How to Configure Amazon Inspector
Start course

With the ever-increasing threat of attacks against the integrity, confidentiality, and availability of your data within your organization, the need to ensure strict security procedures and processes is paramount, and learning how to use Amazon Inspector is key.

AWS offers a wide range of security services to help you achieve the level of security that you need to enforce within your environment, and the Amazon Inspector service is just one of those that can help.

This service is used to help you find security vulnerabilities within your EC2 instances and any applications running on them, during any stage of development and deployment.

With its ability to automatically detect known and common security issues across a range of rules of compliance, Amazon Inspector can also provide details on how to remediate these potential weaknesses in your infrastructure. This makes the service a key asset within your security toolset.

This course looks at what the service is and does, and how it does it by going into detail about all components involved. Demonstrations will also be provided in its configuration.

Course Lectures

  • What is Amazon Inspector?: This lecture explains at a high level what Amazon Inspector is and why you may want to use it
  • Components of Amazon Inspector: This lecture defines the main components of the service and how these fit together
  • Demonstration: How to Configure Amazon Inspector: This demonstration shows how to get started and how to configure the service
  • Demonstration: Working with findings: This lecture demonstrates how to view the different Amazon Inspector findings following an assessment
  • Integration with CloudWatch & CloudTrail: This lecture explains how Amazon Inspector can be monitored with CloudWatch and CloudTrail
  • Service Limitations and Costs: This lecture explains the limitations of the service in addition to how costings are calculated
  • Summary: This lecture summarizes points learned from the previous lectures within the course

Hello, and welcome to this lecture where I'm going to demonstrate how to configure Amazon Inspector.

For the purpose of this demonstration, I have a single Linux instance, and a single Windows instance running within a public subnet of a VPC. The instances already have the agents installed as per a previous demonstration.

I have also tagged the instances with the key of OperatingSystem, and value of Windows and Linux respectively. In this demonstration, I'm going to complete the following steps. I shall create and confirm the Amazon Inspector rule. Create two assessment targets. Define two assessment templates. Run two assessment runs simultaneously. Generate an assessment report for the assessment run. And automatically schedule future assessment runs via an AWS lambda function. So let's get started.

Okay so as I just explained, I've already created two EC2 instances. A Linux box, and a Windows box. And they both have the agents installed already. And I've set up another tag called OperatingSystem with Linux and Windows tagged respectively.

So now I want to go across to Amazon Inspector to start configuring the service. So I go up to services, I've got a shortcut here already to get us in Inspector. But it's also under the security identity and compliance section here. Okay so I'm now at the Amazon Inspector dashboard. And as you can see, I don't have any findings or any assessments kind of running or completed at the moment.

If we go down to the account settings here, to manage the Amazon Inspector service rule, then we can see here that we can choose or create a new Amazon Inspector rule with the required permissions. So if we click on choose or create rule, it then takes us to a screen where it states that Amazon Inspector is requesting permission to use resources in your account. And all we need to do here is click allow in the bottom right-hand corner. But before we do, let's take a look at the details.

So it gives it a rule description. Gives it a rule name of Inspector. And it will create a new policy when we click on allow. So let's take a look at the policy document. As you can see, it allows the action of EC2 describe instances to all resources.

So effectively, read-only access to your EC2 instances. Okay, so that's the policy document that'll be associated with the rule. Then we click on allow. And that will go ahead and validate the IAM rule for Amazon Inspector. Okay so now we have the rule configured. If we click on cancel. Okay so the first thing to do is to set up some assessment targets.

Now I want to set up two assessment targets. One for the Windows boxes, and one for the Linux boxes. So if you click on create, and give it a name. Call this one Linux Assessment Target. And then we have the tags here. So we want all EC2 instances with the OperatingSystem key and a value of Linux to be included in this assessment target.

Then click on save. And we want to set up another one for the Windows box as well. So Windows Assessment Target. Again, OperatingSystem, but this time the value of Windows. So that will search all EC2 instances within my AWS account with the tag of OperatingSystem with a value of Windows. Click on save. So now we have our two assessment targets.

Now we'll need to create our assessment templates. So if we click on assessment templates up here, go to create. Give this a name. So we'll just call this one Linux. And here we can select our targets that we just created. So I want to select the Linux assessment target. Now here we can select which rule's packages we want to run against our targets. So I'm going to select all of them here, all four. And then we can select the duration of the assessment run. AWS recommends that it's run for an hour. The longer the better. But you can run it for up to 24 hours. For the sake of this demonstration, I'm just going to leave it at 15 minutes. We should pick up a few findings with that.

And like I mentioned earlier as well, you can associate an SNS topic to be notified of any events. So let me associate this topic I created earlier. And I want to see events for when the assessment run is started. When it's finished, when the state has changed, and any findings that are reported. And then down here we have attributes added to findings. So I'm going to say here assign to Linux Security Team. So if any findings are found, I want a tag to be associated with them with the key of assign to and a value of the Linux Security Team. So let's create that.

And then we have our template with the target names, and those packages, and the SNS topics, et cetera.

Now I want to create another one for Windows. So I'll call this one Windows. Set a target of the Windows assessment target. So now I'll select the rules packages, and we know security best practices doesn't run on Windows, so I'll select all the other packages other than that one. Again, duration for 15 minutes.

And again, the SNS topic. And here I'm going to say assign to Windows Security Team. And create. Okay, so we now have two assessment templates. One for Windows, and one for Linux. Each with different rules packages assigned.

So now I want to run the assessment, and I want to run them both at the same time just because I know the EC2 instances do not overlap.

So I'm able to run them both. So I've selected the assessment templates. And then I click on run. And I have a message there saying assessment run started. And as you can see, we have information here saying it is now collecting data. And the number of runs, so it's the first time this is running. So what you should do now is actively use both of those boxes for your applications, for loggin in, just as you would kinda stress test those boxes to try and uncover and unearth as many security flaws as possible.

So use them as much as you can within the assessment run. And that should uncover as many security flaws as possible. So what I'll do now, I'll pause the video, and I'll come back to this when the assessment has finished.

Okay so the assessment run is now completed. And we can see that there are four findings for our Linux box and our Windows box has 230. So if we click on the four findings for the Linux boxes, that will take us over to our Findings section here. And we can see that we have one with a severity of medium, one at low, and two informational. And similarly if we go back to our Windows box, we can see all of our findings here and like I said, we have 230 of them.

So we have quite a lot of severity high which should be rectified immediately. I won't go through on how to analyze the findings just yet. I'll be doing that in a later lecture. So I just wanted to show you at this stage that the assessment has complete. And it's found a number of findings for both assessment targets.

But what I will show you quickly is the reports. So as you can see on the far side here, we have reports, and we have an icon for each. So if we click on the one for Linux, here we can see, we can have two different reports. A findings report, or full report. The findings report just shows information about the findings.

Whereas the full report will contain all that same information plus all the rules that were passed as well. So let's just have a look at the findings report as a PDF. So if we generate this report. We can see here that it's formatted with a nice front cover. Gives you the date of which the report was generated and what assessment template was run, and the start and finish times as well. And it will just give you a quick summary of what happened during the assessment, and which rules packages we used. And also what was tested as well within those rules packages. So it's a nice report to present to any auditors or internal security teams to nicely demonstrate what was found, what was run, and all the detailed information in between.

So let's just go back to Amazon Inspector. So that's how you configure Amazon Inspector, and how you create the assessment targets, the assessment templates, and generate an assessment run as well and view the reports.

Okay so what I want to show you now is how to automatically schedule your assessment runs based off your assessment templates.

And to do this, we need to use a different service. We need to use AWS Lambda. So let's go across to the Lambda service. We will click on Dashboard. Then we need to create a Lambda function. From here, we need to select a blueprint. And if we just type in inspector, then it will filter out all the blueprints that AWS has already created for us.

And here we've got the Inspector scheduled run. Which schedules a recurring Amazon Inspector assessment run. So that's what we need. We'll need to create a rule name. So create a new rule. And we'll call this Amazon Inspector demo. Description, daily run. And then we need to enter a scheduled expression. So I want this to run everyday. And there's a couple of examples under here on how to represent days and times, et cetera. And if we enable the trigger. Then go to next.

Give this Lambda function a name. We'll call this AI demo. We can leave the description as is. Leave the runtime as NodeJS. And this is all the code within the Lambda function based off of the template that we selected.

But we do need to add an environment variable here. So we need to look for our assessment template ARN. So if we go back to Amazon Inspector. Select our Windows assessment template. And we can see here, we have an ARN for this template. So if we copy and paste that into the variable. If we then go down to the handler, we'll leave the handler as index-handler as the default. We'll then need to create a rule for permissions to run this function. So if we create a new rule from template, then Lambda will automatically create an SO permissions for us. We'll give this rule a name. Lambda demo. And then all we need to do at this point now, is click on next.

This is just a review of the options. We create the function. And that's it. It's created. Congratulations, your Lambda function has been successfully created. So now everyday, my Windows assessment target will be automatically run for me.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.