Analysis of AWS Inspector

AWS Inspector is an agent-based tool that enables you to analyse your AWS resources and to identify potential security issues.

Launching and Configuring AWS Inspector

First of all, you have to set up AWS Inspector and create a specific IAM role for it. This is described in the AWS Quick Start guide.

The AWS Inspector role is read-only: it only grants the ability to list the instances in your AWS account, so the principle of least privilege is respected.

Running AWS Inspector takes 4 steps:

  1. Create Assessment Targets: In this step, you define which resources you want to analyse for security issues. You do this by putting a specific AWS Tag on each instance you want to analyse; once tagged, the instance appears in the console.
  2. Install the AWS Agent on Targets: You have to install the AWS Agent on every target you want to analyse.
    • This agent sends all the collected information to AWS Inspector. The agent is in charge of establishing the connection to AWS Inspector.
      • NB: At the time of writing, the AWS Agent is available for a very limited set of Operating Systems (Amazon Linux 2015.03 or later, Ubuntu 14.04 LTS, RHEL 7.2, CentOS 7.2, Windows Server 2008 R2 and 2012) in 4 AWS Regions (US West Oregon, US East N. Virginia, EU Ireland, Asia Pacific Tokyo).
  3. Create Assessment Template: In this step, you create the template used to analyse your instances: the target, the duration of the run and the rules packages to apply. There are 4 rules packages that can be selected.
  4. Run your selected Assessment Template: In this step, you launch the analysis of all the instances that have been tagged and on which you have installed the AWS Agent.
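The 4 steps above can also be driven from the API instead of the console. The following is an added example, not code from the original post or from AWS: it uses the boto3 `inspector` client to perform steps 1, 3 and 4 (a resource group and target built from a tag, a template built from rules packages chosen by name, and the run). Step 2 has no API equivalent: the agent still has to be installed on each instance. The tag `Inspector=true`, the template name, the 1-hour duration, the `owner` attribute and the `us-east-1` region are assumptions made for the example.

```python
"""Launch an AWS Inspector assessment from the API (steps 1, 3 and 4 above).

Added example, not code from the original post. It uses the boto3 'inspector'
client. Step 2, installing the AWS Agent on each instance, is not exposed by
this API and must still be done on the host. Assumptions: the instances are
already tagged (e.g. Inspector=true), the IAM role from the Quick Start exists
and the region is one of the supported ones.
"""
from __future__ import annotations

# Rules package names as shown in the console and by DescribeRulesPackages
# (the version suffix, e.g. "-1.1", is matched by prefix).
DEFAULT_PACKAGES = (
    "Common Vulnerabilities and Exposures",
    "Security Best Practices",
)


def pick_rules_packages(described: list[dict], wanted: tuple[str, ...]) -> list[str]:
    """Return the ARNs of the rules packages whose name starts with one of `wanted`.

    `described` is the `rulesPackages` list of a DescribeRulesPackages response.
    Raises if a requested package is not offered, rather than silently running
    an assessment that covers less than intended.
    """
    arns = []
    for prefix in wanted:
        matches = [p["arn"] for p in described if p["name"].startswith(prefix)]
        if not matches:
            raise LookupError(f"rules package {prefix!r} not available in this region")
        arns.extend(matches)
    return arns


def run_assessment(inspector, tag_key: str, tag_value: str, name: str,
                   duration_s: int = 3600,
                   packages: tuple[str, ...] = DEFAULT_PACKAGES) -> dict:
    """Create a target and a template from a tag, start a run; return the ARNs.

    `inspector` is a boto3 client for the 'inspector' service (or any object
    with the same methods). Every call below is one Inspector API action, so
    each one also shows up in CloudTrail.
    """
    # Step 1 (API side): the resource group is the tag filter selecting instances.
    rg = inspector.create_resource_group(
        resourceGroupTags=[{"key": tag_key, "value": tag_value}]
    )["resourceGroupArn"]
    target = inspector.create_assessment_target(
        assessmentTargetName=f"{name}-target", resourceGroupArn=rg
    )["assessmentTargetArn"]

    # Step 3: resolve the rules packages offered in this region by name.
    offered = inspector.list_rules_packages()["rulesPackageArns"]
    described = inspector.describe_rules_packages(rulesPackageArns=offered)["rulesPackages"]
    package_arns = pick_rules_packages(described, packages)
    template = inspector.create_assessment_template(
        assessmentTargetArn=target,
        assessmentTemplateName=f"{name}-template",
        durationInSeconds=duration_s,
        rulesPackageArns=package_arns,
        # Copied onto every finding; useful when building the remediation sheet.
        userAttributesForFindings=[{"key": "owner", "value": name}],
    )["assessmentTemplateArn"]

    # Step 4: start the run. Only tagged instances with a working agent are assessed.
    run = inspector.start_assessment_run(
        assessmentTemplateArn=template, assessmentRunName=f"{name}-run"
    )["assessmentRunArn"]
    return {"resourceGroupArn": rg, "assessmentTargetArn": target,
            "assessmentTemplateArn": template, "assessmentRunArn": run,
            "rulesPackageArns": package_arns}


if __name__ == "__main__":
    import boto3  # assumption: boto3 is installed and credentials are configured

    client = boto3.client("inspector", region_name="us-east-1")  # one of the 4 regions
    print(run_assessment(client, "Inspector", "true", "weekly-scan"))
```

`pick_rules_packages` fails loudly when a requested package is not offered instead of quietly running with fewer packages than intended; with only 4 packages and 4 regions available, that check is cheap and avoids a misleadingly clean report.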


Analysis of AWS Inspector and its findings

AWS Inspector is a vulnerability assessment tool that performs a white-box assessment of instances. It requires installing an agent on, and adding an AWS Tag to, each instance you want to scan. Because the agent runs on the instance, the white-box scan does not need any AWS KeyPair or SSH/RDP credentials.

AWS Inspector has a basic web interface in the AWS Console and an API, like all other AWS services. AWS Inspector has 4 levels of severity: Informational, Low, Medium, High.

You can filter using the AWS Agent ID (which is the same as your Instance ID) or using one of the columns of the table. You can export, but the export contains no details of the issue or of its associated recommendation, so you cannot use the tool to build your remediation spreadsheet without spending time on it.

I did my test with the following instances:

  • Linux Ubuntu 14.04 LTS: latest AMI available (ami-fce3c696) without any specific software
  • MS Windows 2008 R2: outdated version of MS Windows 2008 R2 (ami-3bd17a50) without any specific software

I got the following results:

  • Common Vulnerabilities and Exposures-1.1
    • Found CVEs related to the Operating System
  • CIS Operating System Security Configuration Benchmarks-1.0
    • Nothing found, except that the instances were not running the Amazon Linux Operating System
  • Security Best Practices-1.0
    • Detected root login via SSH
    • NB: This is currently only available for Linux based Operating Systems
  • Runtime Behavior Analysis-1.0
    • Managed to find that HTTP port 80 was open
    • NB: No analysis of this HTTP port, such as the version of the web server


AWS Inspector Pros & Cons

Pros:

  • Automation and availability of the API
  • API calls logged in CloudTrail
  • Fully integrated with AWS: you select your instances using AWS Tags
  • Principle of least privilege
  • White-box analysis

Cons:

  • Agent-based solution: not available for every instance (limited Operating System support) and only in 4 AWS Regions
  • All data is sent out of my AWS account, to the Inspector service
  • Small set of rules packages
  • Not able to audit stopped instances (instances left behind)
  • Impact on production instances, since the agent runs on the instance being assessed
  • Only available for AWS instances


Conclusion

AWS Inspector is a new service from AWS and is fully integrated into the AWS Console.

I’m very surprised that the leader in IaaS Cloud Computing has chosen an agent-based scanning solution. AWS has done so much integration with Linux and Windows systems in order to be fully automated (Security Groups for host-based firewalling, etc.), to use the metadata server and to avoid any specific deployment on instances. In my point of view, they have lacked innovation on this part.

As a security expert, I really like the fact that AWS Inspector can do white-box analysis automatically. I would rather have an agent-less solution that is given temporary access with temporary keys to the instance, just like Elastic Detector does (Elastic Detector even has a cloning mode where you do not have to specify anything). Moreover, AWS Inspector and its agent send all the critical information about my instances outside my account. I would have preferred that everything be kept on my premises, even by launching an instance in my own account (just like AWS VPC does).

The second thing that is a little bit annoying is the lack of rules packages and of Operating Systems supported by the Agent. There are always some old servers in a real infrastructure and you cannot discard them from your vulnerability assessment. This means that, at the time of writing, you must use a second vulnerability assessment tool to do the job properly. Elastic Detector is fully integrated with any cloud infrastructure (AWS, GCE, Azure, …), virtualized environment (VMware, Citrix Xen, …) or physical system, which is more than a requirement in my point of view.

AWS Inspector is very limited in terms of reporting, therefore it is a bit difficult to use the results of an assessment run to build your remediation spreadsheet. Nowadays, clear and usable reporting is more than mandatory for vulnerability assessment tools. As a security expert, I do not want to waste my time parsing reports and giving the right information to the right person in the company. Moreover, the people in charge of the remediation should immediately understand what they have to do in order to fix the issue.
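The reporting gap noted above (the console export that lacks the issue details, and the remediation spreadsheet that has to be built by hand) can be closed from the API: DescribeFindings returns, per finding, the title, description, recommendation, severity and the agent ID of the instance. The following is an added example, not code from the original post or from AWS: it fetches the findings of a run with boto3 (ListFindings followed by DescribeFindings) or takes a saved response, sorts them worst first, and produces a CSV with one row per finding that can be handed to the person fixing each instance. The sample response at the bottom is constructed (the finding texts paraphrase the results listed in this post; the ARNs and instance IDs are made up), and the `owner` attribute and the CSV columns are assumptions for the example.

```python
"""Build a remediation spreadsheet from AWS Inspector findings.

Added example, not code from the original post. The console export does not
carry the issue details, but the DescribeFindings API returns, per finding,
the title, description, recommendation, severity and the agent ID of the
instance (the same as its instance ID). This module fetches them (or takes a
saved response), sorts High first and writes one CSV row per finding.
"""
import csv
import io

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
CSV_FIELDS = ("instance", "owner", "severity", "rules_package", "title", "recommendation")


def fetch_findings(inspector, run_arn: str) -> dict:
    """Collect every finding of a run via ListFindings + DescribeFindings.

    `inspector` is a boto3 'inspector' client. ListFindings is paginated with
    nextToken and DescribeFindings accepts at most 10 ARNs per call.
    """
    arns, kwargs = [], {"assessmentRunArns": [run_arn], "maxResults": 500}
    while True:
        page = inspector.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        if not page.get("nextToken"):
            break
        kwargs["nextToken"] = page["nextToken"]
    findings = []
    for i in range(0, len(arns), 10):
        findings.extend(inspector.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return {"findings": findings}


def findings_to_rows(response: dict) -> list:
    """Flatten a DescribeFindings response into spreadsheet rows, worst first."""
    rows = []
    for f in response["findings"]:
        # 'owner' is an assumed user attribute set on the assessment template.
        owner = next((a["value"] for a in f.get("userAttributes", []) if a["key"] == "owner"), "")
        rows.append({
            "instance": f.get("assetAttributes", {}).get("agentId", ""),
            "owner": owner,
            "severity": f["severity"],
            # "arn:...:rulespackage/0-XXXX" -> "0-XXXX"
            "rules_package": f["serviceAttributes"]["rulesPackageArn"].rsplit("/", 1)[-1],
            "title": f["title"],
            "recommendation": f.get("recommendation", ""),
        })
    unknown = len(SEVERITY_ORDER)  # unexpected severities sort last, not silently first
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], unknown), r["instance"], r["title"]))
    return rows


def summary_by_instance(rows) -> dict:
    """{instance: {severity: count}}: the one-line status per host."""
    out = {}
    for r in rows:
        per_host = out.setdefault(r["instance"], {})
        per_host[r["severity"]] = per_host.get(r["severity"], 0) + 1
    return out


def remediation_csv_text(rows) -> str:
    """Render the rows as CSV text (header + one line per finding)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample in the shape of a DescribeFindings response. The finding
# texts paraphrase the results listed in the post; ARNs and instance IDs are made up.
_RP = "arn:aws:inspector:us-east-1:123456789012:rulespackage/"
_FD = "arn:aws:inspector:us-east-1:123456789012:target/0-t/template/0-tp/run/0-r/finding/"
SAMPLE = {"findings": [
    {"arn": _FD + "0-f1", "severity": "Medium", "assetType": "ec2-instance",
     "title": "Instance is configured to allow users to log in with root credentials over SSH",
     "description": "PermitRootLogin is enabled in the sshd configuration.",
     "recommendation": "Set PermitRootLogin to 'no' in /etc/ssh/sshd_config and restart sshd.",
     "assetAttributes": {"agentId": "i-0aaa000000000000a"},
     "serviceAttributes": {"rulesPackageArn": _RP + "0-SBP"},
     "userAttributes": [{"key": "owner", "value": "web-team"}]},
    {"arn": _FD + "0-f2", "severity": "Informational", "assetType": "ec2-instance",
     "title": "Instance has TCP port 80 open",
     "description": "A process is listening on TCP port 80.",
     "recommendation": "Close the port if the service is not needed, or restrict it in the Security Group.",
     "assetAttributes": {"agentId": "i-0aaa000000000000a"},
     "serviceAttributes": {"rulesPackageArn": _RP + "0-RBA"},
     "userAttributes": [{"key": "owner", "value": "web-team"}]},
    {"arn": _FD + "0-f3", "severity": "Informational", "assetType": "ec2-instance",
     "title": "Instance is not running Amazon Linux",
     "description": "The CIS benchmark rules only apply to Amazon Linux.",
     "recommendation": "No action; the CIS package does not cover this Operating System.",
     "assetAttributes": {"agentId": "i-0bbb000000000000b"},
     "serviceAttributes": {"rulesPackageArn": _RP + "0-CIS"},
     "userAttributes": []},
]}

if __name__ == "__main__":
    print(remediation_csv_text(findings_to_rows(SAMPLE)))
```

To run it against a real assessment, replace `SAMPLE` with `fetch_findings(boto3.client("inspector", region_name=...), run_arn)`; the rest is unchanged. Sorting by a fixed severity order rather than alphabetically is deliberate: "High" before "Informational" is what the remediation owner expects, and an unknown severity string ends up at the bottom rather than hidden at the top.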

/Fred
