Wednesday, 27 November 2024

Comprehensive Guide on Amazon - Inspector

Hi, folks Ashish this side. In this article, we’ll tour “Amazon Inspector”, So let’s hop into it.


What is an Amazon Inspector?

Amazon Inspector is an automated service for vulnerability management that scans Amazon EC2

instances, container images in Amazon ECR, and Lambda functions to detect software vulnerabilities and unintended network exposures. Upon identifying an issue, it provides a detailed findings report describing the vulnerability or exposure.



Features of Amazon Inspector:

Perform continuous scanning of the environment to detect vulnerabilities and network exposures:


Amazon Inspector automatically discovers and scans eligible resources, continuously monitoring the

environment. It automatically re-scans resources throughout their lifecycle whenever changes occur that might introduce new vulnerabilities, such as installing a new package on an EC2 instance, applying a patch, or the release of a new Common Vulnerabilities and Exposures i.e. CVE affecting the resource.


Amazon Inspector generates a comprehensive finding for investigation when it detects vulnerabilities or exposed network paths. Each finding provides in-depth information about the vulnerability, the impacted resource, and recommended remediation steps.


Manage multiple Amazon Inspector accounts centrally for streamlined administration


Amazon Inspector can be enabled across the entire organization with just one click.


Accurately evaluate vulnerabilities using the Amazon Inspector risk score


Amazon Inspector gathers data about the environment through scans and provides customized severity scores. It evaluates the security metrics from the National Vulnerability Database (NVD) base score for a vulnerability and adjusts them based on your specific computing environment.


Score 

Rating

0

Informational

0.1 - 3.9

Low

4.0 - 6.9

Medium

7.0 - 8.9

High

9.0 - 10.0

Critical


Types of automated scans in Amazon Inspector:



Amazon Inspector provides various scan types tailored to different resource types within your AWS environment.


1) Amazon EC2 Scanning:


When you enable Amazon EC2 scanning, Amazon Inspector examines your EC2 instances for:

● Common vulnerabilities and exposures. (CVEs)

● Operating system and programming language package vulnerabilities.

● Network reachability and exposure risks.

● It analyzes metadata from your EC2 instance and assesses it against rules based on security behaviors.


Amazon Inspector investigates by utilizing the SSM agent installed on the instances or by examining Amazon EBS snapshots of the instances.



2) Amazon ECR Scanning:


Amazon Inspector analyzes container images stored in Amazon Elastic Container Registry identifies software vulnerabilities and generates findings related to package security.

● It performs scans at the registry level to identify vulnerabilities in operating system and programming language packages.

● Amazon Inspector upgrades all Basic scanning container repositories in your private registry to Enhanced scanning, allowing for continuous monitoring.



3) Lambda Function Scanning:


A. Lambda Standard Scanning:


By default scanning technique for Lambda functions is Lambda Standard Scanning.

After being enabled, Amazon Inspector automatically identifies the Lambda functions in your account and promptly begins vulnerability scans. It also scans newly deployed Lambda functions and layers, rescans them upon updates, and performs additional scans when new Common Vulnerabilities and Exposures  i.e CVE's are published.


B. Lambda Code Scanning:


Lambda Code Scanning examines the custom application code found within Lambda functions. Once activated, it scans all Lambda functions in your account to identify code vulnerabilities.


Comprehensive Insights:


Package Vulnerability:


Package vulnerability findings highlight software packages within the AWS environment that are susceptible to Common Vulnerabilities and Exposures i.e CVE's Attackers may exploit these unpatched vulnerabilities to compromise data confidentiality, integrity, or availability, or to gain unauthorized access to other systems.



Code Vulnerability:


Code vulnerability findings pinpoint specific lines of code that may be vulnerable to exploitation by attackers. These vulnerabilities can include injection flaws like SQL injection, LDAP injection, Log injection, also XSS, SSRF, CSRF, Improper Input Validation, Unsanitized Inputs, Unrestricted upload of dangerous file type, data leaks, weak cryptography, or missing encryption. Amazon Inspector assesses the Lambda function application code using automated reasoning and machine learning techniques to evaluate overall security compliance. It detects policy violations and vulnerabilities by leveraging internal detectors, developed in collaboration with Amazon CodeGuru.


Network Reachability:


Network reachability findings reveal the Amazon EC2 instances present in the environment have open network paths, exposing TCP and UDP ports through VPC edges such as internet gateways, load balancers, VPC peering connections, or VPNs via virtual gateways. These findings suggest that certain network configurations, like security groups, access control lists (ACLs), ALB, ELB, Route Tables or internet gateways, may be overly permissive and could allow unauthorized or malicious access.



This section provides instructions for reviewing the details of the Amazon Inspector findings.


To view the details for a finding


1. Sign in using credentials, and open the Amazon Inspector service.

2. Click on Dashboard > Finding


Amazon Inspector Dashboard


  1. Findings Summary: Highlights the total number of findings categorized by severity (critical, high, medium, etc.).


  1. Resource Coverage: Displays the percentage of resources being scanned across services like EC2, EBS, and Lambda.


  1. Vulnerability Trends: Shows trends in vulnerabilities over time, helping to track progress in addressing security issues.


  1. Actionable Insights: Offers recommendations and links to detailed findings for immediate remediation.


  1. Filters and Reports: Allows you to filter findings by account, resource type, severity, or Track status and generate reports for compliance and auditing purposes.




➢ Inspector Findings: By Vulnerability.




➢ Inspector > Vulnerability Details




A typical finding might look like this:


Finding ID: f-1234abcd

Title: "EC2 Instance Vulnerable to CVE-2021-12345"

Severity: High

Description: An EC2 instance running the Apache web server is vulnerable to CVE-2021-12345, which allows remote code execution due to improper handling of requests.

Affected Resource: i-0abcd1234efgh5678 (EC2 instance ID)

Recommended Action: Upgrade Apache to version 2.4.46 or later to address this vulnerability.

Conclusion:

Amazon Inspector helps to identify vulnerabilities and misconfigurations in your AWS environment. The findings provide actionable insights into potential security risks and offer mitigation recommendations. It’s important to regularly assess your environment and take prompt action on the findings to ensure that your AWS resources are secure.

./Keep_Hacking :)

Written by Ashish Khare (Junior SOC Analyst @ cloud.in) 

No comments:

Post a Comment

Amazon Macie: Identifying Sensitive Information in S3 Objects

Amazon Macie: An Overview Amazon Macie is an AWS service designed to help detect sensitive information, such as Personally Identifiable Info...