Automatically prioritizing computing resource configurations for remediation

US11516222B1 · US · B1

Patent metadata
Publication number: US-11516222-B1
Application number: US-202017034875-A
Country: US
Kind code: B1
Filing date: Sep 28, 2020
Priority date: Sep 28, 2020
Publication date: Nov 29, 2022
Grant date: Nov 29, 2022

Abstract

Official abstract text for this publication.

Systems and methods for automatically prioritizing computing resource configurations for remediation include receiving information describing configuration issues that may result in impaired system performance or unauthorized access, parsing that information, and automatically analyzing configuration details of a user's private computing environment to determine that assets provide an environment in which those configuration issues may be exploited to produce undesired results. Such systems and methods can generate assessments indicating the likelihood that an issue can be exploited and the potential impacts of its being exploited, and can use these assessments to generate a report prioritizing remediation of specific configuration issues for specific vulnerable assets based on the actual configuration of the user's computing resources and the data managed using those resources. Issues deemed to have a higher likelihood of resulting in problems can be prioritized over configuration issues which may appear to have severe consequences but which are unlikely to affect the user's resources.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising one or more processors and memory storing computer-executable instructions that, when executed by the one or more processors, cause the system to: retrieve account information of a user account from a datastore of a computing resource service provider, wherein the account information identifies a virtual machine instance (VMI) operating in a private computing environment of the user within a computing environment of the computing resource service provider; execute a database query to retrieve a vulnerability description from a vulnerability datastore, the vulnerability description being associated with a vulnerability and including information that encodes a baseline priority score, a baseline access score, and a baseline privilege score; parse the vulnerability description to determine a first software package associated with the vulnerability and the baseline priority score, the baseline access score, and the baseline privilege score; retrieve device configuration information associated with the VMI from a datastore of the computing resource service provider, the VMI configured by the computing resource service provider in accordance with the device configuration information; parse the device configuration information to identify a group of software packages installed within the VMI; determine that the first software package is in the group of software packages installed within the VMI; retrieve network configuration information of the private computing environment that defines a maximum level of network access to the VMI; determine a maximum privilege level allowed for applications executing within the VMI defined by the device configuration information; convert the maximum level of network access to a system access score according to a predefined vulnerability metric definition; convert the maximum privilege level to a system privilege score according to the predefined vulnerability metric definition; generate a vulnerability priority score for the vulnerability by providing the baseline priority score, the baseline access score, the baseline privilege score, the system access score, and the system privilege score as inputs to a weighting function specified by the predefined vulnerability metric definition that outputs the vulnerability priority score for the vulnerability according to weighting rules specified by the vulnerability metric definition; and display a vulnerability report to the user via a user interface provided by the computing resource service provider, the vulnerability report identifying the vulnerability and associating the vulnerability with the vulnerability priority score.

2. The system of claim 1, wherein the instructions, when executed by the one or more processors, further cause the system to: provide the network configuration information to a network access analysis service to determine that the maximum level of network access to the VMI does not allow communication between the VMI and a public network outside the computing environment of the computing resource service provider; wherein providing the baseline access score, the baseline privilege score, the system access score, and the system privilege score as inputs to the weighting function causes the vulnerability priority score for the vulnerability to indicate a lower priority than indicated by the baseline priority score for remediating the vulnerability according to the vulnerability metric definition.

3. The system of claim 1, wherein the vulnerability description includes an indication that exploiting the vulnerability enables unauthorized access to data; and wherein the instructions, when executed by the one or more processors, further cause the system to: retrieve an access policy of the private computing environment that defines datastores that may be accessed from the VMI; query a data management service to determine respective data sensitivity levels associated with each of the datastores; convert a highest data sensitivity level of the respective data sensitivity levels to a data sensitivity score according to the vulnerability metric definition; and provide the data sensitivity score as an additional input to the weighting function specified by the vulnerability metric definition.

4. The system of claim 1, wherein the instructions, when executed by the one or more processors, further cause the system to: determine that the vulnerability description indicates that exploiting the vulnerability enables a software application to execute with an elevated privilege level; determine that the elevated privilege level is higher than the maximum privilege level; calculate a privilege escalation score that corresponds to the maximum privilege level; and provide the privilege escalation score as an additional input to the weighting function, causing the vulnerability priority score to indicate a higher priority than indicated by the baseline priority score for remediating the vulnerability according to the vulnerability metric definition.

5. The system of claim 1, wherein the instructions, when executed by the one or more processors, further cause the system to: store first device configuration information of the VMI as a first configuration of the VMI; retrieve second device configuration information associated with the VMI; determine that the second device configuration information is not identical to the first device configuration information; reevaluate the vulnerability description with respect to the second device configuration information to generate an updated vulnerability priority score for the vulnerability; and update the vulnerability report to associate the vulnerability with the updated vulnerability priority score.

6. A system comprising one or more processors and memory storing computer-executable instructions that, when executed by the one or more processors, cause the system to: retrieve a vulnerability description associated with a vulnerability, the vulnerability description indicating a required configuration characteristic of a computing device to exploit the vulnerability, a baseline priority score for the vulnerability, and that exploiting the vulnerability may permit unauthorized access to computing resources; determine a vulnerability metric definition associated with the vulnerability description; determine that first device configuration information of a virtual machine instance (VMI) operating within a private computing environment provided by a computing resource service provider within a computing environment of the computing resource service provider on behalf of a user has the required configuration characteristic; determine a level of data sensitivity for information accessible from the VMI; and generate a vulnerability priority score for the vulnerability by: converting the level of data sensitivity for information accessible from the VMI into a data sensitivity score; and providing the baseline priority score and the data sensitivity score as inputs to a weighting function specified by the vulnerability metric definition, the weighting function configured to output a vulnerability priority score for the vulnerability according to weighting rules specified by the vulnerability metric definition; and display a vulnerability report to the user that identifies the vulnerability and associates the vulnerability with the vulnerability priority score via a user interface provided by the computing resource service provider.

7. The system of claim 6, wherein the vulnerability description indicates that access to the VMI via a public network outside the computing environment of the computing resource service provider is required to exploit the vulnerability and the instructi
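The scoring pipeline of claims 1 through 4 in working form, as an added Python example that is not part of the patent or of any Amazon implementation. The conversion tables, the weights and the weighting formula are assumptions made here for illustration, since the claims specify only the inputs to the weighting function and the direction of each adjustment (lower when the VMI has no public network access, higher when the vulnerability escalates above the VMI's maximum privilege, and data sensitivity as an additional input); the package name and both VMI configurations are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed "vulnerability metric definition": the conversion tables that claim 1
# applies to network access and privilege level, plus the weights used below (0-10 scale).
NETWORK_ACCESS_SCORE = {"none": 0.0, "vpc_internal": 4.0, "public": 10.0}
PRIVILEGE_SCORE = {"unprivileged": 2.0, "service": 5.0, "root": 10.0}
SENSITIVITY_SCORE = {"public": 0.0, "internal": 4.0, "confidential": 7.0, "restricted": 10.0}
ESCALATION_WEIGHT = SENSITIVITY_WEIGHT = 0.2

@dataclass(frozen=True)
class VulnDescription:             # fields parsed from the vulnerability datastore
    package: str                   # affected software package
    baseline_priority: float       # severity assuming a worst-case deployment
    baseline_access: float         # network access the exploit assumes (0-10)
    baseline_privilege: float      # privilege the exploit needs to run (0-10)
    escalates_to: str | None = None  # privilege level gained, if any (claim 4)
    exposes_data: bool = False     # enables unauthorized data access (claim 3)

@dataclass(frozen=True)
class VmiConfig:                   # fields parsed from device/network configuration
    packages: frozenset            # software installed within the VMI
    max_network_access: str        # key of NETWORK_ACCESS_SCORE
    max_privilege: str             # key of PRIVILEGE_SCORE
    data_sensitivity: str = "public"  # highest level reachable under the access policy

def vulnerability_priority(vuln: VulnDescription, vmi: VmiConfig) -> float | None:
    """Contextual priority for one (vulnerability, VMI) pair; None if not applicable."""
    if vuln.package not in vmi.packages:       # claim 1: the package must be installed
        return None
    system_access = NETWORK_ACCESS_SCORE[vmi.max_network_access]
    system_privilege = PRIVILEGE_SCORE[vmi.max_privilege]
    # Assumed weighting rule: the baseline applies only to the extent that the access
    # and privilege the exploit assumes are actually available on this VMI (claim 2).
    access_factor = min(system_access / vuln.baseline_access, 1.0) if vuln.baseline_access else 1.0
    privilege_factor = min(system_privilege / vuln.baseline_privilege, 1.0) if vuln.baseline_privilege else 1.0
    score = vuln.baseline_priority * access_factor * privilege_factor
    # Claim 4: escalation above the VMI's allowed maximum raises the priority, more so
    # the lower that maximum is (the escalation score corresponds to the maximum level).
    if vuln.escalates_to and PRIVILEGE_SCORE[vuln.escalates_to] > system_privilege:
        score += (10.0 - system_privilege) * ESCALATION_WEIGHT
    if vuln.exposes_data:                      # claim 3: reachable data sensitivity
        score += SENSITIVITY_SCORE[vmi.data_sensitivity] * SENSITIVITY_WEIGHT
    return round(min(score, 10.0), 1)

# Constructed sample: one vulnerability description evaluated against two VMIs.
SAMPLE_VULN = VulnDescription("libexample", 7.5, 10.0, 2.0, escalates_to="root", exposes_data=True)
EDGE_VMI = VmiConfig(frozenset({"libexample", "nginx"}), "public", "root", "restricted")
BATCH_VMI = VmiConfig(frozenset({"libexample"}), "vpc_internal", "unprivileged", "internal")
```

The same baseline of 7.5 scores 9.5 on the internet-facing, root-capable VMI holding restricted data and 5.4 on the internal-only, unprivileged VMI, which is the per-asset ordering the report in claim 1 is meant to present.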

Assignees

Amazon Tech Inc

Classifications

  • Generation of reports · CPC title

  • comprising specially adapted graphical user interfaces [GUI] · CPC title

  • Checking the configuration · CPC title

  • using network fault recovery (ring fault isolation or reconfiguration in loop networks without recovery actions by a network management system H04L12/437) · CPC title

  • Isolation or security of virtual machine instances · CPC title

Frequently asked questions


Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/105. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 29, 2022 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).