Improving security is always a good idea. Some people still think only about static security, such as Security Groups, SSL or VPNs.
Consideration should also be given to application vulnerabilities. Adding a regular scanning process adds another layer of defence. Remember: test is best.
AWS Inspector has been around since October 2015, so it's not new, but its implementation and use make it easy to get started, even if you haven't tried it yet.
It uses an agent (awsagent) installed in the AMI so that the Inspector service can connect and perform the scan. Results are rated High, Medium, Low or Informational severity and shown in the Inspector console under the Findings tab.
Benefits for each Well-Architected pillar are:
- Improve Security: easy and early detection of security issues in your applications, a streamlined compliance approach and an overall better security posture
- Gain Performance Efficiency: integrate with DevOps through your CI/CD pipeline and increase your development agility
- Ensure Reliability: Inspector can be run as often as needed, in parallel (but only one concurrent scan per agent), with repeatable and measurable results
- Improve Operational Excellence: using a suitable managed service reduces your operating burden and lets you leverage the expertise of security experts through preconfigured tests. You also save time by not having to submit a request to AWS Support for approval to run a vulnerability scan, which is needed under the Acceptable Use Policy for Security.
- Cost Optimisation: its cost is certainly justified in most cases compared with a roll-your-own solution
A use case study: hardening a custom AMI and verifying CIS Benchmark compliance
- Build your own custom AMI
- Patch and secure it using CIS Benchmark best practices.
- Tag instances (I used InspectorReady:yes)
- Download and install the Inspector agent with these commands (Linux):
# download the Inspector agent installer
wget https://inspector-agent.amazonaws.com/linux/latest/install
# install the agent
sudo bash install
sudo /opt/aws/awsagent/bin/awsagent status # check that the agent is running
- Go to the Inspector console and create an IAM role for Inspector to use (if not already done)
- Create/select assessment targets based on the tag you created
- Create an Assessment Template, adding multiple rules packages (the more you add, the longer the scan takes):
- CIS Operating System Security Configuration Benchmarks-1.0
- Security Best Practices-1.0
- Run the Inspector assessment on the assessment targets
- Review the Findings; they can also be downloaded as CSV
- Remediate High-risk issues as a priority, using the Findings as a task list.
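The target/template/run/review steps above can be scripted so they fit a CI/CD pipeline. This is an added example, not code from the original post: it assumes the boto3 `inspector` client (Inspector Classic, the agent-based service described here), the InspectorReady:yes tag, a one-hour run, and the target and template names used below; the two rules packages are looked up by name because their ARNs differ per region.

```python
import time

# Rules package names as the Inspector console shows them, matched by prefix so
# the "-1.0" version suffix and the region-specific ARNs are not hard-coded.
WANTED_PACKAGES = ("CIS Operating System Security Configuration Benchmarks",
                   "Security Best Practices")
SEVERITIES = ("High", "Medium", "Low", "Informational")  # console order
TERMINAL = ("COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED", "ERROR", "CANCELED")

def select_rules_packages(described, wanted=WANTED_PACKAGES):
    """Return the ARNs from a describe_rules_packages 'rulesPackages' list
    whose name starts with one of the wanted package names."""
    return [p["arn"] for p in described
            if any(p["name"].startswith(w) for w in wanted)]

def triage(findings):
    """Group finding titles by severity, High first, to use as a task list.
    Any other severity value (e.g. Undefined) is appended after the four."""
    grouped = {s: [] for s in SEVERITIES}
    for f in findings:
        grouped.setdefault(f["severity"], []).append(f["title"])
    return {s: t for s, t in grouped.items() if t}

def run_assessment(client, tag_key="InspectorReady", tag_value="yes",
                   duration=3600, poll=60):
    """Target instances by tag, build a template with the wanted rules
    packages, start a run, wait for it and return its findings as dicts."""
    arns = client.list_rules_packages()["rulesPackageArns"]
    pkgs = client.describe_rules_packages(rulesPackageArns=arns)["rulesPackages"]
    group = client.create_resource_group(
        resourceGroupTags=[{"key": tag_key, "value": tag_value}])
    target = client.create_assessment_target(  # names below are assumptions
        assessmentTargetName="cis-target", resourceGroupArn=group["resourceGroupArn"])
    template = client.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName="cis-template", durationInSeconds=duration,
        rulesPackageArns=select_rules_packages(pkgs), userAttributesForFindings=[])
    run_arn = client.start_assessment_run(
        assessmentTemplateArn=template["assessmentTemplateArn"])["assessmentRunArn"]
    while client.describe_assessment_runs(assessmentRunArns=[run_arn])[
            "assessmentRuns"][0]["state"] not in TERMINAL:
        time.sleep(poll)  # a run can take an hour, as noted below
    pages = client.get_paginator("list_findings").paginate(assessmentRunArns=[run_arn])
    finding_arns = [a for page in pages for a in page["findingArns"]]
    findings = []
    for i in range(0, len(finding_arns), 10):  # describe_findings takes <= 10 ARNs
        findings += client.describe_findings(findingArns=finding_arns[i:i + 10])["findings"]
    return findings
```

Run it as `triage(run_assessment(boto3.client("inspector")))` with credentials allowed to call the Inspector API; the two helper functions also work offline on exported findings.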
Using the Common Vulnerabilities and Exposures-1.1 rules package, a scan took around an hour to complete on a (poor choice!) t2.micro instance. A faster instance type (M5 or C5) would yield quicker results.
Inspector Findings on a new Bitnami WordPress install showed 30 High-risk issues (52 overall).
Pricing is reasonable: 25 runs x $0.30 = $7.50. You also get the first 250 free in the initial 90 days as part of the AWS Free Tier. So it's basically free to give it a try and then start incorporating it into your CI/CD pipeline.
AWS GuardDuty
Further complement your good work with Inspector by enabling AWS GuardDuty for all your accounts. Unlike Inspector, which checks for threats within the AMI or at the OS level via an agent, GuardDuty does the same for your AWS account activity, continuously and without agents. Within 30 minutes of enabling GuardDuty (and launching a new test instance with unrestricted ports), I checked the Findings. It showed these results:
GuardDuty has associated costs, based on the number of CloudTrail events and GB of logs assessed. Once you sign up you get 30 days free. Via the GuardDuty console you can check your Free Tier usage as well as an estimate of the monthly cost to expect after the free tier offer expires, which helps you make informed cost decisions.
Another good idea is to subscribe to a vulnerability notification list for your applications to ensure you stay up to date with potential issues. It's good practice to apply security patches often.
For a champion of Well-Architected systems, these tools tick all the boxes for all 5 pillars, not just Security.