Not the "homerun" I was hoping for.
Organization is wanting to use Inspector to validate that launched EC2s are adequately hardened. Further, they wanted to evaluate against Inspector's CIS benchmarks. Figured, "if I start from an official AMI, it ought to be a homerun to get a clean output from Inspector". Launch an EC2 from the AMI. Discover that the AMI is missing the AWS agent. Correct this gap. Run Inspector. Wait for report. Report comes back with nearly 40 "High" findings (nearly 30 if you ignore the DC-only and NG-only findings).
Notice, "oh, *this* AMI is built using the 1.3.0.2 benchmarks and Inspector is using the 1.1.0 benchmarks." Go back to AWSMP and click on the "view older versions" link under the AMI. Am simply taken back to the AMI's normal information page with no indication of availability of back-rev AMIs that I might need.
Report back issues to my organization. They note, "but those findings are all HIGH findings".
Not the "homerun" I was hoping for.
Thank you for your feedback! We would love to hear more from you on this product. Please visit https://www.cisecurity.org/support and submit a support ticket under “CIS Product Technical Support” to provide additional feedback or engage with CIS support. Thank you!