DEV Community

Manu Muraleedharan for AWS Community Builders


Amazon Inspector

Amazon Inspector is a vulnerability scanning service for AWS workloads: it continuously scans EC2 instances, container images in ECR and Lambda functions for known software vulnerabilities and unintended network exposure.
Here is an overview from AWS: https://www.youtube.com/watch?v=viAn4E7uwRU

Personal note: In the context of the other law-enforcement terms used to name AWS security services (Detective, Guard, etc.), Inspector is a bit different. In my country, a police inspector (the inspector that comes to my mind when I hear the title) is a law enforcement officer who conducts investigations. I would say AWS Inspector is more like the vehicle inspector, who verifies that your vehicle is configured correctly and is not causing pollution.

For an instance to be scanned by Inspector it must be an SSM managed instance, which requires the following:

  • The SSM Agent is installed on the EC2 instance and running.
  • The instance has an IAM instance profile with the permissions the agent needs to talk to SSM (the AmazonSSMManagedInstanceCore managed policy covers this).
  • Outbound TCP 443 is allowed from the instance so the agent can reach the SSM endpoints, either over the internet or through VPC endpoints for ssm, ssmmessages and ec2messages.

Steps to follow if your EC2 instance does not appear as an SSM managed instance: https://repost.aws/knowledge-center/systems-manager-ec2-instance-not-appear
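A quick way to confirm the prerequisites for a list of instances is to compare what SSM sees with what Inspector reports as covered. The script below is an added example, not code from the original post: check_coverage() evaluates the shapes of two real API responses (SSM DescribeInstanceInformation and Inspector2 ListCoverage) but runs here on constructed sample data with made-up instance IDs, role name and agent versions; fetch_live() shows the boto3 calls that would produce the real input and needs credentials.

```python
"""Check whether EC2 instances meet the Inspector prerequisites above.

Added example, not code from the original post. check_coverage() evaluates
the two real API responses involved (SSM DescribeInstanceInformation and
Inspector2 ListCoverage), but it is run here on constructed sample data with
made-up instance IDs so it works offline; fetch_live() shows the boto3 calls
that would produce the real input and needs credentials.
"""
from typing import Dict, List


def check_coverage(instance_ids: List[str],
                   ssm_info: List[dict],
                   coverage: List[dict]) -> Dict[str, dict]:
    """Per instance: is it SSM managed and is Inspector actively scanning it?

    ssm_info is the InstanceInformationList from DescribeInstanceInformation;
    coverage is the coveredResources list from Inspector2 ListCoverage.
    """
    by_ssm = {i["InstanceId"]: i for i in ssm_info}
    by_cov = {c["resourceId"]: c for c in coverage
              if c.get("resourceType") == "AWS_EC2_INSTANCE"}
    report = {}
    for iid in instance_ids:
        problems = []
        ssm = by_ssm.get(iid)
        if ssm is None:
            problems.append("not an SSM managed instance (agent not running, "
                            "no instance profile, or no outbound 443 to SSM)")
        elif ssm.get("PingStatus") != "Online":
            problems.append(f"SSM agent is {ssm.get('PingStatus')}")
        cov = by_cov.get(iid)
        if cov is None:
            problems.append("Inspector has no coverage record for this instance")
        elif cov.get("scanStatus", {}).get("statusCode") != "ACTIVE":
            status = cov.get("scanStatus", {})
            problems.append(f"Inspector scan status {status.get('statusCode')}: "
                            f"{status.get('reason')}")
        report[iid] = {"scannable": not problems, "problems": problems}
    return report


# Constructed sample responses: field names match the real APIs, the
# instance IDs, role name and agent versions are made up for the example.
SAMPLE_SSM = [
    {"InstanceId": "i-0aaa000000000001", "PingStatus": "Online",
     "AgentVersion": "3.2.0.0", "IamRole": "InspectorDemoRole"},
    {"InstanceId": "i-0aaa000000000002", "PingStatus": "ConnectionLost",
     "AgentVersion": "3.1.0.0", "IamRole": "InspectorDemoRole"},
]
SAMPLE_COVERAGE = [
    {"resourceId": "i-0aaa000000000001", "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
    {"resourceId": "i-0aaa000000000002", "resourceType": "AWS_EC2_INSTANCE",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"}},
]
SAMPLE_IDS = ["i-0aaa000000000001", "i-0aaa000000000002", "i-0aaa000000000003"]


def fetch_live(instance_ids: List[str]) -> Dict[str, dict]:
    """Run the same check against the real APIs (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample runs without it
    ssm = boto3.client("ssm").describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": instance_ids}]
    )["InstanceInformationList"]
    cov = boto3.client("inspector2").list_coverage(
        filterCriteria={"resourceId": [{"comparison": "EQUALS", "value": i}
                                       for i in instance_ids]}
    )["coveredResources"]
    return check_coverage(instance_ids, ssm, cov)


if __name__ == "__main__":
    for iid, result in check_coverage(SAMPLE_IDS, SAMPLE_SSM, SAMPLE_COVERAGE).items():
        print(iid, "OK" if result["scannable"] else "; ".join(result["problems"]))
```

The third sample instance has no SSM record and no coverage record at all, which is exactly how a freshly launched instance without the agent looks; the reason string Inspector returns for the second one (UNMANAGED_EC2_INSTANCE) is the one to look for when the agent was installed but its instance profile or outbound access is wrong.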

Types of scanning

  • EC2 scanning - Inspector uses the SSM Agent already on the instance (there is no separate Inspector agent) to collect the installed package inventory and checks it for vulnerabilities; it also reports network reachability findings for ports exposed to the internet.
  • ECR scanning - scans container images pushed to Amazon ECR.
  • Lambda standard scanning - scans the packages (dependencies) deployed with a Lambda function.
  • Lambda code scanning - scans the function's own code for insecure patterns.

For each finding Inspector gives the details needed for triage: the affected package and the version that fixes it (if any), remediation steps, the CVSS (Common Vulnerability Scoring System) score, and the Inspector score, which adjusts the CVSS score using context such as whether the resource is reachable from the internet, so that the most critical findings float to the top.
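In practice you pull those details out of the ListFindings API rather than clicking through the console. The script below is an added example, not code from the original post: summarise() reads the `findings` list in the shape the Inspector2 ListFindings call returns (real field names) and splits package findings into those with a fix available and those without; it runs on a constructed sample whose vulnerability IDs, package names and ARNs are placeholders, and fetch_findings() shows the real paginated call, which needs boto3 and credentials. The same function works for EC2, ECR and Lambda findings.

```python
"""Triage Inspector findings by severity, score and fix availability.

Added example, not code from the original post. summarise() works on the
`findings` list returned by Inspector2 ListFindings (real field names);
here it runs on a constructed sample with placeholder vulnerability IDs,
package names and resource ARNs so it works offline. fetch_findings() shows
the real paginated call and needs boto3 and credentials.
"""
from collections import Counter
from typing import List

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"]


def _rank(row: dict):
    """Sort key: most severe first, then highest Inspector score first."""
    sev = row["severity"] if row["severity"] in SEVERITY_ORDER else "UNTRIAGED"
    return (SEVERITY_ORDER.index(sev), -(row["inspector_score"] or 0))


def summarise(findings: List[dict]) -> dict:
    """Count findings by severity and split package findings into those with
    a fixed version available (cheap wins) and those without.

    Network reachability and code findings are counted but not listed,
    since they have no package to upgrade.
    """
    by_severity = Counter(f.get("severity", "UNTRIAGED") for f in findings)
    fixable, unfixable = [], []
    for f in findings:
        if f.get("type") != "PACKAGE_VULNERABILITY":
            continue
        pv = f.get("packageVulnerabilityDetails", {})
        fixes = [f"{p['name']} {p.get('version')} -> {p['fixedInVersion']}"
                 for p in pv.get("vulnerablePackages", []) if p.get("fixedInVersion")]
        row = {
            "id": pv.get("vulnerabilityId"),
            "severity": f.get("severity"),
            "inspector_score": f.get("inspectorScore"),
            "resource": f["resources"][0]["id"] if f.get("resources") else None,
            "fixes": fixes,
            "remediation": f.get("remediation", {}).get("recommendation", {}).get("text"),
        }
        (fixable if fixes else unfixable).append(row)
    return {
        "by_severity": {s: by_severity[s] for s in SEVERITY_ORDER if by_severity[s]},
        "fixable": sorted(fixable, key=_rank),
        "unfixable": sorted(unfixable, key=_rank),
    }


def fetch_findings(filter_criteria: dict) -> List[dict]:
    """Fetch all active findings matching the filter, e.g.
    {"ecrImageRepositoryName": [{"comparison": "EQUALS", "value": "debian"}]}.
    Requires boto3 and credentials."""
    import boto3
    criteria = dict(filter_criteria)
    criteria.setdefault("findingStatus", [{"comparison": "EQUALS", "value": "ACTIVE"}])
    pages = boto3.client("inspector2").get_paginator("list_findings").paginate(
        filterCriteria=criteria)
    return [f for page in pages for f in page["findings"]]


# Constructed sample: shapes follow ListFindings, but the vulnerability IDs,
# packages, scores and ARNs are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    {"type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "inspectorScore": 7.5,
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                    "id": "arn:aws:ecr:us-east-1:111122223333:repository/debian/sha256:0000example"}],
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "EXAMPLE-0001",
         "vulnerablePackages": [{"name": "libexample1", "version": "1.2.3-1",
                                 "fixedInVersion": "1.2.3-2"}]},
     "remediation": {"recommendation": {"text": "Update libexample1 to 1.2.3-2"}}},
    {"type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "inspectorScore": 9.8,
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaa000000000001"}],
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "EXAMPLE-0002",
         "vulnerablePackages": [{"name": "exampled", "version": "2.0-1",
                                 "fixedInVersion": "2.0-3"}]},
     "remediation": {"recommendation": {"text": "Update exampled to 2.0-3"}}},
    {"type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "inspectorScore": 7.2,
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaa000000000001"}],
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "EXAMPLE-0003",
         "vulnerablePackages": [{"name": "libnofix", "version": "0.9-1"}]},
     "remediation": {"recommendation": {"text": "No fix available yet"}}},
    {"type": "NETWORK_REACHABILITY", "severity": "MEDIUM",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaa000000000001"}],
     "title": "Port 22 is reachable from the internet"},
]

if __name__ == "__main__":
    s = summarise(SAMPLE_FINDINGS)
    print(s["by_severity"])
    for row in s["fixable"]:
        print(row["severity"], row["id"], row["resource"], *row["fixes"])
```

Sorting by severity and then by Inspector score rather than CVSS alone is deliberate: two findings with the same CVSS base score can have very different Inspector scores once reachability is taken into account, and the fixable list is the one to hand to whoever owns patching.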

Suppression Rules
Say you have a web server. Then ports 80 and 443 being reachable from the internet is expected and you don't want to see findings for that.
You can create suppression rules (filters whose action is suppress) to hide findings that match specific criteria, such as a finding type, port range, vulnerability ID or resource tag. Suppressed findings are not deleted; they keep being tracked with the status Suppressed and can still be viewed, so keep each rule scoped narrowly (these ports, on these tagged resources) rather than suppressing by severity alone.
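Suppression rules are ordinary Inspector filters with action SUPPRESS, so they can be created and reviewed from code. The block below is an added example, not code from the original post: the two builders produce the web-server rule described above and a single accepted-CVE rule, validate_rule() rejects blanket suppressions (a caveat worth automating, since a rule with no resource, tag, port or vulnerability criterion hides real findings), and apply() performs the boto3 CreateFilter call, which needs credentials. The criteria keys are real FilterCriteria fields; the tag key and value are assumptions for the example.

```python
"""Build, validate and apply Inspector suppression rules.

Added example, not code from the original post. Suppression rules are
filters created with action SUPPRESS; the criteria keys used here
(findingType, portRange, resourceTags, vulnerabilityId, resourceType) are
real FilterCriteria fields. The tag key/value and rule names are assumptions
for the example. apply() makes the boto3 call and is not needed to run the
builders offline.
"""
from typing import List

# Criteria that pin a rule to something specific. A suppression without at
# least one of these hides findings across the whole account.
NARROWING_KEYS = {"resourceTags", "resourceId", "vulnerabilityId", "portRange",
                  "ecrImageRepositoryName", "lambdaFunctionName"}


def web_ports_rule(tag_key: str, tag_value: str,
                   ports=((80, 80), (443, 443))) -> dict:
    """Suppress network reachability findings for expected listener ports,
    but only on resources carrying the given tag, so the same ports still
    show up on instances that are not supposed to serve HTTP."""
    return {
        "name": f"expected-web-ports-{tag_key}-{tag_value}",
        "description": "Ports 80/443 reachable from the internet are expected on web servers",
        "action": "SUPPRESS",
        "filterCriteria": {
            "findingType": [{"comparison": "EQUALS", "value": "NETWORK_REACHABILITY"}],
            "portRange": [{"beginInclusive": lo, "endInclusive": hi} for lo, hi in ports],
            "resourceTags": [{"comparison": "EQUALS", "key": tag_key, "value": tag_value}],
        },
    }


def accepted_cve_rule(vuln_id: str, resource_type: str, reason: str) -> dict:
    """Suppress one vulnerability ID on one resource type (risk acceptance);
    the justification goes in the description so reviewers can see it."""
    return {
        "name": f"accepted-{vuln_id}-{resource_type}".lower(),
        "description": reason,
        "action": "SUPPRESS",
        "filterCriteria": {
            "vulnerabilityId": [{"comparison": "EQUALS", "value": vuln_id}],
            "resourceType": [{"comparison": "EQUALS", "value": resource_type}],
        },
    }


def validate_rule(rule: dict) -> List[str]:
    """Return a list of problems; an empty list means the rule is acceptable."""
    problems = []
    if rule.get("action") != "SUPPRESS":
        problems.append("action must be SUPPRESS for a suppression rule")
    if not NARROWING_KEYS & set(rule.get("filterCriteria", {})):
        problems.append("rule is not scoped to a resource, tag, port or vulnerability")
    if not rule.get("description"):
        problems.append("record why the finding is accepted in the description")
    return problems


def apply(rule: dict) -> str:
    """Create the filter in the account and return its ARN
    (requires boto3 and credentials)."""
    import boto3
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return boto3.client("inspector2").create_filter(**rule)["arn"]


if __name__ == "__main__":
    rule = web_ports_rule("role", "web")
    print(rule["filterCriteria"])
    print(validate_rule({"name": "too-broad", "action": "SUPPRESS",
                         "filterCriteria": {"severity": [{"comparison": "EQUALS", "value": "LOW"}]}}))
```

Keeping the builders separate from apply() means the rule JSON can be code-reviewed (or diffed against what is already in the account via ListFilters) before anything is suppressed.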

Vulnerability Database Search
Enter a CVE ID to look up Inspector's details for that vulnerability (description, severity and affected packages) without first having to find it among your own findings.

Deep scan of EC2
Inspector calls this deep inspection. In addition to OS packages, it inspects application (language) packages such as Python, Java or Node.js libraries found under a set of default paths, and you can add custom paths that should be scanned as well, for example where your own application installs its dependencies.

Center for Internet Security (CIS) Benchmark assessments
The Center for Internet Security offers a suite of security benchmarks that are widely used in the industry as authoritative hardening guidelines for IT systems. Inspector can run on-demand or scheduled CIS benchmark assessments against EC2 instances running supported operating systems; the instances to assess are selected by the tags you specify.

Export Software BOMs
Export a software bill of materials (SBOM) for the resources Inspector has analysed, in the industry standard CycloneDX or SPDX formats, to an S3 bucket. An SBOM lists every individual component (package name, version and package URL) of a resource. This lets you feed the inventory into other tooling, for example to check for vulnerabilities from a system that cannot reach AWS.

Inspector Demo

EC2 scanning

Create an EC2 instance from an older Debian AMI (Debian 10) in the AWS Marketplace, so that the scan has outdated packages to report:

https://aws.amazon.com/marketplace/pp/prodview-vh2uh3o4pdfow#pdp-overview

(This AMI is free to use)

Create a security group allowing inbound traffic on port 22 from anywhere (0.0.0.0/0) and attach it to the instance. This is deliberately over-permissive so that Inspector has a network exposure to report; do not leave it like this once the demo is over.

SSH into the instance, then install and start the SSM Agent (Debian AMIs do not ship with it preinstalled).
Steps for this: https://docs.aws.amazon.com/systems-manager/latest/userguide/manually-install-ssm-agent-linux.html

Once the instance shows up as an SSM managed instance, Inspector scans it automatically and the vulnerabilities appear in the console.

[Screenshot: EC2 scan findings in the Inspector console]

The security group allowing SSH from anywhere is also reported, as a network reachability finding that port 22 on the instance is reachable from the internet.

Container scanning
Pull a Debian 10 image from Docker Hub and push it to Amazon ECR:

docker pull debian:10.0

How to push to ECR: https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html

Once the image is pushed, Inspector scans it and the vulnerabilities appear in the console. You can look at findings per container repository or per container image.

[Screenshot: container image findings in the Inspector console]

Lambda scanning

Create a Lambda function with some deliberately vulnerable code. For example, the function below overwrites a reserved runtime environment variable and binds a socket to all interfaces:

import os
import json
import socket

def lambda_handler(event, context):

    # Scenario 1: overwriting a reserved Lambda runtime variable.
    # _HANDLER is set by the runtime; code should read it, never modify it.
    os.environ['_HANDLER'] = 'hello'

    # Scenario 2: binding a socket to all interfaces ('' means 0.0.0.0)
    # on a kernel-chosen port, and never closing it.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('',0))

    return {
        'statusCode': 200,
        'body': json.dumps("Inspector Code Scanning", default=str)
    }
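For comparison, here is the same handler with both flagged patterns fixed. This is an added example, not code from the original post: it keeps the same response shape but reads the reserved _HANDLER variable instead of overwriting it (refusing writes to runtime-owned names), and binds the socket to loopback only, on a kernel-chosen port, inside a context manager so it is always closed. APP_MODE is an assumed application-owned variable, and the reserved-name set is a subset of the names documented for the Lambda runtime.

```python
"""The Lambda above, with its two flagged patterns fixed.

Added example, not code from the original post. hardened_handler keeps the
same response shape but (1) reads the reserved _HANDLER variable instead of
overwriting it, refusing writes to runtime-owned names, and (2) binds the
socket to loopback only, on a kernel-chosen port, inside a context manager
so it is always closed. APP_MODE is an assumed application variable.
"""
import json
import os
import socket

# Variables owned by the Lambda runtime (a subset of the documented reserved set).
RESERVED_LAMBDA_VARS = {
    "_HANDLER", "_X_AMZN_TRACE_ID", "AWS_REGION", "AWS_DEFAULT_REGION",
    "AWS_EXECUTION_ENV", "AWS_LAMBDA_RUNTIME_API", "LAMBDA_TASK_ROOT",
    "LAMBDA_RUNTIME_DIR", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "AWS_SESSION_TOKEN",
}


def set_env(name: str, value: str) -> None:
    """Set an application variable; refuse names the runtime owns."""
    if name in RESERVED_LAMBDA_VARS or name.startswith("AWS_LAMBDA_"):
        raise ValueError(f"{name} is reserved by the Lambda runtime")
    os.environ[name] = value


def bind_loopback_port() -> int:
    """Bind to 127.0.0.1 only (not '' / 0.0.0.0) and let the kernel choose
    the port; the socket is closed when the block exits."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def hardened_handler(event, context):
    handler = os.environ.get("_HANDLER", "unknown")  # read, never write
    set_env("APP_MODE", "scan-demo")                 # application-owned, so allowed
    return {
        "statusCode": 200,
        "body": json.dumps({"message": "Inspector Code Scanning",
                            "handler": handler,
                            "local_port": bind_loopback_port()}, default=str),
    }


if __name__ == "__main__":
    print(hardened_handler({}, None))
```

Deploying this variant next to the original is a good way to see what code scanning reacts to: the same function shape, with the two findings gone.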

Lambda code scanning only covers runtimes supported by Inspector, and often that is not the latest runtime but the one before it. For Python the supported version is 3.11 as of writing this article, whereas the latest Lambda runtime is 3.12.

You can check the supported versions here:
https://docs.aws.amazon.com/inspector/latest/user/supported.html

The findings from the Lambda code scan then appear in the console.

[Screenshot: Lambda code scanning findings in the Inspector console]
