Vulnerability scanner For AWS


Hello everyone, I am currently looking for a vulnerability scanner for AWS environments. The challenge I am facing is that many scanners exceed my budget, which is around $10,000 per year. Additionally, the scanners I’ve found so far are unable to scan the entire environment, as they typically only cover services like EC2, Lambda, and ECR. Does anyone have any suggestions?

1 Answer

Hello.

For a cost-effective solution within your budget, you can combine AWS native tools and open-source tools that provide wide coverage without requiring complex setup or management.

AWS Inspector: EC2, Lambda, Containers

  • What it does: Automatically scans EC2 instances, Lambda functions, and containers (ECS) for vulnerabilities and misconfigurations.

Setup

  • Go to AWS Inspector in the AWS Management Console.
  • Enable the service for your environment (EC2, Lambda, ECS).
  • Set up periodic scans for your instances.
  • Cost: Pay-as-you-go, likely under $5,000 per year depending on usage.

Prowler: Free Open-Source Tool for Broader Coverage

  • What it does: Scans for AWS security best practices and compliance across services like IAM, S3, RDS, CloudTrail, etc.

Setup

  • Install Prowler on your local machine or an EC2 instance.
  • Run the following command to scan your AWS environment:
  • Review the findings and address critical vulnerabilities.
  • Cost: Free.

prowler -M csv -p <AWS Profile>

AWS Security Hub: Central Dashboard for Findings

  • What it does: Aggregates security findings from AWS Inspector, Prowler, GuardDuty, and other security services into one dashboard for easier management.

Setup

  • Enable AWS Security Hub from the AWS Console.
  • Integrate it with AWS Inspector and Prowler for centralized reporting.
  • Cost: Pay based on the number of findings; likely under $2,000 annually.
answered 7 months ago
reviewed 7 months ago
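As an added example (not part of the answer above or of the Prowler project), the "review the findings" step can be scripted: the snippet below parses a Prowler-style CSV export and lists FAIL findings at or above a chosen severity, plus a per-service count to show where to start. The CSV below is a constructed sample; the semicolon delimiter and the column names (CHECK_ID, STATUS, SEVERITY, SERVICE_NAME, REGION, RESOURCE_ID) follow Prowler v3's export layout but are assumed here, and the parser selects columns by header name so extra columns in a real export do not matter.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Prowler v3 CSV export (semicolon-separated,
# one finding per row). Column names are assumed; a real export has many more
# columns, which is why rows are read by header name rather than position.
SAMPLE_CSV = """\
CHECK_ID;CHECK_TITLE;STATUS;SEVERITY;SERVICE_NAME;REGION;RESOURCE_ID
iam_root_mfa_enabled;Ensure MFA is enabled for the root account;FAIL;critical;iam;us-east-1;arn:aws:iam::111111111111:root
s3_bucket_public_access;Ensure S3 buckets block public access;FAIL;high;s3;us-east-1;arn:aws:s3:::example-public-bucket
rds_instance_storage_encrypted;Ensure RDS storage is encrypted;PASS;medium;rds;us-west-2;arn:aws:rds:us-west-2:111111111111:db:app-db
cloudtrail_multi_region_enabled;Ensure CloudTrail is multi-region;FAIL;high;cloudtrail;us-east-1;arn:aws:cloudtrail:us-east-1:111111111111:trail/main
ec2_securitygroup_allow_ingress_from_internet_to_any_port;Ensure no SG allows 0.0.0.0/0 to any port;FAIL;critical;ec2;eu-west-1;sg-0123456789abcdef0
"""

# Lower number = more urgent; unknown severities sort last.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}


def load_findings(text):
    """Parse a Prowler-style CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def failed_findings(findings, min_severity="high"):
    """Return FAIL rows at or above min_severity, most severe first."""
    cutoff = SEVERITY_ORDER[min_severity]
    rows = [f for f in findings
            if f["STATUS"] == "FAIL"
            and SEVERITY_ORDER.get(f["SEVERITY"].lower(), 99) <= cutoff]
    return sorted(rows, key=lambda f: SEVERITY_ORDER.get(f["SEVERITY"].lower(), 99))


def summary_by_service(findings):
    """Count FAIL findings per AWS service (PASS rows are ignored)."""
    return Counter(f["SERVICE_NAME"] for f in findings if f["STATUS"] == "FAIL")


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    for f in failed_findings(findings, "high"):
        print(f"{f['SEVERITY'].upper():9} {f['SERVICE_NAME']:11} {f['REGION']:10} "
              f"{f['CHECK_ID']}  {f['RESOURCE_ID']}")
    print("failed findings per service:", dict(summary_by_service(findings)))
```

Point `load_findings` at the contents of the CSV that `prowler -M csv` writes to its output directory to triage a real scan the same way.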
A word of warning about Security Hub: it does most of its posture assessments with AWS Config rules. They can get excessively expensive, particularly in the continuous recording mode that is normally recommended, when a large number of changes happens in the environment. For example, ECS and EKS environments often create and destroy tasks/pods at a high frequency, causing a cascading effect on the CIs in Config and excessive costs. For example, an ENI is connected to a security group and subnet and VPC, so creation and removal causes changes to be recorded to all the linked resources.
