
Getting Started With AWS Inspector

AWS Inspector can help seek out security threats in your Amazon services. Working either through the AWS console or APIs, you can help keep your cloud safe.


Inspector is an AWS service that lets us perform security analysis on AWS resources such as EC2 instances and identify potential security issues. It not only identifies each security issue with a severity but also provides the recommendations needed to fix it. This helps keep AWS cloud resources secure and protects them from known security vulnerabilities.

This blog covers the steps involved in working with AWS Inspector, from configuring the prerequisites to addressing the findings. Each step is explained for both the AWS console and the API, so this blog can be used as a "Getting Started" guide to AWS Inspector.

Terminology

| Terminology | Description |
|---|---|
| AWS agent | A software agent that runs on AWS EC2 instances. It monitors network traffic, the file system, process activity etc., and collects the data to be sent to AWS Inspector. |
| Assessment Target | The target on which the security assessment is done. EC2 instances carrying the specified tag names are treated as the assessment targets. |
| Assessment Template | The configuration that specifies which rules packages are to be run against the assessment targets. |
| Assessment Run | A security check executed on an assessment target based on the assessment template. A run is started by executing an assessment template. |
| Finding | An observation from the assessment run, containing severity, description, and recommendation for each security issue. |
| Rules | Security checks performed by the AWS agent on the assessment target. |
| Rules Packages | A rules package is a collection of rules. Each package defines a security goal for the assessment. |


How It Works

Inspector is an agent-based security assessment service that runs on AWS resources like EC2 instances. When an assessment is initiated on a target, the agents on that target are notified. Data about network traffic, the file system, process activity etc., are monitored and collected. The collected data are then consolidated and grouped under the rules within the assessment template. The vulnerabilities and security issues are then filtered to generate the findings for the assessment run.

Each finding has a severity (Low, Medium, High, or Informational), a description of the finding, and recommendations to fix the issue.

The Steps

The diagram below explains the steps involved in configuring and using AWS Inspector.

[Diagram: steps for configuring and using AWS Inspector]

Prerequisites

The following prerequisites must be configured before starting with AWS Inspector.

Create a Role

In the getting started page, assign an IAM role for Inspector to allow it access to other AWS services like EC2, SNS etc. By default, no role is assigned. The following picture shows the Inspector prerequisites page.

[Image: Inspector prerequisites page]

By clicking on the "Choose or create role" button, we can create or choose an IAM role and assign it to Inspector. The following picture shows the "Choose or create role" page.

[Image: "Choose or create role" page]

Tag EC2 Instances

To include EC2 resources in an assessment run, we need to create a tag on each EC2 instance. Tags are key-value pairs, and each EC2 instance can have multiple tags. For example, if we have several EC2 instances, a tag named "Environment" can be used to decide which of them are included in the assessment run.

The following picture shows the tags for an EC2 instance.

[Image: tags for an EC2 instance]

Install AWS Agent on EC2 Instances

On each target EC2 instance, we need to install the AWS agent. The commands and steps involved in installing the AWS agent are listed in the table below.

| Action | Linux Machine | Windows Machine |
|---|---|---|
| Download Agent | `wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install` | Download the file from the following URL: https://d1wk0tztpsntt1.cloudfront.net/windows/installer/latest/AWSAgentInstall.exe |
| Install Agent | `sudo bash install` (with auto update disabled: `sudo bash install -u false`) | Run AWSAgentInstall.exe |
| Start Agent | `sudo /etc/init.d/awsagent start` | Start -> Run -> services.msc, right-click the service "AWS Agent Service" and then click "Start" |
| Stop Agent | `sudo /etc/init.d/awsagent stop` | Start -> Run -> services.msc, right-click the service "AWS Agent Service" and then click "Stop" |
| Uninstall Agent | Amazon Linux, CentOS, RedHat: `yum remove AwsAgent`; Ubuntu: `apt-get remove awsagent` | Control Panel -> Add/Remove Programs, choose "AWS Agent" and click "Uninstall" |
| Agent Status | `sudo /opt/aws/awsagent/bin/awsagent status` | Start -> Run -> services.msc, check the status of "AWS Agent Service" |

Define Assessment Target

The assessment target is the set of EC2 instances to be inspected. In the "Define Assessment Target" window, provide a custom name for the assessment target and specify the tag to be used for picking up the instances.

In this example, we are using the EC2 instances with the tag name "Environment" and the value "QA". When multiple tags are specified, EC2 instances with any of these tags will be picked for assessment.

[Image: "Define Assessment Target" window]

API Details

Action: CreateResourceGroup 

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateResourceGroup.html 
POST { 
    "resourceGroupTags": [ 
        {
            "key": "string",
            "value": "string"
        }
    ]
}

Sample Response:
{
    "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-AB6DMKnv"
}


Action: CreateAssessmentTarget

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTarget.html
Request:
POST {
    "assessmentTargetName": "string",
    "resourceGroupArn": "string"
}

Sample response:
{
    "assessmentTargetArn": "string"
}

Action: DescribeAssessmentTargets

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTargets.html

Request:
POST {
    "assessmentTargetArns": [ "string" ]
}

Sample Response:
{
    "assessmentTargets": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
            "createdAt": 1458074191.459,
            "name": "ExampleAssessmentTarget",
            "resourceGroupArn": "arn:aws:inspector:us-west-2:123456789012:resourcegroup/0-PyGXopAI",
            "updatedAt": 1458074191.459
        }
    ],
    "failedItems": {}
}


Define Assessment Template

The assessment template is where we specify the rules packages and duration of the assessment run. Multiple rules packages can be selected and there are currently four packages provided as part of Inspector. There is no option to import new packages, and these packages are defined and owned by AWS.

Duration specifies how long the assessment is expected to run. The default is one hour. There are five duration options to select from: 15 minutes, 1 hour (recommended), 8 hours, 12 hours, and 24 hours. With a longer duration, more findings can be expected, because the agent observes more runtime behavior.

An SNS topic is an optional input that can be added even after the template is created. By subscribing to the SNS topic, users get notified when the assessment is completed.

Note: Currently, there is no option to edit an assessment template, so make sure you verify the template before creating it.

Rules Packages

As mentioned, there are currently four rules packages. All of them are defined and owned by AWS; users do not have the option to include new rules packages.

| Rules package | Description |
|---|---|
| Security Best Practices-1.0 | This package helps identify whether the systems are configured securely. Example rules: Disable root login over SSH, Disable Password Authentication Over SSH, Configure Permissions for System Directories etc. |
| Runtime Behavior Analysis-1.0 | This package helps check the behavior of EC2 instances. Example rules: Unused Listening TCP Ports, Root process with insecure permissions, Insecure Server Protocols (like HTTP, FTP) etc. |
| Common Vulnerabilities and Exposures-1. | This package includes assessment for common vulnerabilities and exposures. It helps identify unpatched vulnerabilities that can compromise security, confidentiality, and integrity. |
| CIS Operating System Security Configuration Benchmarks-1.0 | The "Center for Internet Security" is a non-profit organization which defines benchmark rules packages for securing systems at the operating system level. Examples: CIS Benchmark for Amazon Linux 2014.09-2015.03, v1.1.0, Level 1 Profile; CIS Benchmark for Microsoft Windows Server 2012 R2, v2.2.0, Level 1 Domain Controller Profile etc. |

API Details

Action: ListRulesPackages

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_ListRulesPackages.html

POST {} 

Sample Response:
{
    "rulesPackageArns": [
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ",
        "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD"
    ]
}

Action: DescribeRulesPackages

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeRulesPackages.html

POST {
    "locale": "string",
    "rulesPackageArns": [ "string" ]
}

Sample response:
{
    "failedItems": {},
    "rulesPackages": [
        {
        "arn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p",
        "description": "The rules in this package help verify whether the EC2 instances in your application are exposed to Common Vulnerabilities and Exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference for publicly known information security vulnerabilities and exposures. For more information, see https://cve.mitre.org/. If a particular CVE appears in one of the produced Findings at the end of a completed Inspector assessment, you can search https://cve.mitre.org/ using the CVE's ID (for example, \"CVE-2009-0021\") to find detailed information about this CVE, its severity, and how to mitigate it. ",
            "name": "Common Vulnerabilities and Exposures",
            "provider": "Amazon Web Services, Inc.",
            "version": "1.1"
        }
    ]
}

Action: CreateAssessmentTemplate

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_CreateAssessmentTemplate.html

POST {
    "assessmentTargetArn": "string",
    "assessmentTemplateName": "string",
    "durationInSeconds": number,
    "rulesPackageArns": [ "string" ],
    "userAttributesForFindings": [
        {
            "key": "string",
            "value": "string"
        }
    ]
}

Sample Response:
{
    "assessmentTemplateArn": "string"
}

Action: DescribeAssessmentTemplates

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentTemplates.html

POST {
    "assessmentTemplateArns": [ "string" ]
}

Sample Response:
{
    "assessmentTemplates": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
            "assessmentTargetArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq",
            "createdAt": 1458074191.844,
            "durationInSeconds": 3600,
            "name": "ExampleAssessmentTemplate",
            "rulesPackageArns": [
                "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
            ], 
            "userAttributesForFindings": []
        }
    ],
    "failedItems": {}
}


Run Assessment Templates

After the above are defined, navigate to the “Assessment Templates” page in the AWS console. Select the template and click “Run”. This will run the assessment template on the target for the duration specified. When the assessment run is complete, the number of findings at the template level will be available in the “Assessment Templates” page.
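The same sequence (resource group, assessment target, assessment template, run, poll) driven through the API, as an added example that is not part of the original post. Any object exposing the Inspector calls used here will do; with boto3 that is `boto3.client("inspector")`. The `FakeInspectorClient` at the bottom is a constructed stand-in that replays response shapes from the API reference, so the flow can be exercised without an AWS account; the tag key/value, names and the `CreatedBy` user attribute are placeholders.

```python
"""Drive one Amazon Inspector assessment through the API (added example)."""
import time

# Terminal values of an assessment run's "state"; anything else means keep polling.
TERMINAL_STATES = {"COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED", "ERROR", "CANCELED"}
MIN_DURATION, MAX_DURATION = 180, 86400  # durationInSeconds bounds accepted by the API


def create_assessment(client, tag_key, tag_value, target_name, template_name,
                      rules_package_arns, duration_seconds=3600):
    """Resource group -> assessment target -> assessment template. Returns the template ARN."""
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError(f"durationInSeconds must be within {MIN_DURATION}..{MAX_DURATION}")
    if not rules_package_arns:
        raise ValueError("at least one rules package ARN is required")
    group = client.create_resource_group(
        resourceGroupTags=[{"key": tag_key, "value": tag_value}])
    target = client.create_assessment_target(
        assessmentTargetName=target_name, resourceGroupArn=group["resourceGroupArn"])
    template = client.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=template_name,
        durationInSeconds=duration_seconds,
        rulesPackageArns=list(rules_package_arns),
        # Templates cannot be edited later, so stamp provenance on every finding now.
        userAttributesForFindings=[{"key": "CreatedBy", "value": "getting-started-script"}])
    return template["assessmentTemplateArn"]


def run_and_wait(client, template_arn, run_name, poll_seconds=30, sleep=time.sleep):
    """Start a run from the template and poll DescribeAssessmentRuns until a terminal state."""
    run_arn = client.start_assessment_run(
        assessmentTemplateArn=template_arn, assessmentRunName=run_name)["assessmentRunArn"]
    while True:
        run = client.describe_assessment_runs(assessmentRunArns=[run_arn])["assessmentRuns"][0]
        if run["state"] in TERMINAL_STATES:
            return run
        sleep(poll_seconds)


class FakeInspectorClient:
    """Constructed offline stand-in: records calls and replays API-shaped responses."""
    ACCOUNT = "arn:aws:inspector:us-west-2:123456789012"

    def __init__(self):
        self.calls = []
        # Each DescribeAssessmentRuns call advances one state, ending in COMPLETED.
        self._states = iter(["CREATED", "COLLECTING_DATA", "EVALUATING_RULES", "COMPLETED"])

    def _record(self, name, kw):
        self.calls.append((name, kw))

    def create_resource_group(self, **kw):
        self._record("create_resource_group", kw)
        return {"resourceGroupArn": f"{self.ACCOUNT}:resourcegroup/0-AB6DMKnv"}

    def create_assessment_target(self, **kw):
        self._record("create_assessment_target", kw)
        return {"assessmentTargetArn": f"{self.ACCOUNT}:target/0-0kFIPusq"}

    def create_assessment_template(self, **kw):
        self._record("create_assessment_template", kw)
        return {"assessmentTemplateArn": f"{kw['assessmentTargetArn']}/template/0-4r1V2mAw"}

    def start_assessment_run(self, **kw):
        self._record("start_assessment_run", kw)
        return {"assessmentRunArn": f"{kw['assessmentTemplateArn']}/run/0-MKkpXXPE"}

    def describe_assessment_runs(self, **kw):
        self._record("describe_assessment_runs", kw)
        return {"assessmentRuns": [{"arn": kw["assessmentRunArns"][0], "state": next(self._states)}],
                "failedItems": {}}


def demo():
    """Full flow against the fake client; swap in boto3.client('inspector') for a real run."""
    client = FakeInspectorClient()
    template_arn = create_assessment(
        client, "Environment", "QA", "qa-target", "qa-weekly",
        ["arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p"])
    run = run_and_wait(client, template_arn, "Run 1 for qa-weekly", sleep=lambda _: None)
    return template_arn, run


if __name__ == "__main__":
    arn, result = demo()
    print(arn, result["state"])
```

The duration check mirrors the console's limits (15 minutes to 24 hours) and rejects a value the API would refuse anyway, and the poll loop stops on every terminal state rather than only `COMPLETED`, so a `FAILED` or `CANCELED` run does not spin forever.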

Assessment Runs

This page lists the history of assessment runs. On this page, we have options to view the:

  • Assessment template used in the inspection.

  • Assessment targets on which the inspection is done.

  • Start and end time of the assessment.

  • Status of the assessment run.

  • Number of findings.

[Image: Assessment Runs page]

API Details

Action: StartAssessmentRun

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_StartAssessmentRun.html

POST {
    "assessmentRunName": "string",
    "assessmentTemplateArn": "string"
}

Sample response:
{
    "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-nvgVhaxX/template/0-it5r2S4T/run/0-jOoroxyY"
}

Action: DescribeAssessmentRuns

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeAssessmentRuns.html

POST {
    "assessmentRunArns": [ "string" ]
}

Sample Response:
{
    "assessmentRuns": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
            "assessmentTemplateArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
            "completedAt": 1458680301.4,
            "createdAt": 1458680170.035,
            "dataCollected": true,
            "durationInSeconds": 3600,
            "name": "Run 1 for ExampleAssessmentTemplate",
            "notifications": [],
            "rulesPackageArns": [
                "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP"
            ],
            "startedAt": 1458680170.161,
            "state": "COMPLETED",
            "stateChangedAt": 1458680301.4,
            "stateChanges": [
                {
                    "state": "CREATED",
                    "stateChangedAt": 1458680170.035
                },
                {
                    "state": "START_DATA_COLLECTION_PENDING",
                    "stateChangedAt": 1458680170.065
                },
                {
                    "state": "START_DATA_COLLECTION_IN_PROGRESS",
                    "stateChangedAt": 1458680170.096
                },
                {
                    "state": "COLLECTING_DATA",
                    "stateChangedAt": 1458680170.161
                },
                {
                    "state": "STOP_DATA_COLLECTION_PENDING",
                    "stateChangedAt": 1458680239.883
                },
                {
                    "state": "DATA_COLLECTED",
                    "stateChangedAt": 1458680299.847
                },
                {
                    "state": "EVALUATING_RULES",
                    "stateChangedAt": 1458680300.099
                },
                {
                    "state": "COMPLETED",
                    "stateChangedAt": 1458680301.4
                }
            ],
            "userAttributesForFindings": []
        }
    ],
    "failedItems": {}
}


View Findings

There is a page in the AWS console for viewing the "Findings" of assessment runs. Each finding has a rules package reference, a description, and recommendations to fix the security issue.

Follow the recommendations to fix the issues and keep the system secured.

[Image: Findings page]

API Details

Action: ListFindings 

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_ListFindings.html

POST {
    "assessmentRunArns": [ "string" ],
    "filter": {
        "agentIds": [ "string" ],
        "attributes": [
            {
                "key": "string",
                "value": "string"
            }
        ],
        "autoScalingGroups": [ "string" ],
        "creationTimeRange": {
            "beginDate": number,
            "endDate": number
        },
        "ruleNames": [ "string" ],
        "rulesPackageArns": [ "string" ],
        "severities": [ "string" ],
        "userAttributes": [
            {
                "key": "string",
                "value": "string"
            }
        ]
    },
    "maxResults": number,
    "nextToken": "string"
}

Sample Response:
{
    "findingArns": [
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-v5D6fI3v/finding/0-tyvmqBLy"
    ]
}

Action: DescribeFindings

API Reference: http://docs.aws.amazon.com/inspector/latest/APIReference/API_DescribeFindings.html

POST {
    "findingArns": [ "string" ],
    "locale": "string"
}

Sample Response:
{
    "failedItems": {},
    "findings": [
        {
            "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE/finding/0-HwPnsDm4",
            "assetAttributes": {
                "ipv4Addresses": [],
                "schemaVersion": 1
            },
            "assetType": "ec2-instance",
            "attributes": [],
            "confidence": 10,
            "createdAt": 1458680301.37,
            "description": "Amazon Inspector did not find any potential security issues during this assessment.",
            "indicatorOfCompromise": false,
            "numericSeverity": 0,
            "recommendation": "No remediation needed.",
            "schemaVersion": 1,
            "service": "Inspector",
            "serviceAttributes": {
                "assessmentRunArn": "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw/run/0-MKkpXXPE",
                "rulesPackageArn": "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-X1KXtawP",
                "schemaVersion": 1
            },
            "severity": "Informational",
            "title": "No potential security issues found",
            "updatedAt": 1458680301.37,
            "userAttributes": []
        }
    ]
}


Fix Security Issues

By following the recommendations in each Finding, you'll fix the security issues and vulnerabilities that Inspector pointed out. Note, however, that this is a manual activity. After fixing the issues, re-run the assessment template to confirm they don’t appear in the findings again.
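Because the fix-and-re-run loop is manual, it helps to script the comparison. The following is an added example (not code from the original post) that collects every finding of a run through the paginated ListFindings/DescribeFindings calls shown above, filters out the Informational "No potential security issues found" entries, summarizes by severity, and diffs two runs to show which findings were fixed, which are still open, and which are new. Any object exposing those two calls works; with boto3 that is `boto3.client("inspector")`. The `FakeInspectorClient`, its findings and the `agentId` values are constructed sample data.

```python
"""Collect, summarize and diff Amazon Inspector findings across runs (added example)."""
from collections import Counter

ACTIONABLE = ("High", "Medium", "Low")  # leave out "Informational" entries
DESCRIBE_BATCH = 10  # DescribeFindings accepts at most 10 finding ARNs per call


def collect_findings(client, run_arn, severities=ACTIONABLE, page_size=100):
    """Return full finding records for one assessment run, walking every ListFindings page."""
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [run_arn],
                  "filter": {"severities": list(severities)},
                  "maxResults": page_size}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), DESCRIBE_BATCH):
        resp = client.describe_findings(findingArns=arns[i:i + DESCRIBE_BATCH])
        if resp.get("failedItems"):  # do not silently drop findings the API could not describe
            raise RuntimeError(f"DescribeFindings failed for {sorted(resp['failedItems'])}")
        findings.extend(resp["findings"])
    return findings


def severity_summary(findings):
    """Count findings per severity, e.g. {'High': 1, 'Medium': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def finding_key(f):
    """Identity of a finding across runs: same rule title, same package, same instance (agentId)."""
    return (f["title"], f["serviceAttributes"]["rulesPackageArn"],
            f.get("assetAttributes", {}).get("agentId", ""))


def compare_runs(before, after):
    """What a re-run proves: findings fixed since 'before', still open, and newly introduced."""
    b = {finding_key(f) for f in before}
    a = {finding_key(f) for f in after}
    return {"fixed": sorted(b - a), "still_open": sorted(b & a), "new": sorted(a - b)}


class FakeInspectorClient:
    """Constructed stand-in holding two runs' findings: run/1 before fixes, run/2 after."""
    PKG = "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p"

    def __init__(self):
        self.runs = {
            "run/1": [self._f("run/1", 1, "High", "Disable root login over SSH", "i-0a"),
                      self._f("run/1", 2, "Medium", "Unused Listening TCP Ports", "i-0a"),
                      self._f("run/1", 3, "Informational", "No potential security issues found", "i-0b")],
            "run/2": [self._f("run/2", 1, "Medium", "Unused Listening TCP Ports", "i-0a"),
                      self._f("run/2", 2, "Low", "Insecure Server Protocols", "i-0b")],
        }

    def _f(self, run, n, sev, title, agent):
        return {"arn": f"{run}/finding/{n}", "severity": sev, "title": title,
                "assetAttributes": {"agentId": agent},
                "serviceAttributes": {"rulesPackageArn": self.PKG}}

    def list_findings(self, **kw):
        # One ARN per page to exercise the nextToken loop; apply the severity filter like the API.
        sevs = set(kw["filter"]["severities"])
        matching = [f["arn"] for f in self.runs[kw["assessmentRunArns"][0]] if f["severity"] in sevs]
        idx = int(kw.get("nextToken", "0"))
        page = {"findingArns": matching[idx:idx + 1]}
        if idx + 1 < len(matching):
            page["nextToken"] = str(idx + 1)
        return page

    def describe_findings(self, **kw):
        by_arn = {f["arn"]: f for run in self.runs.values() for f in run}
        return {"findings": [by_arn[a] for a in kw["findingArns"]], "failedItems": {}}


if __name__ == "__main__":
    c = FakeInspectorClient()
    before, after = collect_findings(c, "run/1"), collect_findings(c, "run/2")
    print(severity_summary(before), severity_summary(after))
    print(compare_runs(before, after))
```

Keying on title, rules package and agent ID rather than on the finding ARN is deliberate: every run mints new finding ARNs, so an ARN-based diff would report everything as both fixed and new.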


Published at DZone with permission of Sabapathy Arumugam, DZone MVB. See the original article here.
