With the ever-increasing threat of attacks against the integrity, confidentiality, and availability of your data within your organization, the need to ensure strict security procedures and processes is paramount, and learning how to use Amazon Inspector is key.
AWS offers a wide range of security services to help you achieve the level of security that you need to enforce within your environment, and the Amazon Inspector service is just one of those that can help.
This service is used to help you find security vulnerabilities within your EC2 instances and any applications running on them, during any stage of development and deployment.
With its ability to automatically detect known and common security issues across a range of rules of compliance, Amazon Inspector can also provide details on how to remediate these potential weaknesses in your infrastructure. This makes the service a key asset within your security toolset.
This course looks at what the service is and does, and how it does it by going into detail about all components involved. Demonstrations will also be provided in its configuration.
Course Lectures
- What is Amazon Inspector?: This lecture explains at a high level what Amazon Inspector is and why you may want to use it
- Components of Amazon Inspector: This lecture defines the main components of the service and how these fit together
- Demonstration: How to Configure Amazon Inspector: This demonstration shows how to get started and how to configure the service
- Demonstration: Working with findings: This lecture demonstrates how to view the different Amazon Inspector findings following an assessment
- Integration with CloudWatch & CloudTrail: This lecture explains how Amazon Inspector can be monitored with CloudWatch and CloudTrail
- Service Limitations and Costs: This lecture explains the limitations of the service in addition to how costings are calculated
- Summary: This lecture summarizes points learned from the previous lectures within the course
Hello and welcome to this lecture. What I want to show you, how to work with Findings from your Assessment Runs, that you may find. I thought that this lecture might be easier if we continue on from the previous demonstration, so let's get back to the environment.
Okay, so we're back in the console, looking at our two Assessment Runs, that we had and just as a quick reminder, for the Linux template, we had four Findings and for the Windows, we had 230, so I just kind of want to run through how you can look at the Findings in a bit more detail and the information that they provide.
If we go across to the left-hand side here under Findings, there's a number of Severity Filters, High, Medium, Low and Informational, so if we take a look at the High Severity Findings first. Now, we can see that there's 227 of these, that the Assessment has found and we can see that the majority of them are against the Windows template, so let's have a look at one of these Findings, just to see what information we have.
So, if we expand the Finding and get a bit more detail, this will give us the ARN of the Finding, the Run Name, the Target Assessment, that the Finding was run against and which template was used within the Assessment as well and the Start and End Time of the Assessment Run and the Current Status. As we scroll down, we can also see which Rules Package that this Finding came from, so this came from the CIS Benchmarks and it also gives the ID of the Instance as well, I mean, if we was to click on this, for example, it'll take us straight to that Instance, as we can see there, it's the Windows box, so there's a number of hyperlinks, that you can kind of access the Target etc and the template, if you needed to to get more information.
Right, in this section here, the Finding, this is actually the issue that it found and then it raised, so here you can see, it explains that this Instance is not compliant with a specific rule within the Rules Package and it explains that you need to ensure there's a minimum password age is set to one or more days and this is a requirement against the CIS Benchmark for this Windows server, 2012, so that's been highlighted as Severity of High.
If we go down to the Descriptions section, it gives us further details again and again, this talks about the minimum password age, it needs to be set to more than one day, it says you can go up to a maximum of 999 days and it also gives a rationale behind the reasoning for this Finding, so there's a quite a lot of information there to get an understanding of why the Finding has been found and why there should be Recommendations to rectify it and then finally with regards to Recommendations, it does give a Recommendation on what you should do to resolve the issue and here it says you need to establish the recommended configuration, you need to set the following UI path to one or more days and then here, it's also given us the path as well, so it's very easy for us to get an understanding of what the issue is, why it's an issue and what we need to do to remediate the problem.
So, it's quite a lot of detail within the Findings. Let's close that one up and again, if we go through any other Finding, it'll be similar kind of information, again a Description, a rationale and a Recommendation as well.
So, if we look at some of the Medium Severities, so it's only found one Medium Severity issue here against the Linux box, so if we take a look at that, again we have the ARN, the Run Name, Target and template name and again, what's important is to know which Rules Package this has come from, so it's come from the Security Best Practices and against which Agent as well and the Finding here explains that it's configured to allow users to log in with root credentials over SSH, which increases the likelihood of a brute force attack and again it's given a Recommendation as to what to do to resolve the issue and it explains here a couple of commands to disable SSH root logins, so again, very good information, very useful and a Recommendation on how to resolve the problem.
So, let's take a look at if we've got any Low Findings and yes, we have a couple, we have one for Windows and one for Linux against Behavior Analysis, Runtime Behavior Analysis, so let's take a quick look. Again, all very similar information, we have the Rules Package there, the Agent and the Finding as well, it's saying that there are insecure protocols used to connect to the remote host and again, a Recommendation of replacing those insecure protocols with encrypted versions and if we look at the Linux Finding, we can also see here that it's the same issue, that insecure protocols were used to connect to the remote host.
So that's just a couple of Low Findings there, but if it was in a production environment, then you would definitely look to resolve all the High Severities first and then the Mediums and then work on the Lows afterwards and then finally we have Informational and we have a couple of items here for both boxes, Windows and Linux, so if we take a look at one of the Windows, let's see what it says here. It just explains in the Finding, that this agent was listening on TCP ports, but no connections were using those ports during the Assessment Run, so the Recommendation is to disable any network services, that we don't use, so we don't expose those ports and we can reduce the attack surface area of our deployment.
So again, these are just Informational, we can take action upon that, if we need to, but it's not a great risk to us.
What you can also do as well is download this information by clicking on this button here and it will export the data as a CSV file, so let's export all columns and take a look. So this opens the CSV file of a lot of the Findings information stood, Severity, Date, the actual Finding itself, which is the important part, which Targets these were found on and which template and against which Rules Package and again, we have the ARN Rule, agent ID, etc. So you might want to export some of those Findings into a CSV file to kind of work against them and maybe track them a little easier and pass this document around to other members within the team.
So let's go back to the console. So that's essentially it for Findings, they'll all be found on this left-hand side in this menu under Findings and then you can Filter them as required against specific Targets or templates or even Rules Packages as well, if you're just interested in a particular Rules Package, then you can just break those down individually.
Okay, then that's the end of the demonstration.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.