in response to changes
  • Can "correct" misconfigurations through the API
  • Requires manual configuration and setup of rules
  • Pricing depends on the number of resources tracked
  • Potentially requires write-access to sensitive resources
  • Rules only available in 5 regions

The AWS Config Service is most accurately described as an historical database of configuration states and changes for resources within an AWS account. By itself, this service provides a great way of tracking changes across large accounts, taking inventory of current resources, and detecting security risks after a potential compromise. Additionally, you can configure rulesets that respond to specific state changes within your account, such as executing a Lambda function when the root user logs in. While these rule triggers are helpful, they still require manual setup and configuration. Monitoring accounts with thousands of resources can become quite costly as well.
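To make the rule mechanism described above concrete, here is an added example (not CloudSploit's or AWS's own code) of a custom AWS Config rule written as a Python Lambda handler. It evaluates a security group configuration item for a rule parameter `blockedPort` exposed to 0.0.0.0/0; the event shape follows the Config custom-rule contract, but the resource values are constructed, and the final `put_evaluations` call back to Config is left to the caller so the code runs offline.

```python
import json

# Constructed sample of the event a Config custom rule receives when a
# security group changes (shape per the Config contract, values made up).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0example1234567890",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {
                "ipPermissions": [
                    {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp",
                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
                ],
            },
        },
    }),
    "ruleParameters": json.dumps({"blockedPort": "22"}),
}


def evaluate_compliance(config_item, rule_params):
    """NON_COMPLIANT if the group admits blockedPort from 0.0.0.0/0."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    port = int(rule_params.get("blockedPort", 22))
    for perm in config_item["configuration"].get("ipPermissions", []):
        if perm.get("ipProtocol") not in ("tcp", "-1"):  # -1 = all protocols
            continue
        # "-1" rules carry no port fields; treat them as the full range.
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if not lo <= port <= hi:
            continue
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", [])):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def lambda_handler(event, context=None):
    """Entry point Config invokes. Returns the evaluation record that a
    deployed rule would pass to config.put_evaluations() together with
    event["resultToken"]; that API call is omitted here."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters", "{}"))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, params),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
```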

AWS Trusted Advisor

AWS Trusted Advisor is a service provided as part of business and enterprise-level AWS support plans. It checks for a variety of service limits, cost optimizations, and security risks. Its security checks are relatively few in number, and only cover core services such as IAM and security groups. The generated reports do not provide historical data, nor do they provide much detail to aid in resolving the issues.

  • Checks covering cost, performance, and security
  • Emailed reports and notifications
  • Built into the AWS console
  • No additional setup required
  • Only available for business and enterprise support plans
  • Limited sets of security checks
  • No historical data or saved results
