AWS Inspector for Vulnerability and Image Scanning

AWS Inspector is a fully managed, automated security assessment service that enables you to improve the security and compliance of your applications deployed on Amazon Elastic Compute Cloud (Amazon EC2) instances. It analyzes your EC2 instances and identifies potential security vulnerabilities, deviations from best practices, and exposure to common attack vectors. With AWS Inspector, you gain valuable insights to help you mitigate risks and build more secure applications.
June 2, 2022
min read
Yehonatan Rumyantsev
Cloud Specialist
Tags
No items found.
Related Resources
No items found.

TL;DR

What is AWS Inspector?

AWS Inspector is a fully managed, automated security assessment service that enables you to improve the security and compliance of your applications deployed on Amazon Elastic Compute Cloud (Amazon EC2) instances. It analyzes your EC2 instances and identifies potential security vulnerabilities, deviations from best practices, and exposure to common attack vectors. With AWS Inspector, you gain valuable insights to help you mitigate risks and build more secure applications.

Vulnerability Scanning

Vulnerability scanning is the process of identifying and analyzing potential security vulnerabilities in your infrastructure. AWS Inspector performs this task by running assessments against your EC2 instances, comparing them to an extensive library of known vulnerabilities, and generating detailed findings.

AWS Inspector's vulnerability scanning capabilities include:

  1. Continuous Monitoring: AWS Inspector automatically monitors your instances for any changes in configurations or newly discovered vulnerabilities. This ensures that you are always aware of potential risks and can take appropriate action to mitigate them.
  2. Customizable Assessment Templates: You can create assessment templates based on your organization's specific security requirements, helping you to focus on the most critical vulnerabilities.
  3. Comprehensive Reports: AWS Inspector generates comprehensive reports with detailed findings, recommended remediations, and severity ratings for each identified vulnerability. This information enables you to prioritize your security efforts and effectively address vulnerabilities in your infrastructure.

Image Scanning

In addition to vulnerability scanning, AWS Inspector also offers image scanning capabilities. This feature allows you to scan your Amazon Machine Images (AMIs) and Amazon Elastic Container Registry (ECR) images for known vulnerabilities, providing an additional layer of security for your instances.

Key features of image scanning include:

  1. Pre-deployment Security: By scanning AMIs and ECR images before deployment, you can identify and remediate vulnerabilities before they become part of your running infrastructure.
  2. Continuous Updates: AWS Inspector continuously updates its vulnerability database, ensuring that your image scanning is always up-to-date with the latest security information.
  3. Integration with AWS Services: Image scanning integrates with other AWS services, such as AWS Systems Manager, AWS Security Hub, and Amazon ECR, providing a comprehensive view of your security posture across your entire AWS infrastructure.

ECR Scanning

Amazon Elastic Container Registry (ECR) is a fully-managed container registry that makes it easy to store, manage, and deploy container images. AWS Inspector integrates with ECR to scan your container images for vulnerabilities, allowing you to ensure the security of your containerized applications.

ECR scanning capabilities include:

  1. Automated Scanning: AWS Inspector can automatically scan ECR images whenever they are pushed to the registry, providing continuous security monitoring for your container images.
  2. Image Vulnerability Findings: Detailed findings for each identified vulnerability are provided, along with recommended remediations and severity ratings, helping you to prioritize and address potential security issues.
  3. Integration with AWS Services: ECR scanning integrates seamlessly with other AWS security services, providing a unified security monitoring and management experience.

To enable AWS Inspector and start using it for vulnerability assessments, follow these steps:

  1. Sign in to the AWS Management Console

Sign in to the AWS Management Console using your AWS account credentials. If you don't have an account yet, create one and complete the sign-up process.

  1. Access the AWS Inspector console

Navigate to the AWS Inspector console by searching for "Inspector" in the "Services" search bar or by visiting the following URL: https://console.aws.amazon.com/inspector/

  1. Install the AWS Inspector Agent (optional)

For more in-depth assessments and better visibility into your instances, you can install the AWS Inspector Agent on your Amazon EC2 instances. The agent helps gather more information about the instances and provides better results in the assessment reports. Detailed instructions for installing the agent can be found in the official AWS documentation: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_agents.html

  1. Create an IAM role for AWS Inspector

AWS Inspector requires an IAM role with the necessary permissions to access your resources and perform security assessments. To create the role:

  • Go to the IAM console: https://console.aws.amazon.com/iam/
  • In the navigation pane, click "Roles," then "Create role."
  • Choose "AWS service" as the trusted entity type and select "Inspector" as the service.
  • Click "Next: Permissions," then attach the "AmazonInspectorServiceRolePolicy" policy.
  • Click "Next: Tags" to add optional tags.
  • Click "Next: Review," provide a role name (e.g., "InspectorRole"), and click "Create role."
  1. Define a target assessment

In the AWS Inspector console, click "Get Started" or "Create an assessment target" to define which instances should be assessed. Provide a name for the assessment target and select the instances you want to include in the assessment. You can select instances based on tags or manually pick them from the list.

  1. Create an assessment template

An assessment template defines the rules packages and assessment duration. To create an assessment template:

  • In the AWS Inspector console, click "Create an assessment template."
  • Select the assessment target you created in step 5.
  • Choose the desired rules packages (e.g., "Common Vulnerabilities and Exposures," "Center for Internet Security (CIS) Benchmarks," etc.).
  • Set the assessment duration (minimum 1 hour).
  • Configure SNS notifications if you want to receive assessment results via email or other notification channels.
  • Click "Create."
  1. Start the assessment

To start the assessment, go to the "Assessment templates" tab in the AWS Inspector console, select the template you created in step 6, and click "Run." AWS Inspector will begin assessing your instances based on the rules packages and settings you defined.

  1. Review the findings

The Newly Released "Side Scanning" Feature

The "side scanning" feature is a significant enhancement to AWS Inspector. It represents a new methodology in vulnerability scanning that offers several benefits:

  1. Non-Intrusive Scanning: Unlike traditional vulnerability scanning that requires running an agent within the host, side scanning performs the assessment externally. This approach reduces the performance impact on the host system.
  2. Comprehensive Coverage: Side scanning can assess both running and stopped EC2 instances, providing a more comprehensive view of the security posture.
  3. Efficiency in Scanning: This method is faster and more efficient, as it doesn't rely on the traditional, time-consuming processes associated with agent-based scanning.
  4. Improved Accuracy: By scanning from the side, this feature can potentially detect vulnerabilities that might be missed by in-host scanning methods due to various limitations or configurations.
  5. Easy Integration: Side scanning integrates seamlessly with existing AWS workflows and services, making it easy for users to adopt without major changes to their current processes.