
Amazon Inspector Enhances Container Security: Bridging Visibility Gaps in Modern DevSecOps

On May 19, 2025, AWS unveiled a major enhancement to Amazon Inspector, its automated vulnerability management service, aimed specifically at improving container runtime visibility. The latest update allows Inspector to map Amazon Elastic Container Registry (ECR) images to running containers, enabling security teams to assess not only what vulnerabilities exist in container images, but also where those images are deployed and actively running.

Features

This enhancement is designed to close a critical gap in cloud-native security—understanding the real-time impact of known vulnerabilities by tying them directly to active workloads.

Key new features include:


    • Runtime Container Mapping: Amazon Inspector now detects running containers derived from ECR images and links them back to image scan results. This makes it possible to identify which vulnerabilities are actively exposed in production environments.

    • Real-Time Risk Assessment: By correlating image scan data with live container telemetry, Inspector helps teams prioritize which vulnerabilities to remediate based on actual workload exposure.

    • Improved CI/CD Integration: These updates enhance integration into DevSecOps pipelines, especially when used alongside Amazon ECS, EKS, or containerized EC2 workloads.

    • Automatic Scanning and Monitoring: Container images stored in Amazon ECR continue to be automatically scanned upon push and regularly rescanned thereafter, with added context about their deployment footprint.

    • CloudWatch and EventBridge Integration: Findings can be streamed to observability tools, SIEMs, or ticketing systems for automated response workflows.

This marks a significant evolution of Amazon Inspector from a passive scanning tool to a context-aware runtime security solution.

Benefits

This enhancement of Amazon Inspector delivers high-value outcomes for cloud-native teams operating containerized workloads across development, staging, and production environments:


    • Precise Vulnerability Prioritization: By knowing which containers are running vulnerable images, security teams can focus on real, not theoretical, risks.

    • Improved Operational Efficiency: DevOps and SecOps teams can reduce the alert fatigue and manual overhead often associated with CVE triage.

    • Faster Incident Response: Real-time container mapping shortens the time from detection to mitigation by providing deployment-level context.

    • Stronger Compliance and Governance: Organizations with strict audit and compliance mandates benefit from the ability to show runtime correlation between vulnerabilities and mitigations.

    • Seamless DevSecOps Alignment: The enhanced insights naturally integrate into CI/CD processes, reducing late-stage friction between developers and security reviewers.

These benefits are particularly impactful for teams adopting shift-left security practices in modern DevOps workflows.

Use Cases

The updated Amazon Inspector enables a number of mission-critical security practices, especially in organizations with maturing container strategies.

Zero-Day Vulnerability Triage in Production

When a zero-day vulnerability is disclosed, security teams can instantly identify whether any running containers are based on affected ECR images and prioritize patching accordingly.

Proactive Risk Assessment During Deployment

As part of CI/CD pipelines, teams can halt deployments of containers with high-severity vulnerabilities and simultaneously check whether existing running instances are already at risk.
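As an added illustration of the runtime mapping described under Features and of the deployment gate in this use case, the following Python correlates image-scan findings with a running-container inventory and produces a prioritized list of vulnerabilities that are actually exposed. This is not AWS's code and does not call the Amazon Inspector API; the data shapes, image digests, cluster names and CVE identifiers are constructed placeholders.

```python
"""Correlate image-scan findings with a running-container inventory.

Constructed example: the findings and inventory below are placeholders,
not output from Amazon Inspector, and their shape is an assumption.
"""
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed scan results keyed by image digest (placeholder digests/CVE ids).
IMAGE_FINDINGS = {
    "sha256:aaaa": [
        {"cve": "CVE-0000-0001", "severity": "CRITICAL", "package": "openssl"},
        {"cve": "CVE-0000-0002", "severity": "LOW", "package": "zlib"},
    ],
    "sha256:bbbb": [{"cve": "CVE-0000-0003", "severity": "HIGH", "package": "glibc"}],
    "sha256:cccc": [{"cve": "CVE-0000-0004", "severity": "HIGH", "package": "curl"}],
}

# Constructed runtime inventory: which containers run which image digest.
RUNNING_CONTAINERS = [
    {"container": "api-7f9", "cluster": "prod", "image_digest": "sha256:aaaa"},
    {"container": "api-8a1", "cluster": "prod", "image_digest": "sha256:aaaa"},
    {"container": "worker-3c2", "cluster": "staging", "image_digest": "sha256:bbbb"},
    # sha256:cccc exists in the registry but nothing currently runs it.
]


def map_images_to_containers(containers):
    """Group running containers by the image digest they were started from."""
    by_digest = defaultdict(list)
    for c in containers:
        by_digest[c["image_digest"]].append(c)
    return by_digest


def prioritize(findings, containers, min_severity="HIGH"):
    """Return findings at or above min_severity whose image is actively running.

    Ordered by severity, then by how many containers are exposed. Images that
    sit in the registry without a running container are left out of this list
    so that the team works real exposure first.
    """
    by_digest = map_images_to_containers(containers)
    threshold = SEVERITY_RANK[min_severity]
    exposed = []
    for digest, vulns in findings.items():
        running = by_digest.get(digest, [])
        if not running:
            continue  # registry-only: not deployed anywhere, lower priority
        for v in vulns:
            if SEVERITY_RANK[v["severity"]] >= threshold:
                exposed.append({
                    "cve": v["cve"],
                    "severity": v["severity"],
                    "image_digest": digest,
                    "containers": sorted(c["container"] for c in running),
                    "clusters": sorted({c["cluster"] for c in running}),
                })
    exposed.sort(key=lambda e: (-SEVERITY_RANK[e["severity"]],
                                -len(e["containers"]), e["cve"]))
    return exposed


def deployment_gate(image_digest, findings, containers, block_at="HIGH"):
    """CI/CD check for one image: refuse the deploy if the image carries a
    finding at or above block_at, and report where that image already runs."""
    vulns = findings.get(image_digest, [])
    blocking = [v for v in vulns
                if SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[block_at]]
    already_running = map_images_to_containers(containers).get(image_digest, [])
    return {
        "allow": not blocking,
        "blocking_cves": [v["cve"] for v in blocking],
        "already_running_in": sorted({c["cluster"] for c in already_running}),
    }


if __name__ == "__main__":
    for e in prioritize(IMAGE_FINDINGS, RUNNING_CONTAINERS):
        print(e["severity"], e["cve"], e["image_digest"], e["containers"])
    print(deployment_gate("sha256:cccc", IMAGE_FINDINGS, RUNNING_CONTAINERS))
```

Run as-is, the prioritized list contains only the two findings whose images are running, with the CRITICAL one on two prod containers first; the gate call blocks the deploy of the curl-affected image and reports that it is not yet running anywhere, which is exactly the distinction the runtime mapping adds over a plain registry scan.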

Compliance Reporting for Regulated Industries

Healthcare, finance, and government organizations can produce detailed reports correlating known vulnerabilities with current deployment states—satisfying requirements for runtime verification.

Security Posture Hardening in Kubernetes

Teams using Amazon EKS or self-managed Kubernetes clusters can use this runtime visibility to enhance pod security policies and perform real-world exposure analysis.

Threat Hunting and Forensics

Security analysts can investigate historical exposure by correlating vulnerability timelines with container runtime logs and CloudTrail events.

These scenarios highlight the growing need for runtime-aware container security solutions.

Alternatives

While AWS has raised the bar with this Inspector update, several alternative solutions exist for container vulnerability and runtime security:

Aqua Security, Prisma Cloud, and Sysdig Secure

Third-party tools offer deep visibility across cloud, container, and Kubernetes workloads, often with runtime protection, behavioral analysis, and threat detection capabilities.

KubeClarity by Cisco and Trivy by Aqua

Open-source tools that provide container image scanning and SBOM (Software Bill of Materials) generation but often lack native runtime mapping unless paired with other solutions.

AWS GuardDuty for EKS Runtime Monitoring

A complementary AWS service offering runtime threat detection for Amazon EKS workloads. It detects suspicious behavior, whereas Inspector focuses on vulnerabilities.

Kubernetes Admission Controllers + OPA

Custom policy enforcement can prevent vulnerable containers from running but requires deep configuration and does not correlate with runtime state.

Amazon Inspector’s advantage lies in being natively integrated, lightweight, and continuously updated for real-time vulnerability-to-runtime correlation.

Final Thoughts

The May 2025 update to Amazon Inspector represents a meaningful leap forward in container security for AWS customers. As organizations adopt containers at scale, vulnerability management must go beyond static image scanning and move toward runtime-informed security intelligence.

Inspector’s ability to map ECR images to running containers eliminates guesswork, empowers faster decision-making, and enhances trust in automated pipelines. It’s particularly well-aligned with modern DevSecOps goals: reducing friction, increasing automation, and securing the software supply chain from code to production.

This enhancement also reflects a broader trend in cloud security—toward contextual, intelligent protection systems that prioritize actionable insights over noisy dashboards. For most teams already embedded in AWS, the value proposition is clear: more accurate assessments, fewer blind spots, and lower time-to-mitigation.

Looking ahead, we can expect Amazon Inspector to further evolve toward behavioral analytics, SBOM generation, and full lifecycle integration with other AWS security services. For now, this release brings a crucial capability to production-grade security—knowing which vulnerabilities actually matter, where they are running, and what to do next.