AllCode Vulnerability Management AWS Inspector

Vulnerability Scanning with AWS Inspector


Performing Vulnerability Scanning with AWS Inspector on AWS EC2, ECS, and Lambda

Introduction

AWS Inspector is a powerful security assessment service that helps you identify security vulnerabilities and compliance issues in your AWS resources. In this document, we will guide you through the process of using AWS Inspector to perform vulnerability scanning on three key AWS services: EC2 instances, ECS clusters, and Lambda functions.


Prerequisites

Before you begin, ensure that you have the following prerequisites in place:

  • AWS Account: You should have an active AWS account with appropriate permissions to access AWS Inspector.
  • Inspector Agent (for EC2): For EC2 instances, you may need to install the AWS Inspector Agent on the instances running your applications. This agent collects data about your instances and sends it to the Inspector for analysis. However, this is not required for ECS or Lambda.

Steps to Perform Vulnerability Scanning

EC2 Instances

  • Create an Assessment Target:
    • Log in to the AWS Management Console.
    • Navigate to AWS Inspector and select “Assessment targets.”
    • Click “Create assessment target” and select “EC2 instances.”
    • Choose the EC2 instances you want to assess.
  • Create an Assessment Template:
    • In the AWS Inspector console, go to “Assessment templates.”
    • Click “Create assessment template” and select “Security findings.”
    • Choose the assessment target created in the previous step.
    • Configure the assessment template with your desired rules packages and duration.
  • Start an Assessment Run:
    • Go to “Assessment runs” in the AWS Inspector console.
    • Click “Start an assessment run” and select the assessment template created earlier.
    • Review and confirm the settings, then start the assessment run.
  • Review Assessment Findings:
    • Wait for the assessment run to complete.
    • Once finished, view the findings in the Inspector console.
    • Address and remediate the identified vulnerabilities in your EC2 instances.

ECS Clusters

  • Create an Assessment Target:
    • In the AWS Inspector console, select “Assessment targets.”
    • Click “Create assessment target” and select “ECS clusters.”
    • Specify the ECS cluster you want to assess.
  • Create an Assessment Template:
    • Navigate to “Assessment templates.”
    • Click “Create assessment template” and select “Security findings.”
    • Choose the assessment target created in the previous step.
    • Configure the assessment template with your preferred rules packages and duration.
  • Start an Assessment Run:
    • Access “Assessment runs” in the AWS Inspector console.
    • Click “Start an assessment run” and pick the assessment template from step 2.
    • Confirm the settings and launch the assessment run.
  • Review Assessment Findings:
    • Monitor the assessment run status until it is completed.
    • Examine the assessment findings in the Inspector console.
    • Take necessary actions to mitigate any security issues discovered in your ECS cluster.

Lambda Functions

  • Create an Assessment Target:
    • In the AWS Inspector console, select “Assessment targets.”
    • Click “Create assessment target” and select “Lambda functions.”
    • Specify the Lambda functions you want to assess.
  • Create an Assessment Template:
    • Navigate to “Assessment templates.”
    • Click “Create assessment template” and select “Security findings.”
    • Choose the assessment target created in the previous step.
    • Configure the assessment template with your desired rules packages and duration.
  • Start an Assessment Run:
    • Visit “Assessment runs” in the AWS Inspector console.
    • Click “Start an assessment run” and pick the assessment template from step 2.
    • Confirm the settings and launch the assessment run.
  • Review Assessment Findings:
    • Wait for the assessment run to conclude.
    • Access the Inspector console to review the findings.
    • Act on the identified vulnerabilities to secure your Lambda functions.
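The "Review Assessment Findings" step is the same for all three procedures above, and in practice you will want to triage findings per asset rather than read them one by one in the console. The script below is an added example (not code from the original post): it takes findings in the shape returned by `aws inspector describe-findings` and produces a per-instance severity summary plus a list of instances that should block a deployment. The sample record, the instance ids and the "fail at High" threshold are constructed assumptions, not AWS defaults.

```python
import json
from collections import Counter, defaultdict

# Constructed sample shaped like `aws inspector describe-findings` output
# (Inspector Classic). Instance ids and ARNs are placeholders, not real assets.
SAMPLE_DESCRIBE_FINDINGS = json.dumps({"findings": [
    {"id": "f-1", "severity": "High", "numericSeverity": 9.0,
     "title": "Instance is missing an important security update",
     "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaa1"},
     "serviceAttributes": {"rulesPackageArn": "arn:aws:inspector:REGION:ACCOUNT:rulespackage/EXAMPLE-CVE"}},
    {"id": "f-2", "severity": "Medium", "numericSeverity": 6.0,
     "title": "Insecure SSH configuration",
     "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaa1"},
     "serviceAttributes": {"rulesPackageArn": "arn:aws:inspector:REGION:ACCOUNT:rulespackage/EXAMPLE-CIS"}},
    {"id": "f-3", "severity": "Low", "numericSeverity": 3.0,
     "title": "Unused open port",
     "assetAttributes": {"agentId": "i-0bbbbbbbbbbbbbbb2"},
     "serviceAttributes": {"rulesPackageArn": "arn:aws:inspector:REGION:ACCOUNT:rulespackage/EXAMPLE-NET"}},
]})

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def summarize(describe_findings_json):
    """Count findings per instance (agentId) and severity: {agentId: {severity: n}}."""
    per_asset = defaultdict(Counter)
    for f in json.loads(describe_findings_json)["findings"]:
        asset = f.get("assetAttributes", {}).get("agentId", "unknown")
        per_asset[asset][f["severity"]] += 1
    return {asset: dict(counts) for asset, counts in per_asset.items()}


def gate(describe_findings_json, fail_at="High"):
    """Return instance ids with any finding at or above fail_at, worst first.

    Meant as a pipeline gate: a non-empty list means the run should fail until
    those findings are remediated or formally accepted. The threshold is an
    assumed policy choice, not something Inspector enforces.
    """
    threshold = SEVERITY_RANK[fail_at]
    worst = {}
    for f in json.loads(describe_findings_json)["findings"]:
        rank = SEVERITY_RANK.get(f["severity"], 0)
        if rank >= threshold:
            asset = f.get("assetAttributes", {}).get("agentId", "unknown")
            worst[asset] = max(worst.get(asset, 0), rank)
    return sorted(worst, key=lambda a: (-worst[a], a))


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_DESCRIBE_FINDINGS), indent=2))
    print("blocked instances:", gate(SAMPLE_DESCRIBE_FINDINGS))
```

To run it against a real assessment, pipe the output of `aws inspector describe-findings --finding-arns ...` into `summarize` and `gate` instead of the constructed sample.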

What about managed database services like RDS and ElastiCache?

As of September 2021, AWS does not allow direct vulnerability scanning of RDS (Relational Database Service) instances using AWS Inspector or other vulnerability scanning tools. AWS RDS is a managed database service: the underlying infrastructure and its security configuration are managed by AWS, which limits customers' ability to perform traditional vulnerability scanning on these instances.

However, AWS provides security features and recommendations to help secure your RDS instances, including network security through Amazon VPCs, encryption at rest and in transit, and database-specific security features such as authentication and authorization.

To ensure the security of your RDS instances, consider the following best practices:

  • VPC Security Groups and Network Access Control Lists (NACLs): Configure security groups and network ACLs to control inbound and outbound network traffic to your RDS instances.
  • Encryption: Enable encryption at rest and in transit for your RDS instances so that data is protected both on disk and while it travels over the network.
  • Authentication and Authorization: Implement strong authentication and authorization mechanisms to control who can access your RDS databases and what actions they can perform.
  • Parameter Groups: Use parameter groups to fine-tune database engine settings to meet your security and performance requirements.
  • Database Auditing: Enable database auditing features to monitor and log database activities for security and compliance purposes.
  • AWS Identity and Access Management (IAM): Use IAM to manage access to AWS resources, including RDS, by enabling IAM database authentication.
  • Regular Backup and Patching: Regularly back up your databases and apply database engine patches and updates to address security vulnerabilities.
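Since Inspector cannot scan RDS directly, the practical substitute is a configuration audit against the practices listed above. The script below is an added example (not code from the original post): it reads instances in the shape returned by `aws rds describe-db-instances` and reports which of the listed practices each instance fails. The sample instances are constructed; encryption in transit is not covered because the relevant parameters (`rds.force_ssl`, `require_secure_transport`) live in parameter groups and are only visible via `describe-db-parameters`.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances` output;
# identifiers are placeholders, not real databases.
SAMPLE_DESCRIBE_DB_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "StorageEncrypted": True, "PubliclyAccessible": False,
     "IAMDatabaseAuthenticationEnabled": True, "BackupRetentionPeriod": 7,
     "AutoMinorVersionUpgrade": True,
     "EnabledCloudwatchLogsExports": ["postgresql"]},
    {"DBInstanceIdentifier": "legacy-reporting", "Engine": "mysql",
     "StorageEncrypted": False, "PubliclyAccessible": True,
     "IAMDatabaseAuthenticationEnabled": False, "BackupRetentionPeriod": 0,
     "AutoMinorVersionUpgrade": False,
     "EnabledCloudwatchLogsExports": []},
]})

# Each check maps one best practice from the list above to a predicate that is
# True when the instance's setting is weak. Encryption in transit is enforced by
# parameter-group values, which are not part of describe-db-instances output.
CHECKS = [
    ("publicly accessible (network exposure)",
     lambda d: d.get("PubliclyAccessible", False)),
    ("storage not encrypted at rest",
     lambda d: not d.get("StorageEncrypted", False)),
    ("IAM database authentication disabled",
     lambda d: not d.get("IAMDatabaseAuthenticationEnabled", False)),
    ("no log exports enabled (auditing)",
     lambda d: not d.get("EnabledCloudwatchLogsExports")),
    ("automated backups disabled",
     lambda d: d.get("BackupRetentionPeriod", 0) < 1),
    ("auto minor version upgrade off (patching)",
     lambda d: not d.get("AutoMinorVersionUpgrade", False)),
]


def audit(describe_db_instances_json):
    """Return {DBInstanceIdentifier: [weak settings]} for instances failing any check."""
    report = {}
    for db in json.loads(describe_db_instances_json)["DBInstances"]:
        failed = [label for label, is_weak in CHECKS if is_weak(db)]
        if failed:
            report[db["DBInstanceIdentifier"]] = failed
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DESCRIBE_DB_INSTANCES), indent=2))
```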


Joel Garcia

Joel Garcia has been building AllCode since 2015. He’s an innovative, hands-on executive with a proven record of designing, developing, and operating Software-as-a-Service (SaaS), mobile, and desktop solutions. Joel has expertise in HealthTech, VoIP, and cloud-based solutions. Joel has experience scaling multiple start-ups for successful exits to IMS Health and Golden Gate Capital, as well as working at mature, industry-leading software companies. He’s held executive engineering positions in San Francisco at TidalWave, LittleCast, Self Health Network, LiveVox acquired by Golden Gate Capital, and Med-Vantage acquired by IMS Health.
