Getting Started With AWS Inspector

AWS Inspector can help seek out security threats in your Amazon services. Working either through the AWS console or APIs, you can help keep your cloud safe.

By Rathinasabapathy Arumugam · Jan. 31, 17 · Tutorial

Inspector is an AWS service that performs security analysis on AWS resources such as EC2 instances and identifies potential security issues. It not only reports each issue with a severity but also provides the recommendations needed to fix it. This helps keep AWS cloud resources secure and protected from security vulnerabilities.

This blog covers the steps involved in working with AWS Inspector, from configuring the prerequisites to addressing the findings. Each step is explained for both the AWS console and the API, so this blog can be used as a "Getting Started" guide to AWS Inspector.

Terminology

AWS agent: A software agent that runs on the EC2 instances, monitors network traffic, the file system, process activity, etc., and collects the data to be sent to AWS Inspector.
Assessment Target: The set of resources on which the security assessment is performed. EC2 instances carrying the specified tags are treated as the assessment target.
Assessment Template: The configuration that specifies which rules packages are run against the assessment target.
Assessment Run: A security check executed on an assessment target according to an assessment template. In practice, you execute an assessment template and that produces an assessment run.
Finding: An observation from the assessment run, containing a severity, a description, and a recommendation for each security issue.
Rules: The security checks performed by the AWS agent on the assessment target.
Rules Packages: A collection of rules. Each package defines a security goal for the assessment.


How It Works

Inspector is an agent-based security assessment service for AWS resources such as EC2 instances. When an assessment is initiated on a target, the agents on that target are notified. Data related to network traffic, the file system, process activity, etc., is monitored and collected. The collected data is then consolidated and grouped under the rules in the assessment template, and the vulnerabilities and security issues are filtered out to generate the findings for the assessment run.

Each finding has a severity (Low, Medium, High, or Informational), a description of the finding, and recommendations to fix the issue.

The Steps

The diagram below shows the steps involved in configuring and using AWS Inspector.

AWS-Inspector-img

Prerequisites

The following prerequisites must be configured before starting with AWS Inspector.

Create a Role

On the Getting Started page, assign an IAM role to Inspector so it can access other AWS services such as EC2 and SNS. By default, no role is assigned. The following picture shows the Inspector prerequisites page.

create-a-role-img

By clicking on the “Choose or create role” button, we can create or choose an IAM role and assign it to Inspector. The following picture shows the “Choose or create role” page.

create-a-role-img1

Tag EC2 Instances

To include EC2 resources in an assessment run, we need to tag each EC2 instance. Tags are key-value pairs, and each EC2 instance can have multiple tags. For example, with several EC2 instances, a tag named "Environment" can be used to distinguish which instances should be included in the assessment run.

The following picture shows the tags for an EC2 instance.

tag-EC2-instances-img

Install AWS Agent on EC2 Instances

The AWS agent must be installed on each target EC2 instance. The commands and steps for installing the AWS agent on Linux and Windows are listed below.

Download Agent
  Linux: wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
  Windows: download the installer from https://d1wk0tztpsntt1.cloudfront.net/windows/installer/latest/AWSAgentInstall.exe

Install Agent
  Linux: sudo bash install
  Linux, with auto update disabled: sudo bash install -u false
  Windows: run AWSAgentInstall.exe

Start Agent
  Linux: sudo /etc/init.d/awsagent start
  Windows: Start -> Run -> services.msc, right-click the service "AWS Agent Service" and click "Start"

Stop Agent
  Linux: sudo /etc/init.d/awsagent stop
  Windows: Start -> Run -> services.msc, right-click the service "AWS Agent Service" and click "Stop"

Uninstall Agent
  Amazon Linux, CentOS, RedHat: yum remove AwsAgent
  Ubuntu: apt-get remove awsagent
  Windows: Control Panel -> Add/Remove Programs, choose "AWS Agent" and click "Uninstall"

Agent Status
  Linux: sudo /opt/aws/awsagent/bin/awsagent status
  Windows: Start -> Run -> services.msc, check the status of "AWS Agent Service"

Define Assessment Target

The assessment target is the set of EC2 instances to be inspected. In the "Define Assessment Target" window, provide a custom name for the assessment target and specify the tag used to pick the instances.

In this example, we use the EC2 instances whose "Environment" tag has the value "QA". When multiple tags are specified, EC2 instances matching any of them are picked for the assessment.

assessment-target-img

API Details

Action: CreateResourceGroup

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateResourceGroup.html

Request:
POST {
    "resourceGroupTags": [ 
        {
            "key": "string",
            "value": "string"
        }
    ]
}

Sample Response:
{
    "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv"
}


Action: CreateAssessmentTarget

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTarget.html
Request:
POST {
    "assessmentTargetName": "string",
    "resourceGroupArn": "string"
}

Sample response:
{
    "assessmentTargetArn": "string"
}

Action: DescribeAssessmentTargets

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTargets.html

Request:
POST {
    "assessmentTargetArns": [ "string" ]
}

Sample Response:
{
    "assessmentTargets": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
            "createdAt": 1458074191.459,
            "name": "ExampleAssessmentTarget",
            "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI",
            "updatedAt": 1458074191.459
        }
    ],
    "failedItems": {}
}


Define Assessment Template

The assessment template is where we specify the rules packages and the duration of the assessment run. Multiple rules packages can be selected; there are currently four packages provided as part of Inspector. There is no option to import new packages, as these packages are defined and owned by AWS.

Duration specifies how long the assessment is expected to run. It defaults to an hour. Five duration options are available: 15 minutes, 1 hour (recommended), 8 hours, 12 hours, and 24 hours. A longer duration gives the agent more time to observe the instance, so more findings can be expected.

An SNS topic is an optional input that can be added even after the template is created. By subscribing to the SNS topic, users get notified when the assessment is completed.

Note: Currently, there is no option to edit an assessment template, so make sure you verify the template before creating it.

Rules Packages

As mentioned, there are currently four rules packages. All of them are defined and owned by AWS; users cannot add their own rules packages.

Security Best Practices-1.0: This package helps identify whether the systems are configured securely. Example rules: Disable root login over SSH, Disable Password Authentication Over SSH, Configure Permissions for System Directories, etc.

Runtime Behavior Analysis-1.0: This package checks the runtime behavior of EC2 instances. Example rules: Unused Listening TCP Ports, Root process with insecure permissions, Insecure Server Protocols (such as HTTP, FTP), etc.

Common Vulnerabilities and Exposures-1.: This package assesses the instances for Common Vulnerabilities and Exposures. It helps identify unpatched vulnerabilities that can compromise security, confidentiality, and integrity.

CIS Operating System Security Configuration Benchmarks-1.0: The "Center for Internet Security" is a non-profit organization that defines benchmark rules packages for securing systems at the operating system level. Example benchmarks: CIS Benchmark for Amazon Linux 2014.09-2015.03, v1.1.0, Level 1 Profile; CIS Benchmark for Microsoft Windows Server 2012 R2, v2.2.0, Level 1 Domain Controller Profile, etc.

API Details

Action: ListRulesPackages

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_ListRulesPackages.html

POST {} 

Sample Response:
{
    "rulesPackageArns": [
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD"
    ]
}

Action: DescribeRulesPackages

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeRulesPackages.html

POST {
    "locale": "string",
    "rulesPackageArns": [ "string" ]
}

Sample response:
{
    "failedItems": {},
    "rulesPackages": [
        {
            "arn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
            "description": "The rules in this package help verify whether the EC2 instances in your application are exposed to Common Vulnerabilities and Exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference for publicly known information security vulnerabilities and exposures. For more information, see https://cve.mitre.org/. If a particular CVE appears in one of the produced Findings at the end of a completed Inspector assessment, you can search https://cve.mitre.org/ using the CVE's ID (for example, \"CVE-2009-0021\") to find detailed information about this CVE, its severity, and how to mitigate it. ",
            "name": "Common Vulnerabilities and Exposures",
            "provider": "Amazon Web Services, Inc.",
            "version": "1.1"
        }
    ]
}

Action: CreateAssessmentTemplate

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTemplate.html

POST {
    "assessmentTargetArn": "string",
    "assessmentTemplateName": "string",
    "durationInSeconds": number,
    "rulesPackageArns": [ "string" ],
    "userAttributesForFindings": [
        {
            "key": "string",
            "value": "string"
        }
    ]
}

Sample Response:
{
    "assessmentTemplateArn": "string"
}

Action: DescribeAssessmentTemplates

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTemplates.html

POST {
    "assessmentTemplateArns": [ "string" ]
}

Sample Response:
{
    "assessmentTemplates": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
            "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
            "createdAt": 1458074191.844,
            "durationInSeconds": 3600,
            "name": "ExampleAssessmentTemplate",
            "rulesPackageArns": [
                "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
            ], 
            "userAttributesForFindings": []
        }
    ],
    "failedItems": {}
}


Run Assessment Templates

After the target and template are defined, navigate to the "Assessment Templates" page in the AWS console, select the template, and click "Run". This runs the assessment template against the target for the specified duration. When the assessment run is complete, the number of findings per template is shown on the "Assessment Templates" page.

Assessment Runs

This page lists the history of assessment runs. On this page, we can view the:

  • Assessment template used in the inspection.
  • Assessment targets on which the inspection was done.
  • Start and end time of the assessment.
  • Status of the assessment run.
  • Number of findings.

assessment-run-img

API Details

Action: StartAssessmentRun

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_StartAssessmentRun.html

POST {
    "assessmentRunName": "string",
    "assessmentTemplateArn": "string"
}

Sample response:
{
    "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY"
}

Action: DescribeAssessmentRuns

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentRuns.html

POST {
    "assessmentRunArns": [ "string" ]
}

Sample Response:
{
    "assessmentRuns": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
            "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
            "completedAt": 1458680301.4,
            "createdAt": 1458680170.035,
            "dataCollected": true,
            "durationInSeconds": 3600,
            "name": "Run 1 for ExampleAssessmentTemplate",
            "notifications": [],
            "rulesPackageArns": [
                "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
            ],
            "startedAt": 1458680170.161,
            "state": "COMPLETED",
            "stateChangedAt": 1458680301.4,
            "stateChanges": [
                {
                    "state": "CREATED",
                    "stateChangedAt": 1458680170.035
                },
                {
                    "state": "START_DATA_COLLECTION_PENDING",
                    "stateChangedAt": 1458680170.065
                },
                {
                    "state": "START_DATA_COLLECTION_IN_PROGRESS",
                    "stateChangedAt": 1458680170.096
                },
                {
                    "state": "COLLECTING_DATA",
                    "stateChangedAt": 1458680170.161
                },
                {
                    "state": "STOP_DATA_COLLECTION_PENDING",
                    "stateChangedAt": 1458680239.883
                },
                {
                    "state": "DATA_COLLECTED",
                    "stateChangedAt": 1458680299.847
                },
                {
                    "state": "EVALUATING_RULES",
                    "stateChangedAt": 1458680300.099
                },
                {
                    "state": "COMPLETED",
                    "stateChangedAt": 1458680301.4
                }
            ],
            "userAttributesForFindings": []
        }
    ],
    "failedItems": {}
}


View Findings

The AWS console has a "Findings" page for viewing the findings of assessment runs. Each finding carries a rules package reference, a description, and recommendations for fixing the security issue.

Follow the recommendations to fix the issues and keep the system secure.

assessment-target-img1

API Details

Action: ListFindings 

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_ListFindings.html

POST {
    "assessmentRunArns": [ "string" ],
    "filter": {
        "agentIds": [ "string" ],
        "attributes": [
            {
                "key": "string",
                "value": "string"
            }
        ],
        "autoScalingGroups": [ "string" ],
        "creationTimeRange": {
            "beginDate": number,
            "endDate": number
        },
        "ruleNames": [ "string" ],
        "rulesPackageArns": [ "string" ],
        "severities": [ "string" ],
        "userAttributes": [
            {
                "key": "string",
                "value": "string"
            }
        ]
    },
    "maxResults": number,
    "nextToken": "string"
}

Sample Response:
{
    "findingArns": [
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v/finding/0-tyvmqBLy"
    ]
}

Action: DescribeFindings

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeFindings.html

POST {
    "findingArns": [ "string" ],
    "locale": "string"
}

Sample Response:
{
    "failedItems": {},
    "findings": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
            "assetAttributes": {
                "ipv4Addresses": [],
                "schemaVersion": 1
            },
            "assetType": "ec2-instance",
            "attributes": [],
            "confidence": 10,
            "createdAt": 1458680301.37,
            "description": "Amazon Inspector did not find any potential security issues during this assessment.",
            "indicatorOfCompromise": false,
            "numericSeverity": 0,
            "recommendation": "No remediation needed.",
            "schemaVersion": 1,
            "service": "Inspector",
            "serviceAttributes": {
                "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
                "rulesPackageArn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP",
                "schemaVersion": 1
            },
            "severity": "Informational",
            "title": "No potential security issues found",
            "updatedAt": 1458680301.37,
            "userAttributes": []
        }
    ]
}


Fix Security Issues

By following the recommendations in each finding, you fix the security issues and vulnerabilities that Inspector pointed out. Note, however, that remediation is a manual activity. After fixing the issues, re-run the assessment template and confirm that they no longer appear in the findings.
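The re-run check described above, as an added example that is not part of the original article: it works on the DescribeAssessmentRuns and DescribeFindings response shapes shown earlier, separates actionable findings from the Informational "nothing found" placeholder, and diffs two runs to report which findings were fixed, which remain, and which are new. The sample findings and the agentId values are constructed here; agentId is a documented AssetAttributes field not shown in the sample response above.

```python
from collections import Counter

# Constructed samples in the shape of the DescribeAssessmentRuns / DescribeFindings
# responses above (not real Inspector output). Only the fields used here are kept.
SAMPLE_RUN = {
    "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-x/template/0-y/run/0-1",
    "state": "COMPLETED", "dataCollected": True,
}
RUN1_FINDINGS = [
    {"title": "Disable root login over SSH", "severity": "High", "numericSeverity": 9,
     "assetAttributes": {"agentId": "i-0a1b2c"},
     "recommendation": "Set PermitRootLogin to no in sshd_config."},
    {"title": "Unused Listening TCP Ports", "severity": "Medium", "numericSeverity": 6,
     "assetAttributes": {"agentId": "i-0a1b2c"},
     "recommendation": "Stop services listening on ports that are not needed."},
    {"title": "No potential security issues found", "severity": "Informational",
     "numericSeverity": 0, "assetAttributes": {"agentId": "i-0d3e4f"},
     "recommendation": "No remediation needed."},
]
# Second run, constructed as if the SSH recommendation was applied and nothing else changed.
RUN2_FINDINGS = [f for f in RUN1_FINDINGS if f["title"] != "Disable root login over SSH"]

# COMPLETED is the terminal state shown on this page; the others are documented
# Inspector run states (assumption) so that a poller does not spin on a failed run.
TERMINAL_STATES = {"COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED", "ERROR", "CANCELED"}


def run_is_done(run):
    """True once DescribeAssessmentRuns reports a state Inspector will not change."""
    return run["state"] in TERMINAL_STATES


def run_succeeded(run):
    """A run is only trustworthy if it completed and the agents actually sent data."""
    return run["state"] == "COMPLETED" and bool(run.get("dataCollected"))


def actionable(findings):
    """Drop the Informational placeholder; keep findings that need remediation."""
    return [f for f in findings if f["numericSeverity"] > 0]


def severity_counts(findings):
    """Count actionable findings per severity, e.g. {'High': 1, 'Medium': 1}."""
    return dict(Counter(f["severity"] for f in actionable(findings)))


def finding_key(f):
    """Identity of a finding across runs: which instance, which check."""
    return (f["assetAttributes"].get("agentId", "unknown"), f["title"])


def compare_runs(before, after):
    """Diff actionable findings of two runs to confirm fixes and catch regressions."""
    b = {finding_key(f) for f in actionable(before)}
    a = {finding_key(f) for f in actionable(after)}
    return {"fixed": sorted(b - a), "remaining": sorted(b & a), "new": sorted(a - b)}


def remediation_plan(findings):
    """Actionable findings ordered by numericSeverity, highest first, for ticketing."""
    ranked = sorted(actionable(findings), key=lambda f: -f["numericSeverity"])
    return [(f["severity"], f["title"], f["recommendation"]) for f in ranked]


if __name__ == "__main__":
    if run_succeeded(SAMPLE_RUN):
        print(severity_counts(RUN1_FINDINGS), compare_runs(RUN1_FINDINGS, RUN2_FINDINGS))
```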

Published at DZone with permission of Rathinasabapathy Arumugam, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
