
Amazon Inspector – Automated Security Assessment Service - hepha1979
https://aws.amazon.com/blogs/aws/amazon-inspector-automated-security-assessment-service/
======
rwmj
[Copying a comment I left on the deleted thread about this]

I wonder if they're using OpenSCAP for this. It's an XML document that (at
least) Red Hat and Microsoft publish which contains the lists of known good
hashes for every file we publish, and also a set of rules for common
vulnerabilities (things like "if a directory is public writable, flag an
error" \-- but lots of them, and more complex). Also CVE data is published in
a machine-readable format.

Here's the data that Red Hat publishes:
[https://www.redhat.com/security/data/oval/](https://www.redhat.com/security/data/oval/)

I'll pimp my own experiments scanning offline guests using SCAP:

[https://rwmj.wordpress.com/2013/05/16/scanning-offline-
guest...](https://rwmj.wordpress.com/2013/05/16/scanning-offline-guests-using-
openscap-and-guestmount/#content)

------
brechmos
Hahaha....

Region Unsupported

This service is not available in US East (N. Virginia).

Please select another region.

    
    
        Supported Regions
        US East (N. Virginia)
        US West (Oregon)
        US West (N. California)
        EU (Ireland)
        EU (Frankfurt)
        Asia Pacific (Singapore)
        Asia Pacific (Tokyo)
        Asia Pacific (Sydney)
        South America (São Paulo)

