A Five Minute Overview of AWS Inspector

(If you would prefer to listen to this article, click this link to hear it using Amazon Polly. It will also be available in iTunes: search for LabR Learning Resources. )

Vulnerability assessment is a cornerstone of every information security program. This approach uses a variety of tools and techniques to understand the vulnerability footprint of a single machine, a single application or the entire enterprise. Methods include port scanning, dynamic security testing, penetration tests and source code analysis.

In previous articles, I introduced several AWS security services including Security Hub, and Guard Duty (with more to come).

Mind Map illustrating the AWS Security tools.

This article looks at AWS Inspector. What is it used for, how to set it up and generate reports. As a “Five Minute Overview”, I won’t be diving into all of the details.

What is AWS Inspector?

AWS Inspector is a Security vulnerability tool used to assess the network visibility and security vulnerability posture of your EC2 instances. This is an important consideration — AWS Inspector only examines EC2 instances.

AWS inspector Mind Map

AWS inspector is capable of both network and host level assessments. A host level assessment requires the installation of the AWS Inspector agent on the EC2 instances, while the network level assessments do not.

What are the Differences between Assessment Types?

The Network Assessment evaluates the EC2 instance protections for internet visible ports. This means, for connections from points outside the VPC. This type of assessment cannot examine the EC2 instance itself, unless the optional agent is installed.

The Host Assessment is significantly more thorough, as it evaluates the EC2 instances for vulnerable software (CVE), systems hardening (CIS) and security best practices. The agent can be installed using the AWS Systems Manager (formerly EC2 Systems Manager), or manually on each instance. Using AWS Systems Manager to install the Inspector Agent is not covered in this article.

Running an Assessment

Once you have signed up for AWS Inspector, and decided if you want to run a network or host assessment, click on one of the options to “Run the assessment weekly”, “Run once”, or enter advanced setup.

Selecting the Assessment Model and Configuration

If you select “Run weekly” or “Run Once”, AWS Inspector will install the Host Assessment Agent on the target instances, if it has the Systems Manager agent already installed.

Inspector then launches the assessment, the findings are visible from the dashboard as we shall see momentarily.

Note that AWS recommends using the “Run weekly” option to ensure your findings are up to date and account for periodic changes in the infrastructure you have deployed in your VPC.

Assessment Targets and Templates

The Assessment Targets define the specific instances an assessment is launched against. For example, you can create an assessment target which contains all of the internet facing instances, and apply a specific template to execute against those targets. The template defines the specific rules for the assessment.

The Inspector Dashboard

From the AWS Inspector Dashboard, you can create new assessments, new assessment targets, templates and view the findings from previous assessments.

AWS Inspector Dashboard

Inspector Finings

To see the findings for your assessment, access the AWS Inspector Dashboard and click on the “Findings” link.

The Findings view shows the severity of the finding, the date it was found and a summary of the finding. To see the details of the finding, click on the triangle next to the finding.

There is a lot of information generated in each of the detail lines in the assessment. This includes the details on the assessment itself as seen above, and the specific finding.

The details explain why this finding was generated, the rule set which created the finding, the details on the VPC and instance, along with an explanation of the finding and what you should do about it.

Pricing

AWS Inspector is a “pay for what you use” service, like the vast majority of those provided by AWS. The pricing model is based upon the assessment type, and the number of instances examined in the assessment.

Conclusion

Information security is very important for our individual workstations, servers in data centers or in the cloud. Regardless of where your servers and data are, a comprehensive information security program is essential.

AWS Inspector forms one part of that information security program through network and host based vulnerability assessments. The results from AWS Inspector can be viewed directly in the AWS Inspector console, or incorporated into AWS Security Hub.

Everyone creating EC2 instances in their VPC should subscribe to AWS Inspector to evaluate the security posture of their instances. When combined with the other AWS security products, or available third party products, you can create a comprehensive security program for your cloud resources.

References

AWS Inspector Overview

AWS Inspector Pricing

AWS Security Hub

AWS Security Hub User Guide

AWS Guard Duty

AWS Macie

AWS Config

AWS VPC Flow Logs

AWS CloudTrail

CIS AWS Foundations Announcement

CIS AWS Foundations Benchmark

Copyright 2019, Chris Hare

Chris is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store