Forem: Yuji Oshima

Build an Action Game to Learn AWS Security in a Fun Way with Amazon Q CLI

Yuji Oshima — Mon, 09 Jun 2025 11:19:29 +0000

There was an interesting campaign about Amazon Q CLI.
If I build a game with Amazon Q CLI and publish a blog or video, I can get a limited T-shirt, so I tried it right away.

Build Games with Amazon Q CLI and score a T shirt 🏆👕

You can interact with other builders and get support on Discord, so if you're interested, join us.

Discord

Environment preparation

Create an AWS Builder ID.

Builder ID

Install Amazon Q CLI.
There are procedures for each OS, so please refer to them.

Linux

Essential guide to installing Amazon Q Developer CLI on Linux

Windows

The essential guide to installing Amazon Q Developer CLI on Windows

This time, I used the Windows WSL environment.
As you go through the steps, you will be able to run the installer.

./install.sh

When running the installer, you will be asked questions, so answer them as follows.

Do you want to add it to the shell variable? → Yes
How do you want to change the login method? → Use for Free with Builder ID

? Do you want to modify your shell config (you will have to manually do this otherwise)? ›
❯ Yes
No

? Select login method ›
❯ Use for Free with Builder ID
Use with Pro license

Confirm the following code in the browser
Code: XXXX-XXXX

Open this URL: https://view.awsapps.com/start/#/device?user_code=XXXX-XXXX
▰▰▰▰▰▱▱ Logging in...

Device authorized
Logged in successfully

Then a URL with the authentication code will be issued, so open it in your browser and continue.

You will be asked if you want Amazon Q Developer for command line to access your data, so allow it.

Your request has been approved.

You can confirm that q cli starts successfully by running the following command from WSL.

q chat

Next, install PyGame, a library required for game development.

GettingStarted - pygame wiki

sudo apt-get install python3-pygame

If you have trouble with dependencies, you can ask Q to do it for you.

Try to build a game with Amazon Q CLI

When you're not sure what to make, it's a good idea to ask Q to think about it.

> pygameでゲームを作ります。AWSセキュリティを学べる簡単なゲーム案を考えてください。
AWSセキュリティを学べるPygameゲームの案を考えてみましょう。以下は「AWS Security Defender」というゲーム案です：

## AWS Security Defender

プレイヤーはAWSクラウド環境のセキュリティ担当者となり、様々なセキュリティ脅威からリソースを守るゲームです。

### ゲームコンセプト
• 2Dサイドビューまたはトップダウン視点のアクションゲーム
• プレイヤーはAWSセキュリティエンジニアとして、クラウド環境を守る
• 様々なセキュリティ脅威（マルウェア、不正アクセス、設定ミスなど）が攻撃してくる
• 正しいセキュリティ対策を選んで脅威を撃退する

### ゲーム要素
1. ステージ構成:
   • EC2、S3、RDS、Lambdaなど異なるAWSサービスをテーマにしたレベル
   • 各レベルで特有のセキュリティ脅威と対策が登場

2. プレイメカニック:
   • プレイヤーは「セキュリティツール」を収集・使用して脅威を撃退
   • 例: IAMポリシー（アクセス制御）、WAF（Webアタック防御）、GuardDuty（異常検知）など
   • 正しいツールを正しい脅威に対して使うことでポイント獲得

3. 教育要素:
   • 各脅威とツールには実際のAWSセキュリティ概念の説明が付く
   • クイズ形式の「セキュリティチェックポイント」でAWSセキュリティの知識をテスト
   • ゲームオーバー時に「セキュリティベストプラクティス」のヒントを表示

4. ゲームの進行:
   • スコアはセキュリティ対策の適切さと速さで決まる
   • 高難度になるほど複雑なセキュリティシナリオが登場
   • 最終的にはマルチレイヤーのセキュリティ対策が必要になる

### 技術的な実装ポイント
• Pygameで2Dグラフィックスとアニメーションを実装
• シンプルな物理エンジンでキャラクター移動とアイテム収集を実現
• JSONファイルでセキュリティシナリオとクイズデータを管理
• スコアとプレイヤーの進捗を保存する機能

このゲームは楽しみながらAWSセキュリティの基本概念（最小権限の原則、多層防御、暗号化、監視など）を学べる教育ツールとして
機能します。プラットフォーマーゲームの要素を取り入れつつ、セキュリティの知識を実践的に身につけられる内容になっています。

It looks good, so I asked Q to make it with this idea.

> pygameを使ってその案のゲームを作ってください。
それでは、AWS Security Defenderゲームをpygameで実装していきましょう。まずは基本的なゲーム構造を作成します。

Then, Q created the game in no time.

AWS Security Defenderゲームの実装が完了しました！以下のファイルを作成しました：

1. main.py - メインゲームループとゲームロジック
2. player.py - プレイヤーキャラクターのクラス
3. threats.py - セキュリティ脅威のクラス
4. tools.py - セキュリティツールのクラス
5. levels.py - ゲームレベルの定義
6. README.md - ゲームの説明書

## ゲームの実行方法

ゲームを実行するには、以下のコマンドを使用します：

bash
python main.py


## ゲームの特徴

1. 教育的要素:
   • AWSセキュリティの基本概念を学べる
   • 各レベルで異なるセキュリティシナリオを体験
   • セキュリティクイズでAWSの知識をテスト

2. ゲームプレイ:
   • 左右矢印キーでプレイヤーを移動
   • スペースキーで攻撃
   • タブキーでセキュリティツールを切り替え
   • 正しいツールで脅威を撃退するとスコア獲得

3. レベル構成:
   • レベル1: EC2セキュリティ（基本的な脅威）
   • レベル2: S3データ保護（データ漏洩対策）
   • レベル3: ネットワーク防御（複合的な脅威）

## 拡張アイデア

このゲームは基本的な実装ですが、以下のように拡張できます：

1. グラフィック改善:
   • 単純な四角形の代わりに、AWSサービスのアイコンを使用
   • アニメーションの追加
   • 背景にAWSクラウド環境の視覚的表現

2. ゲームプレイの拡張:
   • より多くのレベルとシナリオ
   • 難易度設定
   • ハイスコアの保存
   • より多くのセキュリティツールと脅威タイプ

3. 教育コンテンツの充実:
   • より詳細なAWSセキュリティの説明
   • 実際のAWSコンソールに似たUI要素
   • より多くのクイズと学習コンテンツ

このゲームを通じて、プレイヤーはAWSセキュリティの基本概念を楽しく学ぶことができます。

After that, I played the game and made small modifications to complete it.

Finished game

This game is called "AWS Security Defender Game".

Players become security officers in the AWS cloud environment and protect resources from various security threats.
Use the right security tools to defeat threats and get points.

Each level features a different threat that you need to deal with using the right security tools.
If you defeat the threat correctly, you get 100 points, and if you miss it, you lose 50 points.

The code is available on GitHub.

GitHub - AWS Security Defender Game

Summary

I was able to easily build a game using Amazon Q CLI.
It's amazing that I was able to build something that works just by interacting with Q without doing any coding.
Depending on how you devise the prompts, you may be able to build an even more amazing game.
Please take this campaign as an opportunity to try out Amazon Q CLI.

AWS Summit Japan 2024 Participation Summary

Yuji Oshima — Wed, 31 Jul 2024 09:48:09 +0000

I recently attended the AWS Summit Japan 2024 held at Makuhari Messe, so I will share my experience there.

Event Overview

Date: Thursday, June 20th - Friday, June 21st, 2024
Venue: Makuhari Messe
Participation fee: Free

AWS Summit is an event for everyone interested in innovating with all things cloud, where the cloud computing community can come together to learn about Amazon Web Services (AWS), share best practices, and exchange information.

There will be more than 150 sessions, more than 250 exhibition booths, and a variety of other content.

AWS Summit Japan

Entering the venue

When I enter Makuhari Messe, I see large board.

At the reception I can get a reserved seat ticket for the keynote speech and a lunch voucher.
Previous events have had unreserved seating, but this year it seems that seating will be reserved.

There are cushions placed on the seats that we can take home.
This year's cushions have bands and are foldable.
Since various swags will be available to receive during the event, it is great to have the cushions fold up compactly.

An opening DJ is playing at the keynote venue, which get me excited.

Keynote speech

First, a greeting from Jaime Valles, Vice President & Managing Director and Japan Managing Director.
He say that we will continue to focus on the Japanese market.

Next is a session by Werner Vogels, CTO.
I listened to Werner's session at re:Invent last year, and it was an engaging talk that interweaved historical background.
It was a very rare opportunity to listen to Werner speak in Japan.

The idea of automation has existed since the time of Plato and Aristotle.
From early expert systems, ideas such as deep learning and reinforcement learning have emerged, and LLM has recently come to prominence.
LLM is just the beginning, and it is important to think about what we will achieve with AI.
Good AI requires good data, and good work requires good people.
Examples of AI technology use in agriculture, drones, medicine, etc. were introduced.

Last year, "democratization of security" was an important keyword, but "democratization of data" is also likely to become an important keyword.
I feel that we will need the ability to look at issues from a broader perspective and consider ways to utilize AI technology.

Next is a session by Jared Kaplan, Co-Founder & Chief Scientist at Anthropic.
He talk about Anthropic's research, security efforts, and Claude3.

Next is a session by Mikihiko Tsunematsu, Director.
He made various announcements.

Anthropic's Claude3 now available in the Tokyo region
Amazon Q Business Japanese version released
Announcement of new certifications, AIF and MLA
Announcement of AWS Generated AI Practical Application Promotion Program

As expected, the keynote speech was full of generative AI.

Scene from the venue

The venue was very spacious, with many session venue and corporate booths creating a lively atmosphere.

The certified lounge is larger than last year.

An exciting race is taking place at the AWS DeepRacer venue.

There are also some photogenic spots.

I had the chance to try out Chaos Kitty.
The physical architecture, made up of blocks and IoT lightbulbs, represents a simple three-tier web app in an AWS environment.
When a configuration change occurs, the IoT lightbulbs change color from green (safe) to red (configuration violation), and I can change the settings in the AWS console to make them all green.

I tried holding the actual AWS Snowball

Conclusion

This year's AWS Summit was also very enjoyable.
As expected, there were many topics related to generative AI.
Many companies are offering services using generative AI, and I realized that generative AI is becoming increasingly widespread and being integrated into services as a matter of course.
This concludes my brief introduction to AWS Summit Japan 2024.

Amazon GuardDuty Malware Protection for Amazon S3 is now generally available at re:Inforce 2024

Yuji Oshima — Wed, 31 Jul 2024 09:47:55 +0000

Amazon GuardDuty Malware Protection for Amazon S3 was released at AWS re:Inforce 2024, so I immediately checked it out.

Detect malware in new object uploads to Amazon S3 with Amazon GuardDuty - AWS

Introducing Amazon GuardDuty Malware Protection for Amazon S3 | AWS News Blog

Update Overview

The GuardDuty Malware Protection extension detects the upload of malicious files to the selected S3 bucket
If GuardDuty is not enabled, you can enable only the GuardDuty Malware Protection for Amazon S3 feature
The scanned object is tagged with GuardDutyMalwareScanStatus, and the tag value indicates whether it was determined to be a threat

The tag values are as follows

NO_THREATS_FOUND: No potential threats were detected
THREATS_FOUND: Potential threats were detected
UNSUPPORTED: Scanning of the object is not supported
ACCESS_DENIED: The object cannot be accessed
FAILED: Malware scanning cannot be performed

More details about tags are also available in the following documentation

Monitoring S3 object scan status - Amazon GuardDuty

Pricing is based on the size and number of objects. Prices are as follows:
$0.79/GB per month for file size
$0.282/1k per month for number of files

Intelligent Threat Detection – Amazon GuardDuty Pricing – AWS

Enable Malware Protection for Amazon S3

Click "Enable Malware Protection for S3" from "Malware Protection for S3" in GuardDuty.

Select "All objects in S3 bucket" as the S3 bucket to scan, and "Tag objects" as the tagging.
Create an IAM role for the Malware Protection for Amazon S3 feature.
Click "View Permissions".

The policies required for the IAM role will be displayed, so copy them.

For reference, the policies and trust relationships are as follows:

Policy



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowManagedRuleToSendS3EventsToGuardDuty",
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:DeleteRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:aws:events:ap-northeast-1:3<accountID>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
      ],
      "Condition": {
        "StringLike": {
          "events:ManagedBy": "malware-protection-plan.guardduty.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowGuardDutyToMonitorEventBridgeManagedRule",
      "Effect": "Allow",
      "Action": [
        "events:DescribeRule",
        "events:ListTargetsByRule"
      ],
      "Resource": [
        "arn:aws:events:ap-northeast-1:<accountID>:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
      ]
    },
    {
      "Sid": "AllowPostScanTag",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging",
        "s3:GetObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket/*"
      ]
    },
    {
      "Sid": "AllowEnableS3EventBridgeEvents",
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketNotification",
        "s3:GetBucketNotification"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket"
      ]
    },
    {
      "Sid": "AllowPutValidationObject",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket/malware-protection-resource-validation-object"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket"
      ]
    },
    {
      "Sid": "AllowMalwareScan",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3mal-bucket/*"
      ]
    },
    {
      "Sid": "AllowDecryptForMalwareScan",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:ap-northeast-1:<accountID>:key/<key_id>",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.*.amazonaws.com"
        }
      }
    }
  ]
}

Trust relationship



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "malware-protection-plan.guardduty.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Next, create an IAM role.

The entity type should be a custom trust policy and paste the copied trust relationship.

Policies are added as inline policies after creating a role.
Enter a role name and create the role.

In the inline policy permissions, paste the policy that you copied.

Enter a policy name and create the policy.

Return to the Enable S3 Malware Protection setting, select the IAM role you created, and click "Enable."

S3 Malware Protection has been enabled.

You can monitor the scan status.

The IAM policy had permissions to S3 and EventBridge.
So I checked EventBridge and found that a rule called "DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3-" had been created.
Looking at the event pattern and target, it appeared that when an object is created in the S3 bucket, guardduty-malware-protection-plan is launched and a scan is performed.

Detecting malware

Upload the eicar file to S3 bucket.

By the way, when S3 Malware Protection is enabled, a test file called "malware-protection-resource-validation-object" is automatically created.

When watching the monitoring, you can see that it is being scanned and determined to be infected.

The eicar file is tagged with "GuardDutyMalwareScanStatus: THREATS_FOUND", indicating that a potential threat has been detected.

By the way, if you look at the tag of the test file "malware-protection-resource-validation-object" created during activation, you will see that it is tagged with "GuardDutyMalwareScanStatus: NO_THREATS_FOUND", which indicates that it was not determined to be a potential threat.

Checking the detection results

Now let's look at the detection results.
Looking at the "Detection Results" in GuardDuty, you can see that the detection result type is "Object:S3/MaliciousFile" with a severity of "High".

If you look at the details, you can see the reason for the detection and information about the object.

Protect against malware

After scanning, objects are tagged, so you can implement tag-based access control (TBAC) in your bucket policies to isolate malware from the resources it accesses.

Using tag-based access control (TBAC) with Malware Protection for S3 - Amazon GuardDuty

There is an example policy, so set it in the S3 bucket policy.

It denies access to any objects other than those with the tag "GuardDutyMalwareScanStatus": "NO_THREATS_FOUND".

Tag-Based Access Control (TBAC) Bucket Policy Examples



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NoReadExceptForClean",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::555555555555:root",
                    "arn:aws:iam::555555555555:role/IAM-role-ARN",
                    "arn:aws:iam::555555555555:assumed-role/role-ARN/GuardDutyMalwareProtection"
                ]
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:ExistingObjectTag/GuardDutyMalwareScanStatus": "NO_THREATS_FOUND"
                }
            }
        },
        {
            "Sid": "OnlyGuardDutyCanTag",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::555555555555:root",
                    "arn:aws:iam::555555555555:role/IAM-role-ARN",
                    "arn:aws:iam::555555555555:assumed-role/role-ARN/GuardDutyMalwareProtection"
                ]
            },
            "Action": "s3:PutObjectTagging",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

As a test, upload a harmless file to your S3 bucket.

The result was "GuardDutyMalwareScanStatus: NO_THREATS_FOUND".

When I tried copying it locally using AWS CloudShell, only the eicar file was blocked.



$ aws s3 cp s3://test-s3mal-bucket/test.txt ./

download: s3://test-s3mal-bucket/test.txt to ./test.txt


$ aws s3 cp s3://test-s3mal-bucket/eicar.com ./

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

Summary

I tried Amazon GuardDuty Malware Protection for Amazon S3.

I'm glad that we can easily implement the isolation mechanism, not just detection.

As a use case, I think it will be effective in applications where an unspecified number of users can upload files to an S3 bucket.

On the other hand, there seems to be no need to force it on S3 buckets that are used internally for log storage and do not have room for uploads from an unspecified number of users.
Use it according to your needs.

You can freely customize tagging and EventBridge, so you can send notification emails to operators or isolate them in other buckets.
It's a good idea to design it flexibly according to your requirements.

The scope of use of GuardDuty is expanding, so let's try it out.

Summary of AWS Security Hub updates announced at re:Invent 2023

Yuji Oshima — Sat, 27 Jan 2024 12:19:54 +0000

At AWS re:Invent 2023, there were many updates regarding AWS security services.
In this article, I will introduce updates to AWS Security Hub.

AWS Security Hub Control Customization

You can now customize the managed controls in the Security Hub.

For example, the default renewal interval for certificates issued by ACM is 30 days, but you can change to 45 or 60 days according to your organization's policies.

You can now customize security controls in AWS Security Hub

This can be set from "Customize Control Parameters" under "Custom Policies."

Security Hub controls are not always the best for an organization, so it is a nice update to be able to customize them for our　organization.

AWS Security Hub Dashboard Enhancements

The summary dashboard widget can now be customized.

The dashboard can now be filtered by AWS account and resource tags, allowing you to customize the dashboard in a way that is easy for you to use.

Announcing major dashboard enhancements in AWS Security Hub

You can view threat and vulnerability rankings.

You can also drag and drop graphs from the widget on the right.

For operators, the ability to customize an unified dashboard to suit their purposes is a much appreciated feature.

This update makes the Security Hub much easier to use.

New centralized configuration feature in AWS Security Hub

Centralized configuration is now available from a delegated administrator account.

This allows for flexibility with specific standards and controls across accounts and regions.

For example, specific controls can be disabled on an organizational basis, or customization of control parameters can be applied only to specific accounts.

Announcing new central configuration capabilities in AWS Security Hub

To see the settings.

From the Security Hub, go to "Settings" and press "Start Central Configuration."

From "Region," select any region to which you want to apply the policy.

From "Configuration Type," select "Customize Security Hub Settings."

On the "Custom Policies", select "Disable Specific Controls" and select the controls you wish to disable.

Again, you can use the update "AWS Security Hub Control Customization" feature.

You can then specify to which organization or account the configured policy should be applied.

Finally, enter the name, description, and tags of the policy you have set up so far and you are done.

Previously, controls were enabled or disabled for individual member accounts, but with this update, they can be centrally managed, which will make operations easier.

Announcing the addition of new Findings in the AWS Security Hub

New metadata has been added to Findings to help prioritize responses and understand context.

Specifically, the AWS account name, resource tag, and application tag are assigned.

Announcing new finding enrichment in AWS Security Hub

From "Detection Results" in the Security Hub, "Details" shows the AWS account name and resource tag.

The same is shown in the JSON log.

If users wanted to add information to the detection results, they had to develop it, but with this update, it is no longer necessary to build it in.

For example, it used to be a time-consuming task to identify account names from account IDs in the logs, but now that the information is in the logs, it is easier to investigate.

This is a very welcome update for operators.

Summary

The Security Hub is essential to maintaining the security of an AWS environment, so I look forward to future updates.

Summary of Amazon Inspector updates announced at re:Invent 2023

Yuji Oshima — Sat, 27 Jan 2024 12:18:36 +0000

At AWS re:Invent 2023, there were many updates regarding AWS security services.
In this article, I will introduce updates to Amazon Inspector.

Support for Lambda Code Scanning with Generative AI

Generative AI now provides code modification support based on scan results.

Code scanning for Lambda is a feature that was generally available at re:Inforce 2023, but at that time, only abstract fix suggestions were provided.

With this update, more specific code fix suggestions and patch files can be obtained.

Amazon Inspector expands AWS Lambda code scanning with generative AI powered remediation

Let's try to detect "Path traversal" from "Amazon CodeGuru, Detector Library".

Path traversal | Amazon CodeGuru, Detector Library

Prepare a Lambda function to detect it.

After a while, the Lambda function is detected by Inspector.

In the detail screen, a specific code fix is proposed and a patch file can be downloaded.

I think it will be easier to focus on secure code development since you can easily scan the Lambda code and provide suggested fixes and patch files.

Support for Agentless Vulnerability Assessment for EC2

Amazon Inscpctor can now perform EC2 vulnerability assessment without installing an agent.

Previously, the AWS System Manager agent had to be installed, but now it can automatically determine whether an agent is present and scan for it.

Scanning frequency is at 24-hour intervals.

Amazon Inspector agentless vulnerability assessments for Amazon EC2 now in preview

This is accomplished by using EBS snapshots to obtain software inventory information.

To configure, press "Edit" from "Scan mode" in "EC2 scanning settings" on the console screen.

You can select either "Hybrid" or "Agent-based" mode.
Agent-based" mode is the traditional scanning method: scanning only those EC2s with the agent installed.

"Hybrid" mode is the mode in which agent-less works: agent-based scans are performed if an agent is installed, and agent-less scans are performed if no agent is installed.

We understand that there may be cases where it is difficult to install an agent due to company rules or network configuration.

With this update, you can now manage vulnerabilities with Inspector even if you do not have an agent installed.

However, since the frequency of agent-less scans is every 24 hours, it is better to install an agent whenever possible and then switch to "Hybrid" mode for real-time detection.

Support for scanning container images within CI/CD tools

Amazon Inspector now integrates with developer tools to scan container images.

It is compatible with Jenkins, TeamCity, etc. and works seamlessly with traditional developer tools.

Amazon Inspector enhances container image security by integrating with developer tools

There were two types of container image scans: ECR's basic scanning and Inspector's enhanced scanning.

While basic scans could be integrated into the CI/CD pipeline, enhanced scanning were not supported.

With this update, enhanced scanning can also be integrated into the CI/CD pipeline, allowing for more security assurance at an earlier stage of development.

It is a welcome update to be able to integrate Inspector with developers' familiar tools and integrate it into the CI/CD pipeline.

Summary

There have been many updates to Inspector in 2023, and we have also seen features that integrateed into generative AI.

Not only security personnel, but also developers can easily manage vulnerabilities, and I believe that the user experience will change dramatically in the future.

We will keep an eye on the future of Inspector and Generative AI.