09 Aug 2022
This article looks at AWS Inspector. What is it used for, how to set it up and generate reports I won’t be diving into all of the details:
What is an AWS Inspector?
AWS Inspector is a Security vulnerability tool used to assess the network visibility and security vulnerability posture of your EC2 instances. This is an important consideration — AWS Inspector only examines EC2 instances.
AWS inspector is capable of both network and host level assessments. A host level assessment requires the installation of the AWS Inspector agent on the EC2 instances, while the network level assessments do not.
It uses an on-host agent (Inspector Agent) to analyze the configuration and behavior of operating systems and applications to identify potential security exposures like common vulnerabilities and insecure configuration settings.
It can basically carry out two (02) main functions:
- Network Assessment : [Network Reachability]
- Host Assessment : [Common vulnerabilities and exposes, CIS benchmarking, Security Best Practices, Runtime behavior analysis]
As you can see on Figure 1, in order to do this assessments, especially the host assessment, you are required to install the Inspector Agent on the assessed EC2 instance.
Inspector Agent Installation
There are two ways you can activate Inspector on your EC2 instances.
- Manual Installation on EC2
- Using the Inspector Target
What are the Differences between Assessment Types?
The Network Assessment evaluates the EC2 instance protections for internet visible ports. This means, for connections from points outside the VPC. This type of assessment cannot examine the EC2 instance itself, unless the optional agent is installed.
The Host Assessment is significantly more thorough, as it evaluates the EC2 instances for vulnerable software (CVE), systems hardening (CIS) and security best practices. The agent can be installed using the AWS Systems Manager (formerly EC2 Systems Manager), or manually on each instance. Using AWS Systems Manager to install the Inspector Agent is not covered in this article.
Running an Assessment
Once you have signed up for AWS Inspector, and decided if you want to run a network or host assessment, click on one of the options to “Run the assessment weekly”, “Run once”, or enter advanced setup.
If you select “Run weekly” or “Run Once”, AWS Inspector will install the Host Assessment Agent on the target instances, if it has the Systems Manager agent already installed.
Inspector then launches the assessment, the findings are visible from the dashboard as we shall see momentarily.
Note that AWS recommends using the “Run weekly” option to ensure your findings are up to date and account for periodic changes in the infrastructure you have deployed in your VPC.
Assessment Targets and Templates
The Assessment Targets define the specific instances an assessment is launched against. For example, you can create an assessment target which contains all of the internet facing instances, and apply a specific template to execute against those targets. The template defines the specific rules for the assessment.
The Inspector Dashboard
From the AWS Inspector Dashboard, you can create new assessments, new assessment targets, templates and view the findings from previous assessments.
To see the findings for your assessment, access the AWS Inspector Dashboard and click on the “Findings” link.
The Findings view shows the severity of the finding, the date it was found and a summary of the finding. To see the details of the finding, click on the triangle next to the finding.
There is a lot of information generated in each of the detail lines in the assessment. This includes the details on the assessment itself as seen above, and the specific finding.
The details explain why this finding was generated, the rule set which created the finding, the details on the VPC and instance, along with an explanation of the finding and what you should do about it.
AWS Inspector is a “pay for what you use” service, like the vast majority of those provided by AWS. The pricing model is based upon the assessment type, and the number of instances examined in the assessment.
Information security is very important for our individual workstations, servers in data centers or in the cloud. Regardless of where your servers and data are, a comprehensive information security program is essential.
AWS Inspector forms one part of that information security program through network and host based vulnerability assessments. The results from AWS Inspector can be viewed directly in the AWS Inspector console, or incorporated into AWS Security Hub.
Everyone creating EC2 instances in their VPC should subscribe to AWS Inspector to evaluate the security posture of their instances. When combined with the other AWS security products, or available third party products, you can create a comprehensive security program for your cloud resources.