Now that we have secured our account with Security Hub, let’s have a look at managing vulnerabilities across EC2 instances, Lambda functions, containers, CI/CD integration and the CIS status of our instances using Amazon Inspector.
In this installment we’ll look at setting up Inspector and getting started with EC2 OS scanning, both for vulnerabilities and for CIS benchmark status.
Amazon Inspector
Amazon Inspector is a powerful automated security assessment tool designed to help you improve the security and compliance of applications deployed on AWS. By continuously scanning your workloads for vulnerabilities, configuration issues, and deviations from security best practices, Inspector provides actionable insights to identify and fix potential threats. Whether you’re managing a small application or a large-scale environment, Amazon Inspector simplifies the process of finding weaknesses, ensuring your infrastructure is secure and aligned with industry standards. In this post, we’ll explore how Amazon Inspector works and why it’s an essential tool for maintaining a secure AWS environment.
Enabling Amazon Inspector
Here is the documentation to follow to set up Amazon Inspector, or follow the instructions below.

This will take you to the all-important activation screen, which grants Inspector permission to scan your instances and code.

It did take a little while for Lambda functions and container images stored in ECR to start to show, so don’t be surprised if this process takes a good few minutes if you have a lot of functions, images and EC2 instances.

EC2 Scanning
EC2 scanning will start automatically when using the agent-based method if you have the SSM agent installed and the OS is supported. It then reports every 30 minutes, comparing the installed packages against the vulnerability database.
You can also use an agentless approach that scans EBS snapshots of your instances. This is slower and only supports certain filesystems.
Unless you have a very specific requirement not to use the SSM agent, and therefore need the agentless, EBS snapshot based scanning, I’d recommend sticking with agent-based scanning.
After a little while, you should get results.
In this specific scenario, I have an Oracle Linux 7 instance running and Inspector is reporting 3 critical vulnerabilities.

Let’s have a look in the OS and see if we have some package updates.

Looks like this matches.
Let’s run yum upgrade httpd httpd-tools python-perf and see if the results reflect the changes (remembering the scan completes about every 30 minutes).

Yes, no more httpd or python-perf vulnerabilities.
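The loop above (read the Inspector findings, work out which OS packages need upgrading, run the package manager, wait for the rescan) is easy to do by hand for one instance and three findings, but not for a fleet. The script below is an added example, not code from the original post: it takes Inspector EC2 package findings, keeps only ACTIVE findings at or above a severity threshold, splits the vulnerable packages into those that have a vendor fix (fixedInVersion present) and those that do not, and builds the yum upgrade line per instance. The SAMPLE_FINDINGS list is constructed to follow the shape of Inspector's ListFindings response (resources[].id, severity, status, packageVulnerabilityDetails.vulnerablePackages[]) with placeholder instance ids, placeholder CVE ids and made-up versions; fetch_active_ec2_findings is the live alternative and assumes boto3 is installed and credentials are configured.

```python
"""Turn Amazon Inspector EC2 package findings into a per-instance patch list.

Added example, not code from the original post. SAMPLE_FINDINGS is constructed
to mirror the shape of Inspector's ListFindings output; ids and versions are
placeholders.
"""
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4, "UNTRIAGED": 5}

SAMPLE_FINDINGS = [
    {   # one finding covering two packages, like the httpd / httpd-tools pair in the post
        "severity": "CRITICAL", "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-PLACEHOLDER-0001",
            "vulnerablePackages": [
                {"name": "httpd", "version": "2.4.6", "fixedInVersion": "2.4.6-99", "packageManager": "OS"},
                {"name": "httpd-tools", "version": "2.4.6", "fixedInVersion": "2.4.6-99", "packageManager": "OS"},
            ],
        },
    },
    {
        "severity": "CRITICAL", "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-PLACEHOLDER-0002",
            "vulnerablePackages": [
                {"name": "python-perf", "version": "3.10.0", "fixedInVersion": "3.10.0-99", "packageManager": "OS"},
            ],
        },
    },
    {   # no vendor fix yet: yum upgrade cannot close this one
        "severity": "HIGH", "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-PLACEHOLDER-0003",
            "vulnerablePackages": [{"name": "kernel", "version": "3.10.0", "packageManager": "OS"}],
        },
    },
    {   # below the default severity threshold, on a second instance
        "severity": "LOW", "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0fedcba9876543210"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-PLACEHOLDER-0004",
            "vulnerablePackages": [
                {"name": "curl", "version": "7.29.0", "fixedInVersion": "7.29.0-99", "packageManager": "OS"},
            ],
        },
    },
    {   # already CLOSED by Inspector after a rescan; must not be patched again
        "severity": "CRITICAL", "status": "CLOSED",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0fedcba9876543210"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-PLACEHOLDER-0005",
            "vulnerablePackages": [
                {"name": "openssl", "version": "1.0.2k", "fixedInVersion": "1.0.2k-99", "packageManager": "OS"},
            ],
        },
    },
]


def patch_plan(findings, min_severity="HIGH"):
    """Return {instance_id: {"upgrade": [pkg, ...], "no_fix": [pkg, ...]}} for
    ACTIVE EC2 package findings at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    plan = defaultdict(lambda: {"upgrade": set(), "no_fix": set()})
    for finding in findings:
        if finding.get("status") != "ACTIVE":
            continue
        if SEVERITY_RANK.get(finding.get("severity"), 99) > threshold:
            continue
        details = finding.get("packageVulnerabilityDetails")
        if not details:
            continue  # network reachability and code findings carry no package list
        for resource in finding.get("resources", []):
            if resource.get("type") != "AWS_EC2_INSTANCE":
                continue
            for pkg in details.get("vulnerablePackages", []):
                if pkg.get("packageManager") != "OS":
                    continue  # only OS packages are fixed by the OS package manager
                bucket = "upgrade" if pkg.get("fixedInVersion") else "no_fix"
                plan[resource["id"]][bucket].add(pkg["name"])
    return {inst: {k: sorted(v) for k, v in buckets.items()} for inst, buckets in plan.items()}


def yum_upgrade_command(packages):
    """Build the yum line for one instance's fixable packages ('' if nothing to do)."""
    return "sudo yum upgrade -y " + " ".join(packages) if packages else ""


def fetch_active_ec2_findings(region_name):
    """Live alternative to SAMPLE_FINDINGS (assumes boto3 and credentials are set up)."""
    import boto3
    client = boto3.client("inspector2", region_name=region_name)
    criteria = {
        "resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    }
    findings = []
    for page in client.get_paginator("list_findings").paginate(filterCriteria=criteria):
        findings.extend(page["findings"])
    return findings


if __name__ == "__main__":
    for instance_id, buckets in patch_plan(SAMPLE_FINDINGS).items():
        print(instance_id, yum_upgrade_command(buckets["upgrade"]))
        if buckets["no_fix"]:
            print("  no vendor fix yet:", ", ".join(buckets["no_fix"]))
```

The "no_fix" bucket is the useful bit in practice: a finding without fixedInVersion will stay open no matter how many times you run yum, so it belongs in a risk-acceptance or mitigation list rather than a patch ticket. Lower min_severity to "LOW" to pull the second instance's curl finding into the plan.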
CIS Scanning
CIS scanning isn’t enabled by default; it can be performed automatically on a regular interval or run ad hoc.
I did run into an issue while writing this post. The OSes supported for CIS scanning are not as exhaustive as for Inspector. Oracle Linux was not supported. No dramas, I used an Ubuntu instance instead.
CIS scanning uses tags to match hosts. I used CIS_SCAN as the key and a value of L1 or L2 to correspond to the level I wanted to scan.

One thing I found more than once was that the first scan always timed out. Not sure what’s going on with that. Rerun the scan and it works.
It does take a while, and besides “IN_PROGRESS”, there really isn’t any output.
Once completed it looks something like this:

And the detail for the instance looks like this:

CIS scanning can help make sure that you keep your instances compliant with Level 1 or Level 2 benchmarks.
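Two things in the CIS section are worth automating: checking that the CIS_SCAN tag actually carries L1 or L2 on every instance you expect to be scanned (a misspelt value means the instance is silently skipped), and retrying a scan when the first run times out. The script below is an added example, not code from the original post. SAMPLE_INSTANCES is constructed with placeholder instance ids in the shape of a describe-instances Tags list; cis_scan_request builds the keyword arguments for boto3's inspector2 create_cis_scan_configuration call as I understand that API's shape (scanName, securityLevel, schedule, targets), and wait_for_scan assumes a timed-out scan surfaces with status FAILED alongside IN_PROGRESS and COMPLETED.

```python
"""Target Inspector CIS scans by tag and rerun a scan whose first attempt fails.

Added example, not code from the original post. Instance data is constructed;
the request dict follows the CreateCisScanConfiguration parameter shape as the
author of this example understands it; status strings are assumed.
"""
import time

TAG_KEY = "CIS_SCAN"                          # tag key used in the post
LEVELS = {"L1": "LEVEL_1", "L2": "LEVEL_2"}   # tag value -> Inspector securityLevel

# Constructed sample: placeholder ids, tags as describe-instances returns them.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa000000000001", "Tags": [{"Key": "CIS_SCAN", "Value": "L1"}]},
    {"InstanceId": "i-0aaa000000000002", "Tags": [{"Key": "CIS_SCAN", "Value": "L2"}]},
    {"InstanceId": "i-0aaa000000000003", "Tags": [{"Key": "CIS_SCAN", "Value": "level1"}]},  # typo
    {"InstanceId": "i-0aaa000000000004", "Tags": [{"Key": "Name", "Value": "untagged-web"}]},
]


def cis_targets(instances, tag_key=TAG_KEY):
    """Group instances by the benchmark level their tag selects, and report
    instances whose tag value is not L1/L2 so the typo is caught before the
    scan silently skips them."""
    groups = {"LEVEL_1": [], "LEVEL_2": [], "invalid": [], "untagged": []}
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        value = tags.get(tag_key)
        if value is None:
            groups["untagged"].append(inst["InstanceId"])
        elif value in LEVELS:
            groups[LEVELS[value]].append(inst["InstanceId"])
        else:
            groups["invalid"].append((inst["InstanceId"], value))
    return groups


def cis_scan_request(tag_value, scan_name, tag_key=TAG_KEY):
    """Build kwargs for inspector2.create_cis_scan_configuration: a one-time scan
    of the caller's own account, matching only instances tagged tag_key=tag_value."""
    return {
        "scanName": scan_name,
        "securityLevel": LEVELS[tag_value],
        "schedule": {"oneTime": {}},
        "targets": {"accountIds": ["SELF"], "targetResourceTags": {tag_key: [tag_value]}},
    }


def wait_for_scan(get_status, rerun, max_reruns=1, poll_seconds=60, sleep=time.sleep):
    """Poll until the scan leaves IN_PROGRESS. If it ends FAILED (the post's
    first-scan timeout), call rerun() up to max_reruns times and keep polling.
    get_status and rerun are callables so a live client or a fake can be plugged in.
    Returns (final_status, reruns_used)."""
    reruns = 0
    while True:
        status = get_status()
        if status == "IN_PROGRESS":
            sleep(poll_seconds)
            continue
        if status == "FAILED" and reruns < max_reruns:
            reruns += 1
            rerun()
            continue
        return status, reruns


if __name__ == "__main__":
    groups = cis_targets(SAMPLE_INSTANCES)
    print("Level 1:", groups["LEVEL_1"], "Level 2:", groups["LEVEL_2"])
    print("bad tag value, will not be scanned:", groups["invalid"])
    print(cis_scan_request("L1", "cis-l1-oneoff"))
    # Simulated status sequence: the first run fails, the rerun completes.
    seq = iter(["IN_PROGRESS", "FAILED", "IN_PROGRESS", "COMPLETED"])
    print(wait_for_scan(lambda: next(seq), lambda: None, sleep=lambda s: None))
```

With a live client the request is used as boto3.client("inspector2").create_cis_scan_configuration(**cis_scan_request("L1", "cis-l1-oneoff")); the get_status callable would wrap a lookup of the scan's status and rerun would trigger a fresh one-time scan. Keeping those as injected callables is what lets the retry logic be exercised offline.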
Conclusion
Amazon Inspector is a powerful tool that simplifies the process of securing your EC2 instances by automatically scanning for vulnerabilities and ensuring compliance with the CIS benchmarks. It not only helps you identify potential security risks but also provides clear, actionable insights to address them quickly. Whether you’re running a handful of EC2 instances or managing a complex environment, Inspector enables you to stay proactive with your security posture. The ability to run continuous assessments means you’re always one step ahead, catching issues before they can escalate into serious problems.
With Inspector’s focus on real-time vulnerability detection and CIS compliance checks, it’s an essential part of any AWS security toolkit. And while EC2 instances are a critical component, Amazon Inspector’s capabilities go beyond just that. In the next post, we’ll explore how you can extend these benefits to your Lambda functions, containerized workloads, and CI/CD pipelines. With these integrations, you’ll have a more comprehensive security framework across your entire cloud infrastructure. So, stay tuned for more on securing your cloud beyond EC2!