Amazon Inspector

Abimuktheeswaran Chidambaram
6 min readAug 29, 2023

--

AWS Inspector

Amazon Inspector is a vulnerability management service that scans your AWS workloads such as EC2 instances, ECS containers, and Lambda functions for finding security vulnerabilities and unintended network exposure. Amazon Inspector creates finding when it discovers vulnerability. The term CVE stands for Common Vulnerability and Exposure is used to allow vulnerability databases and other tools linked together. It acts like a database of known vulnerabilities and exposures.

In this article, we will cover the following chapters

  • Works with EC2 instances
  • Works with ECS containers & images
  • Works with lambda functions
  • Works with findings
  • Vulnerability database search

1. Works with EC2 instances

Amazon Inspector scans your EC2 instances ( both Windows and Linux instances) and Programming languages along with SSM and SSM agents. It uses SSM to collect information about software application inventory.

Configure the SSM agent

So what is an SSM agent and why do we need it? The SSM agent is used to automate the following operations such as update, manage, and configure in instances. To detect the vulnerability for the EC2 instance, the instance should be the managed instance ( the machine (or) instance configured for system manager) in Amazon EC2 SSM. By default, the SSM agent is installed on SSM managed EC2 instance. If not pre-installed, we want to install it manually. We want to activate and grant the permissions for instance. You can automate SSM management of all your EC2 instances using the default host management configuration. To verify the status of the SSM agent, you may check via Amazon CLI using Linux commands.

EC2 Scanning with Windows instances

Amazon Inspector scans EC2 Windows instances every 6 hours by default. You can set custom schedules to change scanning time from 6 hours to 12 hours. To scan your Windows instance, Amazon Inspector needs the following requirements. The instance must have an SSM plug-in. The instance should be managed instance. The instance should be one of the Windows-supported operating systems.

EC2 Scanning with Linux instances (Deep Inspection)

Amazon Inspector scans programming language packages in EC2 Linux instances every 6 hours by default. In scanning, the default path is the programming language library. You can set custom paths also. You can set 5 custom paths for individual accounts and 10 custom paths per account in the organization. To scan your Linux instance, Amazon Inspector needs the following requirements such as The instance must have an SSM plug-in and it should be a managed instance. The instance should be one of the Linux-supported operating systems.

Scanning Behaviours

Generally after the activation of scanning, it scans all the SSM managed EC2 instances. It performs a re-scan of SSM-managed instances for vulnerability in the following situation.

  • When you launch a new SSM-managed EC2 instance.
  • When you install new software on the existing instance (Linux only).
  • When the AWS inspector adds a new item (Common Vulnerability and Exposure) to its database and that item is related to your instance.

You can check the last scanned time for your EC2 instance in the Account Management page -> Instances tab →Last Scanned field.

2. Works with ECS containers & images

Amazon Inspector scans your container images stored in ECS to generate package vulnerability findings. There are two types of scanning in ECS. They are Basic Scanning and Enhanced Scanning.

Basic Scanning is the default scanning. It scans only the operating system, so there is no charge. When the Basic Scanning is complete, it sends the event to Event Bridge and you can get a summary of your scanning results.

Enhanced Scanning is used to scan the Operating system and Programming language at the registry level. You can review and findings discovered at the image level. The scanning duration is Lifetime(default), 180 days, 30 days. Enhanced Scanning is charged. It integrates with AWS Security Hub, Organization, and Event Bridge. Enhanced Scanning gives the choice between continuous scanning and on-push scanning. continuous scanning includes automated rescans and on-push scans. on-push scanning scans when you initially push the image. Enhanced Scanning sends the following events to the Event bridge in the following situation. They are

  • Event for a repository scan frequency change
  • Event for an initial image scan (equivalent to a Basic scanning)
  • Event for an image scan finding update (created, updated, closed).

Scanning Behaviour

When you activate the Amazon ECR Scanning, initially it scans all the eligible images pushed in the last 30 days. By default, all the images are scanned lifetime. After the activation of ECR scanning, it automates the re-scan of all the images continuously. Generally, AWS Inspector performs a scan for vulnerability in the following situation.

  • When you push the new image.
  • When the AWS inspector adds a new item (Common Vulnerability and Exposure) to its database that item is related to your image.

You can check the last scanned time for your ECR image in the Account Management page -> Container images tab →Last Scanned field.

3. Works with lambda function

Amazon Inspector scans your lambda functions as lines of code to provide continuous, automated security vulnerability assessments. There are two types of scanning in ECS. They are Standard Scanning and Code Scanning.

Standard Scanning is the default scanning. It scans the application dependencies in lambda functions and its layer for package vulnerabilities. You can activate and de-activate Standard Scanning at any time. If Amazon Inspector detects vulnerability it produces package vulnerability. Note: De-activating the Standard Scanning will also de-activate the Code Scanning.

Code Scanning scans the custom application code in lambda functions for code vulnerabilities. You can activate and de-activate Code Scanning at any time. If Amazon Inspector detects vulnerability it produces code vulnerability.

4. Works with findings

finding is used to describe the vulnerability details and give the remediation guidelines. finding is a detailed report about a vulnerability that affects one of your AWS resources.

finding states in Amazon Inspector are Active findings, Suppressed findings, and Closed findings. Active findings are vulnerability is detected but not remediated. Suppressed findings are Active findings that you have excluded using suppression rules and Closed findings are vulnerability is detected and remediated and closed after 30 days.

finding types in Amazon Inspector are Package Vulnerability, Code Vulnerability, and Network reachability. Package Vulnerability is used to identify the vulnerabilities in software packages. CVE detections (database) for Windows are added to AWS inspector within 48 hours by Microsoft. CVE detections (database) for Linux are added to the AWS inspector within 24 hours by vendor security advisories. Code Vulnerability is used to identify the vulnerabilities in lambda functions (in lines of code). CodeGuru is a tool to identify vulnerabilities and improve security in code. Network reachability identifies the vulnerabilities in the network path for EC2 resources. AWS Inspector performs network reachability for EC2 instances in every 24 hours without an SSM agent.

Security levels in finding There are some numerical scores of security levels in finding 0 means informational, 0.1–3.9 means low, 4.0–6.9 means medium, 7.0–8.9 means high, and 9–10 means critical.

4. Vulnerability database search

Amazon Vulnerability database search is used to check that the AWS Inspector scan covers the Common Vulnerability and Exposure. If the Amazon Inspector covers the CVE, it contains the details about CVE and threat intelligence data from Amazon and the Cybersecurity and Infrastructure Security Agency (CISA).

For more information about AWS Inspector click here. Your opinion is valuable regarding information missing (or) that needs to be updated and improved.

Have a great day… Thanks for reading

Last Updated: 07-Jan-2024

--

--

No responses yet