Streamlined Security for AWS Well-Architected solutions using Inspector & Guard Duty

Improving security is always a good idea. Some people still think only about static security, such as Security Groups, SSL or VPNs.

Consideration should also be given to application vulnerabilities. Adding a regular scanning process adds another layer of defence. Remember: Test is best.

AWS Inspector

AWS Inspector has been around since October 2015, so it's not new, but its implementation and use make it easy to get started, even if you haven't tried it yet.

It uses an agent (awsagent) installed inside the AMI to allow the Inspector service to connect and perform the scan. Results are rated as High, Medium, Low and Informational severity and are presented in the Inspector console under the Findings tab.

Benefits for each Well-Architected pillar are:

  • Improve Security: easy and early detection of security issues in your applications, a streamlined compliance approach and an overall better security position
  • Gain Performance Efficiency: integrate with DevOps through your CI/CD pipeline and increase your development agility
  • Ensure Reliability: Inspector can be run as often as needed, in parallel (but only 1 concurrent scan per agent), with repeatable and measurable results
  • Improve Operational Excellence: by using a suitable managed service your operating burden is reduced, and you leverage the expertise of security experts through preconfigured tests. You also save time by not having to submit a request to AWS Support for approval to vulnerability scan, which is needed under the Acceptable Use Policy for Security.
  • Cost Optimisation: its cost is certainly justified in most cases compared with a roll-your-own solution

A Use Case study – Hardening a custom AMI to verify CIS Benchmark compliance

  • Build your own custom AMI
  • Patch and secure it using CIS Benchmark best practices.
  • Tag instances (I used InspectorReady:yes)
  • Download and install the Inspector agent with these commands (the installer URL is the one from the AWS Inspector Classic documentation)
# download and install the Inspector Agent software
wget https://inspector-agent.amazonaws.com/linux/latest/install
sudo bash install
sudo /opt/aws/awsagent/bin/awsagent status    # check agent status
  • Go to the Inspector console and create an IAM Role for Inspector to use (if not already done)
  • Create/Select targets for assessment based on the tag you created
  • Create an Assessment Template, adding multiple Rules Packages (the scan takes longer the more you add)
    • CIS Operating System Security Configuration Benchmarks-1.0
    • Security Best Practices-1.0
  • Run Inspector Assessment on Assessment Targets
  • Review the Findings; they can be downloaded as CSV as well
  • Remediate High risk issues as a priority, using the Findings as a task list
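The steps above can be driven from a CI/CD job. Here is an added example (my code, not from this post or from AWS) that uses the boto3 `inspector` (Inspector Classic) client: it resolves the two rules packages by name instead of hard-coding region-specific ARNs, builds a target from the InspectorReady:yes tag, runs the assessment, waits for it to finish, and collects the High findings as the remediation task list. It assumes `client` is `boto3.client("inspector")` with permissions for the calls shown; the tag key/value and package names are the ones used in the post.

```python
# Added example: drive an Inspector Classic assessment from CI via the boto3 "inspector" client.
import time

RUN_FAILED = {"FAILED", "ERROR", "CANCELED", "COMPLETED_WITH_ERRORS"}

def rules_package_arns(client, names):
    """Resolve rules packages by display name, since their ARNs differ per region."""
    arns = client.list_rules_packages()["rulesPackageArns"]
    packages = client.describe_rules_packages(rulesPackageArns=arns)["rulesPackages"]
    by_name = {p["name"]: p["arn"] for p in packages}
    missing = [n for n in names if n not in by_name]
    if missing:
        raise ValueError(f"rules packages not available in this region: {missing}")
    return [by_name[n] for n in names]

def run_assessment(client, tag_key, tag_value, package_names, duration=3600, poll=30):
    """Target instances by tag, run the chosen rules packages, block until the run ends."""
    group = client.create_resource_group(resourceGroupTags=[{"key": tag_key, "value": tag_value}])
    target = client.create_assessment_target(assessmentTargetName=f"{tag_key}-{tag_value}",
                                             resourceGroupArn=group["resourceGroupArn"])
    template = client.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=f"ci-{int(time.time())}", durationInSeconds=duration,
        rulesPackageArns=rules_package_arns(client, package_names))
    run_arn = client.start_assessment_run(assessmentTemplateArn=template["assessmentTemplateArn"],
                                          assessmentRunName=f"ci-run-{int(time.time())}")["assessmentRunArn"]
    while True:  # a scan can take an hour or more, so poll rather than assume
        run = client.describe_assessment_runs(assessmentRunArns=[run_arn])["assessmentRuns"][0]
        if run["state"] == "COMPLETED":
            return run_arn
        if run["state"] in RUN_FAILED:
            raise RuntimeError(f"assessment run {run_arn} ended in state {run['state']}")
        time.sleep(poll)

def high_findings(client, run_arn):
    """Page through ListFindings (High only), then DescribeFindings in batches of 10 ARNs."""
    arns, kwargs = [], {"assessmentRunArns": [run_arn], "filter": {"severities": ["High"]},
                        "maxResults": 500}
    while True:
        page = client.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        if not page.get("nextToken"):
            break
        kwargs["nextToken"] = page["nextToken"]
    findings = []
    for i in range(0, len(arns), 10):
        findings.extend(client.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return findings  # the remediation task list; fail the pipeline if it is non-empty
```

Call `high_findings(client, run_assessment(client, "InspectorReady", "yes", [...]))` from the job and fail the build when the returned list is non-empty.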

Using the Common Vulnerabilities and Exposures-1.1 rules package, a scan took around an hour to complete on a (poor choice!) t2.micro instance. A faster instance type (M5 or C5) would yield quicker results.

Inspector Findings on a new Bitnami WordPress install showed 30 High risk issues (52 findings overall).

Pricing is reasonable: 25 runs x $0.30 = $7.50. You also get the first 250 free in the initial 90 days as part of the AWS Free Tier. So it's basically free to give it a try and then start to incorporate it into your CI/CD pipeline.

AWS GuardDuty

Further complement your good work with Inspector by enabling AWS GuardDuty for all your accounts. Unlike Inspector, which checks for threats within the AMI or at the OS level via an agent, GuardDuty does the same for your AWS account activity, continuously and without agents. Within 30 minutes of enabling GuardDuty (and launching a new test instance with unrestricted ports), I checked the Findings. It showed these results: (GuardDuty findings screenshot)

GuardDuty has associated costs, based on the number of CloudTrail events and GB of logs assessed. Once you sign up you get 30 days free. Via the GuardDuty console you can check your Free Tier usage progress, as well as an estimate of the monthly cost you could expect after your free tier offer expires. This helps you make informed cost decisions.

Another good idea is to subscribe to a vulnerability notification list for your applications to ensure you stay up to date with potential issues. It's good practice to patch often.

As a champion for a Well-Architected system, these tools tick all the boxes for the 5 pillars, not just security.

awscli – Advanced Query Output

Advanced JMESPath Query – good help and examples here.

Use these combinations of awscli commands to generate the JSON output you need.

Let me know via comments or twitter if you need some help 🙂  HTH.

# @shallawell
# Program Name:
# Purpose: Demonstrate JMESPath Query examples
# version 0.1
# The awscli uses JMESPath Query expressions, rather than regex.

# Advanced JMESPath Query - good help and examples here.

# List all users (basic query)
aws iam list-users --output text --query "Users[].UserName"
# List all users whose UserName is NOT NULL
aws iam list-users --output text --query 'Users[?UserName!=`null`].UserName'
# List users whose name STARTS_WITH "a"
aws iam list-users --output text --query 'Users[?starts_with(UserName, `a`) == `true`].UserName'
# List users whose name does NOT contain "ad" (note the == `false`; compare with `true` to invert)
aws iam list-users --output text --query 'Users[?contains(UserName, `ad`) == `false`].UserName'

# Get the latest mysql engine version (contains() also matches aurora-mysql).
# --output text gives sort tab-separated columns to work on; -V sorts by version
# number, because a plain lexical sort would rank 5.7.9 above 5.7.10.
aws rds describe-db-engine-versions --output text \
  --query 'DBEngineVersions[?contains(Engine, `mysql`) == `true`].[Engine,EngineVersion]' \
  | sort -k 2 -V -r | head -1

How to display a static Google Map

If you have ever needed a static Google Maps image, here is the URL to use. The bold values can be changed to suit your requirements:

,lonsdale,st,melbourne,%20Australia&zoom=15&size=800x600&format=gif&sensor=false

Handy if you need a simple version to print and take with you.

You can do much more than described above, like adding markers and routes; just visit the Google Developers site.