DEV Community

josepraveen

Hands-On AWS Security Lab: Detecting and Remediating Vulnerabilities with Amazon Inspector, Security Hub, and Systems Manager

Security is a shared responsibility in AWS, and one of the most important skills for cloud engineers is learning how to identify and remediate vulnerabilities before they become security incidents.

In this hands-on lab, you'll learn how to:

  • Create a vulnerable EC2 instance
  • Introduce a known security vulnerability
  • Scan resources using Amazon Inspector
  • Aggregate findings in AWS Security Hub
  • Configure AWS Config
  • Remediate security issues using AWS Systems Manager Automation
  • Validate that vulnerabilities have been successfully fixed

By the end of this lab, you'll have practical experience with AWS-native security services and automated remediation workflows.


Architecture Overview

The lab uses the following AWS services:

  • Amazon EC2
  • Amazon Inspector
  • AWS Systems Manager
  • AWS Config
  • AWS Security Hub
  • AWS IAM

The workflow follows this sequence:

  1. Deploy an EC2 instance.
  2. Introduce network and application vulnerabilities.
  3. Enable Inspector and scan the instance.
  4. Aggregate findings through Security Hub.
  5. Use Systems Manager Automation to remediate vulnerabilities.
  6. Verify the remediation results.

Step 1: Create a Vulnerable EC2 Instance

First, launch an Ubuntu EC2 instance that will serve as the target for security scans.

Launch the Instance

  1. Navigate to EC2.
  2. Select Instances.
  3. Click Launch Instance.
  4. Name the instance: Vulnerable_Server
  5. Under Quick Start, select Ubuntu.
  6. Choose Proceed without a key pair.
  7. Click Launch Instance.

Introduce a Network-Level Vulnerability

After the instance launches:

  1. Open the instance details.
  2. Navigate to the Security tab.
  3. Open the attached Security Group.
  4. Select Edit Inbound Rules.
  5. Add a new rule:
       Type    Custom TCP
       Port    21
       Source  Anywhere-IPv4
  6. Save the rule.

This creates a publicly accessible FTP service port, which will later be flagged by AWS security services.


Step 2: Connect to the Instance

  1. Return to the EC2 console.
  2. Select the instance.
  3. Click Connect.
  4. Use EC2 Instance Connect.
  5. Click Connect.

You should now have terminal access to the Ubuntu server.


Step 3: Create a High-Severity Vulnerability

In this section, we'll intentionally misconfigure an FTP server to create a vulnerability associated with anonymous access.

Update Packages

sudo apt update

Install VSFTPD

sudo apt install vsftpd

When prompted to continue, answer Y.

Modify the Configuration

Open the configuration file:

sudo nano /etc/vsftpd.conf

Make the following changes:

anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES

Add the following at the end of the file:

anon_root=/srv/ftp
no_anon_password=YES
hide_ids=YES

Save and exit.

Apply Permissions

sudo chmod 755 /srv/ftp/

Restart the Service

sudo systemctl restart vsftpd

Verify the service:

sudo systemctl status vsftpd

Exit the status view by pressing Q.

Test Anonymous Access

ftp localhost

Log in with the username:

anonymous

If configured correctly, you'll see:

Login successful.

Exit FTP:

exit

At this point, you've successfully introduced a high-severity vulnerability into the environment.
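To check the state of /etc/vsftpd.conf from a script rather than by eye, here is an added example (not code from the original post) that parses vsftpd's key=value format and classifies the anonymous-access options the lab just enabled; the sample config and the severity labels are constructed for the example.

```python
"""Audit a vsftpd.conf for the anonymous-access options this lab turns on.
Added example, not code from the original post; it parses vsftpd's
key=value format and reports which anonymous-FTP options are active."""

# Constructed sample: the lab's modified /etc/vsftpd.conf, abbreviated.
LAB_CONFIG = """\
# Example config file /etc/vsftpd.conf
anonymous_enable=YES
local_enable=NO
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/srv/ftp
no_anon_password=YES
hide_ids=YES
"""

# Anonymous-access options and what each one grants when set to YES.
ANON_SETTINGS = {
    "anonymous_enable": "anonymous logins allowed",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
    "no_anon_password": "anonymous login asks for no password",
}

def parse_vsftpd_conf(text):
    """Return option -> value; blank lines and '#' comments are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options

def audit_anonymous_ftp(text):
    """Classify the anonymous-access exposure described by a vsftpd.conf."""
    opts = parse_vsftpd_conf(text)
    on = [k for k in ANON_SETTINGS if opts.get(k, "NO").upper() == "YES"]
    writable = opts.get("write_enable", "NO").upper() == "YES"
    if "anonymous_enable" not in on:
        severity = "NONE"  # the other anon_* options are inert without it
    elif writable and ("anon_upload_enable" in on or "anon_mkdir_write_enable" in on):
        severity = "HIGH"  # anonymous read and write: the lab's deliberate state
    else:
        severity = "MEDIUM"  # anonymous read-only access
    return {"severity": severity, "findings": [ANON_SETTINGS[k] for k in on]}
```

Running `audit_anonymous_ftp(open("/etc/vsftpd.conf").read())` on the instance before and after cleanup shows whether the anonymous write path is still open.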


Step 4: Configure AWS Systems Manager

To allow Systems Manager to manage the EC2 instance, we need to enable host management and assign the appropriate IAM role.

Enable Host Management

  1. Open Systems Manager.
  2. Select Quick Setup.
  3. Click Get Started.
  4. Under Host Management, click Create.
  5. Review and create the configuration.
  6. Acknowledge the setup.

Wait until deployment completes successfully.


Create an IAM Role

Navigate to IAM and create a role with the following settings:

  Trusted entity     EC2
  Permission policy  AmazonSSMManagedInstanceCore
  Role name          Inspector

Create the role.


Attach the Role to EC2

  1. Return to EC2.
  2. Select the instance.
  3. Choose Actions → Security → Modify IAM Role.
  4. Select the Inspector role.
  5. Save changes.

With the AmazonSSMManagedInstanceCore policy attached, the SSM Agent on the instance can register with Systems Manager, and the instance will appear as a managed node.


Step 5: Run Amazon Inspector

Amazon Inspector automatically discovers and scans workloads for vulnerabilities.

Enable Inspector

  1. Open Amazon Inspector.
  2. Click Get Started.
  3. Select Activate Inspector.

After activation, the console reports:

Welcome to Inspector. Your first scan is underway.

Wait approximately 10 minutes for findings to appear.


Review Findings

Navigate to:

Amazon EC2 Instances with Most Critical Findings

Open the findings list and inspect the:

Port 21 High Severity Finding

This finding identifies the publicly exposed FTP service configured earlier.


Step 6: Enable AWS Config

AWS Config must be recording resources before Security Hub can evaluate its controls, since those controls are implemented as Config rules.

Setup

  1. Open AWS Config.
  2. Choose 1-Click Setup.
  3. Confirm the configuration.

AWS Config will begin evaluating resources across the account.


Step 7: Centralize Findings with Security Hub

AWS Security Hub aggregates findings from multiple AWS security services.

Enable Security Hub

  1. Open Security Hub.
  2. Select Security Hub CSPM.
  3. Click Get Started.
  4. Choose Enable Security Hub CSPM.

Wait several minutes for findings to populate.


Review Critical Findings

Navigate to:

Findings by Region

Open the Critical findings section and select:

Security groups should not allow unrestricted access to ports with high risk

You'll observe that Security Hub highlights the exposed ports, including:

  • Port 21 (FTP)
  • Port 22 (SSH)

This demonstrates how Security Hub consolidates security insights from multiple AWS services.


Step 8: Remediate the Vulnerability with Systems Manager

Instead of manually editing the security group, we'll use Systems Manager Automation to perform remediation.

Create an Automation Runbook

  1. Open Systems Manager.
  2. Navigate to Automation.
  3. Select Create Runbook.
  4. Close any pop-ups.

Import AWS Template

Choose:

Actions → Use Runbook as Template

Filter by:

Security

Import:

AWS-DisablePublicAccessForSecurityGroup


Customize the Runbook

Delete every step except:

DisableSSHFromIpV4

Rename the remaining step:

RemoveFTPAccess

This step revokes the inbound rule that allows 0.0.0.0/0 on the given port range, so changing both ports to 21 retargets it at the FTP rule instead of SSH. Modify the input values:

  FromPort  21
  ToPort    21

Rename the runbook:

FTP_Removal

Create the runbook.


Execute the Runbook

Copy the Security Group ID attached to your EC2 instance.

Run the automation and provide:

GroupId = <Security Group ID>

Click Execute and wait until the status shows Success.
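The Security Hub control quoted in Step 7 and the runbook step above both come down to the same check: is a rule open to the world on a high-risk port, and what exactly must be revoked? This added example (not code from the original post and not AWS's runbook) does that over the IpPermissions structure that EC2 DescribeSecurityGroups returns; the security group and its sg-PLACEHOLDER id are constructed, and the high-risk port set is passed in by the caller.

```python
"""Flag world-open inbound rules on high-risk ports and build the revoke call.
Added example, not code from the original post or from AWS's runbook. It
works on the IpPermissions structure EC2 DescribeSecurityGroups returns and
produces the parameters the FTP_Removal step passes to RevokeSecurityGroupIngress."""

OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: the lab's security group after Step 1 (SSH from the
# launch wizard plus the hand-added FTP rule). The group id is a placeholder.
LAB_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

def rule_covers_port(rule, port):
    """True if the rule's protocol and port range include `port`; -1 is all traffic."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] not in ("tcp", "udp"):
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def unrestricted_rules(sg, high_risk_ports):
    """Return, per matching rule, only the world-open ranges (the part to revoke)."""
    hits = []
    for rule in sg["IpPermissions"]:
        if not any(rule_covers_port(rule, p) for p in high_risk_ports):
            continue
        v4 = [r for r in rule.get("IpRanges", []) if r["CidrIp"] in OPEN_TO_WORLD]
        v6 = [r for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] in OPEN_TO_WORLD]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": rule["IpProtocol"], "IpRanges": v4, "Ipv6Ranges": v6}
        if "FromPort" in rule:  # absent for all-traffic (-1) rules
            entry.update(FromPort=rule["FromPort"], ToPort=rule["ToPort"])
        hits.append(entry)
    return hits

def build_revoke_request(sg, high_risk_ports):
    """Keyword arguments for ec2.revoke_security_group_ingress(), or None if clean."""
    hits = unrestricted_rules(sg, high_risk_ports)
    return {"GroupId": sg["GroupId"], "IpPermissions": hits} if hits else None
```

With boto3 the returned dict can be passed directly as `ec2.revoke_security_group_ingress(**request)`; a None result is the "already compliant" case the runbook should treat as success rather than error.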

Step 9: Validate the Fix

Return to EC2.

Refresh the instance details and review the Security Group inbound rules.

You should see that:

✅ Port 21 has been removed

This confirms that Systems Manager successfully remediated the vulnerability.


Key Takeaways

In this lab, you learned how to:

  • Deploy and intentionally misconfigure an EC2 workload
  • Detect vulnerabilities using Amazon Inspector
  • Aggregate security findings in AWS Security Hub
  • Enable AWS Config for compliance monitoring
  • Configure Systems Manager for managed instances
  • Create and execute automated remediation workflows
  • Validate security fixes after remediation

These AWS-native security services work together to provide continuous monitoring, centralized visibility, and automated remediation capabilities that help organizations maintain a secure cloud environment at scale.
