Ref: https://learn.cantrill.io/courses/1820301/lectures/41301518
Amazon Inspector - Overview
- 🔧 Scans compute resources for security issues and generates reports
- Supported compute resources:
- EC2 instances (their NW configuration as well as their OS)
- Containers registered in ECR
- Lambda functions
- Scans for vulnerabilities (known CVEs), network exposure, and deviations from security best practices
- Flags risky network configurations (e.g. a well-known port reachable from the internet) and insecure host settings; it is an assessment tool, not a traffic-monitoring service like GuardDuty
- Security assessments (scans)
- Varying length: 15 mins, 1h, 8h, 12h, or 1 day (Inspector Classic; longer runs give the agent more time to observe host behaviour, while the current Inspector scans continuously instead of in timed runs)
- Rules packages determine what is checked in an assessment
- Generates report of findings ordered by severity/priority/risk score
- Integration with AWS Security Hub and Amazon EventBridge
- Inspector Agent → SW installed on a host to provide host assessments as well as richer NW assessments (e.g. whether a process is actually listening on an exposed port)
- 💡 The current Inspector uses the AWS Systems Manager (SSM) Agent for this; Inspector Classic used a dedicated Inspector agent
- Amazon Inspector - Diagram
Amazon Inspector - Assessment Types
- NW assessment → checks NW configurations → uses NW reachability rules package
- No Agent required, but Agent can provide additional OS visibility
- Checks end-to-end reachability to other EC2 instances, ELB, ALB, DX, ENIs, IGW, ACLs, RTs, SGs, subnets, VPCs, VGWs, VPC Peering…
- Findings returned (recognized port = well-known port associated with a known service, e.g. 22/SSH, 3389/RDP):
- UnrecognizedPortWithListener → a port not associated with a well-known service is reachable and an OS process is listening on it
- RecognizedPortWithListener → a well-known port is reachable and a process is listening on it
- RecognizedPortNoListener → a well-known port is reachable, but nothing listens on it (SG/NACL is wider than needed)
- RecognizedPortNoAgent → a well-known port is reachable, but with no agent Inspector can't check whether an OS listener exists
- Host assessment → checks OS-level vulnerabilities
- Requires Agent
- Supported rules packages:
- Common Vulnerabilities and Exposures (CVE)
- DB of publicly known cybersecurity vulnerabilities (each has a CVE ID of the form CVE-YYYY-NNNN)
- Center for Internet Security (CIS) benchmarks
- Well-defined, unbiased, consensus-based industry best practices
- Security Best Practices for Amazon Inspector
- e.g. disable root login over SSH, support SSH version 2 only, disable password authentication over SSH, password complexity/age rules, enable ASLR and DEP…
- Provided by Amazon
- Runtime Behavior Analysis (also host-level): insecure protocols, unused open ports and insecure client/server protocol settings observed while the agent runs
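Added example (not code from the course or from AWS): an offline triage of Inspector Classic findings that orders them by risk score the way the generated report does (see the Overview above) and maps the four Network Reachability finding types to the follow-up each implies. The sample findings are constructed to mirror the top-level shape of `describe_findings` output (id, title, severity, numericSeverity, assetAttributes, attributes); treating `id` as the network finding type and the attribute keys PORT/PROTOCOL are assumptions, and no AWS API is called.

```python
"""Triage Amazon Inspector Classic findings offline.

Added example, not code from the course or from AWS. Sample findings below are
constructed; using `id` as the network finding type and the PORT/PROTOCOL
attribute keys are assumptions about the finding shape.
"""
from collections import Counter

# Severity labels Inspector Classic uses, ranked for tie-breaking.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0, "Undefined": -1}

# Follow-up implied by each Network Reachability finding type (from the notes above).
NETWORK_ACTIONS = {
    "UnrecognizedPortWithListener": "non-well-known port reachable and something listens: identify the process, decide if exposure is intended",
    "RecognizedPortWithListener": "well-known port reachable and a listener is present: confirm it must be exposed on this path, else tighten SG/NACL",
    "RecognizedPortNoListener": "well-known port reachable but nothing listens: SG/NACL is wider than needed, tighten it to cut attack surface",
    "RecognizedPortNoAgent": "well-known port reachable but no agent, so listener state is unknown: install the agent and re-run the assessment",
}

# Constructed sample findings (not real Inspector output).
SAMPLE_FINDINGS = [
    {"id": "CVE-2016-0800", "title": "Instance i-0a1 is vulnerable to CVE-2016-0800",
     "severity": "High", "numericSeverity": 9.0,
     "assetAttributes": {"agentId": "i-0a1"}, "attributes": []},
    {"id": "RecognizedPortNoAgent", "title": "TCP port 22 on i-0b2 is reachable from the internet",
     "severity": "Medium", "numericSeverity": 6.0,
     "assetAttributes": {"agentId": "i-0b2"},
     "attributes": [{"key": "PORT", "value": "22"}, {"key": "PROTOCOL", "value": "TCP"}]},
    {"id": "RecognizedPortNoListener", "title": "TCP port 3389 on i-0a1 is reachable from the internet",
     "severity": "Low", "numericSeverity": 3.0,
     "assetAttributes": {"agentId": "i-0a1"},
     "attributes": [{"key": "PORT", "value": "3389"}, {"key": "PROTOCOL", "value": "TCP"}]},
    {"id": "UnrecognizedPortWithListener", "title": "TCP port 8443 on i-0c3 is reachable from the internet",
     "severity": "Medium", "numericSeverity": 6.5,
     "assetAttributes": {"agentId": "i-0c3"},
     "attributes": [{"key": "PORT", "value": "8443"}, {"key": "PROTOCOL", "value": "TCP"}]},
    {"id": "CIS-5.2.8", "title": "Disable root login over SSH on i-0c3",
     "severity": "Informational", "numericSeverity": 0.0,
     "assetAttributes": {"agentId": "i-0c3"}, "attributes": []},
]


def attribute(finding, key):
    """Return the value of the attributes[] entry with the given key, or None."""
    for attr in finding.get("attributes", []):
        if attr.get("key") == key:
            return attr.get("value")
    return None


def prioritize(findings):
    """Order findings as the report does: highest risk score first, then
    severity label, then title for a stable order."""
    return sorted(
        findings,
        key=lambda f: (
            -float(f.get("numericSeverity", 0)),
            -SEVERITY_RANK.get(f.get("severity", "Undefined"), -1),
            f.get("title", ""),
        ),
    )


def network_followups(findings):
    """For each Network Reachability finding return (instance, proto/port, type, action)."""
    out = []
    for f in findings:
        ftype = f.get("id")
        if ftype in NETWORK_ACTIONS:
            proto_port = f"{attribute(f, 'PROTOCOL')}/{attribute(f, 'PORT')}"
            out.append((f["assetAttributes"]["agentId"], proto_port, ftype, NETWORK_ACTIONS[ftype]))
    return out


def hosts_needing_agent(findings):
    """Instances where a port is exposed but no agent could confirm a listener."""
    return sorted({f["assetAttributes"]["agentId"] for f in findings
                   if f.get("id") == "RecognizedPortNoAgent"})


def severity_counts(findings):
    """Count findings per severity label."""
    return dict(Counter(f.get("severity", "Undefined") for f in findings))


def report(findings):
    """Plain-text report, one line per finding, highest risk first."""
    return "\n".join(
        f"{f['severity']:<13} {float(f.get('numericSeverity', 0)):>4} {f['title']}"
        for f in prioritize(findings)
    )


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
    for inst, port, ftype, action in network_followups(SAMPLE_FINDINGS):
        print(f"{inst} {port} {ftype}: {action}")
    print("install agent on:", hosts_needing_agent(SAMPLE_FINDINGS))
```

RecognizedPortNoAgent is deliberately treated as an action item rather than a low-value finding: until an agent is on the host, the network assessment cannot tell an exposed-but-closed port from an exposed-and-listening one.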