
Vulnerability scanner For AWS

0

Hello everyone, I am currently looking for a vulnerability scanner for AWS environments. The challenge I am facing is that many scanners exceed my budget, which is around $10,000 per year. Additionally, the scanners I’ve found so far are unable to scan the entire environment, as they typically only cover services like EC2, Lambda, and ECR. Does anyone have any suggestions?

2 Answers
0

Hello.

For a cost-effective solution within your budget, you can combine AWS native tools and open-source tools that provide wide coverage without requiring complex setup or management.

AWS Inspector EC2, Lambda, Containers

  • What it does: Automatically scans EC2 instances, Lambda functions, and containers (ECS) for vulnerabilities and misconfigurations.

Setup

  • Go to AWS Inspector in the AWS Management Console.
  • Enable the service for your environment (EC2, Lambda, ECS).
  • Set up periodic scans for your instances.
  • Cost: Pay-as-you-go, likely under $5,000 per year depending on usage.

Prowler Free Open-Source Tool for Broader Coverage

  • What it does: Scans for AWS security best practices and compliance across services like IAM, S3, RDS, CloudTrail, etc.

Setup

  • Install Prowler on your local machine or an EC2 instance.
  • Run the following command to scan your AWS environment.
  • Review the findings and address critical vulnerabilities.
  • Cost: Free.

prowler -M csv -p <AWS Profile>

AWS Security Hub Central Dashboard for Findings

  • What it does: Aggregates security findings from AWS Inspector, Prowler, GuardDuty, and other security services into one dashboard for easier management.

Setup

  • Enable AWS Security Hub from the AWS Console.
  • Integrate it with AWS Inspector and Prowler for centralized reporting.
  • Cost: Pay based on the number of findings; likely under $2,000 annually.
answered 2 years ago
reviewed 2 years ago
  • A word of warning about Security Hub: it does most of its posture assessments with AWS Config rules. They can get excessively expensive, particularly in the continuous recording mode that is normally recommended, when a large number of changes happens in the environment. For example, ECS and EKS environments often create and destroy tasks/pods at a high frequency, causing a cascading effect on the CIs in Config and excessive costs. For example, an ENI is connected to a security group and subnet and VPC, so creation and removal causes changes to be recorded to all the linked resources.
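The answer above ends with "review the findings and address critical vulnerabilities" and "integrate [Security Hub] with Prowler for centralized reporting" without showing what that looks like. The following is an added example, not code from the original answer or from the Prowler project: it takes Prowler's `-M csv` output, keeps only FAIL results at or above a chosen severity, counts failures per service, and shapes a finding as an ASFF record of the kind Security Hub's BatchImportFindings accepts. The sample rows are constructed, and the semicolon-separated column names are an assumption modelled on a subset of Prowler's CSV header; check the header line your version emits before pointing this at real output.

```python
"""Triage Prowler CSV output (added example, not Prowler's own code).

Keeps FAIL findings at or above a severity floor, summarises failures per
AWS service, and converts a finding into an ASFF dict for Security Hub.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Prowler severity labels ranked for filtering and sorting.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# Constructed sample rows, NOT real scan output. The column names are an
# assumed subset of Prowler's CSV header; the account ID is a documentation
# placeholder.
SAMPLE_CSV = """\
FINDING_UNIQUE_ID;CHECK_ID;CHECK_TITLE;STATUS;STATUS_EXTENDED;SERVICE_NAME;SEVERITY;RESOURCE_TYPE;RESOURCE_UID;REGION;ACCOUNT_ID
f-001;s3_bucket_public_access;Ensure there are no S3 buckets open to Everyone;FAIL;Bucket logs-archive has a public ACL;s3;critical;AwsS3Bucket;arn:aws:s3:::logs-archive;us-east-1;111122223333
f-002;iam_root_mfa_enabled;Ensure MFA is enabled for the root account;FAIL;Root account has no MFA device;iam;critical;AwsIamUser;arn:aws:iam::111122223333:root;us-east-1;111122223333
f-003;rds_instance_storage_encrypted;Ensure RDS instance storage is encrypted;FAIL;RDS instance app-db is not encrypted;rds;medium;AwsRdsDbInstance;arn:aws:rds:us-east-1:111122223333:db:app-db;us-east-1;111122223333
f-004;cloudtrail_multi_region_enabled;Ensure CloudTrail is enabled in all regions;PASS;Multi-region trail main exists;cloudtrail;high;AwsCloudTrailTrail;arn:aws:cloudtrail:us-east-1:111122223333:trail/main;us-east-1;111122223333
f-005;ec2_securitygroup_allow_ingress_from_internet_to_any_port;Ensure no security group allows 0.0.0.0/0 to any port;FAIL;Security group sg-0abc allows 0.0.0.0/0 to all ports;ec2;high;AwsEc2SecurityGroup;arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc;us-east-1;111122223333
"""


def parse_findings(csv_text):
    """Parse Prowler-style semicolon-separated CSV into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text), delimiter=";"))


def failing(findings, min_severity="high"):
    """FAIL findings at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    hits = [
        f for f in findings
        if f["STATUS"] == "FAIL"
        and SEVERITY_RANK.get(f["SEVERITY"].lower(), 0) >= floor
    ]
    # Stable sort: ties keep their original scan order.
    return sorted(hits, key=lambda f: -SEVERITY_RANK[f["SEVERITY"].lower()])


def summarize_by_service(findings):
    """Count FAIL findings per SERVICE_NAME (all severities)."""
    counts = {}
    for f in findings:
        if f["STATUS"] == "FAIL":
            counts[f["SERVICE_NAME"]] = counts.get(f["SERVICE_NAME"], 0) + 1
    return counts


def to_asff(f, now=None):
    """Shape one Prowler row as an ASFF finding for BatchImportFindings.

    Uses the account's own 'default' product ARN, which is what Security Hub
    accepts for custom integrations; the field set is the ASFF minimum plus
    Compliance so the finding shows up as FAILED/PASSED in the console.
    """
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    region, account = f["REGION"], f["ACCOUNT_ID"]
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"prowler-{f['FINDING_UNIQUE_ID']}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": f["CHECK_ID"],
        "AwsAccountId": account,
        "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
        "CreatedAt": now,
        "UpdatedAt": now,
        "Severity": {"Label": f["SEVERITY"].upper()},
        "Title": f["CHECK_TITLE"],
        "Description": f["STATUS_EXTENDED"],
        "Resources": [{"Type": f["RESOURCE_TYPE"], "Id": f["RESOURCE_UID"], "Region": region}],
        "Compliance": {"Status": "FAILED" if f["STATUS"] == "FAIL" else "PASSED"},
    }


if __name__ == "__main__":
    rows = parse_findings(SAMPLE_CSV)
    print("failures per service:", summarize_by_service(rows))
    for f in failing(rows, "high"):
        print(f"[{f['SEVERITY'].upper():8}] {f['CHECK_ID']}: {f['STATUS_EXTENDED']}")
    print(json.dumps(to_asff(failing(rows, "critical")[0]), indent=2))
```

Run it against a real export with `rows = parse_findings(open("prowler-output.csv").read())` and hand the `to_asff` dicts to `boto3.client("securityhub").batch_import_findings(Findings=[...])` in batches of at most 100. Prowler also has its own Security Hub integration option, so the converter here is mainly to make the ASFF shape visible; the triage filter is the part you will want regardless, because a full Prowler run over a busy account produces far more PASS and low-severity rows than anyone reads.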

0

For a budget-friendly scanner covering more than just EC2/Lambda/ECR, here are a few options worth looking at:

Prowler is the most established open-source tool in this space. It covers a wide range of AWS services with CIS benchmark checks and generates reports in multiple formats. It is free and actively maintained with a large community.

AWS Security Hub with its built-in standards (CIS, AWS Foundational Best Practices) is another option that works natively within AWS. Pricing is based on the number of checks, but for smaller environments it stays well under your budget.

cloud-audit (https://github.com/gebalamariusz/cloud-audit) is a lighter-weight CLI tool that runs 45 checks across 15 AWS services with CIS benchmark mapping. What makes it useful for teams working with IaC is that every finding includes a copy-paste Terraform HCL fix, so you can go from detection to remediation quickly. It also has a diff feature that compares scan results over time, which helps track security posture improvements between audit cycles. Free and open source.

All three run without any SaaS dependency - you keep your data in your environment. For under $10k/year, any combination of these would give you solid coverage beyond the EC2/Lambda/ECR basics.

answered 3 months ago
