AWS Inspector

Crishantha Nanayakkara
5 min read · Jun 20, 2020


A way to conduct vulnerability assessments for EC2 Instances

An Overview

Amazon Inspector is a vulnerability assessment service for your Amazon EC2 instances and the applications running on those instances.

It uses an on-host agent (Inspector Agent) to analyze the configuration and behavior of operating systems and applications to identify potential security exposures like common vulnerabilities and insecure configuration settings.

It carries out two (02) main kinds of assessment:

  1. Network Assessment : [Network Reachability]
  2. Host Assessment : [Common Vulnerabilities and Exposures, CIS benchmarking, Security Best Practices, Runtime behavior analysis]

Figure 1 — Inspector Assessments

As you can see in Figure 1, in order to run these assessments, especially the host assessment, you are required to install the Inspector Agent on the EC2 instance being assessed.

Inspector Agent Installation

There are two ways you can activate Inspector on your EC2 instances.

  1. Manual Installation on EC2
  2. Using the Inspector Target

The Manual Installation on EC2 (Linux)

Follow these steps to install the Amazon Inspector Agent on a Linux-based EC2 instance.

Step 1: Create an EC2 instance (t2.micro, Amazon Linux)

Step 2: Download the Agent installation script by executing one of the following:

wget https://inspector-agent.amazonaws.com/linux/latest/install
curl -O https://inspector-agent.amazonaws.com/linux/latest/install

Step 3: Install the Inspector Agent.

$ sudo bash install

The above command installs the Amazon Inspector Agent on your EC2 instance.

Using the Inspector Target

Step 1: Create another instance to showcase the Inspector Target option.

Use the following parameters while creating the EC2 instance.

Create an EC2 instance (t2.micro, Amazon Linux instance)
Security Group (Open port SSH(22) and HTTP(80))
Add two Tags (Name → MyInstance2, Inspector → true)
Assign the EC2SSMFullAccess IAM role to the EC2 instance (Systems Manager (SSM) is used to install the Inspector Agent in this example, so the instance needs SSM permissions)

Step 2: Creating an Inspector Target

This step defines a set of target EC2 instance(s). It filters the EC2 instances by the tag “Inspector → true”.

Go to AWS Console → Select Inspector → Click Assessment Targets → Click Create button to create an assessment target.

Name : EC2AssessmentTarget
Do not check the All Instances check box. Use the tag Inspector as the key and select true as the value
Check the Install Agents check box and finally click Save to save the target

Once you click the Save button, you will see the following (See Figure 2) with a SUCCESS message stating that the Inspector Agent has been installed on the selected EC2 instances using the SSM Run Command. Note that this happened without you signing in to the SSM console at all.

Figure 2 — Assessment Target Confirmation

To confirm this, select Assessment Targets again and select the Assessment Target that you created a minute ago (See Figure 3).

Figure 3 — Listing the Assessment Target you have created (EC2AssessmentTarget)

Now click the small arrow in front of EC2AssessmentTarget → Click the Preview Target button and, if all went well, you will see a HEALTHY instance on the screen (See Figure 4).

Figure 4 — A HEALTHY Inspector Target

You can further verify this by browsing the SSM Run Command history.

Go to Systems Manager → Select Run Command (under Instances and Nodes) → Select Command History
If “AmazonInspector-ManageAWSAgent” shows a status of “Success”, the SSM Run Command has been executed successfully (See Figure 5).

Figure 5 — At SSM RUN Command History Console

Now click the Command ID of the “AmazonInspector-ManageAWSAgent” command and you will see more details of the installation (See Figure 6).

Figure 6 — Details of the Inspector Agent installation

You now have an Inspector Target whose EC2 instances have the Inspector Agent installed. It is time to run an assessment on them.

For that, we need to create an Inspector Template.

Step 3: Creating an Inspector Template

Name: MyAssessmentTemplate
Target Name: EC2AssessmentTarget
Rules Packages:
<Select All 04 available packages>(Network Reachability, Security Best Practices, Common Vulnerabilities and Exposures, CIS Operating System Security Configuration Benchmarks)
Duration: 1 hour (recommended)
SNS Topic: <Not required>
Tags: <Select Tag Name Inspector and its value true>
Attributes:<Not required>
Assessment Schedule: <Not required> — uncheck this field.
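The same target and template as Steps 2 and 3, created through the Inspector Classic API with boto3. This is an added example, not code from the original post; it assumes the agent is already on the instances (the console's Install Agents option, which triggers the AmazonInspector-ManageAWSAgent SSM document, has no single API equivalent) and that the rules package names carry a version suffix such as "-1.0", so they are matched by prefix.

```python
"""Steps 2-3 with boto3 against Amazon Inspector Classic (added example)."""

# Rules packages as named in the Inspector console; the API names carry a
# version suffix such as "-1.0", so they are matched by prefix (assumption).
WANTED_PACKAGES = (
    "Network Reachability",
    "Security Best Practices",
    "Common Vulnerabilities and Exposures",
    "CIS Operating System Security Configuration Benchmarks",
)


def select_rules_packages(described, wanted=WANTED_PACKAGES):
    """Return the ARNs from describe_rules_packages()["rulesPackages"] whose
    name starts with one of the wanted package names, in API order."""
    return [p["arn"] for p in described
            if any(p["name"].startswith(w) for w in wanted)]


def create_target_and_template(region="us-east-1",
                               target_name="EC2AssessmentTarget",
                               template_name="MyAssessmentTemplate",
                               duration_seconds=3600):
    """Create the tag-scoped target and the 1-hour template, as the console does."""
    import boto3  # imported here so select_rules_packages() works without AWS access
    inspector = boto3.client("inspector", region_name=region)
    # Same filter as the console: only instances tagged Inspector=true.
    group_arn = inspector.create_resource_group(
        resourceGroupTags=[{"key": "Inspector", "value": "true"}])["resourceGroupArn"]
    target_arn = inspector.create_assessment_target(
        assessmentTargetName=target_name,
        resourceGroupArn=group_arn)["assessmentTargetArn"]
    # Equivalent of the console's Preview Target: an agent that is not HEALTHY
    # sends no telemetry, so surface it before a run is scheduled.
    unhealthy = [a["agentId"]
                 for a in inspector.preview_agents(previewAgentsArn=target_arn)["agentPreviews"]
                 if a.get("agentHealth") != "HEALTHY"]
    arns = inspector.list_rules_packages()["rulesPackageArns"]
    described = inspector.describe_rules_packages(rulesPackageArns=arns)["rulesPackages"]
    template_arn = inspector.create_assessment_template(
        assessmentTargetArn=target_arn,
        assessmentTemplateName=template_name,
        durationInSeconds=duration_seconds,
        rulesPackageArns=select_rules_packages(described))["assessmentTemplateArn"]
    return {"target_arn": target_arn, "template_arn": template_arn,
            "unhealthy_agents": unhealthy}
```

Call start_assessment_run(assessmentTemplateArn=...) on the returned template ARN to do what Step 4's run does; the ARNs in the test below are constructed placeholders.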

After entering the above details (See Figure 7), click Save to save the Assessment Template.

Figure 7 — Saving the Assessment Template

Step 4: Analyzing the Results using Assessment Runs

After letting the assessment run for 1 hour, you can analyze the results by visiting the Assessment Runs link.

Go to Inspector → Select Assessment Runs

Figure 8 — Assessment Runs

Click the small arrow next to the assessment run (See Figure 9).

Figure 9 — Assessment Run Details

Click Show Status button (at the bottom of the screen on Figure 9) to see the current status of the assessment (See Figure 10).

Figure 10 — Show Assessment Status

The status reads:

Amazon Inspector assessed EC2AssessmentTarget for 1 hour 1 minute 29 seconds. Amazon Inspector received 804 telemetry messages in total from 1 agent.

Now press the Close button, go back to the Assessment Runs page and click the Show AWS Agents button. Here “AWS Agent” means the EC2 instance that you are assessing (See Figure 11).

Figure 11 — AWS Inspector Agent after the Assessment Run

According to the above, the AWS Inspector Agent has completed its assessment and its results are ready for use.

Step 5: See the Findings

After one assessment run has completed for the selected EC2 instance (Inspector Agent), it is time to look at the findings of that run.

Go to Inspector → Select Findings (See Figure 12)

Figure 12 — Assessment Findings

In the above scenario there are 106 findings shown. Most of them appear to be CIS recommendations at the OS level. If you click the right arrow on any of the findings, you get the details of the finding and the recommended remediation steps as well.

Figure 13 — Assessment Findings for a particular severity #

The issue appears to have been reported by the CIS Operating System Security Configuration Benchmark 1.0 rules package. The instance seems to have many OS-level issues to be rectified in terms of security vulnerabilities.
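With 106 findings, the first question is how they split across rules packages and severities, so the High-severity CIS items can be remediated first. The following is an added example (not code from the original post) that groups Inspector Classic findings by package and severity; the assessment run ARN and the sample findings in the test are constructed placeholders, and the batch size of 100 for describe_findings is the per-call limit assumed here.

```python
"""Summarize Inspector Classic findings by rules package and severity (added example)."""
from collections import Counter, defaultdict


def summarize_findings(findings, package_names):
    """findings: the "findings" list from describe_findings();
    package_names: {rulesPackageArn: name} built from describe_rules_packages().
    Returns ({package: {severity: count}}, sorted High-severity titles)."""
    by_package = defaultdict(Counter)
    high_titles = set()
    for finding in findings:
        arn = finding["serviceAttributes"]["rulesPackageArn"]
        package = package_names.get(arn, "unknown package")
        severity = finding.get("severity", "Undefined")
        by_package[package][severity] += 1
        if severity == "High":
            high_titles.add(finding["title"])
    return {p: dict(c) for p, c in by_package.items()}, sorted(high_titles)


def fetch_and_summarize(run_arn, region="us-east-1"):
    """Pull every finding of one assessment run and summarize it."""
    import boto3  # imported here so summarize_findings() runs without AWS access
    inspector = boto3.client("inspector", region_name=region)
    finding_arns = []
    paginator = inspector.get_paginator("list_findings")
    for page in paginator.paginate(assessmentRunArns=[run_arn]):
        finding_arns.extend(page["findingArns"])
    findings = []
    for i in range(0, len(finding_arns), 100):  # assumed per-call limit of 100 ARNs
        batch = inspector.describe_findings(findingArns=finding_arns[i:i + 100])
        findings.extend(batch["findings"])
    package_arns = inspector.list_rules_packages()["rulesPackageArns"]
    names = {p["arn"]: p["name"] for p in
             inspector.describe_rules_packages(rulesPackageArns=package_arns)["rulesPackages"]}
    return summarize_findings(findings, names)
```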


Written by Crishantha Nanayakkara

Enterprise Architect @ FAO (UN) | Former CTO, ICTA Sri Lanka
