How to set up and use the AWS Amazon Inspector connector in RiskSense.
Amazon Web Services (AWS) Amazon Inspector Connector Overview
The Amazon Web Services (AWS) Amazon Inspector Connector allows users to ingest Amazon Inspector data from their AWS cloud instance. Amazon Inspector tests the network accessibility of Amazon EC2 instances and the security state of applications that run on those instances. Amazon Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings organized by severity level.
This connector pulls security-findings data based on the assessments configured on the AWS account. The data from Amazon Inspector scans is pulled into the RiskSense platform and can be used to prioritize and remediate those findings.
AWS Amazon Inspector Overview
AWS Amazon Inspector security assessments help check your Amazon EC2 instances for unintended network accessibility and vulnerabilities on those EC2 instances. Amazon Inspector assessments are presented as predefined rule packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the Internet, enabled remote root login, or installed vulnerable software versions. These rules are regularly updated by AWS security researchers.
More details on Amazon Inspector can be found here:
AWS Amazon Inspector Connector Setup Prerequisites
User Access and Permissions
To set up the connector, the user needs API access to an AWS account with full access to the Amazon Inspector service. The user needs the following:
- Access Key: Have an AWS admin create and provide an access key for your AWS User ID.
- Secret Key: Have an AWS admin create and provide the secret key associated with your access key.
- AmazonInspectorFullAccess: Have an AWS admin provide AmazonInspectorFullAccess permissions to your AWS User ID.
AWS Amazon Inspector Role Permissions
AWS Amazon Inspector uses the service-linked role named AWSServiceRoleForAmazonInspector. The AWSServiceRoleForAmazonInspector service-linked role trusts Amazon Inspector to assume the role.
The role’s permissions policy allows Amazon Inspector to complete the following action on the specified resources:
- Action: iam:CreateServiceLinkedRole on arn:aws:iam::*:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector
To successfully create the AWSServiceRoleForAmazonInspector role, the IAM identity (user, role, or group) used when working with Amazon Inspector must have the required permissions. To grant the required permissions, attach the AmazonInspectorFullAccess managed policy to the IAM user, group, or role.
Amazon Inspector Configuration in AWS
To scan your AWS resources and ingest that data into RiskSense, configure at least one Amazon Inspector Assessment. Navigate to the Amazon Inspector Dashboard to create targets, templates, and schedule assessment runs.
Steps to create a template are available here: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_getting-started.html. Use either the one-click setup or advanced setup to create an assessment template.
The following example template is set up to run on four EC2 instances and includes all four rules packages.
Amazon Inspector Rules and Rules Packages
Amazon Inspector provides four rules package to allow users option to pick and choose the rules package(s) to run against their EC2 instances. More information is available here: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html
|Network Reachability||Network Assessments||The rules in the Network Reachability package analyze your network configurations to find your EC2 instances’ security vulnerabilities. The findings that Amazon Inspector generates also provide guidance about restricting access that is not secure.|
|Common Vulnerabilities and Exposures||Host Assessments||The rules in this package help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data.|
|Center for Internet Security (CIS) Benchmarks||Host Assessments||The CIS Security Benchmarks program provides well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their security.|
|Security Best Practices for Amazon Inspector||Host Assessments||Use Amazon Inspector rules to help determine whether your systems are configured securely.|
Configuring the AWS Amazon Inspector Connector in RiskSense
Log into the RiskSense platform.
Navigate to Automation > Integrations.
Using the search bar in the upper-right corner of the Integrations page, type AWS to find the connector.
This connector appears in both the Network and Compliance categories, which operate the same. Since it has both kinds of data based on the assessment’s rules packages, it appears under two categories.
Locate the AWS card on the page and click Configuration.
Complete the following fields. These fields include:
- Name: Connector name.
- Location: AWS Amazon Inspector URL. Visit the following link to obtain your AWS Amazon Inspector URL: https://docs.aws.amazon.com/general/latest/gr/inspector.html
- Access Key and Secret Key: AWS Amazon Inspector access key and secret key credentials for accessing the AWS Amazon Inspector API endpoints.
- Network: Network name in RiskSense. Ingested data will be associated with this network.
Once the fields are complete, click Test Credentials to verify the credentials are correct and can connect to the AWS instance.
Configure the desired schedule for the connector to retrieve results from the AWS Amazon Inspector instance and optionally turn on Enable auto URBA (Update Remediation by Assessment).
Under Connector Specific Options, select the assessment templates for which AWS Inspector should run the connector.
Note: While editing a connector, you are unable to edit or update assessment templates.
RiskSense pulls the latest assessment associated with each of the assessment templates. Once connector configuration is complete, click Save to create the connector.
As soon as the connector is created, it will begin pulling data from the AWS Amazon Inspector platform. When the connector is set up, a new entry for it appears at the top of the Integrations page. The connector’s card will also show the next scheduled time and date results will be fetched. Check the connector’s status by clicking the History button.
To run the connector on demand, click the Sync icon.
Files pulled from AWS Inspector are viewable on the Uploads page.
AWS Amazon Inspector Data Visualization in RiskSense
Scan data pulled from AWS via the connector can be viewed on the Network > Hosts and Network > Host Findings pages. Assets discovered from the scan data are added to the Network > Hosts page.
The Network > Host Findings page displays all identified vulnerability details, as shown below.
Clicking any of the listed vulnerabilities provides additional details regarding that finding (exploits and malware associated) and possible solutions in the Host Findings Detail pane. Instance related data is available in the Cloud Information section under Asset Information in the Host Finding Detail pane.