Detect vulnerabilities in your cloud environment.

Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
Agentless Vulnerability & Threat Detection is a serverless scanner in your cloud account. You can use it to scan your cloud account for vulnerabilities without impact to other resources and running applications.
Feature: Vulnerability Scan
Description: Inspects the following AWS resources to identify highly exploitable CVEs:
  • EBS volumes attached to your EC2 instances
  • ECR images with the "latest" tag
  • Lambda functions and their attached Lambda layers
Note
You can specify which resource types to include in scans when you add your AWS account in Cloud Accounts. Three AWS resource types are currently supported: EBS (Elastic Block Store), ECR (Elastic Container Registry), and Lambda.
Important
  • In EBS volumes, the vulnerability scan may fail due to memory limitations if the total file count across the EBS volumes exceeds 250,000. There is no file type limitation.
  • Vulnerability scans in ECR have storage size limitations that might lead to failures when scanning ECR images larger than 1 GB.
  • Lambda layers not attached to any Lambda functions are not scanned.
Agentless Vulnerability & Threat Detection works by taking a snapshot of EBS volumes and collecting ECR images, Lambda function zip archives, and Lambda layers. The collected resources are then scanned for vulnerabilities. Lambda functions deployed with container images are covered by ECR image scanning. Scan results are sent to Trend Vision One for review, where you can see the suggested remediation options in the Operations Dashboard of Attack Surface Risk Management. All collected data is analyzed within the serverless function, and only metadata is sent to Trend Vision One. Your data does not leave your cloud account.
Agentless Vulnerability & Threat Detection is a serverless function. The engine only activates during a scan and scales dynamically to meet the needs of the scanning process, within a set resource limit.
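The coverage rules and limits above (only "latest"-tagged ECR images, images over 1 GB, more than 250,000 files across EBS volumes, unattached Lambda layers) can be checked before a scan. The following pre-flight check is an added example, not Trend Micro code: it runs over a constructed inventory, and the field names (such as the per-volume file count) are assumptions you would fill from your own AWS API output.

```python
from dataclasses import dataclass

# Limits and coverage rules as documented on this page.
EBS_MAX_TOTAL_FILES = 250_000        # scan may fail above this total file count
ECR_MAX_IMAGE_BYTES = 1 * 1024 ** 3  # images larger than 1 GB may fail
ECR_SCANNED_TAG = "latest"           # only images carrying this tag are inspected


@dataclass
class EcrImage:
    repo: str
    tags: list
    size_bytes: int


@dataclass
class Inventory:
    ebs_file_counts: dict  # volume id -> file count (hypothetical field)
    ecr_images: list       # EcrImage objects
    layer_arns: list       # every Lambda layer version ARN in the account
    function_layers: dict  # function name -> list of attached layer ARNs


def coverage_gaps(inv):
    """Return resources the scanner would skip or likely fail on, keyed by reason."""
    gaps = {}
    if sum(inv.ebs_file_counts.values()) > EBS_MAX_TOTAL_FILES:
        gaps["ebs_file_limit"] = sorted(inv.ebs_file_counts)
    gaps["ecr_not_latest"] = [i.repo for i in inv.ecr_images if ECR_SCANNED_TAG not in i.tags]
    gaps["ecr_too_large"] = [i.repo for i in inv.ecr_images
                             if ECR_SCANNED_TAG in i.tags and i.size_bytes > ECR_MAX_IMAGE_BYTES]
    attached = {arn for arns in inv.function_layers.values() for arn in arns}
    gaps["lambda_layer_unattached"] = [a for a in inv.layer_arns if a not in attached]
    return {reason: items for reason, items in gaps.items() if items}


# Constructed sample inventory; ARNs use placeholder region/account.
SAMPLE = Inventory(
    ebs_file_counts={"vol-0aaa": 180_000, "vol-0bbb": 90_000},
    ecr_images=[
        EcrImage("api", ["latest", "v2.3"], 420 * 1024 ** 2),
        EcrImage("batch", ["v1.0"], 300 * 1024 ** 2),
        EcrImage("ml-worker", ["latest"], 3 * 1024 ** 3),
    ],
    layer_arns=["arn:aws:lambda:REGION:ACCOUNT:layer:common:1",
                "arn:aws:lambda:REGION:ACCOUNT:layer:legacy:4"],
    function_layers={"ingest": ["arn:aws:lambda:REGION:ACCOUNT:layer:common:1"]},
)

if __name__ == "__main__":
    for reason, items in coverage_gaps(SAMPLE).items():
        print(f"{reason}: {', '.join(items)}")
```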
Agentless Vulnerability & Threat Detection network diagram