Description:
This policy enables vulnerability scanning for the complete production IT infrastructure. This will help to identify and remediate security vulnerabilities, which can help to protect the organization from cyberattacks.
Rationale:
Vulnerability scanning is an important part of any security program. By identifying and remediating vulnerabilities, organizations can reduce their risk of being hacked. This policy is important because it ensures that all of the organization's production IT infrastructure is scanned for vulnerabilities on a regular basis.
Impact:
The impact of enabling vulnerability scanning for the complete production IT infrastructure will vary depending on the specific vulnerabilities that are found. However, in general, this policy will help to improve the security of the organization's infrastructure and reduce the risk of cyberattacks.
Default Value:
The recommended default is to enable vulnerability scanning for all production IT infrastructure. However, organizations may choose to disable vulnerability scanning for certain resources, such as those that are not exposed to the internet.
Prerequisites:
To enable vulnerability scanning for the complete production IT infrastructure, the following prerequisites must be met:
- The organization must have an AWS account.
- The organization must have the appropriate permissions to enable vulnerability scanning.
- The organization must have a vulnerability scanner configured.
Remediation Steps:
If any vulnerabilities are found during the vulnerability scan, the organization must take steps to remediate them. The remediation steps will vary depending on the specific vulnerability.
Test Plan:
The organization should develop a test plan to verify that the vulnerability scan is working properly. The test plan should include steps to verify that all of the production IT infrastructure is being scanned and that any vulnerabilities that are found are being properly remediated.
Implementation Plan:
The organization should develop an implementation plan to enable vulnerability scanning for the complete production IT infrastructure. The implementation plan should include steps to configure the vulnerability scanner, schedule the vulnerability scans, and notify the appropriate personnel of any vulnerabilities that are found.
AWS CLI Process:
To enable vulnerability scanning for the complete production IT infrastructure using the AWS CLI, enable Amazon Inspector for the resource types in scope (Amazon Inspector is enabled per resource type rather than per named scan):
aws inspector2 enable --resource-types EC2 ECR LAMBDA
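The Test Plan above asks the organization to verify that all production infrastructure is actually being scanned. One way to automate that check is to read the account status that Amazon Inspector reports and flag every resource type that is not in the ENABLED state. The following is an added example written for this page, not code from AWS or from the policy's author; it assumes the response shape of the inspector2 BatchGetAccountStatus API (accounts[].resourceState.<type>.status and a failedAccounts list), and the sample response embedded in it is constructed, not captured from a real account. The resource types it expects (EC2, ECR, Lambda) are an assumption to be adjusted to the organization's scope.

```python
"""Check an Amazon Inspector account-status response for resource types that
are not being scanned. Added example; not part of the original policy page.

Assumptions: the response shape is that of the inspector2 BatchGetAccountStatus
API (accounts[].resourceState.<type>.status plus a failedAccounts list). The
SAMPLE_RESPONSE below is constructed for illustration, not captured from a
real account.
"""
from typing import Dict, Iterable, List

# Resource types the policy expects Inspector to scan (assumption: EC2, ECR, Lambda).
EXPECTED_RESOURCE_TYPES = ("ec2", "ecr", "lambda")


def unscanned_resource_types(response: dict,
                             expected: Iterable[str] = EXPECTED_RESOURCE_TYPES
                             ) -> Dict[str, List[str]]:
    """Return {accountId: [resource types not in ENABLED state]}.

    Only accounts with at least one gap are reported, so an empty dict means
    every expected resource type is being scanned in every account.
    """
    expected = list(expected)
    findings: Dict[str, List[str]] = {}
    for account in response.get("accounts", []):
        account_id = account.get("accountId", "unknown")
        resource_state = account.get("resourceState", {})
        missing = []
        for rtype in expected:
            # Anything other than ENABLED (DISABLED, ENABLING, SUSPENDED, absent)
            # means the type is not currently covered by scanning.
            status = resource_state.get(rtype, {}).get("status")
            if status != "ENABLED":
                missing.append(rtype)
        if missing:
            findings[account_id] = missing
    # Accounts the API could not report on are treated as unscanned for every
    # expected type: an unverifiable account is a coverage gap, not a pass.
    for failed in response.get("failedAccounts", []):
        findings[failed.get("accountId", "unknown")] = list(expected)
    return findings


def fetch_account_status(account_ids: Iterable[str]) -> dict:
    """Live lookup (needs boto3 and AWS credentials); not executed in this example."""
    import boto3  # imported here so the module loads without boto3 installed
    client = boto3.client("inspector2")
    return client.batch_get_account_status(accountIds=list(account_ids))


# Constructed sample response: one fully covered account, one with gaps, and
# one the API could not query.
SAMPLE_RESPONSE = {
    "accounts": [
        {"accountId": "111111111111", "state": {"status": "ENABLED"},
         "resourceState": {"ec2": {"status": "ENABLED"},
                           "ecr": {"status": "ENABLED"},
                           "lambda": {"status": "ENABLED"}}},
        {"accountId": "222222222222", "state": {"status": "ENABLED"},
         "resourceState": {"ec2": {"status": "ENABLED"},
                           "ecr": {"status": "DISABLED"},
                           "lambda": {"status": "ENABLING"}}},
    ],
    "failedAccounts": [
        {"accountId": "333333333333", "errorCode": "ACCESS_DENIED",
         "errorMessage": "constructed sample error"},
    ],
}


if __name__ == "__main__":
    gaps = unscanned_resource_types(SAMPLE_RESPONSE)
    if not gaps:
        print("All expected resource types are being scanned.")
    for account_id, types in gaps.items():
        print(f"{account_id}: not scanned for {', '.join(types)}")
```

In practice, replace SAMPLE_RESPONSE with the result of fetch_account_status() for the organization's production account IDs and run the check on the same schedule as the scans, so a resource type that silently drops out of ENABLED is caught by the test plan rather than discovered after an incident.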
Using AWS GUI:
To enable vulnerability scanning for the complete production IT infrastructure using the AWS GUI, the following steps can be followed:
- Go to the AWS Inspector console.
- Click on the "Scans" tab.
- Click on the "Create scan" button.
- Enter a name for the scan.
- Select the "Production IT Infrastructure" scan template.
- Click on the "Create" button.
Backout Plan:
If the vulnerability scan is not working properly or if any vulnerabilities are found that cannot be remediated, the organization may need to back out of the policy. To do this, the organization can disable vulnerability scanning for the complete production IT infrastructure.
Note:
- This policy is not intended to be a comprehensive guide to vulnerability scanning. For more information, please refer to the AWS Inspector documentation.
- This policy is subject to change.
Reference:
- AWS Inspector documentation: https://docs.aws.amazon.com/inspector/latest/userguide/
Section 2:
- Tags and Keywords: vulnerability scanning, production IT infrastructure, security