Scan for Security Vulnerabilities via Amazon Inspector
Amazon Inspector can be used to scan ec2-instances for security vulnerabilities. There are multiple rules packages which scans for different issues. For example, Inspector can scan for vulnerabilities reported at CVE. Inspector can also confirm if ec2-instances are following recommended security configurations (can check if root login is disabled e.t.c.). Amazon Inspector can be a good first step to make infrastructure more secure and to make sure that all targets are correctly patched.
- In order to use Amazon Inspector, you need to install Inspector agent on ec2-instance. Log into ec2-instance using private key and run following commands.
wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install curl -O https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install sudo bash install
- Tag ec2-instances. For example, add tag of 'Name' with value of 'Demo Inspector' to all ec2-instances which you want to scan.
- On AWS web management console, go to 'Amazon Inspector'. Create a new target. Add target name 'Demo Target', then select appropriate key value pair from tags list. This is the tag you created in second step. For this example, you can select key value pair of 'Name' and 'Demo Inspector'. All ec2-intaces, which have this tag, become part of this target and will be scanned in every run.
- Create new 'Assessment Template'. Enter template name, then select target name which was created in last step and then select all rules packages against which you want to scan your targets.
- Now that Target and Template have been created, you can run the template and Inspector will scan all targets. However, it might be a good idea to run your template on recurring basis. For example, you might want to perform security scan of infrastructure weekly or monthly. This can be achieved by creating a scheduled cloud watch event and invoke Inspector template run on that event.
- On AWS web management console, go to Cloud Watch, click on 'Events' and then click on 'Create rule'. Select 'schedule', and then select 'Fixed Rate' and set desired frequency e.g. 7 days. Then click on add target and select 'inspector assessment template'. Enter arn of inspector template and that is it. For the first time event gets triggered whenever you create event. Following iterations will depend on frequency you selected while creating scheduled event.
- If you go to Amazon Inspector, you should be able to see that your template is running. Findings will appear after some time. Every finding will be highlighted based on severity and corresponding action will also be suggested by Inspector.