DEV Community

Alanoud Alassaf for AWS Community Builders

Posted on

Automate scanning for vulnerabilities, network exposures & deviation from best practices in AWS

Amazon Inspector

Is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities, automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.

An Amazon Inspector assessment covers:

  • Network Reachability.

  • Common vulnerabilities and exposures (CVE).

  • Center for Internet Security (CIS) benchmarks – currently only with Amazon inspector classic.

  • Security best practices – currently only with Amazon inspector classic.

Source: Amazon Inspector Amazon Inspector Classic

In this demo I will walk you through a step-by-step guide on creating Linux and Windows EC2 instances, installing Inspector agent on them, enabling and configuring Amazon Inspector classic and Amazon Inspector then downloading a full report of all findings, so let’s get started!

First let’s create a new Linux EC2 instance.

Login to your AWS account, click Services and you will find EC2 under Compute section.

EC2

It will take you to EC2 dashboard page.

On the left side of the screen you will find instances click on it, then click Launch instances.

Ec2 instances page

For this demo, you can select one of the free tier Amazon Linux AMI’s.

Amazon Linux AMI

For the instance type, you can select the free tier t2.micro then click Review and Launch.

Instance Type

You will get this security warning message because we did not change the security group rules and it is now widely open.

To change it click Edit security groups.

security groups

For now, you can allow only your IP address then click Review and Launch.

security groups

Once you click Launch, it will ask you to either create a new key pair or use an existing one - I will create a new key pair and name it Demo-KP.

You must download the key pair first, then launch the instance.

Key pair

Now let’s create another instance with Windows image.

Click on Launch instances.

EC2

Search for Windows in the search bar, then select one of the free tier windows images.

EC2 instance

For the instance type, you can select t2.micro as well.

Then click Review and Launch.

EC2 instance type

Again, you will see the security warning message.

Click Edit security groups and change it to your IP address, then click Launch.

EC2 instance

It will ask you to create or use an existing key pair, you can use the one you created earlier.

Then check the box below and click Launch Instances.

EC2 instance key pair

Now we have two running EC2 instances; Linux and Windows.

Let’s add new tag to each one of them.

Select each instance and click Tags then Manage tags.

EC2 instance tags

Add a new tag with the Key “Type” and Value “Production” then click Save.

EC2 instance tags

EC2 instance tags

Select the Linux instance and copy the IP address.

EC2 instances

Now let’s open the terminal, login to the Linux instance and install Amazon Inspector’s agent.

To login, first you need to change the permissions for the Key file by running this command:

chmod 400 [your key file]
Enter fullscreen mode Exit fullscreen mode

Then login to the instance by running this command:

ssh ec2-user@[Your EC2 instance IP address] -i  [your key file]
Enter fullscreen mode Exit fullscreen mode

Linux EC2 instance

You are now logged in.

Next you will need to download Amazon Inspector’s agent script by running this command:

wget https://inspector-agent.amazonaws.com/linux/latest/install
Enter fullscreen mode Exit fullscreen mode

Download inspector agent

Once it’s completed, you can install the agent by running this command:

sudo bash install 
Enter fullscreen mode Exit fullscreen mode

install inspector agent

Amazon Inspector’s agent has been installed in the Linux instance.

Now let’s go back to the console and connect to the Windows instance.

In the EC2 instances page select the Windows instance then click Connect.

Windows EC2 instance

Select RDP client then Get password.

Connect to Windows EC2 instance

Browse to your key pair then click Decrypt password.

Copy the password as you will need it to access your Windows instance.

Decrypt password windows instance

I will use Microsoft Remote Desktop to connect to the Windows instance.

Microsoft remote desktop

Now that you are logged in, you will need to download Amazon Inspector’s agent using this URL:
https://inspector-agent.amazonaws.com/windows/installer/latest/AWSAgentInstall.exe

Download inspector agent

Once the download is completed, click on Run.

Run inspector agent

Check the box to agree to the license terms and conditions, then click Install.

AWS inspector agent setup

Now that the installation is completed, let’s go back to the AWS console and enable Amazon Inspector.

AWS inspector agent installation

You can find Inspector under the Security, Identity & Compliance section.

Amazon Inspector

It will take you to Amazon Inspector’s main page, click Get Started.

Amazon inspector main page

Let’s start first with Inspector Classic.

You can click Switch to Inspector Classic on the left side of the screen and it will open a new tab.

Amazon inspector classic

Click on Get started.

Amazon inspector classic main page

It will ask you to setup your assessment; if you want to allow Network assessments, Host assessments or both, as well as the frequency of the scanning (weekly or once).

Amazon Inspector classic setup

Once you chose the desired assessment runs, it will ask you to confirm it, click OK.

Amazon inspector classic assessment runs

Then it will take you to Amazon Inspector classic dashboard.

Amazon inspector classic dashboard

Now let’s create a new assessment target.

Click Assessment targets on the left side of the screen then click Create.

Amazon inspector assessment targets

Give it a name, then add the tag that is associated to the instances you want to run inspector on – you have the option to include all EC2 instances in your account and region as well - then save it.

Assesment target

Now let’s create a new assessment template.

Click Assessment templates on the left side of the screen then Create.

Amazon inspector assessment templates

Name your assessment template, select the target that you created in the previous step, then add the rules packages that you want to include in this template and choose the duration to run the assessment (AWS recommends 1 hour) but for this demo I will choose 15 minutes.

You also have the option to connect it to SNS if you want to receive notifications.

Add the desired tags and you can check the box below to set a schedule to automatically run the assessment.

For this demo you can uncheck the box then click Create and run.

Amazon inspector assessment template

It will start the analysis, once it's completed it will show you the number of findings.

Amazon inspector assessment run

Click on Download report.

You can select whether you want only the findings report or the full report (the full report will also include the rules packages) then choose the desired format HTML or PDF.

Download report

You can see below some screenshots of the full report in PDF format.

Screenshot of full report

Screenshot of full report

Screenshot of full report

Let’s go back to the console.

Click on Findings on the left side of the screen.

You will see all findings with details and you have the option to filter them based on severity level.

Amazon inspector findings

Lastly, let’s go back to the Inspector tab.

Click Enable Inspector.

Enable inspector

You will see the dashboard which contains a summary, and on the left side of the screen you can check the findings based on vulnerability, instance, container image, repository, and all findings as well.

Amazon inspector

Now we can manage vulnerabilities, network exposure and deviation from security best practices in a centralized automated way!

We have configured both Amazon Inspector and Amazon Inspector classic, installed Inspector agents on Linux and Windows servers, and have a well-written organized full report with all details.

Discussion (0)