Security and Identity
Welcome to the Security Fundamentals of AWS for Cloud Practitioner course. Roughly one quarter of the AWS Certified Cloud Practitioner exam focuses on AWS security concepts, as well as security services, so we've included a course covering the basic services, and how they protect AWS cloud solutions.
This course covers a range of different services, including:
- AWS Identity and Access Management
- AWS Directory Services
- AWS Web Application Firewall
- Amazon Inspector
- AWS Organizations
This course also covers a fundamental AWS concept, the Shared Responsibility Model.
By the end of this course you will be able to:
- Describe the basic functions that each security service performs within a cloud solution
- Recognize basic components and features of each service
- Understand how each offers a layer of security to the AWS cloud
- Summarize the Shared Responsibility Model
- Apply the Shared Responsibility Model to different components of the AWS cloud
This course is designed for:
- Anyone preparing for the AWS Certified Cloud Practitioner
- Managers, sales professionals and other non-technical roles
Before taking this course, you should have a general understanding of basic cloud computing concepts.
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
- [Instructor] Hello and welcome to this lecture on the Amazon Inspector service. Following this lecture you'll be able to recognize and explain what the Amazon Inspector service is and how it can be used to help improve the security and compliance of applications you've deployed on AWS. Let's start by better understanding what the Amazon Inspector is and does. The Amazon Inspector is an automated security assessment service that can be set up to run within your AWS account. Once enabled, the Amazon Inspector service performs security assessments on applications running on EC2, or Elastic Compute Cloud, instances.
The benefit of Amazon Inspector is that it can help improve the security posture of applications you've deployed on AWS. The Inspector service does this by identifying security vulnerabilities or deviations from security best practices in your applications. The Inspector can do this by monitoring before applications are deployed and while they are running in your production environment. As the Amazon Inspector is agent based, API driven, and delivered as a service, it can be included in your DevOps workflow.
This makes it easy to add an automated security assessment into your deployment process. AWS has made a large amount of their in-house security knowledge available for us in the form of the Inspector service. Inspector is comprised of a knowledge base that maps hundreds of rules to vulnerability definitions and common best practices. These libraries are continually updated, making it easier for you to meet and maintain security compliance and best practices. AWS has created a lot of automated tests to run against cloud resources.
The Inspector looks for security and compliance problems using these dynamic libraries. With respect to security it will look for vulnerabilities. With respect to compliance it will help us adhere to security best practices. Before we see how this actually works we need to define a few key concepts. The first concept is the Agent. The Inspector Agent needs to be installed on the EC2 instances that run your application. The Agent is tasked with monitoring your instance and sending the data to the Inspector service. Currently the Agent is available for EC2 instances running many versions of Amazon Linux, Ubuntu, Red Hat Enterprise Linux, CentOS and Windows.
The application from the Inspector's perspective is a collection of resources named an assessment target. An assessment target represents a collection of AWS resources that work together as a unit to help you accomplish your business goals. Amazon Inspector evaluates the security state of the resources that constitute the assessment target. You can create an assessment target by using Amazon EC2 tags, and you can define these tagged resources as an assessment target for an assessment run defined by the assessment template. The Inspector's assessments are based on a set of rules. You can specify a duration for each assessment.
Even though there is an option to stop the assessments, setting the duration as an upper limit is handy in case you neglect to do so. The assessment will not continue after the defined duration, so you can start an assessment and leave it running without fear it will never end. Inspector assessments are integrated with AWS Simple Notification Service so notifications can be sent out based on assessment results. Each assessment will produce some findings.
Basically findings are the result of an assessment run that revealed potential security issues. Findings include detailed descriptions of the problem along with recommended solutions, so you don't have to be an expert in order to take action. Some findings reveal good news too. For example, in the upcoming demonstration we'll see informational messages to advise us that no security issues were found. Each finding will be displayed relative to a rule. However, you don't have to select and view them rule by rule. AWS has grouped them together in order to improve the user experience.
These groups are called rule packages. Rule packages include common vulnerabilities and exposures, CIS operating system configuration benchmarks, and security best practices. Each rule has a severity level associated with it. Severity is intended to help you prioritize your responses to findings. The severity levels are high, medium, low, or informational. Telemetry is the metadata about the Inspector application data metrics that has been collected by the Agent.
This is the information the Agent sends to the Inspector service. Amazon Inspector is priced per agent assessment per month. Amazon does offer a free trial for the inspector service and that is certainly worth looking into. So, now that we've defined all the key concepts, let's take a look to see how it all works together. As mentioned earlier each EC2 instance that runs your application needs to have the Inspector Agent installed on it.
Tagging EC2 instances that you want to be part of your security assessment is a prerequisite. Inspector requires you to use Amazon EC2 instance tags in order to run an assessment. We'll use tags to aggregate our instances into applications. Every instance in our application will be sending telemetry to Inspector service. The Inspector service will aggregate the collective data into an assessment. When an assessment finishes the service will check each of the defined rules. Any rule anomalies, good or bad, it will detail in its findings.
We can define more than one rule package to be assessed at the same time. All the findings will then be published. There is an AWS Lambda blueprint available for you to create recurring scheduled events. Once you've created an assessment template for the security assessment you want to run, go to AWS Lambda from the AWS Management Console.
In AWS Lambda click on "Create a Lambda Function" and select the "Inspector Schedule Run" blueprint. Let's go through the steps required when working with Inspector. First, there is some setup involved. Mostly that entails setting up an IAM role, tagging all EC2 instances that will be part of an assessment run, and installing the agent software on those same instances. Preparing for the assessment run involves tapping into the right rule package, such as the publicly available common vulnerabilities and exposures (CVE). The CVE is also part of the key data you must provide to your assessment template, along with the test duration.
At this point you're ready to run the assessment, look over the findings, and apply recommended fixes if needed. That concludes our introduction to the Amazon Inspector service. Let's summarize what we know. The Inspector service is an automated security assessment service that can be set up to run within your AWS account. Inspector can assess security vulnerabilities and compliance issues in applications you've installed on EC2 instances, which collectively are called an assessment target.
Inspector requires you to install an agent onto any EC2 instances you want to have included as a target in your monitoring. Instances need to be tagged to be included in an assessment. Assessments are comprised of rules. Assessments create findings. Each finding will be displayed relative to a rule. Each rule has a severity level associated with it. Groups of rules are called rule packages. Rule packages include common vulnerabilities and exposures, CIS operating system configuration benchmarks, and security best practices.
Rule packages are comprised of the latest security best practices, threat assessments, and known exploits, which are compiled from many sources including AWS security libraries. The Inspector service combined with these libraries provides a significant benefit to us as users, as it helps us keep our environment secure and compliant. That brings our Amazon Inspector lecture to a close. Thank you for your attention. Please address any comments or feedback to us at email@example.com.
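The end-to-end flow the lecture describes (EC2 instances selected by tag and grouped into an assessment target, an assessment template that fixes the rule packages and a maximum duration, a run started on demand or from a schedule, and findings prioritized by severity), written as an added Python example against the boto3 `inspector` client. This is not the course's or AWS's own code. The tag `Inspector=webapp`, the resource names and every `arn:fake:...` value are constructed placeholders, and `FakeInspector` is an offline stand-in that you replace with `boto3.client("inspector")` to run against an account. It goes slightly beyond the lecture in two practical details: rule package ARNs are looked up by name rather than hardcoded (they differ per region), and findings are collected page by page with `describe_findings` limited to ten ARNs per call.

```python
"""Amazon Inspector (classic) assessment flow using the boto3 'inspector' client
call shapes. Added example, not Cloud Academy's or AWS's code. Pass
boto3.client('inspector') for a real account; FakeInspector below is a
constructed stand-in so the whole flow runs offline."""
from collections import Counter

# Rule package names from the lecture, matched as substrings of the names
# describe_rules_packages returns, so no region-specific ARN is hardcoded.
DEFAULT_PACKAGES = ("Common Vulnerabilities and Exposures",
                    "CIS Operating System Security Configuration Benchmarks",
                    "Security Best Practices")
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

def select_rules_packages(client, wanted=DEFAULT_PACKAGES):
    """Resolve ARNs of the wanted rule packages in the client's region."""
    arns = client.list_rules_packages()["rulesPackageArns"]
    pkgs = client.describe_rules_packages(rulesPackageArns=arns, locale="EN_US")["rulesPackages"]
    chosen = [p["arn"] for p in pkgs if any(w in p["name"] for w in wanted)]
    if not chosen:
        raise ValueError("none of the wanted rules packages exist in this region")
    return chosen

def create_assessment(client, tag_key, tag_value, name, duration_seconds=3600):
    """Tagged instances -> resource group -> assessment target -> template.
    Inspector accepts a duration of 180 s to 86400 s; reject others up front."""
    if not 180 <= duration_seconds <= 86400:
        raise ValueError("durationInSeconds must be between 180 and 86400")
    group = client.create_resource_group(resourceGroupTags=[{"key": tag_key, "value": tag_value}])
    target = client.create_assessment_target(assessmentTargetName=f"{name}-target",
                                             resourceGroupArn=group["resourceGroupArn"])
    template = client.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=f"{name}-template",
        durationInSeconds=duration_seconds,
        rulesPackageArns=select_rules_packages(client))
    return template["assessmentTemplateArn"]

def start_run(client, template_arn, run_name):
    """Start one run; the scheduled Lambda blueprint does essentially this."""
    return client.start_assessment_run(assessmentTemplateArn=template_arn,
                                       assessmentRunName=run_name)["assessmentRunArn"]

def triage_findings(client, run_arn):
    """Findings of a COMPLETED run, High first, plus a per-severity count.
    describe_findings accepts at most 10 ARNs, so each page is fetched in tens."""
    run = client.describe_assessment_runs(assessmentRunArns=[run_arn])["assessmentRuns"][0]
    if run["state"] != "COMPLETED":
        raise RuntimeError(f"assessment run state is {run['state']}, not COMPLETED")
    findings, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [run_arn], "maxResults": 500}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns = page["findingArns"]
        for i in range(0, len(arns), 10):
            findings += client.describe_findings(findingArns=arns[i:i + 10], locale="EN_US")["findings"]
        token = page.get("nextToken")
        if not token:
            break
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), f["title"]))
    return findings, Counter(f["severity"] for f in findings)

# Constructed sample findings and a minimal offline imitation of the client;
# every ARN and title below is a placeholder, not real Inspector output.
SAMPLE_FINDINGS = [
    {"arn": "arn:fake:finding/1", "severity": "Medium", "title": "Instance is not configured with ASLR"},
    {"arn": "arn:fake:finding/2", "severity": "Informational", "title": "No potential security issues found"},
    {"arn": "arn:fake:finding/3", "severity": "High", "title": "Unpatched kernel package (placeholder)"},
]

class FakeInspector:
    PACKAGES = {"arn:fake:pkg/cve": "Common Vulnerabilities and Exposures",
                "arn:fake:pkg/cis": "CIS Operating System Security Configuration Benchmarks",
                "arn:fake:pkg/rba": "Runtime Behavior Analysis"}
    def __init__(self, findings=SAMPLE_FINDINGS):
        self.findings, self.template = findings, None
    def list_rules_packages(self):
        return {"rulesPackageArns": list(self.PACKAGES)}
    def describe_rules_packages(self, rulesPackageArns, locale):
        return {"rulesPackages": [{"arn": a, "name": self.PACKAGES[a]} for a in rulesPackageArns]}
    def create_resource_group(self, resourceGroupTags):
        return {"resourceGroupArn": "arn:fake:resourcegroup/1"}
    def create_assessment_target(self, assessmentTargetName, resourceGroupArn):
        return {"assessmentTargetArn": "arn:fake:target/1"}
    def create_assessment_template(self, **kwargs):
        self.template = kwargs  # kept so a caller can check rules and duration
        return {"assessmentTemplateArn": "arn:fake:template/1"}
    def start_assessment_run(self, assessmentTemplateArn, assessmentRunName):
        return {"assessmentRunArn": "arn:fake:run/1"}
    def describe_assessment_runs(self, assessmentRunArns):
        return {"assessmentRuns": [{"arn": a, "state": "COMPLETED"} for a in assessmentRunArns]}
    def list_findings(self, assessmentRunArns, maxResults, nextToken=None):
        return {"findingArns": [f["arn"] for f in self.findings]}
    def describe_findings(self, findingArns, locale):
        return {"findings": [f for f in self.findings if f["arn"] in findingArns]}
```

Against a real account, `create_assessment(boto3.client("inspector"), "Inspector", "webapp", "webapp")` followed by `start_run` and, once the run reaches `COMPLETED`, `triage_findings` reproduces the console steps from the lecture; the ordered list is what an on-call engineer works through, High findings first, and the per-severity counter is a useful number to publish alongside the SNS notification. Note that the agent-based service described in this lecture is today branded Amazon Inspector Classic; the current Amazon Inspector uses a separate `inspector2` API and does not need the agent.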
Head of Content
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start-ups.