DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Please enter at least three characters to search
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workkloads.

Secure your stack and shape the future! Help dev teams across the globe navigate their software supply chain security challenges.

Releasing software shouldn't be stressful or risky. Learn how to leverage progressive delivery techniques to ensure safer deployments.

Avoid machine learning mistakes and boost model performance! Discover key ML patterns, anti-patterns, data strategies, and more.

Related

  • Secure Golden Images: A Blueprint for Vulnerability Management
  • The Art of Ethical Hacking: Securing Systems in the Digital Age
  • Infrastructure as Code: Exploring Terraform's Dominance
  • Removing the Bastion Host and Improving the Security in AWS

Trending

  • Kubeflow: Driving Scalable and Intelligent Machine Learning Systems
  • Mastering Advanced Traffic Management in Multi-Cloud Kubernetes: Scaling With Multiple Istio Ingress Gateways
  • AI Meets Vector Databases: Redefining Data Retrieval in the Age of Intelligence
  • Hybrid Cloud vs Multi-Cloud: Choosing the Right Strategy for AI Scalability and Security
  1. DZone
  2. Software Design and Architecture
  3. Cloud Architecture
  4. How to Use Amazon Inspector With Terraform

How to Use Amazon Inspector With Terraform

Check out this post to learn more about using Amazon Inspector with Terraform to identify security vulnerabilities on your target system!

By 
Abhay Bhargav user avatar
Abhay Bhargav
·
Jul. 26, 18 · Tutorial
Likes (3)
Comment
Save
Tweet
Share
7.7K Views

Join the DZone community and get the full member experience.

Join For Free

I have been playing around with Terraform for the last two months or so, and I really enjoy working with it. The entire approach to infrastructure as code, especially the modular parts, are not only powerful but extremely intuitive and easy-to-use — once you get used to the HCL (Hashicorp Configuration Language).

Today, I'd like to provide a detailed, simple use-case where Terraform is used as a way to provision and configure an Amazon EC2 Server (I'll be using Ubuntu in this example) and configure Amazon Inspector to scan said server for security vulnerabilities, once provisioned.

While this appears to be a seemingly simple use-case, I didn't find too many good examples detailing this implementation. Before, I dive in, some background.

What Is Amazon Inspector?

Amazon (AWS) Inspector is a service that Amazon provides for its customers on AWS. This service allows you to configure a vulnerability scanner to identify and flag vulnerabilities in your server environment.

In short, Amazon Inspector is a vulnerability sScanner (similar to Nessus/Qualys/etc) that scans the target server for security vulnerabilities to capture these vulnerabilities in a set of reports that can be used by the DevOps team to patch and remediate as required.

Amazon Inspector is an agent-based service, which needs to be deployed on the servers and needs to assess the vulnerabilities. Unlike several vulnerability scanners, Amazon Inspector cannot be run remotely against a target to identify flaws.

Amazon Inspector uses a "rules packages" to identify vulnerabilities against the target packages. These packages contain different signatures, rules, and payloads that would be used to identify security vulnerabilities on the target system. They are:

  • Common Vulnerabilities and Exposures (CVE Database): A popular database of existing vulnerabilities against commonly used software components
  • Center for Internet Security (CIS): These are hardening benchmarks for commonly used software components
  • Security Best Practices: A specific list of good security practices that one should follow while running servers
  • Runtime Behavior Analysis: Security analysis based on the services deployed on the target EC2 instance. Typically, this includes insecure ports and services, unused TCP ports, and insecure client protocols, among several others.

Details of these rule packages can be found here.

Amazon Inspector can be run against specific Linux and Windows Operating System versions and distros. You can find that list here. In addition, Amazon Inspector works only for deployments in specific AWS regions.

A Minimal Example: Terraform and Amazon Inspector

As Amazon Inspector is an agent-based service. You would need to download the agent to the EC2 server(s) that you want to run security assessments against to identify vulnerabilities. Obviously, when you have a small set of servers, manually installing the agent is not very complex. But, when you are running deployments at a massive scale, you need automated orchestration to handle this for you — that's where Terraform comes in.

In this example, I will use Terraform to provision an Ubuntu 16.X server on Amazon EC2. To use Amazon Inspector, this server needs to be part of a "Resource Group" that is used by Terraform to identify the specific targets that it would need to be run against. Subsequently, I will generate Amazon Inspector-specific configurations to specify an "Assessment Template," which is Amazon-speak for "configure a set of rules to be run against the target(s)." Finally, after this has been provisioned, you can actually "run" the assessment, which in this case is one hour.

Code Snippet
resource "aws_key_pair" "inspectkey" {
  public_key = "${file(var.PATH_TO_PUB_KEY)}"
}

resource "aws_instance" "inspector-instance" {
  ami = "${lookup(var.AMIS, var.AWS_REGION)}"
  instance_type = "m1.small"
  key_name = "${aws_key_pair.inspectkey.key_name}"
  security_groups = ["inspect"]

  tags {
    Name = "InspectInstances"
  }

  provisioner "remote-exec" {
    connection {
      type = "ssh"
      user = "ubuntu"
      private_key = "${file("${var.PATH_TO_PRIVATE_KEY}")}"
      host = "${aws_instance.inspector-instance.public_ip}"
    }
    inline = [
      "wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install -P /tmp/",
      "sudo bash /tmp/install"
    ]
  }
}


Explanation:
  • In the above code snippet, I am provisioning an AWS EC2 ubuntu instance, using a generated keypair to inject ssh keys into the newly provisioned instance
  • In line 12: I am adding this EC2 server to a tag called "InspectInstances" which I will be using subsequently to run Inspector assessments against (Resource Group)
  • Line 15-26: I am downloading and installing the Amazon Inspector agent from an approved source. Consider hash-matching for higher security
Code Snippet:
resource "aws_inspector_resource_group" "bar" {
  tags {
    Name = "${aws_instance.inspector-instance.tags.Name}"
  }
}

resource "aws_inspector_assessment_target" "myinspect" {
  name = "inspector-instance-assessment"
  resource_group_arn = "${aws_inspector_resource_group.bar.arn}"
}

resource "aws_inspector_assessment_template" "foo" {
  name       = "bar template"
  target_arn = "${aws_inspector_assessment_target.myinspect.arn}"
  duration   = 3600

  rules_package_arns = [
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7",
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8",
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q",
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gBONHN9h",
  ]
}


Explanation:
  • In this segment of the  instance.tf  file, I am initializing a resource group that will be used by Amazon Inspector to perform its security scan. (Lines 1-5)
  • Subsequently, I am adding all the servers in that resource group to be targets of my security assessment. Please note that this will only work against servers that have the agents installed.
  • In lines 12-23, I am defining an Assessment Template. In this case, my server is hosted in the us-east-1 region. So, the rules for CVE, CIS, etc., are specific to the region. You can find this list of Amazon Resource Names (arns)here and here
Please note that this code is only for demonstration purposes. I have not added several other security features to the EC2 deployment, like VPCs and other restrictive security groups. That's beyond the scope of this article.

Now, once I run  terraform apply, I would find that the EC2 server (ubuntu 16) gets provisioned, and the inspector agent gets installed in the server.

Subsequently, an Amazon Inspector Assessment also gets provisioned, based on the resource group, assessment rules, and targets.

Amazon Inspector Assessment Target for the "Inspect Instances" Tag

Assessment Template provisioned by Terraform

All that remains now is to actually run the assessment. Unfortunately, I didnt find any Terraform modules that run the assessment for you (I may be wrong). However, since AWS can be completely controlled with its SDK, you can use boto (or the equivalent) to invoke the run_assessment()  function.

For this example, I manually invoked the Run Assessment and these following images are an example of some of the results.

Assessment Run Screen

Findings from the Assessment Run

Conclusion
  • Amazon Inspector is a vulnerability scanning service from Amazon that works in an "agent-based" mode against specific operating systems on an EC2.
  • Terraform has comprehensive modules that allow you to not only provision and set up infrastructure on cloud environments, but also invoke APIs related to ancillary services, like Amazon Inspector.
Terraform (software) Vulnerability security AWS operating system

Published at DZone with permission of Abhay Bhargav, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • Secure Golden Images: A Blueprint for Vulnerability Management
  • The Art of Ethical Hacking: Securing Systems in the Digital Age
  • Infrastructure as Code: Exploring Terraform's Dominance
  • Removing the Bastion Host and Improving the Security in AWS

Partner Resources

×

Comments
Oops! Something Went Wrong

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends:

Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!