How To Perform Security Analysis On AWS Resources Using AWS Inspector
In this blog post , We will see how to perform a security assessment on AWS services.
Related article:
Audit AWS Resources using AWS Config
Track User Activity & API usage using Cloudtrail
What Is AWS Inspector?
It is an automated security assessment service which helps us to improve the security and compliance of applications deployed in amazon web services.
It automatically perform assessments of applications for vulnerabilities , exposures and other security concerns.
Once the assessment is completed , A detailed report having the lists of findings prioritized by the level of security.
The Priority levels as follows:
- HIGH
- MEDIUM
- LOW
- INFORMATIONAL
The assessment report can be directly reviewed using the AWS console and We can download the reports.
Amazon Inspector checks for unintended network accessibility of EC2 instances and the vulnerabilities on the EC2 instances.
The pre-defined rules packages are used for checking access to EC2 instances from the internet , remote root login being enabled , or any vulnerable softwares installed on the system.
These pre-defined rules packages are mapped to common security best practices and vulnerability definitions and these packages are updated regularly by AWS.
Benefits Of Using AWS Inspector
- Integrate security into Devops
- Enforce security standards
- Leverage AWS security expertise
- Streamline security compliance
- Identify application security Issues
- Increase development Agility
Supported AWS Regions
Following are the list of AWS region currently supports AWS Inspector
- US East (Ohio)
- US East (N.Virginia)
- US West (N.California)
- US West (Oregon)
- Asia Pacific (Mumbai)
- Asia Pacific (Seoul)
- Asia Pacific (Sydney)
- Asia Pacific (Tokyo)
- Europe (Frankfurt)
- Europe (Ireland)
- Europe (London)
- Europe (Stockholm)
- AWS GovCloud (US East)
- AWS GovCloud (US)
Service Quotas
The service limit per AWS region are as follows:
| RESOURCES | DEFAULT |
| Running agents | 500 |
| Assessment runs | 50,000 |
| Assessment templates | 500 |
| Assessment targets | 50 |
Supported Operating Systems
Following are the lists of suppported Linux and Windows operating systems.
| LINUX OS | WINDOWS OS |
| Amazon Linux 2 | Windows Server 2008 R2 |
| Amazon Linux | Windows Server 2012 |
| Ubuntu (18.04 , 16.04 , 14.04) LTS | Windows Server 2012 R2 |
| Debian (8.0 – 8.7 , 9.0 – 9.5) | Windows Server 2016 Base |
| Centos (6.2 – 6.9 , 7.2 – 7.x) | |
| Redhat Linux (6.2 – 6.9 , 7.2 – 7.x) |
Components Of AWS Inspector
The Key components of Inspector are as follows.
- Amazon Inspector Agent : Inspector agent is a software tat should be installed on the EC2 instance so that it can be included in the assessment target.
- Assessment Run : It is the process of discovering security issues through the analysis of assessment target’s configuration against the specific rule packages.
- Assessment Target : For this , First the EC2 instances should be tagged with Key-Value pairs.It’s actually a collection of AWS resources.
- Assessment Template : The configurations that is used during the assessment run.The template includes the following : Rules packages , SNS Topic , Tags , Duration of assessment.
- Findings : A potential security issue that is discovered during the assessment run of the specified targets.
- Rule : A security check performed during an assessment run.If the rule finds the potential security issue , The issue will be described in the findings.
- Rules Package : It is a collection of rules.
- Telemetry : The installed packages information and the software configuration of the EC2 Instances.
PreRequisites
Before implementing the assessments on the target EC2 instances , The following requirements must be there.
- SSM agent should be installed on the EC2 instances.
- EC2 Role for SSM – IAM Role should be attached with the EC2 Instances.
Installing SSM Agent:
ssm-agent is the software which can be installed on all the servers for the systems manager to update , configure and run commands remotely.
For Instances such as Amazon Linux , Ubuntu 16.x & Ubuntu 18.x SSM agent will be available by default.
SSM agent will be installed based on the Operating systems.You can install either using debian installer packages or using snap packages on Ubuntu servers.
To install using snap:
You can check if ssm-agent is already installed using snap using the below command:
Here is the lists of commands to install and start the ssm-agent service.
snap list amazon-ssm-agent
snap install amazon-ssm-agent --classic
sudo systemctl start amazon-ssm-agent
sudo systemctl services amazon-ssm-agent
To install install using debian installer package:
Download the .deb package and install using the below command,
wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
dpkg -i amazon-ssm-agent.deb
systemctl start amazon-ssm-agent
systemctl status amazon-ssm-agent
Once you have ssm-agent installed on the EC2 instances , Lets go ahead and create necessary IAM role and attach it with the EC2 Instances.
If you want to configure the same in Amazon Linux 2 , RHEL 7 , Centos 7 Instances,Use the below commands.
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
sudo systemctl status amazon-ssm-agent
Lets create an IAM role for the Systems manager to grant privileges to manage EC2 Intances.
Configuring IAM Role:
Open the IAM Console,
https://console.aws.amazon.com/iam/
In the left navigation panes , Choose Roles and then click Create role.
On select the type of identity page , Choose EC2 service , click Next:Permissions
On Attach permissions policy page , Choose SSMFullaccess role and then add a tag.
and then give a name to the role and click Create role.
We have created a role for the EC2 instance to communicate with SSM Manager.
Attach IAM Role To EC2 Instance:
Once the role is created, We have attach the IAM role with the respective EC2 Instance.
Go to EC2 console,
https://console.aws.amazon.com/ec2/v2/home
Refer these articles to create EC2 instance using Console and Terraform.
CREATE EC2 INSTANCE USING CONSOLE
CREATE EC2 INSTANCE USING TERRAFORM
Choose the instance , Under Actions , Click Instance settings,
Choose Attach / replace IAM role.
Select the role which you have created and click apply.
Now we have an IAM role attached to the EC2 Instance.
Now the Systems Manager has the ability to run tasks in the EC2 instances and automate the process using the maintenance window.
For more details on Running commands using Systems Manager , Check this
Setup Amazon Inspector
Once the minimum requirements are implemented , Now Lets create Amazon Inspector and perform assessments against EC2 Instances.
Login to Amazon Inspector Console , Choose the supported region where your resources are running.
Click Get Started.
Under Assessment setup , We have to choose the type of assessment that should be performed against EC2 instances.
Network Assessments , Analyze the network configurations of the AWS environments which does not require inspector agents to be installed.
Host Assessment , It will analyse the software installed on the EC2 instances and its configurations , Hence the inspector agent is required and should be installed.
We can let the assessments run Once or Weekly Once.
If you wish to perform customized assessments against the target EC2 instances , Choose Advanced setup
First We are going to define the assessment targets , Provide a name for the Assessment targets.
We can either include all the EC2 instances running in this AWS region or we can choose particular instances based on the Tags.
To perform assessments on specific EC2 instances , Unchecked All Instances and provide the Key – Value pair of the EC2 Instances.
For Install Agents , To analyze the softwares and its configurations within the instances for security best practices .
Inspector agents will be installed on the target EC2 instances using AWS Systems Manager.This is why we have installed SSM-agent and Attached IAM Role with the EC2 Instances.
and Click Next,
We are going to define the assessment template.
Provide a name for the assessment template and then Choose the rules packages that runs assessment against the target EC2 instances.
Depending on the Number of Target instances (assessment targets) , Choose the duration for the assessment template. Recommended is 1 Hour , We can set maximum of 24 hrs.
If you wish to run this assessment once every particular days if needed.
The initial assessment will start to run once , after the assessment template is created.
Click Next and Review the assessment targets and assessment templates and then click Create.
In the Left navigation pane , Choose Assessment templates ,
We can see that the assessment is started.
Choose the Assessment runs , to check the status of the assessment and the findings from the Target EC2 instances.
If any potential security issues are found , Then they will be listed based on the severity level.
In the navigation pane , Choose Findings , To see all the findings by the assessment run and filter depending on the priority levels.
This is the current status of the Assessment run.
Click Download report to download the assessment report.
We can either download the full report or only the findings in HTML or PDF format.
Conclusion
Once the assessment is completed , We can download the report in PDF format and tak necessary action to follow the security best practices.
Hope you find it helpful.Please do check out my other publications.