Amazon Inspector is a security assessment service that helps you improve the security and compliance of applications running on your EC2 instances. It automatically assesses applications for vulnerabilities and deviations from predefined best practices. Once an assessment has run, Amazon Inspector gives you a detailed list of security findings, each with a severity level, so you can prioritize them and decide which vulnerabilities are critical and need to be fixed first.
Using Amazon Inspector to Scan EC2 Instances
In order to use Amazon Inspector to scan your EC2 instances, you need to perform the following steps:
- Open Amazon Inspector in the AWS console.
- If you are accessing it for the first time, you will see the Getting Started page as shown in the following figure.
- On the prerequisites page, you need to specify the following three options:
- An IAM Role: You need an IAM role that grants Amazon Inspector permission to perform the vulnerability assessment on the selected EC2 instances. Amazon Inspector can create this IAM role for you if you have not created it already.
- Tag Name: The tag is used to select the instances on which the vulnerability assessment will run.
- An AWS Agent: To communicate with your EC2 instances, Amazon Inspector requires an agent installed on each of them.
Installing the Amazon Inspector Agent
Installing the Amazon Inspector agent is straightforward. Depending on the platform of your EC2 instance, you need to download and install the matching agent package. Here, we are going to install the Amazon Inspector agent on a Linux-based EC2 instance; the AWS documentation covers the installation on Windows-based instances.
On a Linux EC2 instance, execute the following commands to install the AWS Inspector agent.
- wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
- sudo bash install
The AWS documentation describes the agent installation in more detail, including how to verify the signature of the installation script before running it.
Defining an Assessment Target
On the Define an assessment target page, type the target name and specify the tag key (for example, Name) and the tag value (for example, the instance name). Make sure the instance you wish to scan has the same tag key and value assigned.
Selecting Rules Packages
A rules package specifies which checks are performed during the assessment: which services, modules, ports and so on are examined. There are several rules packages you may want to use while scanning your EC2 instances; the AWS documentation describes each of them in detail.
- On the Define an assessment template page, you need to define a template name.
- Select the rules packages and the duration for which the assessment will run. For example, select the Security Best Practices-1.0 rules package and 1 Hour as the duration.
- On the Review page, click the Create button. The target will be created.
- On the next page, select the target you have created and then click Run.
Once your assessment run is completed, you will see all the vulnerabilities found by Amazon Inspector. Amazon Inspector also provides recommendations that you can follow to address each reported vulnerability.
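The same workflow driven from the AWS CLI instead of the console wizard, as an added example that is not part of the original article. It assumes the AWS CLI is configured for the region of the instances, the Inspector service-linked role already exists (the wizard's IAM role step), the agent is installed on the instances, and that the tag key/value and the target name passed to main are constructed placeholders.

```shell
# Added example (not the article's code): assumes the AWS CLI is configured for the instances' region, the agent is installed, and the tag below is a constructed placeholder.
set -eu

# Resolve a rules package ARN by its display name; the ARNs differ per region.
rules_package_arn() {
  arns=$(aws inspector list-rules-packages --query rulesPackageArns --output text)
  aws inspector describe-rules-packages --rules-package-arns $arns \
    --query "rulesPackages[?name=='$1'].arn | [0]" --output text
}
# Resource group selecting instances by tag, wrapped in an assessment target ($1 = name).
create_target() {
  rg=$(aws inspector create-resource-group --query resourceGroupArn --output text \
         --resource-group-tags "key=${TAG_KEY:-Name},value=${TAG_VALUE:-web-server}")
  aws inspector create-assessment-target --assessment-target-name "$1" \
    --resource-group-arn "$rg" --query assessmentTargetArn --output text
}
# Template = target + rules package + duration ($1 target ARN, $2 name, $3 package ARN).
create_template() {
  aws inspector create-assessment-template --assessment-target-arn "$1" \
    --assessment-template-name "$2" --duration-in-seconds "${DURATION_SECONDS:-3600}" \
    --rules-package-arns "$3" --query assessmentTemplateArn --output text
}

# Start a run from template $1, poll until it reaches a terminal state, print the run ARN.
run_assessment() {
  run=$(aws inspector start-assessment-run --assessment-template-arn "$1" \
          --query assessmentRunArn --output text)
  while :; do
    state=$(aws inspector describe-assessment-runs --assessment-run-arns "$run" \
              --query 'assessmentRuns[0].state' --output text)
    case "$state" in COMPLETED*|FAILED|ERROR|CANCELED) break ;; esac
    sleep 60
  done
  echo "run $run ended in state $state" >&2
  echo "$run"
}
# Findings of severity $2 (High, Medium, Low, Informational) for run $1 as "severity<TAB>title" lines.
findings_by_severity() {
  arns=$(aws inspector list-findings --assessment-run-arns "$1" \
           --filter "severities=$2" --query findingArns --output text)
  [ "${arns:-None}" != None ] || return 0   # nothing at this severity
  aws inspector describe-findings --finding-arns $arns \
    --query 'findings[].[severity,title]' --output text
}
main() {  # $1 = assessment target name; High findings are listed first for triage
  tmpl=$(create_template "$(create_target "$1")" "$1-template" \
           "$(rules_package_arn 'Security Best Practices')")
  findings_by_severity "$(run_assessment "$tmpl")" High
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh inspector-scan.sh my-target` (file name is arbitrary); polling every minute matters because a one-hour template keeps collecting data for the full duration before findings appear.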
That's all you need to scan your AWS-hosted instances with Amazon Inspector. One advantage of Amazon Inspector is that you do not need approval from the AWS security team to scan your EC2 instances. By contrast, when scanning from an external source, you must first provide the source and destination IP addresses, the scanning window, and some other details to the AWS security team, and they may or may not approve the scan of your EC2 instances.
If you scan your EC2 instances from an external location (outside the AWS network) without consulting the AWS security team, AWS may treat the traffic as malicious and shut down your EC2 instances, even if they are your production servers.