Kodem now supports EC2 Side Scanning for Amazon EC2 Linux VMs.
This capability uses EC2 snapshots to perform SBOM analysis without placing the initial scan workload directly on the running VM. The Kodem Linux sensor remains installed on the VM for continuous runtime monitoring and protection.
The result is a lower-friction deployment model for product security teams that need faster VM visibility without increasing operational risk during onboarding.
The deployment problem
VM security coverage is often constrained by deployment friction.
Security teams need early visibility into installed packages, vulnerable components, and workload risk. Infrastructure teams need to understand what runs on the VM, what permissions are required, and whether the scan can affect production performance.
That creates a practical delay: the team cannot prioritize what it cannot see, but the infrastructure team may not approve deeper instrumentation until the security value is clear.
This is especially visible during POVs. Time to first result matters. A slow or heavy VM onboarding path can make it harder for security teams to demonstrate coverage, prioritize risk, and build confidence with infrastructure owners.
EC2 Side Scanning addresses this by separating initial software inventory analysis from continuous runtime monitoring.
How EC2 Side Scanning Performs Snapshot-Based SBOM Analysis
Kodem can now analyze Amazon EC2 Linux VM snapshots for SBOM results.
During setup, customers deploy a dedicated CloudFormation stack. The stack creates the IAM role and permissions needed for snapshot-based scanning.
The Linux sensor still runs on the VM. It provides continuous runtime monitoring and protection after deployment.
This gives customers two complementary layers:
Customers who prefer the existing approach can continue using standalone VM scanning without changing their workflow.

Why Snapshot-Based Scanning Reduces Workload Impact
Initial inventory and runtime monitoring are different security jobs.
Inventory analysis needs to be fast, repeatable, and low impact. Runtime monitoring needs to observe the actual workload over time.
When both jobs are forced through the same operational path, onboarding becomes harder than it needs to be. Teams may delay deployment because they are concerned about scan load, agent behavior, or production impact.
EC2 Side Scanning gives teams a cleaner split:
- Use snapshots to get initial SBOM visibility.
- Use the Linux sensor for ongoing runtime evidence and protection.
This reduces workload impact during the first scan while preserving the runtime layer required for deeper security context.
The distinction is architectural, not cosmetic.
Kodem does not remove the sensor. The sensor remains the source of continuous runtime monitoring and protection. Side scanning reduces the cost of the initial SBOM step.
EC2 Side Scanning Deployment Flow: CloudFormation and IAM Setup
To use EC2 Side Scanning, customers follow the updated Amazon EC2 Linux VM deployment flow.
The process is:
- Deploy the Kodem Linux sensor on the VM.
- Deploy the dedicated CloudFormation stack.
- Grant the IAM permissions required for snapshot-based scanning.
- Allow Kodem to analyze EC2 snapshots for SBOM results.
- Continue using the Linux sensor for runtime monitoring and protection.
This model keeps cloud permissions, software inventory analysis, and runtime monitoring clearly separated.
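Infrastructure owners who need to see what permissions a snapshot-scanning stack requests can check the IAM role in its template before deploying it. The following is an added example, not Kodem's code or template: it reviews a parsed JSON CloudFormation template for wildcard actions, write actions on `Resource: *`, and an account trust that lacks an `sts:ExternalId` condition. The role name, account ID and permissions in the sample are constructed.

```python
import json

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def as_list(value):
    """IAM accepts a single string/object or a list in these fields."""
    return value if isinstance(value, list) else [value]

def review_role(name, props):
    findings = []
    # Trust policy: an AWS account principal should be pinned with sts:ExternalId.
    trust = props.get("AssumeRolePolicyDocument", {})
    for stmt in as_list(trust.get("Statement", [])):
        principal = stmt.get("Principal", {})
        is_account = isinstance(principal, dict) and "AWS" in principal
        if is_account and "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{name}: account trust without sts:ExternalId")
    # Inline permissions: flag wildcard actions and unscoped non-read actions.
    for policy in props.get("Policies", []):
        for stmt in as_list(policy["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            unscoped = "*" in as_list(stmt.get("Resource", []))
            for action in as_list(stmt.get("Action", [])):
                verb = action.split(":")[-1]
                if "*" in action:
                    findings.append(f"{name}: wildcard action {action}")
                elif unscoped and not verb.startswith(READ_ONLY_PREFIXES):
                    findings.append(f"{name}: {action} allowed on Resource *")
    return findings

def review_template(template):
    """Return findings for every AWS::IAM::Role in a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            findings += review_role(name, res.get("Properties", {}))
    return findings

# Constructed sample template (hypothetical role, account ID and permissions).
SAMPLE = {"Resources": {"ScannerRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole"}]},
    "Policies": [{"PolicyName": "scan", "PolicyDocument": {"Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["ec2:DescribeSnapshots", "ec2:CreateSnapshot", "ec2:*"]}]}}]}}}}

if __name__ == "__main__":
    print("\n".join(review_template(SAMPLE)))
```

The check covers inline `Policies` on `AWS::IAM::Role` resources only; managed policies attached by ARN need a separate lookup.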
Product Security Impact
EC2 Side Scanning helps product security teams in three ways.
First, it improves the time to first VM results. Teams can get initial SBOM visibility faster, which is useful during POVs and early rollout phases.
Second, it reduces operational concern. Snapshot-based analysis limits the need to run the initial scan directly on the live workload.
Third, it preserves runtime context. Kodem still uses the Linux sensor to monitor the running VM, which is required for ongoing security evidence and protection.
The practical benefit is faster onboarding without weakening the runtime model.
Conclusion
VM security programs need faster visibility with less operational overhead.
EC2 Side Scanning gives Kodem customers a lower-friction way to generate SBOM results for Amazon EC2 Linux VMs while keeping continuous runtime monitoring on the workload.
For product security teams, the benefit is straightforward: faster initial VM evidence, reduced scan impact, and a deployment model that is easier to approve.