In this blog post, we will see how to perform a security assessment on AWS services with Amazon Inspector.

Related articles:

Audit AWS Resources using AWS Config

Track User Activity & API usage using Cloudtrail

What is AWS Inspector?


Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed in Amazon Web Services.

It automatically performs assessments of applications for vulnerabilities, exposures, and other security concerns.

Once the assessment is completed, a detailed report lists the findings prioritized by severity level.

The priority levels are as follows:

  • HIGH
  • MEDIUM
  • LOW
  • INFORMATIONAL

The assessment report can be reviewed directly in the AWS console, and we can also download the reports.

Amazon Inspector checks for unintended network accessibility of EC2 instances and for vulnerabilities on the EC2 instances.

The pre-defined rules packages are used to check for access to EC2 instances from the internet, remote root login being enabled, or vulnerable software installed on the system.

These pre-defined rules packages are mapped to common security best practices and vulnerability definitions, and they are updated regularly by AWS.

Benefits of using AWS Inspector

  • Integrate security into DevOps
  • Enforce security standards
  • Leverage AWS security expertise
  • Streamline security compliance
  • Identify application security issues
  • Increase development agility

Supported AWS Regions

The following AWS regions currently support Amazon Inspector:

  • US East (Ohio)
  • US East (N.Virginia)
  • US West (N.California)
  • US West (Oregon)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Seoul)
  • Asia Pacific (Sydney)
  • Asia Pacific (Tokyo)
  • Europe (Frankfurt)
  • Europe (Ireland)
  • Europe (London)
  • Europe (Stockholm)
  • AWS GovCloud (US East)
  • AWS GovCloud (US)

Service Quotas

The service limits per AWS region are as follows:

RESOURCE                DEFAULT
Running agents          500
Assessment runs         50,000
Assessment templates    500
Assessment targets      50

Supported Operating Systems

The following Linux and Windows operating systems are supported:

LINUX OS                                   WINDOWS OS
Amazon Linux 2                             Windows Server 2008 R2
Amazon Linux                               Windows Server 2012
Ubuntu 18.04, 16.04, 14.04 LTS             Windows Server 2012 R2
Debian 8.0 – 8.7, 9.0 – 9.5                Windows Server 2016 Base
CentOS 6.2 – 6.9, 7.2 – 7.x
Red Hat Linux 6.2 – 6.9, 7.2 – 7.x

Components of AWS Inspector

The key components of Inspector are as follows.

  • Amazon Inspector Agent: software that must be installed on an EC2 instance so that the instance can be included in an assessment target.
  • Assessment Run: the process of discovering security issues by analyzing the assessment target's configuration against the selected rules packages.
  • Assessment Target: a collection of AWS resources (EC2 instances) to be assessed. The EC2 instances must first be tagged with key-value pairs so that they can be selected.
  • Assessment Template: the configuration used during the assessment run. The template includes the rules packages, the SNS topic, tags, and the duration of the assessment.
  • Findings: a potential security issue discovered during the assessment run of the specified targets.
  • Rule: a security check performed during an assessment run. If the rule finds a potential security issue, the issue is described in the findings.
  • Rules Package: a collection of rules.
  • Telemetry: the installed package information and software configuration collected from the EC2 instances.

Prerequisites

Before running assessments on the target EC2 instances, the following requirements must be met.

  • The SSM agent must be installed on the EC2 instances.
  • An EC2 role for SSM (an IAM role) must be attached to the EC2 instances.

Installing SSM Agent:

The SSM agent is the software installed on the servers so that Systems Manager can update, configure, and run commands on them remotely.

On Amazon Linux, Ubuntu 16.x and Ubuntu 18.x instances the SSM agent is available by default.

The installation method depends on the operating system. On Ubuntu servers you can install it either from the Debian installer package or as a snap package.

To install using snap:

Check whether the agent is already installed as a snap package:

snap list amazon-ssm-agent

If it is not, install it, start it, and check the service status with the following commands (the snap build registers its service under the snap.amazon-ssm-agent unit name):

sudo snap install amazon-ssm-agent --classic

sudo snap start amazon-ssm-agent

sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service

To install using the Debian installer package:

Download the .deb package and install it using the commands below:

wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb

sudo dpkg -i amazon-ssm-agent.deb

sudo systemctl enable amazon-ssm-agent

sudo systemctl start amazon-ssm-agent

sudo systemctl status amazon-ssm-agent

For Amazon Linux 2, RHEL 7 and CentOS 7 instances, install the agent with the following commands instead:

sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
sudo systemctl status amazon-ssm-agent
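The three install paths above can be folded into one script that picks the method from /etc/os-release, skips the install when the agent is already running (the pre-installed Ubuntu and Amazon Linux case), and verifies the service afterwards. This is an added example, not code from the original post; it assumes the download URLs shown above and that snap, dpkg or yum is present on the respective distribution.

```shell
#!/bin/sh
# Added example (not from the original post): choose the SSM agent install
# method for the running OS, install it only if needed, and verify the unit.
set -u

# Package URLs as given in the post.
DEB_URL="https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb"
RPM_URL="https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm"

# Map an /etc/os-release ID to an install method. Returns 1 for unknown IDs
# so the caller never runs an installer meant for a different distribution.
pick_installer() {
    case "$1" in
        ubuntu)            echo snap ;;
        debian)            echo deb ;;
        amzn|rhel|centos)  echo rpm ;;
        *)                 return 1 ;;
    esac
}

# The snap build registers its service under a different systemd unit name.
agent_unit() {
    if [ "$1" = "snap" ]; then
        echo snap.amazon-ssm-agent.amazon-ssm-agent.service
    else
        echo amazon-ssm-agent
    fi
}

install_agent() {
    case "$1" in
        snap) sudo snap install amazon-ssm-agent --classic
              sudo snap start amazon-ssm-agent ;;
        deb)  wget -q -O /tmp/amazon-ssm-agent.deb "$DEB_URL"
              sudo dpkg -i /tmp/amazon-ssm-agent.deb
              sudo systemctl enable --now amazon-ssm-agent ;;
        rpm)  sudo yum install -y "$RPM_URL"
              sudo systemctl enable --now amazon-ssm-agent ;;
    esac
}

# Exit status 0 when the agent unit is active.
agent_is_active() {
    systemctl is-active --quiet "$(agent_unit "$1")"
}

main() {
    [ "${1:-}" = "--install" ] || { echo "usage: $0 --install" >&2; return 0; }
    . /etc/os-release
    method="$(pick_installer "$ID")" || { echo "unsupported OS: $ID" >&2; return 1; }
    if agent_is_active "$method"; then
        echo "amazon-ssm-agent already running ($method build)"
        return 0
    fi
    install_agent "$method"
    agent_is_active "$method" && echo "amazon-ssm-agent is running"
}

main "$@"
```

Run it as `sh install-ssm-agent.sh --install` on the instance; the final `agent_is_active` check is what tells you the prerequisite for Inspector is actually met, not just that a package was installed.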

Let's create an IAM role that grants Systems Manager the privileges it needs to manage the EC2 instances.

Configuring IAM Role:

Open the IAM Console,

https://console.aws.amazon.com/iam/

In the left navigation pane, choose Roles and then click Create role.

On the Select type of trusted entity page, choose the EC2 service and click Next: Permissions.

On the Attach permissions policy page, choose the SSMFullAccess policy and then add a tag.

Then give the role a name and click Create role.

We have now created a role that allows the EC2 instance to communicate with Systems Manager.

Attach IAM Role to EC2 Instance:

Once the role is created, we have to attach it to the respective EC2 instance.

Go to EC2 console,

https://console.aws.amazon.com/ec2/v2/home

Refer to these articles to create an EC2 instance using the console or Terraform.

CREATE EC2 INSTANCE USING CONSOLE

CREATE EC2 INSTANCE USING TERRAFORM

Choose the instance, and under Actions click Instance settings.

Choose Attach/replace IAM role.

Select the role you created and click Apply.

Now we have an IAM role attached to the EC2 instance.

Systems Manager can now run tasks on the EC2 instances and automate them using a maintenance window.

For more details on running commands using Systems Manager, check this article.
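The same role creation and attachment can be scripted with the AWS CLI, which is useful when many instances need to be brought under Systems Manager before an assessment. This is an added example and not code from the original post. It assumes a configured AWS CLI, and it attaches the AmazonSSMManagedInstanceCore managed policy (the permissions the agent itself needs) rather than the broader SSMFullAccess policy chosen in the console steps above; the instance id check and the final ping-status query are there to confirm the prerequisite is really in place.

```shell
#!/bin/sh
# Added example (not from the original post): create the IAM role and instance
# profile that let Systems Manager manage an instance, attach it, and verify
# that the SSM agent has registered. Assumes a configured AWS CLI.
set -u

# Managed policy scoped to what the SSM agent needs (narrower than SSMFullAccess).
SSM_POLICY_ARN="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Trust policy allowing only the EC2 service to assume the role.
trust_policy_json() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Reject anything not shaped like an EC2 instance id before it reaches the
# CLI (ids are "i-" followed by 8 or 17 hex digits).
valid_instance_id() {
    printf '%s' "$1" | grep -Eq '^i-([0-9a-f]{8}|[0-9a-f]{17})$'
}

create_ssm_instance_role() {
    role="$1"
    aws iam create-role --role-name "$role" \
        --assume-role-policy-document "$(trust_policy_json)" >/dev/null
    aws iam attach-role-policy --role-name "$role" --policy-arn "$SSM_POLICY_ARN"
    aws iam create-instance-profile --instance-profile-name "$role" >/dev/null
    aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
    sleep 10   # a new instance profile takes a few seconds to propagate
}

attach_role_to_instance() {
    aws ec2 associate-iam-instance-profile --instance-id "$1" \
        --iam-instance-profile Name="$2" >/dev/null
}

# Prints the agent's ping status; "Online" means it has registered with SSM.
ssm_ping_status() {
    aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$1" \
        --query 'InstanceInformationList[].PingStatus' --output text
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 <instance-id> <role-name>" >&2; return 0; }
    valid_instance_id "$1" || { echo "bad instance id: $1" >&2; return 1; }
    create_ssm_instance_role "$2"
    attach_role_to_instance "$1" "$2"
    echo "SSM ping status: $(ssm_ping_status "$1")"
}

main "$@"
```

Run it as `sh attach-ssm-role.sh i-0123456789abcdef0 ec2-ssm-role` (a constructed instance id). If the ping status comes back empty, the agent has not registered yet and the Inspector agent install through Systems Manager in the next section will not work for that instance.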

Setup Amazon Inspector

Once the minimum requirements are in place, let's set up Amazon Inspector and perform assessments against the EC2 instances.

Log in to the Amazon Inspector console and choose the supported region where your resources are running.

Click Get Started.

Under Assessment setup, we have to choose the type of assessment that should be performed against the EC2 instances.

Network Assessments analyze the network configuration of the AWS environment and do not require the Inspector agent to be installed.

Host Assessments analyze the software installed on the EC2 instances and its configuration, hence the Inspector agent is required and must be installed.

We can let the assessment run once or once a week.

If you wish to perform customized assessments against the target EC2 instances, choose Advanced setup.

First we define the assessment target. Provide a name for the assessment target.

We can either include all the EC2 instances running in this AWS region or choose particular instances based on their tags.

To perform assessments on specific EC2 instances, uncheck All Instances and provide the key-value pair tags of the EC2 instances.

Check Install Agents to analyze the software and its configuration within the instances against security best practices.

The Inspector agents will be installed on the target EC2 instances using AWS Systems Manager. This is why we installed the SSM agent and attached the IAM role to the EC2 instances.

Then click Next.

Now we are going to define the assessment template.

Provide a name for the assessment template and then choose the rules packages that will run against the target EC2 instances.

Depending on the number of target instances, choose the duration for the assessment template. The recommended duration is 1 hour; the maximum is 24 hours.

If needed, you can also schedule the assessment to recur once every given number of days.

The initial assessment will start to run once the assessment template is created.

Click Next, review the assessment target and assessment template, and then click Create.

In the left navigation pane, choose Assessment templates.

We can see that the assessment has started.

Choose Assessment runs to check the status of the assessment and the findings from the target EC2 instances.

If any potential security issues are found, they will be listed by severity level.

In the navigation pane, choose Findings to see all the findings from the assessment run and filter them by priority level.

This is the current status of the assessment run.

Click Download report to download the assessment report.

We can download either the full report or only the findings, in HTML or PDF format.

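The console steps above (target by tag, template with rules packages and duration, one run, findings by severity) map directly onto the AWS CLI, which is how you would wire Inspector into a pipeline rather than clicking through it per environment. The script below is an added example, not code from the original post. It assumes a configured AWS CLI with Inspector permissions and instances already tagged with the key and value you pass in; the target and template names it generates and the sample finding lines in the test are constructed. It also goes one step past the page: the severity summary is turned into a gate that fails when any High finding is present.

```shell
#!/bin/sh
# Added example (not part of the original post): drive an Inspector assessment
# with the AWS CLI and summarize the findings by severity.
set -u

# Count findings per severity from lines of "Severity<TAB>Title"
# (the severity labels are those used in Inspector findings).
summarize_findings() {
    awk -F'\t' '
        { count[$1]++ }
        END {
            split("High Medium Low Informational", sev, " ")
            for (i = 1; i <= 4; i++) printf "%s %d\n", sev[i], count[sev[i]] + 0
        }'
}

# Succeeds only when the summary reports zero High findings, so a build step
# can refuse to proceed while High severity issues are open.
gate_passes() {
    high="$(printf '%s\n' "$1" | awk '$1 == "High" { print $2 }')"
    [ "${high:-0}" -eq 0 ]
}

# Create a target selected by tag, a template using every rules package in the
# region, and start one run; prints the assessment run ARN.
run_assessment() {
    tag_key="$1"; tag_value="$2"; duration="$3"
    rg_arn="$(aws inspector create-resource-group \
        --resource-group-tags "key=$tag_key,value=$tag_value" \
        --query resourceGroupArn --output text)"
    target_arn="$(aws inspector create-assessment-target \
        --assessment-target-name "target-$tag_value" \
        --resource-group-arn "$rg_arn" \
        --query assessmentTargetArn --output text)"
    # Rules package ARNs differ per region, so look them up instead of hard-coding.
    packages="$(aws inspector list-rules-packages --query rulesPackageArns --output text)"
    # $packages is intentionally unquoted: one ARN per argument.
    template_arn="$(aws inspector create-assessment-template \
        --assessment-target-arn "$target_arn" \
        --assessment-template-name "template-$tag_value" \
        --duration-in-seconds "$duration" \
        --rules-package-arns $packages \
        --query assessmentTemplateArn --output text)"
    aws inspector start-assessment-run --assessment-template-arn "$template_arn" \
        --query assessmentRunArn --output text
}

# Wait for the run to reach a terminal state, then print "Severity<TAB>Title"
# for every finding. describe-findings accepts at most 100 ARNs per call.
findings_for_run() {
    run_arn="$1"
    while :; do
        state="$(aws inspector describe-assessment-runs --assessment-run-arns "$run_arn" \
            --query 'assessmentRuns[0].state' --output text)"
        case "$state" in
            COMPLETED|COMPLETED_WITH_ERRORS) break ;;
            FAILED|ERROR|CANCELED) echo "run ended in state $state" >&2; return 1 ;;
        esac
        sleep 60
    done
    aws inspector list-findings --assessment-run-arns "$run_arn" \
        --query findingArns --output text | tr '\t' '\n' | grep . |
        xargs -r -n 100 aws inspector describe-findings \
            --query 'findings[].[severity,title]' --output text --finding-arns
}

main() {
    [ $# -ge 2 ] || { echo "usage: $0 <tag-key> <tag-value> [duration-seconds]" >&2; return 0; }
    run_arn="$(run_assessment "$1" "$2" "${3:-3600}")"
    summary="$(findings_for_run "$run_arn" | summarize_findings)"
    echo "$summary"
    gate_passes "$summary" || { echo "High severity findings present" >&2; return 1; }
}

main "$@"
```

Run it as `sh inspector-run.sh Inspector prod` (constructed tag key and value) from a pipeline step; the non-zero exit on High findings is what makes the "integrate security into DevOps" benefit listed earlier concrete, and the per-severity summary is the same ordering the console uses for its findings list.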

Conclusion

Once the assessment is completed, we can download the report in PDF format and take the necessary action to follow the security best practices.

Hope you find it helpful. Please do check out my other publications.