DEV Community: Alanoud Alassaf

Automate scanning for vulnerabilities, network exposures & deviation from best practices in AWS

Alanoud Alassaf — Tue, 28 Dec 2021 17:43:01 +0000

Amazon Inspector

Is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities, automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.

An Amazon Inspector assessment covers:

Network Reachability.
Common vulnerabilities and exposures (CVE).
Center for Internet Security (CIS) benchmarks – currently only with Amazon inspector classic.
Security best practices – currently only with Amazon inspector classic.

Source: Amazon Inspector Amazon Inspector Classic

In this demo I will walk you through a step-by-step guide on creating Linux and Windows EC2 instances, installing Inspector agent on them, enabling and configuring Amazon Inspector classic and Amazon Inspector then downloading a full report of all findings, so let’s get started!

First let’s create a new Linux EC2 instance.

It will take you to EC2 dashboard page.

On the left side of the screen you will find instances click on it, then click Launch instances.

For this demo, you can select one of the free tier Amazon Linux AMI’s.

For the instance type, you can select the free tier t2.micro then click Review and Launch.

You will get this security warning message because we did not change the security group rules and it is now widely open.

To change it click Edit security groups.

For now, you can allow only your IP address then click Review and Launch.

Once you click Launch, it will ask you to either create a new key pair or use an existing one - I will create a new key pair and name it Demo-KP.

You must download the key pair first, then launch the instance.

Now let’s create another instance with Windows image.

Click on Launch instances.

Search for Windows in the search bar, then select one of the free tier windows images.

For the instance type, you can select t2.micro as well.

Then click Review and Launch.

Again, you will see the security warning message.

Click Edit security groups and change it to your IP address, then click Launch.

It will ask you to create or use an existing key pair, you can use the one you created earlier.

Then check the box below and click Launch Instances.

Now we have two running EC2 instances; Linux and Windows.

Let’s add new tag to each one of them.

Select each instance and click Tags then Manage tags.

Add a new tag with the Key “Type” and Value “Production” then click Save.

Select the Linux instance and copy the IP address.

Now let’s open the terminal, login to the Linux instance and install Amazon Inspector’s agent.

To login, first you need to change the permissions for the Key file by running this command:

chmod 400 [your key file]

Then login to the instance by running this command:

ssh ec2-user@[Your EC2 instance IP address] -i  [your key file]

You are now logged in.

Next you will need to download Amazon Inspector’s agent script by running this command:

wget https://inspector-agent.amazonaws.com/linux/latest/install

Once it’s completed, you can install the agent by running this command:

sudo bash install

Amazon Inspector’s agent has been installed in the Linux instance.

Now let’s go back to the console and connect to the Windows instance.

In the EC2 instances page select the Windows instance then click Connect.

Select RDP client then Get password.

Browse to your key pair then click Decrypt password.

Copy the password as you will need it to access your Windows instance.

I will use Microsoft Remote Desktop to connect to the Windows instance.

Now that you are logged in, you will need to download Amazon Inspector’s agent using this URL:
https://inspector-agent.amazonaws.com/windows/installer/latest/AWSAgentInstall.exe

Once the download is completed, click on Run.

Check the box to agree to the license terms and conditions, then click Install.

Now that the installation is completed, let’s go back to the AWS console and enable Amazon Inspector.

You can find Inspector under the Security, Identity & Compliance section.

It will take you to Amazon Inspector’s main page, click Get Started.

Let’s start first with Inspector Classic.

You can click Switch to Inspector Classic on the left side of the screen and it will open a new tab.

Click on Get started.

It will ask you to setup your assessment; if you want to allow Network assessments, Host assessments or both, as well as the frequency of the scanning (weekly or once).

Once you chose the desired assessment runs, it will ask you to confirm it, click OK.

Then it will take you to Amazon Inspector classic dashboard.

Now let’s create a new assessment target.

Click Assessment targets on the left side of the screen then click Create.

Give it a name, then add the tag that is associated to the instances you want to run inspector on – you have the option to include all EC2 instances in your account and region as well - then save it.

Now let’s create a new assessment template.

Click Assessment templates on the left side of the screen then Create.

Name your assessment template, select the target that you created in the previous step, then add the rules packages that you want to include in this template and choose the duration to run the assessment (AWS recommends 1 hour) but for this demo I will choose 15 minutes.

You also have the option to connect it to SNS if you want to receive notifications.

Add the desired tags and you can check the box below to set a schedule to automatically run the assessment.

For this demo you can uncheck the box then click Create and run.

It will start the analysis, once it's completed it will show you the number of findings.

Click on Download report.

You can select whether you want only the findings report or the full report (the full report will also include the rules packages) then choose the desired format HTML or PDF.

You can see below some screenshots of the full report in PDF format.

Let’s go back to the console.

Click on Findings on the left side of the screen.

You will see all findings with details and you have the option to filter them based on severity level.

Lastly, let’s go back to the Inspector tab.

Click Enable Inspector.

You will see the dashboard which contains a summary, and on the left side of the screen you can check the findings based on vulnerability, instance, container image, repository, and all findings as well.

Now we can manage vulnerabilities, network exposure and deviation from security best practices in a centralized automated way!

We have configured both Amazon Inspector and Amazon Inspector classic, installed Inspector agents on Linux and Windows servers, and have a well-written organized full report with all details.

Getting Started with AWS Config, CloudTrail, CloudWatch, S3, SNS

Alanoud Alassaf — Fri, 16 Jul 2021 15:22:02 +0000

Security is one of the major concerns in any environment, whether you are planning to run a start-up or having an enterprise, you should always consider security before anything and have a zero-trust model.

It is better to be proactive and secure your resource than being a reactive and start implementing security after an incident, some of the reasons are:

Save money.
Save efforts.
Availability of your services.
Business reputation.
And many more.

What is AWS Config?

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
Source: AWS Config

In this demo, we will set up AWS Config, assign a rule to it, set up AWS CloudTrail, enable CloudWatch to monitor CloudTrail, set up S3 bucket to store our log files, and set up Simple Notification Service to receive notifications through email.

With all that being said, let’s open the console and start setting up AWS Config:

Click on all services, then you will find Config under Management & Governance Section, click it:

It will take you to AWS Config’s dashboard.

Click Get started.

Now you can start setting up your Config,
For the resource type; you can choose Record all resources in this region, this will allow config to record all your resources in the region you’re currently using, and you can check the box below which says “include global resources” this will also get the resources that operates in a global basis such as IAM.

Now you will need an S3 bucket to store your config log files,
you have the option to choose an existing one or create a new one directly from Config’s settings, and it will suggest a name for your S3 bucket as you can see in the screenshot below.

By checking the box for SNS topic you will set up a Simple Notification Service (SNS) topic to provide you with notifications related to your Config.
You have the option to create a new SNS topic or choose an existing one whether it’s from your account or another account.

For this demo, I will create a new SNS topic and give the topic a name: config-topic.

Then you can click next.

It will take you to step 2: to assign rules.
As you can see below there are more than 150 rules ready to use, provided and managed by AWS,
but of course, you have the option to create your own rules.

For this demo, I will choose an AWS managed rule.
Cloudtrail-enabled: this rule will periodically check whether AWS cloudtrail is enabled in your account or not.

Then click next and review your configurations then click confirm.

Your AWS Config Dashboard will open, this is where you can add/edit/delete rules, check compliances and basically manage everything.

Now let’s set up a CloudTrail, you can find it under Management and Governance.

Once you’re in the dashboard, click create trail.

Give it a name and select where do you want to store the logs;
You can use one of your existing S3 buckets, or create a new one directly from here,
I will create a new one and it will automatically provide a name for it (you can change it) you also have the option to encrypt log files using KMS, for this demo I will keep it as it is.

You can also enable Simple Notification Service (SNS) and associate it with this Trail.

And you have the option to enable CloudWatch logs; which will monitor your CloudTrail logs.
I will enable it and choose a new log group then give it a name (It will provide it automatically, but you can change it).

Then you will need to assign an IAM Role to enable communication between CloudTrail and CloudWatch, I will choose a new role and give it a name.

You will select the type of events that you want CloudTrail to log, I will select them all.
It will ask you to specify the kind of API activities to log for the management events, I will choose the read and write activates.

For the data events, it will ask you to select the source of data, I will keep it S3; you can select a specific S3 bucket, or all current and future S3 buckets, I will keep it for all S3 buckets.

In insights events, you can enable the API Call rate to measure any unusual activities.

Click next, review your settings, and click create trail.

Now you can see our trail “CloudTrail-test” is enabled and the status is Logging.

Let’s go to S3, you can find it under Storage.

You can see our S3 bucket has been created, and we can find all CloudTrail logs inside it

When you click on it you will find our folders that contains logs from CloudTrail.

Now let’s go to Simple Notification Service (SNS), you can find it under Application Integration.

You will find the Topic that we created earlier (while setting up Config) here -you will need the ARN in the next step-.

Let’s connect it to our email to receive notifications there.

Click on subscriptions (you can find it on your left-hand side of the screen) click create subscription and fill the necessary details.

Select the Topic that you want to connect to your email (your topic's ARN), and in the protocol section, select email.

For the endpoint, add your email address then create the subscription.

You will receive an email to confirm the subscription, click on the link that says “Confirm Subscription”.

It will open a new web page that confirms your subscription, with your subscription ID and an option to remove the subscription.

If you go back to SNS Subscriptions, you will find your subscription ID, your email address and the status is confirmed.

If you go back to AWS Config, you will find your cloudtrail-enabled rule compliant now.

Voila!

We now have a centralized configuration dashboard associated with chosen rules to evaluate our security, CloudTrail to audit API calls, S3 bucket to store all log files and receive notifications via email.