Arijita Mitra
Posted on November 21, 2023
Amazon Inspector, as the name suggests, is a vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure.
It automatically discovers and scans running EC2 instances, container images in Amazon ECR, and AWS Lambda functions.
It creates a finding whenever it encounters a vulnerability or a network configuration issue.
What is a finding?
- Describes a vulnerability
- Identifies the affected resources
- Provides a rating for the vulnerability
- Provides guidance for remediation
Key Features of Amazon Inspector
- Centrally manages multiple Amazon Inspector accounts
- Regional service
- Continuously scans for software vulnerabilities and network exposure
- Assesses the risk accurately and provides a risk score
- Findings can be filtered and exported in JSON or CSV format
- When Amazon Inspector is activated for the first time in any region, it creates a service-linked role globally for the account — AWSServiceRoleForAmazonInspector2. This role includes the trust policy and permissions required for scanning.
- Amazon Inspector can be accessed from the AWS Management Console, the AWS CLI, the AWS SDKs and the Amazon Inspector REST API
This is the page we will see when we first go to Amazon Inspector activation:
After we activate the Inspector in any region, we see the following dashboard:
Scanning AWS Lambda functions with Amazon Inspector
Amazon Inspector for Lambda scanning was released for use by AWS in November 2022. It is a fairly new service, and has proved to be a useful one too!
When Lambda scanning is activated, Amazon Inspector creates AWS CloudTrail service-linked channels in the account, using the cloudtrail:CreateServiceLinkedChannel and cloudtrail:DeleteServiceLinkedChannel permissions.
Amazon Inspector manages these channels itself and uses them to monitor the CloudTrail events that trigger scans.
A Lambda function needs to meet a few criteria to be eligible for scanning -
- Must have been created or updated in the last 90 days
- Are not excluded from scans by tags
- Are marked $LATEST
- Have a supported runtime
It offers two types of scanning for Lambda -
- Amazon Inspector Lambda Standard Scanning
- Amazon Inspector Lambda Code Scanning
From the Account Management page, we need to activate the type of scanning we require -
So, let’s note the key differences between Standard scanning and Code scanning:
Lambda code scanning is currently in preview and is available only in these regions -
Once Lambda scanning is activated, Inspector actively scans the functions for vulnerabilities in their packages and, when code scanning is enabled, in the code itself.
For Lambda functions that cannot be scanned, the reason is displayed like this -
To exclude a Lambda function from standard scanning, tag the function with the following key and value -
Key: InspectorExclusion
Value: LambdaStandardScanning
To exclude a Lambda function from code scanning, tag the function with the following key and value -
Key: InspectorCodeExclusion
Value: LambdaCodeScanning
Understanding findings in Amazon Inspector
Amazon Inspector stores the findings and displays them in the Findings dashboard.
A finding is in one of the following states:
Active
The finding is identified by Amazon Inspector and has not been remediated. Active findings are subject to suppression rules.
Suppressed
The finding meets one or more criteria of one or more suppression rules. Suppressed findings are hidden from most views, except for the Suppressed findings list.
Closed
After a vulnerability is remediated, Amazon Inspector automatically detects it and changes the state of the finding to closed. Closed findings are deleted after 30 days if there are no other changes.
For each exported finding, the file includes details such as the Amazon Resource Name (ARN) of the affected resource, the date and time when the finding was created, the associated Common Vulnerabilities and Exposures (CVE) ID, and the finding’s severity, status, and Amazon Inspector and CVSS scores.
Here, one of my Lambda functions has been scanned, and the result shows a critical finding due to hardcoded credentials in the code. Amazon Inspector locates the part of the code where the issue lies and also provides a remediation for it.
Disclaimer: Code scanning captures code snippets from the Lambda functions to highlight the detected vulnerabilities. These may show hardcoded credentials or other sensitive information in plain text.
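As an added example (not code from the post), the following Python triages a findings export along the lines described above: it keeps only Active findings, orders them by severity and Inspector score, and redacts any captured code snippet so the summary can be shared without passing on the hardcoded secret the finding reports. The export is a constructed sample; its field names follow the Inspector findings API where known, and the codeSnippet key is an assumed simplification.

```python
import json

# Constructed sample export, not a real Inspector report. Field names follow the
# Inspector findings API where known (findingArn, status, severity, inspectorScore,
# resources, packageVulnerabilityDetails, codeVulnerabilityDetails); "codeSnippet"
# is an assumed simplification standing in for the snippet code scanning captures.
SAMPLE_EXPORT = json.dumps([
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/aaaa",
     "status": "ACTIVE", "severity": "CRITICAL", "inspectorScore": 9.8,
     "resources": [{"type": "AWS_LAMBDA_FUNCTION",
                    "id": "arn:aws:lambda:us-east-1:111122223333:function:orders"}],
     "codeVulnerabilityDetails": {"detectorName": "Hardcoded credentials",
                                  "filePath": {"fileName": "handler.py"}},
     "codeSnippet": 'SECRET = "AKIAEXAMPLEKEY"'},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/bbbb",
     "status": "ACTIVE", "severity": "HIGH", "inspectorScore": 7.5,
     "resources": [{"type": "AWS_LAMBDA_FUNCTION",
                    "id": "arn:aws:lambda:us-east-1:111122223333:function:orders"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0001"}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/cccc",
     "status": "CLOSED", "severity": "MEDIUM", "inspectorScore": 5.3,
     "resources": [{"type": "AWS_LAMBDA_FUNCTION",
                    "id": "arn:aws:lambda:us-east-1:111122223333:function:billing"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0002"}},
])

# Inspector severity values, most urgent first.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3,
                 "INFORMATIONAL": 4, "UNTRIAGED": 5}

def triage(export_json):
    """Keep ACTIVE findings (suppressed/closed need no action), order them most
    severe first, and redact code snippets so the summary can be shared or
    pushed to a ticket without leaking the hardcoded secret it reports."""
    active = [f for f in json.loads(export_json) if f.get("status") == "ACTIVE"]
    active.sort(key=lambda f: (SEVERITY_RANK.get(f.get("severity"), 9),
                               -f.get("inspectorScore", 0)))
    rows = []
    for f in active:
        pkg = f.get("packageVulnerabilityDetails", {})
        code = f.get("codeVulnerabilityDetails", {})
        rows.append({
            "resource": f["resources"][0]["id"],
            "severity": f["severity"],
            "score": f.get("inspectorScore"),
            "issue": pkg.get("vulnerabilityId") or code.get("detectorName"),
            "file": code.get("filePath", {}).get("fileName"),
            "snippet": "[REDACTED]" if "codeSnippet" in f else None,
        })
    return rows
```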
Exporting the findings to S3 Bucket
We can export the findings to an S3 bucket and also download them in JSON or CSV format. The steps are described below:
Create a bucket and edit its bucket policy, adding this policy (DOC-EXAMPLE-BUCKET, 111122223333 and Region are placeholders for your own bucket name, account ID and region):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allow-inspector",
            "Effect": "Allow",
            "Principal": {
                "Service": "inspector2.amazonaws.com"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:inspector2:Region:111122223333:report/*"
                }
            }
        }
    ]
}
Create a KMS key with symmetric encryption and then update the key policy, adding this statement:
{
    "Sid": "Allow Amazon Inspector to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "inspector2.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:inspector2:Region:111122223333:report/*"
        }
    }
}
Then go to All Findings, filter for the findings you want to export, fill in the required fields (the bucket and KMS key prepared above) and click Export.
The Inspector-findings object in the bucket now holds the JSON report of the exported findings from Amazon Inspector.
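As an added check (not code from the post), the following Python runs over the two policies above and flags any statement that grants inspector2.amazonaws.com access without the aws:SourceAccount and aws:SourceArn conditions; those conditions are what stop Inspector reports from a different account being written to the bucket or encrypted with the key (the confused-deputy case). The dicts reproduce the post's policies with its placeholder values.

```python
# The bucket policy and key-policy statement from the post, as Python dicts
# (DOC-EXAMPLE-BUCKET, 111122223333 and "Region" are the post's placeholders).
INSPECTOR = "inspector2.amazonaws.com"
REPORT_ARN = "arn:aws:inspector2:Region:111122223333:report/*"
CONDITION = {"StringEquals": {"aws:SourceAccount": "111122223333"},
             "ArnLike": {"aws:SourceArn": REPORT_ARN}}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "allow-inspector", "Effect": "Allow", "Principal": {"Service": INSPECTOR},
     "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"],
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*", "Condition": CONDITION}]}
KEY_STATEMENT = {"Sid": "Allow Amazon Inspector to use the key", "Effect": "Allow",
                 "Principal": {"Service": INSPECTOR},
                 "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
                 "Resource": "*", "Condition": CONDITION}

def check_inspector_access(policy):
    """Return (ok, problems) for every Allow statement whose principal is the
    Inspector service. Without both conditions, Inspector reports from any AWS
    account could be written to this bucket or encrypted with this key."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is also valid
        statements = [statements]
    problems = []
    for s in statements:
        principal = s.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if s.get("Effect") != "Allow" or INSPECTOR not in services:
            continue
        sid = s.get("Sid", "<no Sid>")
        cond = s.get("Condition", {})
        account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        source_arn = cond.get("ArnLike", {}).get("aws:SourceArn", "")
        if not account:
            problems.append(f"{sid}: missing aws:SourceAccount condition")
        if not source_arn.startswith("arn:aws:inspector2:"):
            problems.append(f"{sid}: aws:SourceArn must be an inspector2 report ARN")
        elif account and f":{account}:report/" not in source_arn:
            problems.append(f"{sid}: aws:SourceArn account differs from aws:SourceAccount")
    return (not problems, problems)
```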
Pricing
When we activate an Amazon Inspector scan type, we are automatically enrolled in a 15-day free trial for that scan type. After the trial, the price is calculated from the total Amazon Inspector coverage hours for the scanned functions within a month, where coverage hours run from when Amazon Inspector discovered the function until the function was deleted or excluded from scanning.
With Amazon Inspector, we pay only for what we use, with no minimum fees and no upfront commitments!
Thus, using Amazon Inspector helps us maintain a secure cloud architecture, and the service serves that purpose very efficiently indeed.
Happy learning!