Amazon Inspector

Amazon Inspector is an automated, agent-based security and vulnerability assessment service for your AWS resources. As of now, it supports only EC2 instances. It complements the DevOps culture in an organization and integrates with continuous integration and continuous deployment tools.

To begin with, you install an agent in your EC2 instance, prepare an assessment template, and run a security assessment for this EC2 instance.

Amazon Inspector collects data related to running processes, the network, the filesystem, and a lot of configuration data: the traffic flow between AWS services and the network, the secure channels, and so on.

Once this data is collected, it is validated against a set of predefined rules known as a rules package, which you choose in your assessment template, and you are provided with detailed findings and security issues categorized by severity.

The following figure shows the Amazon Inspector splash screen with three steps for getting started with Amazon Inspector:


Figure 6: Amazon Inspector splash screen

Amazon Inspector Features and Benefits

Amazon Inspector goes hand in hand with the continuous integration and continuous deployment activities that are an essential part of the DevOps life cycle. It helps you integrate security with your DevOps practice by making security assessment part of your deployment cycle. Amazon Inspector has several important features that make it one of the most preferred security assessment services for any infrastructure in AWS. Let's look at these features:

  • Enforce security standards and compliance: You can select a security best practices rules package to enforce the most common security standards for your infrastructure. Ensure that assessments are run before any deployment to proactively detect and address security issues before they reach the production environment. You can ensure that security compliance standards are met at every stage of your development life cycle. Moreover, Amazon Inspector provides findings based on real activity and the actual configuration of your AWS resources, so you can rest assured about the compliance of your environment.
  • Increase development agility: Amazon Inspector is fully automatable through its API. Once you integrate it with your development and deployment process, your security issues and vulnerabilities are detected and resolved early, saving a significant amount of resources. These resources can be used to develop new features for your application and release them to your end users, thus increasing the velocity of your development.
  • Leverage AWS Security expertise: Amazon Inspector is a managed service, so when you select a rules package for assessment, your EC2 instance is assessed for the most up-to-date security issues and vulnerabilities. Moreover, these rules packages are constantly updated with ever-evolving threats, vulnerabilities, and best practices by the AWS Security organization.
  • Integrated with AWS services and AWS partners: Amazon Inspector integrates with AWS partners that provide security tools through its public-facing APIs. AWS partners use Amazon Inspector's findings to create email alerts, security status dashboards, pager platforms, and so on. Amazon Inspector works with a network address translation (NAT) instance, as well as proxy environments. It also integrates with the AWS Simple Notification Service (SNS) for notifications and AWS CloudTrail for recording all API activity.

The following figure shows the Amazon Inspector integration with AWS CloudTrail. All activities related to Amazon Inspector are captured by AWS CloudTrail events.


Figure 7: Amazon Inspector CloudTrail events

Amazon Inspector publishes real-time metrics data to AWS CloudWatch, so you can analyze metrics for your target (EC2 instance) as well as for your assessment template in AWS CloudWatch. By default, Amazon Inspector sends data to AWS CloudWatch at five-minute intervals. This can be changed to a one-minute interval as well.

There are three categories of metrics available in AWS CloudWatch for Amazon Inspector, as follows:

  • Assessment target
  • Assessment template
  • Aggregate

The following figure shows metrics available for assessment targets in AWS CloudWatch:


Figure 8: Amazon Inspector CloudWatch metrics

Amazon Inspector Components

Amazon Inspector is accessible through the AWS Management Console, the AWS Software Development Kit (SDK), AWS Command Line Tools, and Amazon Inspector APIs, over HTTPS. Let's look at the major components of this service, as shown in the following figure:


Figure 9: Amazon Inspector dashboard

  • AWS agent: This is a software agent developed by AWS that must be installed in your assessment target, that is, your EC2 instance. This agent monitors all activities and collects data for your EC2 instance, such as the installation, configuration, and filesystem, as per the rules package selected by you for assessment. It periodically sends this data to the Amazon Inspector service. The AWS agent simply collects data; it does not change anything in the EC2 instance it is running on.
  • Assessment run: You will periodically run assessments on your EC2 instance based on the rules package selected. Once your AWS agent performs an assessment, it discovers any security vulnerabilities in your EC2 instance. Once the assessment has completed, you will get findings, with a list of potential issues and their severity.
  • Assessment target: Amazon Inspector requires you to select an assessment target; this is your EC2 instance or a group of EC2 instances that will be assessed for any potential security issues. These instances should be tagged with key-value pairs. You can create up to 50 assessment targets per AWS account.
  • Finding: A finding is a potential security issue reported by the Amazon Inspector service after running an assessment for your target EC2 instance. These findings are displayed in the Amazon Inspector web console or can be accessed through the API. These findings contain details about the issue, along with its severity and recommendations to fix it.
  • Assessment report: This is a document that details everything that was tested in an assessment, along with the results of those tests. You can generate assessment reports for all assessments once they are completed successfully. There are two types of assessment reports:
    • The findings report
    • The full report
  • Rules package: Amazon Inspector has a repository of hundreds of rules, divided under four rules packages. These rules packages are the knowledge base of the most common security and vulnerability definitions. Your assessment target is checked against the rules of a rules package. These rules packages are constantly updated by the Amazon security team, as and when new threats, security issues, and vulnerabilities are identified or discovered. These four rules packages are shown in the following figure:

    Figure 10: Amazon Inspector rules packages

  • Rules: Amazon Inspector has predefined rules in the rules packages; as of now, custom rules cannot be defined for a rules package. A rule is a check performed by an Amazon Inspector agent on an assessment target during an assessment. If a rule finds a security issue, it will add this issue to findings. Every rule has a security level assigned to it. There are four security levels for a rule, as follows:
    • High
    • Medium
    • Low
    • Informational

    A high, medium, or low security level indicates an issue that might cause an interruption in the ways in which your services are required to run. An informational security level describes the security configuration for your instance.

  • Assessment template: This is your configuration for running an assessment. You will choose your targets, along with one of the four predefined rules packages that you want to run; you will also choose a duration, from 15 minutes to 24 hours, and other information, as shown in the following figure:

    Figure 11: Amazon Inspector assessment template
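The components above describe a workflow: create an assessment template for a target and rules package with a duration between 15 minutes and 24 hours, start a run, then pull the findings and act on them by severity. The following Python is an added example, not code from the book: it wires those steps together against the boto3 Inspector client's method names (create_assessment_template, start_assessment_run, list_findings, describe_findings), with a constructed in-memory stand-in for boto3.client("inspector") so it runs offline. Every ARN is a placeholder, and the finding data is constructed for the example.

```python
"""Added example: run an Amazon Inspector classic assessment and triage the
findings by severity. FakeInspectorClient is a constructed stand-in for
boto3.client("inspector"); all ARNs are placeholders."""
from collections import Counter

MIN_DURATION_SECONDS = 15 * 60        # page: a run lasts 15 minutes ...
MAX_DURATION_SECONDS = 24 * 60 * 60   # ... up to 24 hours
SEVERITY_ORDER = ("High", "Medium", "Low", "Informational")


def validate_duration(seconds):
    """Fail fast on durations outside the window the service accepts."""
    if not MIN_DURATION_SECONDS <= seconds <= MAX_DURATION_SECONDS:
        raise ValueError(f"duration {seconds}s not in "
                         f"{MIN_DURATION_SECONDS}..{MAX_DURATION_SECONDS}")
    return seconds


def run_assessment(client, target_arn, rules_package_arns, duration, name):
    """Create an assessment template (target + rules packages + duration)
    and start a run; returns the run ARN."""
    validate_duration(duration)
    template = client.create_assessment_template(
        assessmentTargetArn=target_arn,
        assessmentTemplateName=name,
        durationInSeconds=duration,
        rulesPackageArns=rules_package_arns,
    )
    run = client.start_assessment_run(
        assessmentTemplateArn=template["assessmentTemplateArn"],
        assessmentRunName=f"{name}-run",
    )
    return run["assessmentRunArn"]


def fetch_findings(client, run_arn):
    """Page through ListFindings, then expand the ARNs with DescribeFindings,
    which takes at most 10 ARNs per call."""
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [run_arn], "maxResults": 100}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 10):
        batch = client.describe_findings(findingArns=arns[i:i + 10])
        findings.extend(batch["findings"])
    return findings


def summarize(findings):
    """Count findings per severity level, in the order the page lists them."""
    counts = Counter(f["severity"] for f in findings)
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


def blocking_findings(findings):
    """Titles of High findings: what a pre-deployment gate would stop on."""
    return sorted(f["title"] for f in findings if f["severity"] == "High")


class FakeInspectorClient:
    """Constructed stand-in for boto3.client("inspector"). Serves 12 canned
    findings over two ListFindings pages to exercise pagination and batching."""

    def __init__(self):
        levels = ["High"] * 2 + ["Medium"] * 4 + ["Low"] * 5 + ["Informational"]
        self.findings = [
            {"arn": f"arn:aws:inspector:us-east-1:111122223333:finding/example-{i}",
             "severity": s, "title": f"Constructed {s.lower()} finding {i}"}
            for i, s in enumerate(levels)
        ]
        self.calls = []  # (api_name, kwargs) for every write call made

    def create_assessment_template(self, **kw):
        self.calls.append(("create_assessment_template", kw))
        return {"assessmentTemplateArn": "arn:aws:inspector:us-east-1:"
                "111122223333:target/example/template/example"}

    def start_assessment_run(self, **kw):
        self.calls.append(("start_assessment_run", kw))
        return {"assessmentRunArn": kw["assessmentTemplateArn"] + "/run/example"}

    def list_findings(self, **kw):
        arns = [f["arn"] for f in self.findings]
        if kw.get("nextToken") == "page2":
            return {"findingArns": arns[7:]}
        return {"findingArns": arns[:7], "nextToken": "page2"}

    def describe_findings(self, findingArns):
        assert len(findingArns) <= 10, "real API limit: 10 ARNs per call"
        return {"findings": [f for f in self.findings if f["arn"] in findingArns],
                "failedItems": {}}


if __name__ == "__main__":
    client = FakeInspectorClient()  # real use: boto3.client("inspector")
    run_arn = run_assessment(
        client, "arn:aws:inspector:us-east-1:111122223333:target/example",
        ["arn:aws:inspector:us-east-1:111122223333:rulespackage/PLACEHOLDER"],
        3600, "pre-deploy")
    found = fetch_findings(client, run_arn)
    print(summarize(found))   # {'High': 2, 'Medium': 4, 'Low': 5, 'Informational': 1}
    print(blocking_findings(found))
```

Passing the client in as a parameter is what makes the workflow testable without AWS credentials; in a deployment pipeline you would swap the stand-in for the real boto3 client, poll the run until it completes (the fake returns findings immediately, a real run does not), and fail the stage when blocking_findings() is non-empty.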
