by insanitybit 999 days ago
It's not like something is stopping one from doing a vuln scan, right? Like, there's something that SSMs in (or uses the admin container) and then runs the scan. Couldn't you just do the same thing?

Genuine questions, I don't know if this is the case or not.

2 comments

That's a good point. And it sounds like it would work to me as well. I don't know the answer either.

I guess my point is the project should be providing a clear path that doesn't involve AWS instead of just stopping short.

I just wrote a post on this. We have an eBPF + SBOM based security tool, and it runs great because it hooks the kernel directly via a Kube DaemonSet: https://edgebit.io/blog/base-os-vulnerabilities/

tl;dr: Amazon prioritizes patching really well, fixing real issues first
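For readers wondering what "hooking the kernel via a DaemonSet" looks like in practice, here is an added example manifest. It is not EdgeBit's manifest or anything from the linked post; it is the generic shape of a node-level eBPF agent on Kubernetes, and the namespace, image name, label and mount paths are all assumptions chosen for illustration:

```yaml
# Added example, not from the original thread or from EdgeBit.
# Generic DaemonSet shape for an eBPF + SBOM node agent; names and paths are assumed.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ebpf-scanner            # assumed name
  namespace: security           # assumed namespace
spec:
  selector:
    matchLabels:
      app: ebpf-scanner
  template:
    metadata:
      labels:
        app: ebpf-scanner
    spec:
      hostPID: true             # see host PIDs so kernel events can be tied back to containers
      tolerations:
        - operator: Exists      # schedule on every node, including tainted control-plane nodes
      containers:
        - name: agent
          image: registry.example.invalid/ebpf-scanner@sha256:0000000000000000000000000000000000000000000000000000000000000000  # placeholder; pin by digest in real use
          securityContext:
            privileged: true    # simplest way to load eBPF programs; CAP_BPF + CAP_PERFMON is tighter on kernels >= 5.8
          volumeMounts:
            - name: debugfs
              mountPath: /sys/kernel/debug   # tracepoints / kprobe interfaces
            - name: bpffs
              mountPath: /sys/fs/bpf         # pinned maps and programs
            - name: host-root
              mountPath: /host
              readOnly: true                 # read-only view of the host for package/SBOM inventory
      volumes:
        - name: debugfs
          hostPath:
            path: /sys/kernel/debug
        - name: bpffs
          hostPath:
            path: /sys/fs/bpf
        - name: host-root
          hostPath:
            path: /
```

The practitioner caveat is that an agent with this shape is the most privileged workload on the node: it runs as root on every host with a kernel-level foothold. Pin the image by digest, keep the namespace out of reach of ordinary tenants via RBAC, and treat edits to this DaemonSet as a change to the cluster's trusted computing base rather than a routine deployment.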