- Enables you to analyze the behavior of your AWS resources and helps you to identify potential security issues.
- You can define a collection of AWS resources, create an assessment template and launch a security assessment run of assessment target.
Amazon Inspector Terminology and Concepts
- AWS agent
○A software agent that you must install on all Amazon EC2 instances that are included in the assessment target, the security of which you want to evaluate with Amazon Inspector.
○Monitors the behavior of the EC2 instance on which it is installed, including network, file system, and process activity
○Collects a wide set of behavior and configuration data (telemetry), which it then passes to the Amazon Inspector service.
- Assessment run
○The process of discovering potential security issues through the analysis of your assessment target’s configuration and behavior against specified rules packages.
○During an assessment run, the agent monitors, collects, and analyzes behavioral data (telemetry) within the specified target, such as the use of secure channels, network traffic among running processes, and details of communication with AWS services.
- Assessment target
○In the context of Amazon Inspector, a collection of AWS resources that work together as a unit to help you accomplish your business goals.
○Amazon Inspector evaluates the security state of the resources that constitute the assessment target.
○To create an Amazon Inspector assessment target, you must first tag your EC2 instances with key-value pairs of your choice, and then create a view of these tagged EC2 instances that have common keys or common values.
- Assessment template
○A configuration that is used during your assessment run, including rules packages against which you want Amazon Inspector to evaluate your assessment target, the duration of the assessment run, Amazon Simple Notification Service (SNS) topics to which you want Amazon Inspector to send notifications about assessment run states and findings.
- Finding : A potential security issue discovered during the Amazon Inspector assessment run of the specified target.
- Rule: A security check that the agent performs during an assessment run.
- Rules package :A collection of rules : A rules package corresponds to a security goal that you might have.
- Telemetry: Data such as records of network connections and process creations, collected during an assessment run and passed to the Amazon Inspector service for analysis.
Setting up Amazon Inspector
- To sign up for AWS
○Open https://aws.amazon.com/, and then choose Create an AWS Account.
○Follow the online instructions.
- Create a Role
○On the Inspector prerequisites page, choose Select/Create Role.
- Create Assessment Targets with EC2 instance Tags
○Amazon Inspector evaluates whether your assessment targets have potential security issues.
- Install the AWS Agent
- To assess the security of the EC2 instances that make up your Amazon Inspector assessment targets, you must install the AWS agent on each instance.
- The agent monitors the behavior (including network, file system, and process activity) of the EC2 instance on which it is installed, collects behavior and configuration data (telemetry), and then passes the data to the Amazon Inspector service.
- Once authenticated, the agent sends heartbeat messages to the service and receives instructions from the service as responses to the heartbeat messages.
- If an assessment has been scheduled, the agent receives the instructions for that assessment.
- During an assessment, the agent gathers telemetry data from the system to send back to Amazon Inspector over a TLS-protected channel.
- Telemetry Data Lifecycle
○The telemetry data stored in S3 is retained only to allow for assistance with support requests and is not used or aggregated by Amazon for any other purpose.
○After 30 days, telemetry data is permanently deleted per a standard Amazon Inspector-dedicated S3 bucket lifecycle policy.
Amazon Inspector Assessment Targets
- You can use Amazon Inspector to evaluate whether your AWS assessment targets have potential security issues that you need to address.
- To create an assessment target for Amazon Inspector to assess, you start by tagging the EC2 instances that you want to include in your target.
- Every AWS tag consists of a key and value pair of your choice.
Amazon Inspector Assessment Templates
- An assessment template allows you to specify a configuration for your assessment runs, including the following:
○Rules packages that Amazon Inspector uses to evaluate your assessment target
○Duration of the assessment run
- Amazon Simple Notification Service (SNS) topics to which you want Amazon Inspector to send notifications about assessment run states and findings.
- After you create an assessment template, you can use it to start assessment runs.
- You can start multiple assessment runs using the same template as long as you stay within the assessment runs limit per AWS account.
- If you use the Amazon Inspector console, you must start the first run of your new assessment template from the Assessment templates page.
- After you start the run, you can use the Assessment runs page to monitor the run’s progress.
Amazon Inspector Findings
- Findings are potential security issues discovered during the Amazon Inspector’s assessment of the selected assessment target.
- Findings contain both a detailed description of the security issues and recommendations for resolving them.
- Once Amazon Inspector generates the findings, you can track them by assigning Amazon Inspector-specific attributes to them.
- An assessment report is a document that details what is tested in the assessment run, and the results of the assessment.
- The results of your assessment are formatted into standard reports, which can be generated to share results within your team for remediation actions, to enrich compliance audit data, or to store for future reference.
Amazon Inspector Rules Packages and Rules
- In Amazon Inspector, rules are grouped together into distinct rules packages either by category, severity, or pricing.
- High, Medium, and Low levels all indicate a security issue that can result in compromised information confidentiality, integrity, and availability within your assessment target.
- The Informational level simply highlights a security configuration detail of your assessment target.