How to Use Amazon Inspector With Terraform

I have been playing around with Terraform for the last two months or so, and I really enjoy working with it. The entire approach to infrastructure as code, especially the modular parts, are not only powerful but extremely intuitive and easy-to-use — once you get used to the HCL (Hashicorp Configuration Language).

Today, I'd like to provide a detailed, simple use-case where Terraform is used as a way to provision and configure an Amazon EC2 Server (I'll be using Ubuntu in this example) and configure Amazon Inspector to scan said server for security vulnerabilities, once provisioned.

While this appears to be a seemingly simple use-case, I didn't find too many good examples detailing this implementation. Before, I dive in, some background.

What Is Amazon Inspector?

Amazon (AWS) Inspector is a service that Amazon provides for its customers on AWS. This service allows you to configure a vulnerability scanner to identify and flag vulnerabilities in your server environment.

In short, Amazon Inspector is a vulnerability sScanner (similar to Nessus/Qualys/etc) that scans the target server for security vulnerabilities to capture these vulnerabilities in a set of reports that can be used by the DevOps team to patch and remediate as required.

Amazon Inspector is an agent-based service, which needs to be deployed on the servers and needs to assess the vulnerabilities. Unlike several vulnerability scanners, Amazon Inspector cannot be run remotely against a target to identify flaws.

Amazon Inspector uses a "rules packages" to identify vulnerabilities against the target packages. These packages contain different signatures, rules, and payloads that would be used to identify security vulnerabilities on the target system. They are:

• Common Vulnerabilities and Exposures (CVE Database): A popular database of existing vulnerabilities against commonly used software components
• Center for Internet Security (CIS): These are hardening benchmarks for commonly used software components
• Security Best Practices: A specific list of good security practices that one should follow while running servers
• Runtime Behavior Analysis: Security analysis based on the services deployed on the target EC2 instance. Typically, this includes insecure ports and services, unused TCP ports, and insecure client protocols, among several others.

Details of these rule packages can be found here.

Amazon Inspector can be run against specific Linux and Windows Operating System versions and distros. You can find that list here. In addition, Amazon Inspector works only for deployments in specific AWS regions.

In this example, I will use Terraform to provision an Ubuntu 16.X server on Amazon EC2. To use Amazon Inspector, this server needs to be part of a "Resource Group" that is used by Terraform to identify the specific targets that it would need to be run against. Subsequently, I will generate Amazon Inspector-specific configurations to specify an "Assessment Template," which is Amazon-speak for "configure a set of rules to be run against the target(s)." Finally, after this has been provisioned, you can actually "run" the assessment, which in this case is one hour.

resource "aws_key_pair" "inspectkey" {
  public_key = "${file(var.PATH_TO_PUB_KEY)}"
}

resource "aws_instance" "inspector-instance" {
  ami = "${lookup(var.AMIS, var.AWS_REGION)}"
  instance_type = "m1.small"
  key_name = "${aws_key_pair.inspectkey.key_name}"
  security_groups = ["inspect"]

  tags {
    Name = "InspectInstances"
  }

  provisioner "remote-exec" {
    connection {
      type = "ssh"
      user = "ubuntu"
      private_key = "${file("${var.PATH_TO_PRIVATE_KEY}")}"
      host = "${aws_instance.inspector-instance.public_ip}"
    }
    inline = [
      "wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install -P /tmp/",
      "sudo bash /tmp/install"
    ]
  }
}

• In the above code snippet, I am provisioning an AWS EC2 ubuntu instance, using a generated keypair to inject ssh keys into the newly provisioned instance
• In line 12: I am adding this EC2 server to a tag called "InspectInstances" which I will be using subsequently to run Inspector assessments against (Resource Group)
• Line 15-26: I am downloading and installing the Amazon Inspector agent from an approved source. Consider hash-matching for higher security

resource "aws_inspector_resource_group" "bar" {
  tags {
    Name = "${aws_instance.inspector-instance.tags.Name}"
  }
}

resource "aws_inspector_assessment_target" "myinspect" {
  name = "inspector-instance-assessment"
  resource_group_arn = "${aws_inspector_resource_group.bar.arn}"
}

resource "aws_inspector_assessment_template" "foo" {
  name       = "bar template"
  target_arn = "${aws_inspector_assessment_target.myinspect.arn}"
  duration   = 3600

  rules_package_arns = [
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7",
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8",
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q",
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gBONHN9h",
  ]
}

• In this segment of the  instance.tf  file, I am initializing a resource group that will be used by Amazon Inspector to perform its security scan. (Lines 1-5)
• Subsequently, I am adding all the servers in that resource group to be targets of my security assessment. Please note that this will only work against servers that have the agents installed.
• In lines 12-23, I am defining an Assessment Template. In this case, my server is hosted in the us-east-1 region. So, the rules for CVE, CIS, etc., are specific to the region. You can find this list of Amazon Resource Names (arns)here and here

Subsequently, an Amazon Inspector Assessment also gets provisioned, based on the resource group, assessment rules, and targets.

Amazon Inspector Assessment Target for the "Inspect Instances" Tag

Assessment Template provisioned by Terraform

All that remains now is to actually run the assessment. Unfortunately, I didnt find any Terraform modules that run the assessment for you (I may be wrong). However, since AWS can be completely controlled with its SDK, you can use boto (or the equivalent) to invoke the run_assessment()  function.

For this example, I manually invoked the Run Assessment and these following images are an example of some of the results.

Assessment Run Screen

Findings from the Assessment Run

• Amazon Inspector is a vulnerability scanning service from Amazon that works in an "agent-based" mode against specific operating systems on an EC2.
• Terraform has comprehensive modules that allow you to not only provision and set up infrastructure on cloud environments, but also invoke APIs related to ancillary services, like Amazon Inspector.