AWS Inspector - How to configure and run a scan

Amazon has recently announced a bunch of new and exciting additions to their already awesome cloud arsenal and Amazon Inspector is one of them.

The importance of running regular infrastructure-level audits to assess security, identify issues and fix them cannot be overstated. We run regular audits for all our managed services customers, and Nessus has been our go-to tool for it so far. Amazon Inspector aims to do what Nessus does, so we took it for a spin. Inspector is still new and will get a lot better, but it does not replace Nessus yet: it is currently supported only on Amazon Linux and Ubuntu instances, and it assesses each host from the inside through an agent rather than probing it over the network, so it covers a different surface than a network scan. That said, we were impressed with Inspector and its ease of use. Below are the steps to configure a scan for an application.

Prerequisites

You need an IAM role that Inspector can assume to enumerate your EC2 instances and read their tags; Inspector uses this role, not your own credentials, to work out which instances belong to an application. Click on Select/Create Role in the Inspector console to create one, and keep it read-only: Inspector has no reason to modify instances.
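If you would rather create the role from the CLI than through the console button, the script below is an added example (not from the original post) that creates the role with a trust policy restricted to the Inspector service and a single read-only permission. The role name inspector-service-role, the inline policy name, and the choice of ec2:DescribeInstances as the only action Inspector needs (instance tags are returned by that call) are assumptions; compare with what the console wizard attaches and keep whichever is narrower.

```shell
#!/bin/sh
# Added example: create the IAM role Inspector assumes to find tagged instances.
# Needs AWS CLI credentials with IAM rights only when run with the "create" argument.
set -eu

ROLE_NAME="${ROLE_NAME:-inspector-service-role}"   # assumed name; override via environment

# Trust policy: only the Inspector service may assume this role.
inspector_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "inspector.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions: describing instances is enough to resolve a Tag Key/Value into
# instance IDs (tags come back with the instances). No EC2 write actions.
inspector_permissions_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ec2:DescribeInstances" ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the role and attach the inline permissions policy.
create_inspector_role() {
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(inspector_trust_policy)"
  aws iam put-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-name inspector-describe-instances \
    --policy-document "$(inspector_permissions_policy)"
}

# Only touch IAM when invoked as: sh create-inspector-role.sh create
if [ "$#" -ge 1 ] && [ "$1" = "create" ]; then
  create_inspector_role
fi
```

The two policy documents are kept in functions so they can be reviewed or diffed on their own before anything is created; if a later Inspector release needs more permissions, add them to inspector_permissions_policy rather than attaching a broad EC2 policy.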

Tag all the instances that Inspector will scan. For example, we have tagged our instances Environment:Prod. Tags are the only thing that defines the scope, so an instance that is missing the tag is silently left out and one that carries it by mistake is included.

Next, we need Inspector's agent running on every target EC2 instance. Download the installer and run it. It runs as root, so read it (or verify its checksum against a copy you have inspected) before executing it:

wget https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install  
sudo bash install  
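The two commands above download a script and run it as root without looking at it. As an added example (not code from the original post), the script below wraps the same installation with the two checks we would want on a fleet: that the host is one of the two distributions Inspector supports, and that the downloaded installer matches a SHA-256 you recorded out of band from a copy you inspected. The post publishes no checksum, so the expected hash is an assumed command-line argument; the installer URL is the one from the post.

```shell
#!/bin/sh
# Added example: install the Inspector agent only on a supported OS and only after
# the downloaded installer matches a checksum supplied by the operator.
set -eu

# Installer URL as given in the post.
AGENT_URL="https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install"

# supported_os [OS_RELEASE_FILE]: succeed only on Amazon Linux (ID=amzn) or Ubuntu,
# the two distributions Inspector supports at the time of writing.
supported_os() {
  release_file="${1:-/etc/os-release}"
  [ -r "$release_file" ] || return 1
  os_id=$(sed -n 's/^ID=//p' "$release_file" | tr -d '"')
  case "$os_id" in
    amzn|ubuntu) return 0 ;;
    *) return 1 ;;
  esac
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# install_agent EXPECTED_HEX: download to a temp file, verify, then run as root.
# EXPECTED_HEX is an assumed input recorded from a copy you have inspected.
install_agent() {
  tmp=$(mktemp)
  wget -q -O "$tmp" "$AGENT_URL"
  if ! verify_sha256 "$tmp" "$1"; then
    echo "installer checksum mismatch; refusing to run it as root" >&2
    rm -f "$tmp"
    return 1
  fi
  sudo bash "$tmp"
  rm -f "$tmp"
}

# Only act when given a checksum argument, e.g.: sh install-agent.sh <sha256-hex>
if [ "$#" -ge 1 ]; then
  supported_os || { echo "unsupported OS: Inspector needs Amazon Linux or Ubuntu" >&2; exit 1; }
  install_agent "$1"
fi
```

Because the "latest" URL can change underneath you, a checksum mismatch is the expected signal that the installer was updated: fetch it again, review the new version, and update the recorded hash rather than loosening the check.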

Define an Application

  1. Give the application a name.
  2. Provide the Tag Key and Value of the instances you need to scan and click Next.

Define an Assessment

  1. Choose a name for your assessment.
  2. Select the rules packages, such as Authentication Best Practices and Application Security Best Practices.
  3. Set the duration to 1 hour. This is how long the agents collect data before findings are generated.

Review and Run

  1. Review the Inspector configuration.
  2. Click on Create & Run.
  3. Wait for an hour for the scan report to be generated.

Checking status

If you are restless like us, you might want to check what is really happening in there. You can check the status from the console and also log on to the servers and see for yourself:
  1. Go to the Assessments page and click on the assessment we just started.
  2. Its status should be COLLECTING_DATA.

On the servers, the agent's status output includes a Collecting field. Before the assessment starts it reads false; once the run begins it switches to true:

/etc/init.d/inspector status | grep Collecting

If it stays false on an instance while the console shows COLLECTING_DATA, check that the instance carries the tag the application was defined with and that the agent is installed and running there.

The Report

Once the run completes, go to the Findings page and download the scan report.

We hope you found this helpful. If you need help with running Infrastructure and Application VAPT, please get in touch and we will be happy to help.

Manoj Kumar

Manoj is our Principal Cloud Architect. An AWS and Linux geek who takes extreme pleasure in lording servers, tightening security screws and learning new things.
