Check if Inspector2 Active Findings Exist

Overview

This check verifies whether your AWS account has any active findings in Amazon Inspector2. When Inspector2 is enabled, it continuously scans your EC2 instances, ECR container images, and Lambda functions for software vulnerabilities and network exposures. Active findings represent security issues that have been detected but not yet addressed.

The goal is zero active findings, meaning every discovered vulnerability has either been remediated or deliberately suppressed after a risk assessment.

Risk

Unremediated Inspector2 findings represent known security vulnerabilities in your environment. Leaving these unaddressed can lead to:

  • Unauthorized access: Attackers may exploit known vulnerabilities to gain access to your systems
  • Data breaches: Vulnerable software can be an entry point for data exfiltration
  • Privilege escalation: Unpatched systems may allow attackers to gain elevated permissions
  • Service disruption: Exploited vulnerabilities can cause downtime or enable malware deployment

Remediation Steps

Prerequisites

You need:

  • Access to the AWS Console with permissions to view Amazon Inspector2
  • Ability to patch or update the affected resources (EC2 instances, container images, or Lambda functions)

Required IAM permissions

To view and manage Inspector2 findings, you need these permissions:

  • inspector2:ListFindings
  • inspector2:GetFindingDetails
  • inspector2:CreateFilter (for suppression rules)
  • inspector2:BatchGetAccountStatus

AWS Console Method

Step 1: View your active findings

  1. Open the Amazon Inspector console
  2. In the left navigation, click Findings then All findings
  3. Use the filter bar to select Finding status = Active to see only unresolved issues
  4. Review the list of findings, noting the severity level (Critical, High, Medium, Low)

Step 2: Prioritize and remediate findings

  1. Start with Critical and High severity findings
  2. Click on a finding to see details including:
    • The affected resource (EC2 instance, container image, or Lambda function)
    • The vulnerability (CVE ID and description)
    • Recommended remediation steps
  3. Take action based on the finding type:
     Finding Type            | Remediation Action
     ------------------------|---------------------------------------------------------------------
     EC2 vulnerability       | Patch the instance using Systems Manager or manually update packages
     ECR image vulnerability | Rebuild the container image with an updated base image or dependencies
     Lambda vulnerability    | Update the Lambda runtime or dependency packages
     Network exposure        | Update security groups or network ACLs to restrict access

Step 3: Suppress findings when appropriate

Some findings may be acceptable risks (e.g., a vulnerability in a test environment). To suppress these:

  1. Go to Suppression rules in the left navigation
  2. Click Create suppression rule
  3. Define the criteria (e.g., specific resource, severity, or finding type)
  4. Add a reason for the suppression
  5. Click Create

Caution: Only suppress findings after careful risk assessment. Avoid broad suppression rules that hide real security issues.

AWS CLI (optional)

List all active findings:

aws inspector2 list-findings \
    --region us-east-1 \
    --filter-criteria '{"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}]}' \
    --query 'findings[*].{Title:title,Severity:severity,Resource:resources[0].id}' \
    --output table

List active findings by severity (Critical and High only):

aws inspector2 list-findings \
    --region us-east-1 \
    --filter-criteria '{
      "findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}],
      "severity":[{"comparison":"EQUALS","value":"CRITICAL"},{"comparison":"EQUALS","value":"HIGH"}]
    }' \
    --output json

Get detailed information about a specific finding:

aws inspector2 batch-get-finding-details \
    --region us-east-1 \
    --finding-arns "arn:aws:inspector2:us-east-1:123456789012:finding/<finding-id>"

Create a suppression rule for accepted risks:

aws inspector2 create-filter \
    --region us-east-1 \
    --name "suppress-test-environment" \
    --action SUPPRESS \
    --reason "Test environment - vulnerabilities accepted" \
    --filter-criteria '{
      "findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}],
      "resourceTags":[{"comparison":"EQUALS","key":"Environment","value":"test"}]
    }'

Check Inspector2 account status:

aws inspector2 batch-get-account-status \
    --region us-east-1 \
    --output table
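
The CLI commands above give you the raw finding list and let you create a suppression rule, but nothing on the page shows how to evaluate what a rule will hide before you create it. The following script is an added example, not AWS, Prowler or any scanner's own code: it counts active findings by severity (the pass condition of this check), dry-runs a suppression rule's filter criteria against findings so an over-broad rule that would hide Critical or High findings is caught in review, and, when run against a real account, pages through ListFindings with boto3. It assumes the JSON shape returned by the inspector2 ListFindings API (findingArn, severity, findingStatus, type, resources[].type and resources[].tags) and the filterCriteria shape used in the CLI examples above; the sample findings and the account number are constructed placeholders.

```python
"""Summarise Inspector2 active findings and dry-run a suppression rule offline.

Added example for this page (not AWS or scanner code). Assumes the ListFindings
JSON shape and the filterCriteria shape of the CLI examples; samples are constructed.
"""
from collections import Counter

ACCOUNT = "123456789012"  # placeholder account, same as the page's examples


def _arn(n):
    return f"arn:aws:inspector2:us-east-1:{ACCOUNT}:finding/EXAMPLE-{n}"


# Constructed sample findings: three ACTIVE, one already SUPPRESSED.
SAMPLE_FINDINGS = [
    {"findingArn": _arn(1), "severity": "CRITICAL", "findingStatus": "ACTIVE",
     "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0exampleprod1",
                    "tags": {"Environment": "prod"}}]},
    {"findingArn": _arn(2), "severity": "HIGH", "findingStatus": "ACTIVE",
     "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:exampletest2",
                    "tags": {"Environment": "test"}}]},
    {"findingArn": _arn(3), "severity": "MEDIUM", "findingStatus": "ACTIVE",
     "type": "NETWORK_REACHABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0exampletest3",
                    "tags": {"Environment": "test"}}]},
    {"findingArn": _arn(4), "severity": "LOW", "findingStatus": "SUPPRESSED",
     "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": "example-fn-4", "tags": {}}]},
]

# Which finding attribute each supported filterCriteria field is compared against.
_FIELD_VALUES = {
    "findingStatus": lambda f: [f["findingStatus"]],
    "severity": lambda f: [f["severity"]],
    "findingType": lambda f: [f["type"]],
    "resourceType": lambda f: [r["type"] for r in f["resources"]],
}


def _string_filter_matches(flt, value):
    """Evaluate one StringFilter {comparison, value} against a string."""
    cmp, want = flt["comparison"], flt["value"]
    if cmp == "EQUALS":
        return value == want
    if cmp == "NOT_EQUALS":
        return value != want
    if cmp == "PREFIX":
        return value.startswith(want)
    raise ValueError(f"unsupported comparison: {cmp}")


def _tag_filter_matches(flt, finding):
    """Evaluate one resourceTags MapFilter {comparison, key[, value]}; EQUALS only."""
    if flt["comparison"] != "EQUALS":
        raise ValueError(f"unsupported tag comparison: {flt['comparison']}")
    for res in finding["resources"]:
        tags = res.get("tags") or {}
        if flt["key"] in tags and ("value" not in flt or tags[flt["key"]] == flt["value"]):
            return True
    return False


def matches_criteria(finding, criteria):
    """True if a filterCriteria dict selects the finding.

    Assumed semantics (how Inspector2 filters are documented to behave): the
    entries under one field are OR'd, and every field present must match (AND).
    """
    for field, filters in criteria.items():
        if field == "resourceTags":
            matched = any(_tag_filter_matches(flt, finding) for flt in filters)
        elif field in _FIELD_VALUES:
            values = _FIELD_VALUES[field](finding)
            matched = any(_string_filter_matches(flt, v) for flt in filters for v in values)
        else:
            raise ValueError(f"unsupported criteria field: {field}")
        if not matched:
            return False
    return True


def active_by_severity(findings):
    """Count ACTIVE findings per severity (what the console's Active filter shows)."""
    return dict(Counter(f["severity"] for f in findings if f["findingStatus"] == "ACTIVE"))


def check_passes(findings):
    """The page's pass condition: no ACTIVE findings remain."""
    return not any(f["findingStatus"] == "ACTIVE" for f in findings)


def preview_suppression(findings, criteria):
    """Dry-run a suppression rule: (ARNs it would hide, whether any are CRITICAL/HIGH)."""
    hidden = [f for f in findings if f["findingStatus"] == "ACTIVE" and matches_criteria(f, criteria)]
    risky = any(f["severity"] in ("CRITICAL", "HIGH") for f in hidden)
    return [f["findingArn"] for f in hidden], risky


def fetch_active_findings(region="us-east-1"):
    """Live equivalent of the CLI command: page through ListFindings for ACTIVE findings."""
    import boto3  # imported here so the offline functions work without boto3/credentials

    paginator = boto3.client("inspector2", region_name=region).get_paginator("list_findings")
    active_only = {"findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}
    return [f for page in paginator.paginate(filterCriteria=active_only) for f in page["findings"]]


if __name__ == "__main__":
    # The page's suppression rule: every active finding on a resource tagged Environment=test.
    test_env_rule = {
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
        "resourceTags": [{"comparison": "EQUALS", "key": "Environment", "value": "test"}],
    }
    print("active by severity:", active_by_severity(SAMPLE_FINDINGS))
    print("check passes:", check_passes(SAMPLE_FINDINGS))
    hidden, risky = preview_suppression(SAMPLE_FINDINGS, test_env_rule)
    print(f"rule would hide {len(hidden)} finding(s); hides Critical/High: {risky}")
```

Run it as-is to exercise the constructed sample, or swap `SAMPLE_FINDINGS` for `fetch_active_findings()` to evaluate a real account (this needs credentials and the inspector2:ListFindings permission listed under Prerequisites). Against the sample, the page's Environment=test rule would hide two findings, one of them High; narrowing the rule with an extra `findingType` criterion of NETWORK_REACHABILITY reduces that to the single Medium network finding, which is the kind of tightening the caution in Step 3 asks for.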

CloudFormation (optional)

You can use CloudFormation to create suppression rules for known acceptable findings:

AWSTemplateFormatVersion: '2010-09-09'
Description: Inspector2 suppression rule for accepted risks

Resources:
  TestEnvironmentSuppressionRule:
    Type: AWS::InspectorV2::Filter
    Properties:
      Name: suppress-test-environment-findings
      Description: Suppress findings in test environment resources
      FilterAction: SUPPRESS
      FilterCriteria:
        FindingStatus:
          - Comparison: EQUALS
            Value: ACTIVE
        ResourceTags:
          - Comparison: EQUALS
            Key: Environment
            Value: test

Outputs:
  FilterArn:
    Description: ARN of the suppression rule
    Value: !Ref TestEnvironmentSuppressionRule

Deploy with:

aws cloudformation deploy \
    --template-file inspector2-suppression.yaml \
    --stack-name inspector2-suppression-rules \
    --region us-east-1

Terraform (optional)

# Configure the AWS provider
provider "aws" {
  region = "us-east-1"
}

# Create a suppression rule for test environment findings
resource "aws_inspector2_filter" "test_environment_suppression" {
  name   = "suppress-test-environment-findings"
  action = "SUPPRESS"

  filter_criteria {
    finding_status {
      comparison = "EQUALS"
      value      = "ACTIVE"
    }

    resource_tags {
      comparison = "EQUALS"
      key        = "Environment"
      value      = "test"
    }
  }

  tags = {
    Purpose = "Suppress accepted risks in test environment"
  }
}

output "suppression_rule_arn" {
  description = "ARN of the Inspector2 suppression rule"
  value       = aws_inspector2_filter.test_environment_suppression.arn
}

Verification

After remediating findings:

  1. Return to the Amazon Inspector console
  2. Go to Findings > All findings
  3. Filter by Finding status = Active
  4. Confirm the count shows 0 active findings (or only suppressed/accepted findings remain)

CLI verification

# Count active findings
aws inspector2 list-findings \
    --region us-east-1 \
    --filter-criteria '{"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}]}' \
    --query 'length(findings)' \
    --output text

A result of 0 indicates no active findings remain.

Additional Resources

Notes

  • Inspector2 must be enabled first: This check only applies when Inspector2 is active. If Inspector2 is not enabled, enable it first to begin scanning.
  • Findings refresh continuously: New findings may appear as Inspector2 scans newly deployed resources or discovers new vulnerabilities.
  • Prioritize by severity: Focus on Critical and High severity findings first as they pose the greatest risk.
  • Integrate with CI/CD: Consider integrating Inspector2 into your deployment pipelines to catch vulnerabilities before they reach production.
  • Suppression is not remediation: Suppressed findings are hidden from the active count but the underlying vulnerability still exists. Only suppress findings after proper risk assessment and documentation.