Over the last few years, we have seen a lot of high-profile data breaches in organizations that are using cloud-based infrastructure. A cloud-based service provider, such as AWS, gives the flexibility to create an infrastructure in just a few clicks, but at the same time it opens many opportunities for attackers if you miss any security checkpoint. To fill these gaps, Amazon Web Services (AWS) provides several different services which can be used to maintain and ensure the security of the cloud infrastructure.
About AWS Inspector
Amazon Inspector is an automated security assessment service which evaluates the security loopholes in deployed resources, per the compliance in the Amazon cloud. AWS Inspector is a very important security assessment service, as it generates automatic reports with detailed findings on the selected resources. It prioritizes the vulnerabilities according to their severity level, making it simple to understand which pieces of software need to be patched immediately.
In this article, we will try to understand how AWS Inspector communicates with the EC2 instances to assess the servers. We will also learn to configure the AWS inspector to operate automatically.
Before we start, I would like to mention that this is not a penetration testing tool because penetration testing specifically breaks the system from the outside. AWS inspector, by comparison, is a process in which we install an agent in all the EC2 instances which will then check all the vulnerabilities internally and provide a detailed report with suggested mitigations.
The summary of the steps involved to configure AWS Inspector are given below:
- Log into the EC2 instance
- Configure inspector agent on the EC2 instance
- Configure the assessment target through AWS console
- Configure assessment template
- Configure assessment rules
- Run an assessment
- Analyze reports
The first step is log into the EC2 instance and configures the AWS agent. In our case, I am assuming that our readers have a basic knowledge of AWS and the EC2 instance and it is already running in the AWS account.
First, we log into the running EC2 instance and install the Inspector as follow [CLICK IMAGES TO ENLARGE]:
In the highlighted area of the above screenshot, we can see that we have first used the wget utility to download the inspector agent on the EC2 instance. When the package is downloaded into the system, we can view the same by using the ls command.
Now we need to change the permission of this file to be able to install it. In order to do this, I used the chmod command to give the executable permission and start the installation process by using the command which can be seen in the following screenshot.
- << chmod +x install >>
- << ./install >>
After starting the installation process, it will take some time and a very large output will be generated by the installation process, but it should end at a “complete” message which confirms that AWS Inspector has been successfully configured into the EC2 machine. The compete message can be seen in the following screenshot.
In the above screenshot, we can see that AWS Inspector Agent has successfully been installed on the EC2 instance.
So far, we have configured AWS Inspector Agent on the EC2 Instance. After the installation, we need to log into the AWS account and search for AWS Inspector. When we open the Inspector in the console, it opens a webpage which can be seen in the following screenshot.
In the above screenshot, we can see that there are three steps mentioned. The first step is to install an agent, which we have already completed in the previous step. The second step is to run an assessment for your target, so let’s click on the “Get Started” button to proceed to further steps.
After clicking on the “Get Started” button, another page will open, which can be seen in the following screenshot.
We can see that further information is given in the above screenshot. Some of the important information which we need to understand and make a note of is given below.
- The first line states there are three frequencies at which we can set the Inspector scan. The first is to run weekly, the second is to run once, and the third is an advanced setup
- The second item to note is Network Assessments, which can be disabled and does not require the agent installation. The cost of using this service is also given in that section. As an example, we can see that the cost of running a weekly scan on 100 instances would be approximately $61 per month. This means we can do four scans in a month on these 100 instances
- Another concept to note is the Host Assessment, which will check the server with best security practice guidelines. This will utilize the agent which we installed in the previous step. The cost of this service is also given; it says that if we run weekly scans over the 100 allotted, the monthly cost would be $120
The summary of the above information shows that if we have an infrastructure via AWS in which we have approximately 100 servers and we want to monitor the security status of patch management and server hardening benchmarks, the monthly cost would be approximately $181 as per the example given by the AWS.
Note: This may not be your actual cost; AWS has provided the calculator for this. The calculator URL is given in the reference section of this article.
So, after understanding all of this, let’s click on the Advanced Setup, which will open another page.
In the above screenshot, we can see that we must define the assessment target, so we have entered “infosec-test” as name of this assessment. The next box defines the scope of the assessment. By default, the entire instances will be added in the scope which are added in this account. If we do not want to include all instances, then uncheck the “all instances” option which will enable another input box in which we can define the limited assessment scope.
After disabling the “all instances” option, a new input box appears which can be seen in the following screenshot.
In the above screenshot we can see that, with the help of tags, we can define the scope of the assessment. So, let’s open the EC2 console to check the tag for the instance which we wanted to add in the scope of the Inspector assessment. It can be seen in the following screenshot.
In the highlighted area, we can see that the name of the running instance is “infosec.”
The value of the key is the name. In our case, the value should be “infosec.” Let’s add the key. When we click on the input box, it will automatically suggest all available values for the fields, so the name can be searched in the suggestions.
We have selected the key value as a name and when we click on the value it will also suggest the server name. This is because we have only one server with this key value name, so in the suggestions we can see “infosec.”
After selecting “infosec,” we must uncheck the Install Agent option, as we have already installed the agent manually. This option will help us to automatically install the agent if we have many instances.
Now we have defined the assessment scope, which can also be seen by clicking on the preview button. It is shown in the screenshot given below.
In the highlighted area, we can see that there is one instance on which Inspector will run. When we click on the “next” button, it takes us to another page for configuring the assessment policies.
In the highlighted area, we can see the rules/policies which can be added or removed as per the requirements, but by default all the rules have been selected. Let’s go with all the rules.
Another thing to be configured is the duration. We can increase the duration of the assessment as per our requirement. By default, the value is defined for one hour as per the AWS recommendation. We will be using “recommended duration” and it will run as per the next schedule.
There is one more check button which can be marked if we want to re-run the assessment automatically after a predefined number of days. We can define the days, or, if we do not want to run automatically, we can uncheck the box and click the Next button.
In the above screenshot, we can see the review page which shows all the settings which we have configured up ‘til now. After checking the settings, click on the “Create” button. It will create an assessment, which can be seen in the following screenshot.
We can now see that everything is set. Let’s select the template and click on the Run button. It will start the assessment. Since we have defined the duration of this activity as one hour, it will take one hour to complete the assessment.
In the above screenshot, we can see that there are 108 findings reported by the Inspector. The detailed report can also be downloaded by clicking on the “download report” button. We can either download the report or we can see the findings by click on the “findings” button.
I download the PDF report, which gives a nice presentation with the executive summary of the identified findings. It can be seen in the following screenshot.
We can now see the findings categorized as High, Medium and Low, as per the configured policies/rules. This completes the configuration of the AWS Inspector.
I will be happy to answer any questions you may have about this walkthrough.