Getting Started with AWS Inspector


Introduction

Amazon Inspector is an AWS service that performs security assessments of AWS resources such as EC2 instances and identifies potential security issues. It reports each issue with a severity and the recommendation needed to fix it, which helps keep AWS cloud resources secure and protected from known vulnerabilities.

This blog covers the steps involved in working with AWS Inspector, from configuring the prerequisites to addressing the findings. Each step is explained for both the AWS console and the API, so this post can serve as a getting-started guide to AWS Inspector.

Terminologies

Terminology: Description

AWS agent: A software agent that runs on the EC2 instances; it monitors network traffic, the file system, process activity and so on, and collects the data that is sent to AWS Inspector.

Assessment Target: The set of resources on which the security assessment is performed. EC2 instances carrying the specified tags are treated as the assessment target.

Assessment Template: The configuration that specifies which rules packages are run against the assessment target.

Assessment Run: A security check executed on an assessment target according to an assessment template; a run is created by executing the template.

Finding: An observation from an assessment run, containing the severity, description and recommendation for each security issue.

Rules: Security checks performed by the AWS agent on the assessment target.

Rules Packages: A rules package is a collection of rules; each package defines a security goal for the assessment.

How it works?

Inspector is an agent-based security assessment service that runs on AWS resources such as EC2 instances. When an assessment is started on a target, the agents on that target are notified, and they monitor and collect data on network traffic, the file system, process activity and so on. The collected data is consolidated and grouped under the rules in the assessment template, and the vulnerabilities and security issues identified are reported as the findings of the assessment run.

Each finding carries a severity (Low, Medium, High or Informational), a description of the finding and a recommendation for fixing the issue.

Steps Involved in detail

The following diagram (not reproduced here) shows the steps involved in configuring and using AWS Inspector.

1- Prerequisites

The following prerequisites must be configured before starting with AWS Inspector.

1.1 Create a Role

On the getting-started page, assign an IAM role that allows Inspector to access other AWS services such as EC2 and SNS. No role is assigned by default, and assigning one is a prerequisite for using the Inspector service. The Inspector prerequisites page shows this step (screenshot not reproduced here).

Clicking the "Choose or create role" button opens a page where an IAM role can be created or chosen and assigned to the Inspector service (screenshot not reproduced here).

1.2 Tag EC2 Instances

To include EC2 resources in an assessment run, create a tag on each EC2 instance. Tags are key-value pairs, and each instance can carry several of them. For example, with several EC2 instances, a tag named "Environment" can be used to mark which instances are to be included in the assessment run.

The tags of an EC2 instance are shown on the instance's Tags tab in the console (screenshot not reproduced here).

1.3 Install AWS Agent on EC2 Instances

The AWS agent must be installed on each target EC2 instance. The commands and steps for managing the agent on Linux and Windows machines are listed below.

Download Agent
  Linux: wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
  Windows: download the installer from https://d1wk0tztpsntt1.cloudfront.net/windows/installer/latest/AWSAgentInstall.exe

Install Agent
  Linux: sudo bash install
  Linux, with auto-update disabled: sudo bash install -u false
  Windows: run AWSAgentInstall.exe

Start Agent
  Linux: sudo /etc/init.d/awsagent start
  Windows: Start -> Run -> services.msc, right-click the "AWS Agent Service" and click "Start"

Stop Agent
  Linux: sudo /etc/init.d/awsagent stop
  Windows: Start -> Run -> services.msc, right-click the "AWS Agent Service" and click "Stop"

Uninstall Agent
  AWS Linux, CentOS, RedHat: yum remove AwsAgent
  Ubuntu: apt-get remove awsagent
  Windows: Control Panel -> Add/Remove Programs, choose "AWS Agent" and click "Uninstall"

Agent Status
  Linux: sudo /opt/aws/awsagent/bin/awsagent status
  Windows: Start -> Run -> services.msc, check the status of "AWS Agent Service"

2- Define Assessment Target

The assessment target is the set of EC2 instances to be inspected. In the "Define Assessment Target" window, provide a name for the assessment target and specify the tag used to pick the instances.

In this example, we use the EC2 instances with the tag name "Environment" and the value "QA". When multiple tags are specified, EC2 instances with any of these tags will be picked for the assessment (screenshot not reproduced here).

2.1- API Details

Action: CreateResourceGroup

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateResourceGroup.html

Request:

POST {
  "resourceGroupTags": [
    {
      "key": "string",
      "value": "string"
    }
  ]
}

Sample Response:

{
  "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv"
}

Action: CreateAssessmentTarget

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTarget.html

Request:

POST {
  "assessmentTargetName": "string",
  "resourceGroupArn": "string"
}

Sample Response:

{
  "assessmentTargetArn": "string"
}

Action: DescribeAssessmentTargets

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTargets.html

Request:

POST {
  "assessmentTargetArns": [ "string" ]
}

Sample Response:

{
  "assessmentTargets": [
    {
      "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
      "createdAt": 1458074191.459,
      "name": "ExampleAssessmentTarget",
      "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI",
      "updatedAt": 1458074191.459
    }
  ],
  "failedItems": {}
}

3- Define Assessment Template

The assessment template is where we specify the rules packages and the duration of the assessment run. Multiple rules packages can be selected; currently Inspector provides 4 packages. There is no option to import new packages, as the packages are defined and owned by AWS.

Duration specifies how long the assessment is expected to run and defaults to 1 hour. There are 5 options to choose from: 15 minutes, 1 hour (recommended), 8 hours, 12 hours and 24 hours. With a longer duration, more findings can be expected.

The SNS topic is an optional input and can be added after the template is created. By subscribing to the SNS topic, a user is notified when the assessment is completed.

Note: Currently there is no option to edit an assessment template, so verify the template carefully before creating it.

3.1- Rules Packages

As mentioned, there are currently 4 rules packages. All of them are defined and owned by AWS, and users cannot add rules packages of their own.

Rules package: Description

Security Best Practices-1.0: Helps identify whether the systems are configured securely. Example rules: Disable root login over SSH, Disable Password Authentication Over SSH, Configure Permissions for System Directories.

Runtime Behavior Analysis-1.0: Checks the runtime behavior of the EC2 instances. Example rules: Unused Listening TCP Ports, Root process with insecure permissions, Insecure Server Protocols (such as HTTP, FTP).

Common Vulnerabilities and Exposures-1.: Assesses the instances for Common Vulnerabilities and Exposures (CVEs), helping identify unpatched vulnerabilities that can compromise security, confidentiality and integrity.

CIS Operating System Security Configuration Benchmarks-1.0: The "Center for Internet Security" is a non-profit organization that defines benchmark rules packages for securing systems at the operating-system level. Examples: CIS Benchmark for Amazon Linux 2014.09-2015.03, v1.1.0, Level 1 Profile; CIS Benchmark for Microsoft Windows Server 2012 R2, v2.2.0, Level 1 Domain Controller Profile.

3.2- API Details

Action: ListRulesPackages

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_ListRulesPackages.html

Request:

POST {}

Sample Response:

{
  "rulesPackageArns": [
    "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
    "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc",
    "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ",
    "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD"
  ]
}

Action: DescribeRulesPackages

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeRulesPackages.html

Request:

POST {
  "locale": "string",
  "rulesPackageArns": [ "string" ]
}

Sample Response:

{
  "failedItems": {},
  "rulesPackages": [
    {
      "arn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
      "description": "The rules in this package help verify whether the EC2 instances in your application are exposed to Common Vulnerabilities and Exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference for publicly known information security vulnerabilities and exposures. For more information, see https://cve.mitre.org/. If a particular CVE appears in one of the produced Findings at the end of a completed Inspector assessment, you can search https://cve.mitre.org/ using the CVE's ID (for example, \"CVE-2009-0021\") to find detailed information about this CVE, its severity, and how to mitigate it. ",
      "name": "Common Vulnerabilities and Exposures",
      "provider": "Amazon Web Services, Inc.",
      "version": "1.1"
    }
  ]
}

Action: CreateAssessmentTemplate

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTemplate.html

Request:

POST {
  "assessmentTargetArn": "string",
  "assessmentTemplateName": "string",
  "durationInSeconds": number,
  "rulesPackageArns": [ "string" ],
  "userAttributesForFindings": [
    {
      "key": "string",
      "value": "string"
    }
  ]
}

Sample Response:

{
  "assessmentTemplateArn": "string"
}

Action: DescribeAssessmentTemplates

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTemplates.html

Request:

POST {
  "assessmentTemplateArns": [ "string" ]
}

Sample Response:

{
  "assessmentTemplates": [
    {
      "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
      "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
      "createdAt": 1458074191.844,
      "durationInSeconds": 3600,
      "name": "ExampleAssessmentTemplate",
      "rulesPackageArns": [
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
      ],
      "userAttributesForFindings": []
    }
  ],
  "failedItems": {}
}
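The rules-package ARNs above belong to AWS's own account and differ by region, so a script that creates templates should resolve them by name rather than hard-code them. The following is an added example (not code from the original post) using boto3: pick_arns is a pure helper over a DescribeRulesPackages-shaped response, and SAMPLE_DESCRIBE is constructed data (only its first ARN and name come from this page; the second entry is a placeholder).

```python
"""Resolve Inspector rules-package ARNs by package name.

Added example, not from the original post. resolve_rules_package_arns needs
boto3 and AWS credentials; pick_arns is pure and works on the
DescribeRulesPackages response shape shown above.
"""

def pick_arns(described, wanted_names):
    """Map each wanted package name to its ARN.

    Raises KeyError for a name the region does not offer, so a typo does not
    silently produce a template that runs fewer checks than intended.
    """
    by_name = {pkg["name"]: pkg["arn"] for pkg in described.get("rulesPackages", [])}
    missing = [name for name in wanted_names if name not in by_name]
    if missing:
        raise KeyError("rules packages not available in this region: %s" % missing)
    return [by_name[name] for name in wanted_names]


def resolve_rules_package_arns(wanted_names, region_name="us-west-2"):
    """ListRulesPackages, then DescribeRulesPackages, then select by name."""
    import boto3  # imported lazily so pick_arns needs no AWS SDK

    client = boto3.client("inspector", region_name=region_name)
    arns = client.list_rules_packages()["rulesPackageArns"]  # currently 4, one page
    described = client.describe_rules_packages(rulesPackageArns=arns, locale="EN_US")
    return pick_arns(described, wanted_names)


# Constructed sample in the DescribeRulesPackages shape; the second entry is a placeholder.
SAMPLE_DESCRIBE = {
    "failedItems": {},
    "rulesPackages": [
        {"arn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
         "name": "Common Vulnerabilities and Exposures",
         "provider": "Amazon Web Services, Inc.", "version": "1.1"},
        {"arn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-EXAMPLE2",
         "name": "Security Best Practices",
         "provider": "Amazon Web Services, Inc.", "version": "1.0"},
    ],
}

if __name__ == "__main__":
    print(pick_arns(SAMPLE_DESCRIBE, ["Common Vulnerabilities and Exposures"]))
```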

4- Run Assessment Templates

After the above are defined, navigate to the "Assessment Templates" page in the AWS console, select the template and click "Run". This runs the assessment template against the target for the specified duration. When the run is complete, the number of findings is shown at template level on the "Assessment Templates" page.

4.1- Assessment Runs

This page lists the history of assessment runs. For each run it shows:

- the assessment template used for the inspection
- the assessment target on which the inspection was done
- the start and end time of the assessment
- the status of the assessment run
- the number of findings

(Screenshot of the Assessment Runs page not reproduced here.)

4.2- API Details

Action: StartAssessmentRun

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_StartAssessmentRun.html

Request:

POST {
  "assessmentRunName": "string",
  "assessmentTemplateArn": "string"
}

Sample Response:

{
  "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY"
}

Action: DescribeAssessmentRuns

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentRuns.html

Request:

POST {
  "assessmentRunArns": [ "string" ]
}

Sample Response:

{
  "assessmentRuns": [
    {
      "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
      "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
      "completedAt": 1458680301.4,
      "createdAt": 1458680170.035,
      "dataCollected": true,
      "durationInSeconds": 3600,
      "name": "Run 1 for ExampleAssessmentTemplate",
      "notifications": [],
      "rulesPackageArns": [
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
      ],
      "startedAt": 1458680170.161,
      "state": "COMPLETED",
      "stateChangedAt": 1458680301.4,
      "stateChanges": [
        { "state": "CREATED", "stateChangedAt": 1458680170.035 },
        { "state": "START_DATA_COLLECTION_PENDING", "stateChangedAt": 1458680170.065 },
        { "state": "START_DATA_COLLECTION_IN_PROGRESS", "stateChangedAt": 1458680170.096 },
        { "state": "COLLECTING_DATA", "stateChangedAt": 1458680170.161 },
        { "state": "STOP_DATA_COLLECTION_PENDING", "stateChangedAt": 1458680239.883 },
        { "state": "DATA_COLLECTED", "stateChangedAt": 1458680299.847 },
        { "state": "EVALUATING_RULES", "stateChangedAt": 1458680300.099 },
        { "state": "COMPLETED", "stateChangedAt": 1458680301.4 }
      ],
      "userAttributesForFindings": []
    }
  ],
  "failedItems": {}
}
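Sections 2 to 4 are one procedure: resource group, assessment target, assessment template, run, then polling DescribeAssessmentRuns. The following is an added example (not code from the original post) that chains those calls with boto3 for the Environment=QA tag used above; the terminal-state set is taken from the Inspector AssessmentRunState values rather than from this page, the rules-package ARNs must be supplied by the caller, and state_durations is a pure helper over the stateChanges list shown in the sample response.

```python
"""Tag -> resource group -> target -> template -> run, then wait for the run.

Added example, not from the original post. run_assessment needs a boto3
Inspector client; rules_package_arns must be valid for the region. TERMINAL_STATES
come from the Inspector AssessmentRunState values; state_durations is pure and
works on the stateChanges list shown in the DescribeAssessmentRuns response.
"""
import time

TERMINAL_STATES = {"COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED", "ERROR", "CANCELED"}

def state_durations(state_changes):
    """Seconds spent in each non-final state, e.g. how long COLLECTING_DATA ran."""
    ordered = sorted(state_changes, key=lambda c: c["stateChangedAt"])
    return {cur["state"]: round(nxt["stateChangedAt"] - cur["stateChangedAt"], 3)
            for cur, nxt in zip(ordered, ordered[1:])}

def run_assessment(client, name, tag_key, tag_value, rules_package_arns,
                   duration_seconds=3600, poll_seconds=30, timeout_seconds=None):
    """Assess the EC2 instances tagged tag_key=tag_value; return the final run."""
    group = client.create_resource_group(
        resourceGroupTags=[{"key": tag_key, "value": tag_value}])
    target = client.create_assessment_target(
        assessmentTargetName=name, resourceGroupArn=group["resourceGroupArn"])
    template = client.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=name + "-template", durationInSeconds=duration_seconds,
        rulesPackageArns=rules_package_arns,
        # stamped on every finding, so ListFindings can later filter by userAttributes
        userAttributesForFindings=[{"key": tag_key, "value": tag_value}])
    run = client.start_assessment_run(
        assessmentTemplateArn=template["assessmentTemplateArn"],
        assessmentRunName=name + "-run")
    # Data collection lasts durationInSeconds, then rules are evaluated; allow slack.
    deadline = time.time() + (timeout_seconds or duration_seconds + 900)
    while True:
        desc = client.describe_assessment_runs(
            assessmentRunArns=[run["assessmentRunArn"]])["assessmentRuns"][0]
        if desc["state"] in TERMINAL_STATES:
            return desc
        if time.time() > deadline:
            raise TimeoutError("run still in state " + desc["state"])
        time.sleep(poll_seconds)

if __name__ == "__main__":  # live call; needs boto3 and AWS credentials
    import boto3
    final = run_assessment(boto3.client("inspector", region_name="us-west-2"), "qa-hosts",
                           "Environment", "QA", ["<rules package ARN from ListRulesPackages>"])
    print(final["state"], state_durations(final["stateChanges"]))
```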

5- View Findings

The AWS console has a page for viewing the findings of the assessment runs. Each finding carries a reference to its rules package, a description and a recommendation for fixing the security issue.

Follow the recommendations to fix the issues and keep the system secure (screenshot of the Findings page not reproduced here).

5.1- API Details

Action: ListFindings

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_ListFindings.html

Request:

POST {
  "assessmentRunArns": [ "string" ],
  "filter": {
    "agentIds": [ "string" ],
    "attributes": [
      {
        "key": "string",
        "value": "string"
      }
    ],
    "autoScalingGroups": [ "string" ],
    "creationTimeRange": {
      "beginDate": number,
      "endDate": number
    },
    "ruleNames": [ "string" ],
    "rulesPackageArns": [ "string" ],
    "severities": [ "string" ],
    "userAttributes": [
      {
        "key": "string",
        "value": "string"
      }
    ]
  },
  "maxResults": number,
  "nextToken": "string"
}

Sample Response:

{
  "findingArns": [
    "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
    "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v/finding/0-tyvmqBLy"
  ]
}

Action: DescribeFindings

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeFindings.html

Request:

POST {
  "findingArns": [ "string" ],
  "locale": "string"
}

Sample Response:

{
  "failedItems": {},
  "findings": [
    {
      "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
      "assetAttributes": {
        "ipv4Addresses": [],
        "schemaVersion": 1
      },
      "assetType": "ec2-instance",
      "attributes": [],
      "confidence": 10,
      "createdAt": 1458680301.37,
      "description": "Amazon Inspector did not find any potential security issues during this assessment.",
      "indicatorOfCompromise": false,
      "numericSeverity": 0,
      "recommendation": "No remediation needed.",
      "schemaVersion": 1,
      "service": "Inspector",
      "serviceAttributes": {
        "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
        "rulesPackageArn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP",
        "schemaVersion": 1
      },
      "severity": "Informational",
      "title": "No potential security issues found",
      "updatedAt": 1458680301.37,
      "userAttributes": []
    }
  ]
}

6- Fix Security Issues

Fix the security issues and vulnerabilities by following the recommendations in each finding; this is a manual activity. After fixing the issues, re-run the assessment template to confirm that they no longer appear in the findings.
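Confirming a fix means comparing the findings of the run before remediation with those of the re-run, and the "No potential security issues found" Informational finding shown in section 5.1 must not be counted as an issue. The following is an added example (not code from the original post): fetch_findings pages through ListFindings with the severities filter and batches DescribeFindings, while still_open matches findings across runs by (title, rulesPackageArn), an assumption made here because every run issues fresh finding ARNs; sample_finding builds constructed data in the DescribeFindings shape.

```python
"""Page through ListFindings, then check which issues a re-run still reports.

Added example, not from the original post. fetch_findings needs a boto3
Inspector client and AWS credentials; the other helpers are pure and use the
DescribeFindings shape shown above. Findings are matched across runs by
(title, rulesPackageArn), an assumption made here because every run issues
fresh finding ARNs.
"""
NO_ISSUE_TITLE = "No potential security issues found"  # Informational placeholder finding

def real_issues(findings):
    """Drop the 'nothing found' placeholder so it is not counted as an issue."""
    return [f for f in findings if f["title"] != NO_ISSUE_TITLE]

def finding_key(finding):
    return (finding["title"], finding["serviceAttributes"]["rulesPackageArn"])

def still_open(before, after):
    """Issues from the first run that the re-run (after remediation) still reports."""
    return {finding_key(f) for f in real_issues(before)} & {finding_key(f) for f in real_issues(after)}

def fetch_findings(client, run_arn, severities=("High", "Medium")):
    """All findings of one run at the given severities, following nextToken pages."""
    arns, token = [], None
    while True:
        kw = {"assessmentRunArns": [run_arn], "maxResults": 100,
              "filter": {"severities": list(severities)}}
        if token:
            kw["nextToken"] = token
        page = client.list_findings(**kw)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    found = []
    for i in range(0, len(arns), 10):  # DescribeFindings accepts at most 10 ARNs per call
        found.extend(client.describe_findings(findingArns=arns[i:i + 10],
                                              locale="EN_US")["findings"])
    return found

def sample_finding(title, severity,
                   pkg="arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"):
    """Constructed finding (sample data, not real Inspector output)."""
    return {"title": title, "severity": severity,
            "serviceAttributes": {"rulesPackageArn": pkg}}
```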

Inspector Use-cases and Limitations

Use cases and Limitations of AWS Inspector will be covered in another blog.
