Revisit Amazon Web Services re:Invent 2024’s biggest moments and watch keynotes and innovation talks on demand
Amazon Inspector is an automated and continual vulnerability scanning service that assesses Amazon Elastic Compute Cloud (EC2) instances, Amazon Lambda functions, and container images to improve the security and compliance of infrastructure workloads. Your monthly costs are determined by a combination of different services scanned:
Amazon EC2 instance scans: Each EC2 instance is continually scanned for software vulnerabilities and unintended network exposure. This applies to both agent-based and agentless scanning. Total monthly cost is based on the average number of EC2 instances assessed within a month. For instances that are run intermittently, the price is prorated based on total time run within a month.
Amazon EC2 CIS Benchmark assessment: Amazon Inspector supports the Center for Internet Security's CIS Benchmarks. It supports on-demand and targeted assessments against OS-level CIS configuration benchmarks for Amazon EC2 instances. The cost for CIS Benchmark assessment for operating systems in Amazon EC2 instances is charged per assessment per instance.
Amazon ECR container image scans: Each container image pushed to Amazon Elastic Container Registry (ECR) that is configured for Amazon Inspector scanning is assessed for software vulnerabilities. The cost is based on a combination of the number of images initially scanned when pushed to ECR and the number of times those images are rescanned per month.
On-demand container image scanning (includes scans initiated within CI/CD tools and by Amazon Inspector): Each container image is assessed within developer tools like Jenkins and TeamCity for software vulnerabilities. The cost is based on the number of images scanned in CI/CD tools per month, as well as the cost for on-demand scanning outside of CI/CD tools.
Amazon Lambda standard scans: Each deployed Lambda function is continually assessed for software package vulnerabilities. Total monthly cost is based on the average number of Lambda functions scanned per month; the price is prorated based on total Inspector coverage hours within a month.
Amazon Lambda code scans: Each deployed Lambda function is continually assessed for code vulnerabilities, such as injection flaws and embedded secrets in the application code you write. The total monthly cost is based on the average number of Lambda functions scanned per month. The price is prorated based on total Amazon Inspector coverage hours for the scanned functions within a month. The number of hours reflect the duration from when the function was discovered by Amazon Inspector until the function was deleted or excluded from scanning.
With Inspector you only pay for what you use, with no minimum fees and no upfront commitments.
All accounts new to Amazon Inspector are eligible for a 15-day free trial to evaluate the service and estimate its cost. During the trial, all eligible Amazon Elastic Compute Cloud (EC2) instances, Amazon Lambda functions, and container images pushed to Amazon Elastic Container Registry (ECR) are continually scanned at no cost. For on-demand container image scanning within CI/CD tools, you receive one-time free usage for 25 image assessments per account. Note: CIS Benchmark assessments are not included in the 15-day free trial.
Additionally, you can review estimated spend in the Amazon Inspector console, including aggregated organization-wide spend in the central Amazon Inspector administrator account. This way, you can understand and estimate the cost of using Amazon Inspector for automated and continual vulnerability scans across EC2, Amazon ECR, and Lambda functions for your entire organization before moving to paid usage.
Pricing details
EC2 Scanning per month (includes continual vulnerability and network reachability scans)
Average number of Amazon EC2 instances scanned per month using SSM-agent based scanning* | ¥10.81 per instance |
Average number of Amazon EC2 instances scanned per month using agentless based scanning* | ¥15.11 per instance |
CIS Benchmark assessment for operating systems in EC2 instances
Number of assessments per month | ¥0.215 per assessment per instance |
ECR Container image scanning
Amazon ECR pushed images for initial scan per month | ¥0.7865 per image |
Amazon ECR images rescanned per month | ¥0.0715 per rescan |
On-demand container image scanning (including within CI/CD solutions)
Number of container images scanned*** | ¥0.215 per image |
Lambda standard Scanning per month
Average number of Amazon Lambda functions scanned per month** | ¥2.57 per Lambda function |
Lambda standard and code scans
Average number of Amazon Lambda functions scanned per month with both Lambda Standard and Code Scanning** | ¥2.57 + ¥4.65 per Lambda function |
*Average number of EC2 instances = (total hours of active, supported instances being scanned) / (number of hours in a month, i.e., 720 hours). For example, you have 3 supported instances that were active and being scanned for different amounts of time during a month: The first for 360 hours, the second for 350 hours, and the third for 10 hours, adding up to a total 720 hours of active, supported instances being scanned. Therefore, 720 hours total of instances being scanned that month / 720 hours in the month = 1 average EC2 instance.
**Average number of Lambda Functions = (total hours of Inspector coverage for a Lambda function) / (number of hours in a month, i.e., 720 hours). For example, you have 3 deployed Lambda functions that were scanned for different amounts of time during a month: The first for 720 hours, the second for 350 hours, and the third for 10 hours, adding up to a total 1080 hours of deployed Lambda functions instances being scanned. Therefore, 1080 hours total of Lambda functions being scanned that month / 720 hours in the month = 1.5 average Lambda functions.
***The same price of CNY 0.215 applies if you're using the Amazon Inspector API, which takes Software Bill of Materials (SBOM) as an input and provides vulnerability results
Pricing examples
Example 1: Amazon EC2 instance scanning
You enter a new billing month for your Amazon Web Services China (Beijing) Region deployment with 10 Amazon EC2 instances with the Systems Manager agent installed and configured for Amazon Inspector EC2 scanning, and these instances are running all month. In addition, during this monthly billing period, 10 additional instances are launched and continually scanned with Inspector, however, each of these new instances are active only 15 days during the billing period. Amazon Inspector charges in Amazon Web Services China (Beijing) Region would be calculated as follows:
10 EC2 instances scanned for all 30 days at ¥10.81 each = 10 * ¥10.81 = ¥108.1
10 EC2 instances scanned for only 15 days, resulting in an average of 5 instances, at ¥10.81 each = 5 * ¥10.81 = ¥54.05
For the month, your Amazon Inspector bill will be ¥162.15.
Example 2: Amazon ECR container image with continual scanning
You enter a new billing month for your Amazon Web Services China (Beijing) Region deployment with 500 previously pushed, scanned, and retained container images in the last 30 days into an ECR repository configured for continual scanning. You also push 1,000 new container images to the same repository during the month. Your costs will include the 1,000 new container images initially scanned when they are pushed in ECR and a charge for rescanning the total of 1,500 retained container images. For this month, there were updates to the Amazon Inspector vulnerability database, which triggered 15 rescans. Amazon Inspector charges in Amazon Web Services China (Beijing) Region would be calculated as follows:
1,000 newly pushed container images are initially scanned at ¥0.644 each = 1,000 * ¥0.644 = ¥644.00
500 previously pushed and scanned container images already in the repository bring the total to 1,500
1,500 images, each rescanned an average of 15 times, at ¥0.072 per rescan, 1,500 * 15 * ¥0.072 = ¥1620.00
For the month, your Amazon Inspector bill will be ¥2264.00.
Example 3: Amazon ECR container image with on-push scanning
You enter a new billing month for your Amazon Web Services China (Beijing) Region deployment with 500 previously pushed, scanned, and retained container images in an ECR repository configured for on-push scanning and you push 1,000 new container images to the same repository during the month. Your costs will only include the 1,000 new container images scanned when they are pushed in ECR. Since the repository is configured for on-push scanning, there will be no rescans and therefore, there will be no additional charges. Amazon Inspector charges in Amazon Web Services China (Beijing) Region would be calculated as follows:
1,000 newly pushed container images initially scanned at ¥0.215 each = 1,000 * ¥0.215 = ¥215.00
There is no charge for the 500 previously scanned images
For the month, your Amazon Inspector bill will be ¥215.00.
Example 4: Amazon Lambda function Standard scanning
You enter a new billing month for your Amazon Web Services China (Beijing) Region with 20 Lambda functions deployed. Amazon Inspector charges in Amazon Web Services China (Beijing) Region would be calculated as follows:
10 Lambda functions scanned for all 30 days at ¥2.57 per function = 10 * ¥2.57 = ¥25.70|
10 Lambda functions scanned for only 15 days (i.e., deleted after 15 days) at ¥2.57 per function = ¥12.85
(There is no additional charge for rescanning)
For the month, your Amazon Inspector bill would be ¥38.55.
Example 5: Amazon Lambda function standard plus code scanning
You enter a new billing month for your Amazon Web Services China (Beijing) Region with 20 Lambda functions deployed. Amazon Inspector charges in Amazon Web Services China (Beijing) Region would be calculated as follows:
10 Lambda functions scanned for all 30 days at (¥2.57 + ¥4.65) per function = 10 * ¥7.22 = ¥72.2
10 Lambda functions scanned for only 15 days (i.e., deleted after 15 days) at (¥2.57 + ¥4.65) per function = 5 * ¥7.22 = ¥36.1
(There is no additional charge for rescanning.)
For the month, your Amazon Inspector bill would be ¥108.3.
Example 6: On-demand container image assessment (including within CI/CD tools)
You enter a new billing month for your Amazon Web Services China (Beijing) Region deployment with 1000 container images within CI/CD tools. Amazon Inspector charges in Amazon Web Services China (Beijing) Region would be calculated as follows:
1,000 container images within CI/CD tools, at ¥0.215 each image
For the month, your Amazon Inspector bill will be 1000 * ¥0.215 = ¥215.
Example 7: Center for Internet Security (CIS) Benchmark assessments for operating systems in Amazon EC2 instances
You enter a new billing month for your Amazon Web Services China (Beijing) Region deployment with 10 EC2 instances with the Systems Manager agent installed. You schedule two monthly CIS Benchmark assessments for the 10 instances. Amazon Inspector charges in Amazon Web Services China (Beijing) Region would be calculated as follows:
10 EC2 instances assessed twice at ¥0.215 per assessment per instance
For the month, your Amazon Inspector bill will be 10 * ¥0.215 = ¥2.15.