
Cloud Vulnerability Management — Inspector, Defender & SCC Scanning Guide

DodaTech Updated 2026-06-24 5 min read

In this tutorial, you'll learn about Cloud Vulnerability Management. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud vulnerability management automatically scans compute workloads, container images, and serverless functions for known CVEs and misconfigurations using tools like AWS Inspector, Azure Defender, and GCP Security Command Center, with risk-based prioritization of the findings.

What You Will Learn

How to deploy vulnerability scanning across EC2, Azure VMs, GCP Compute Engine, and containers, prioritize findings by exploitability and asset criticality, and automate patching.

Why It Matters

New vulnerabilities are disclosed daily. Unpatched systems are the most common entry point for attackers. Automated vulnerability management ensures you discover, prioritize, and remediate CVEs before they are exploited.

Real-World Use

DodaTech scans 500 EC2 instances weekly with AWS Inspector. Findings with a known exploit in the wild and a CVSS score above 7 are automatically routed to a patching workflow. Critical patches are deployed within 24 hours.

Vulnerability Management Lifecycle

flowchart LR
  Scan[Automated Scan\nAgent or Agentless] --> Discover[Discovery\nCVE Database Match]
  Discover --> Prioritize[Risk Prioritization\nCVSS + Exploitability + Asset Criticality]
  Prioritize --> Report[Reporting & Dashboard]
  Prioritize --> Remediate["Remediation\nPatch / Config Change / Replacement"]
  Remediate --> Verify[Verification\nRe-Scan]
  
  ThreatIntel[Threat Intelligence\nKnown Exploits in Wild] --> Prioritize
  
  style Scan fill:#f90,color:#fff
  style Prioritize fill:#e00,color:#fff

AWS Inspector

AWS Inspector scans EC2 instances and container images for software vulnerabilities and network exposure.

# Enable Inspector for EC2 and ECR scanning (scanning is continuous once enabled;
# there is no schedule to create)
aws inspector2 enable \
  --resource-types EC2 ECR

# Create a suppression rule so CLOSED findings drop out of the active view
aws inspector2 create-filter \
  --action SUPPRESS \
  --filter-criteria '{"findingStatus": [{"comparison": "EQUALS", "value": "CLOSED"}]}' \
  --name suppress-closed-findings

# List active CRITICAL findings with their Inspector score (CVSS-based)
aws inspector2 list-findings \
  --filter-criteria '{"severity": [{"comparison": "EQUALS", "value": "CRITICAL"}]}' \
  --query 'findings[*].[title,severity,inspectorScore,findingArn]' \
  --output table
# Output (abbreviated):
# ---------------------------------------------------
# | Title                          | Severity | Score |
# | CVE-2026-5678 in openssl 1.1.1 | CRITICAL | 9.8   |
# | CVE-2026-9012 in curl 7.79     | CRITICAL | 9.1   |
# ---------------------------------------------------

# Get detailed information for one finding (filter on its ARN)
aws inspector2 list-findings \
  --filter-criteria '{"findingArn": [{"comparison": "EQUALS", "value": "arn:aws:inspector2:us-east-1:...:finding/abc123"}]}'
# Output:
# {
#   "findings": [
#     {
#       "title": "CVE-2026-5678 in openssl 1.1.1",
#       "severity": "CRITICAL",
#       "inspectorScore": 9.8,
#       "exploitAvailable": "YES",
#       "fixAvailable": "YES",
#       "resource": {"id": "i-1234567890abcdef", "type": "AWS_EC2_INSTANCE"}
#     }
#   ]
# }

Azure Defender for Servers

Azure Defender for Servers includes vulnerability assessments, just-in-time access, and file integrity monitoring.

# Enable Defender for Servers on the subscription (the integrated vulnerability
# assessment ships with the plan; `az security va sql` manages SQL vulnerability
# assessment, not servers)
az security pricing create \
  --name VirtualMachines \
  --tier Standard

# List vulnerability sub-assessments and keep those attached to one VM
az security sub-assessment list \
  --query "[?contains(id, 'prod-web-vm')]"
# Output (illustrative, abbreviated; field names are simplified):
# [
#   {
#     "cveId": "CVE-2026-5678",
#     "severity": "Critical",
#     "description": "OpenSSL vulnerability",
#     "remediation": "Update openssl to 1.1.1t"
#   }
# ]

# Generate a report of Critical findings across the subscription
az security sub-assessment list \
  --query "[?severity=='Critical'].{CVE:cveId, Severity:severity, Patch:remediation}" \
  --output table
# Output:
# CVE              Severity  Patch
# CVE-2026-5678   Critical  Update openssl to 1.1.1t
# CVE-2026-9012   Critical  Update curl to 7.88

GCP Security Command Center

SCC detects vulnerabilities across Compute Engine VMs, GKE containers, and Cloud Functions.

# Enable vulnerability scanning
gcloud scc services update \
  --organization 123456789012 \
  --service vulnerability-scanning \
  --state enabled

# List active CRITICAL vulnerability findings (SCC scans continuously; there is
# no per-scan job to create)
gcloud scc findings list \
  --organization 123456789012 \
  --filter 'category="VULNERABILITY" AND severity="CRITICAL" AND state="ACTIVE"' \
  --format="table(name, vulnerability.cve.id:label=CVE)"
# Output:
# NAME                             CVE
# organizations/.../findings/abc   CVE-2026-5678
# organizations/.../findings/def   CVE-2026-9012

# Get remediation details for one CVE across the organization
gcloud scc findings list \
  --organization 123456789012 \
  --filter 'vulnerability.cve.id="CVE-2026-5678" AND state="ACTIVE"' \
  --format="json(vulnerability.cve, vulnerability.remediation)"
# Output:
# [
#   {
#     "vulnerability": {
#       "cve": {"id": "CVE-2026-5678", "cvssScore": 9.8},
#       "remediation": {"description": "Update openssl package to version 1.1.1t or later"}
#     }
#   }
# ]

Risk-Based Prioritization

Not all CVEs pose equal risk. Prioritize based on CVSS score, exploit availability in the wild, asset criticality, and network exposure.
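As an added example (not DodaTech's code or any vendor's API), the prioritization described above expressed as a small scoring and routing routine in Python: it blends CVSS with exploit availability, asset criticality and internet exposure, and applies the routing rule from the Real-World Use section (known exploit in the wild and CVSS above 7 goes to the 24-hour patching workflow). The weights, the asset inventory, the second instance id and the placeholder CVE-2026-XXXX are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    resource: str          # cloud resource id the scanner attached the finding to
    cvss: float            # base score (0-10) as reported by the scanner
    exploit_in_wild: bool  # scanner/threat-intel flag, e.g. Inspector "exploitAvailable"
    fix_available: bool    # e.g. Inspector "fixAvailable"

# Constructed asset inventory (assumption): criticality 1 (dev) to 3 (crown jewel).
ASSETS = {
    "i-1234567890abcdef": {"criticality": 3, "internet_exposed": True},   # prod web
    "i-0fedcba987654321": {"criticality": 1, "internet_exposed": False},  # dev batch
}

def risk_score(f: Finding) -> float:
    """Blend CVSS with exploitability, asset criticality and exposure (weights are assumptions)."""
    asset = ASSETS.get(f.resource, {"criticality": 2, "internet_exposed": False})
    score = f.cvss
    if f.exploit_in_wild:
        score += 3.0                                # known exploitation outranks raw CVSS
    score += 0.5 * (asset["criticality"] - 2)       # +0.5 for crown jewels, -0.5 for dev
    if asset["internet_exposed"]:
        score += 1.0
    return round(score, 2)

def route(f: Finding) -> str:
    """Routing rule modelled on the DodaTech policy: exploit in the wild and CVSS > 7 -> 24h patch."""
    if f.exploit_in_wild and f.cvss > 7:
        return "patch-24h"
    if f.cvss >= 7 and f.fix_available:
        return "patch-7d"
    return "backlog"

def prioritize(findings):
    return sorted(findings, key=risk_score, reverse=True)   # highest risk first

# Constructed sample: the two CVEs from the scan output above plus a placeholder CVE
# (CVE-2026-XXXX) with a lower CVSS that is being actively exploited.
SAMPLE = [
    Finding("CVE-2026-5678", "i-1234567890abcdef", 9.8, True, True),
    Finding("CVE-2026-9012", "i-0fedcba987654321", 9.1, False, True),
    Finding("CVE-2026-XXXX", "i-1234567890abcdef", 7.5, True, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve:14} {f.resource:20} risk={risk_score(f):5} -> {route(f)}")
```

Note that the CVSS 7.5 finding with a known exploit ranks above the CVSS 9.1 finding without one, which is the point made under Common Mistakes.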

Common Mistakes

  1. Only scanning monthly: Vulnerabilities are disclosed daily. Weekly scans are the minimum. Daily or continuous scanning is preferred.
  2. No exploitability context: A CVSS 9.8 vulnerability with no known exploit is lower priority than a CVSS 7.5 vulnerability being actively exploited. Use threat intelligence for prioritization.
  3. Ignoring container images: VMs get attention but container images in registries also need scanning. Scan images at build time and in registries.
  4. No automated patching workflow: Finding vulnerabilities without fixing them creates backlog. Automate patching for low-risk vulnerabilities and create workflows for critical ones.
  5. Scanning only OS packages: Application dependencies and libraries also have vulnerabilities. Extend scanning to language packages (npm, pip, maven).

Practice Questions

  1. How does AWS Inspector determine a finding's severity?
  2. What vulnerability assessment options does Azure Defender offer?
  3. How does GCP SCC prioritize vulnerabilities across an organization?
  4. Why is exploitability context important for vulnerability prioritization?
  5. How often should vulnerability scans run in production environments?

Challenge

Deploy a comprehensive vulnerability management program. Enable AWS Inspector for EC2 and ECR scanning. Enable Azure Defender for Servers with integrated vulnerability assessment. Enable GCP SCC with vulnerability scanning. Create a weekly report of all CRITICAL and HIGH findings across all three clouds. Prioritize findings using CVSS score and exploitability context. Automate patching for non-production systems using a patching Lambda or Automation document.

FAQ

What is cloud vulnerability management?

The continuous process of identifying, prioritizing, and remediating security vulnerabilities in cloud workloads.

Does AWS Inspector scan for Windows vulnerabilities?

Yes. AWS Inspector supports both Windows and Linux EC2 instances, scanning for OS and application-level vulnerabilities.

What is the Azure vulnerability assessment?

A built-in vulnerability scanner in Azure Defender for Servers that identifies missing patches, weak configurations, and exposed credentials.

How does GCP SCC detect vulnerabilities?

SCC integrates with the Google Cloud vulnerability database to scan Compute Engine VMs, GKE nodes, and container images for known CVEs.

What is a CVSS score?

The Common Vulnerability Scoring System provides a numerical score (0-10) representing the severity of a vulnerability based on exploitability and impact.
