This blog will cover the AWS Inspector Use cases, Limitations and Pricing related information. This is continuation to blog “Getting Started with AWS Inspector”
Following are the different use cases for AWS Inspector
- Inspector helps perform “Runtime behaviour analysis” which addresses the following
- Identify ports that are open without any service running on it. Say for example port 3306 might be opened but MySQL is not running on that port
- Identify insecure protocols being used for communication and provides recommendations such as
- HTTPS instead of HTTP
- FTPS instead of FTP
- SMTPS instead of SMTP
- POP3/SSL instead of POP3
- IMAP4/SSL instead of IMAP4
- Identify root processes that can be modified by unauthorized users. Such as apache2 service running on non-root user which can be accessed by anyone other than the root user
- Inspector helps impose “AWS defined security best practices” for the resources running on AWS such as
- Disabling password authentication over SSH for EC2 instances
- Disabling root login over SSH
These best practices are also industry recommended to safeguard from attacks at the first step.
- Inspector helps assess common Security Vulnerabilities using “AWS defined security best practices” which is integrated with “The MITRE Corporation”. It defines the standard for common security vulnerability or exposures- names, numbers, ids, descriptions and its mitigations.
- Inspector helps identify vulnerabilities and exposures at the Operating System by referring to the benchmarks defined by “Center for Internet Security (CIS)”
- Inspector action can be scheduled to run automatically by writing a LAMBDA code which can run on a scheduled basis (daily, weekly, fortnightly etc.,) to trigger Inspector Templates. These templates will generate security findings when the execution is complete
- Inspector “Run Assessment templates” can be run on production instances as it doesn’t take much computing resources. It can also be run on a QA machine to generate findings to be sure and patch them in your production environment.
- Inspector allows notification by configuring Assessment template with a SNS topic. From SNS, trigger a Lambda code to consolidate the findings of the inspection based on severity of the findings and create tickets in your project/support management tools like JIRA, Zendesk, Redmine etc.,
- Inspector Assessment Template allows specifying tags to be included as part of the findings. When downloading the findings in a CSV format, these tags are also included. This will help filter the findings based on user defined criteria. For example, from the list of findings we can easily filter out the ones based on user-defined tag “Production = true”.
There are some limitations to AWS inspector now which are listed below. Hope they will be addressed in the future soon
- Inspector can be used to assess only the EC2 instances currently. Though expectation is to include S3 and other AWS services as per the roadmap
- Inspector do not support external systems or services
- There is no graphical dashboard to show the statistics and metrics collected. Usually vulnerability assessment tools provide charts in different format to project the different metrics. This is lacking right now.
- Currently, it takes 1-2 weeks for build test and validation of new kernel versions. Aiming to complete this in 1 day (roadmap)
- Support for newer distributions is expected to take longer time and there is no SLA at the moment. For example support for Cirros is not there at the moment and if it has to be included it will take longer turnaround time
- No option to import custom rules packages. It is completely defined and managed by AWS
- Requires agent to run in the assessment targets (EC2 instances) to initiate and complete the inspection
- No option to apply security patches through AWS console, requires manual action for all findings
- No option to export findings with description and recommendation in a PDF/Word. Most tools in the market provide capability to generate such reports
- Vulnerability assessment for the data is not available. So assessing Databases, files, logs etc., are not possible now
Inspector is an agent based security assessment service. When defining a “Assessment Target” in Inspector, need to mention the EC2 tags to filter out the EC2 instances that will be used as target for Inspector Security assessment.
Consider there are 3 EC2 instances having a common tag “Production = true”. If the assessment target is defined to filter out the agents having tag as “Production = true”, then all these 3 EC2 instances will be picked for assessment. So there will be 3 agent executions when the template is executed. AWS will charge based on the number of agent executions per month.
Suppose if one of the EC2 instance having the tag “Production = true” is terminated, then executing the same assessment template will be run only on the 2 remaining agents having the tag “Production = true”
- Pricing is based on the number of agents assessed
- AWS agent though running in EC2 instance it will not be charged as long as an assessment template is initiated. So AWS agent can be running all the time or it can be started before an assessment is initiated
- AWS agent running in an EC2 instance will transfer the data collected only when the assessment template is initiated and till the duration of the assessment
For 90-days after getting started with AWS inspector, there will be no charge when the number of agent-assessment is below 250 each month.
|Per billing period (month)||Per Agent-assessment Price|
|First 250 agent-assessments||$0.30|
|Next 750 agent-assessments||$0.25|
|Next 4,000 agent-assessments||$0.15|
|Next 45,000 agent-assessments||$0.10|
|All other agent-assessments||$0.05|
Inspector is a maturing security assessment service from AWS which covers basic security checks now. On the long run, it is expected to cover almost all security checks required for a production system running in AWS. As the pricing is based on the number of assessment runs, it seems cheaper than to invest a huge amount of money on other security assessment tools.