Profile Applicability:

  • Level 1

Description:

Amazon Inspector 2 is an automated security assessment service that helps identify security vulnerabilities and compliance violations in your AWS resources, including Amazon EC2 instances, Amazon ECR container images, and AWS Lambda functions. By enabling Amazon Inspector 2, you can continuously monitor these resources for potential vulnerabilities, including operating system misconfigurations, software vulnerabilities, and insecure coding practices.

This SOP ensures that Amazon Inspector 2 is enabled and actively monitoring EC2 instances, ECR container images, and Lambda functions in your AWS environment.

Rationale:

Enabling Amazon Inspector 2 for EC2 instances, ECR images, and Lambda functions ensures:

  • Vulnerability Detection: Helps detect known security vulnerabilities in the software running on EC2 instances, container images, and Lambda functions.

  • Continuous Monitoring: Provides automated, continuous security assessments to quickly identify and remediate issues.

  • Improved Compliance: Supports compliance with standards such as SOC 2, PCI-DSS, and CIS by identifying security gaps and improving overall security posture.

  • Risk Reduction: Mitigates risks by automatically flagging security issues and providing recommendations for fixes.

Impact:

Pros:

  • Enhanced Security: Identifies vulnerabilities across EC2 instances, Lambda functions, and container images, improving overall security.

  • Continuous Monitoring: Provides automated, ongoing assessments that allow organizations to quickly detect issues and take action.

  • Automated Remediation: Helps organizations automate responses to vulnerabilities, improving efficiency.

Cons:

  • Cost: Amazon Inspector 2 may incur additional charges for assessments based on the number of resources being monitored.

  • Complex Configuration: Requires proper setup and configuration to ensure coverage for EC2, Lambda, and ECR resources.

Default Value:

By default, Amazon Inspector 2 is not enabled for EC2 instances, ECR container images, or Lambda functions. It must be manually activated and configured to begin assessments.

Pre-requisite:

  • AWS IAM Permissions (Amazon Inspector 2 is enabled per resource type; the Inspector Classic assessment-target actions do not apply):

    • inspector2:Enable

    • inspector2:Disable

    • inspector2:BatchGetAccountStatus

    • inspector2:ListCoverage

    • inspector2:ListFindings

    • iam:CreateServiceLinkedRole (needed the first time Inspector 2 is enabled, so it can create its service-linked role)

    • lambda:ListFunctions

    • ec2:DescribeInstances

    • ecr:DescribeImages

  • AWS CLI installed and configured.

  • Basic understanding of Amazon Inspector 2, EC2, Lambda, and ECR services.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Inspector under Services.

  3. In the Amazon Inspector 2 Dashboard, check if EC2 instances, ECR container images, and Lambda functions are being scanned.

  4. Ensure that:

    • EC2 instances are included in the assessment targets.

    • ECR container images are being assessed for vulnerabilities.

    • Lambda functions are being monitored for security issues.

  5. Review the assessment findings and verify if any vulnerabilities or security issues are flagged.

Using AWS CLI:

To check whether Inspector 2 scanning is enabled for EC2 instances, ECR container images, and Lambda functions in the current account and region, run:

aws inspector2 batch-get-account-status --query 'accounts[].resourceState'

  • Ensure that ec2, ecr, and lambda each report "status": "ENABLED". Inspector 2 is enabled per resource type and then automatically scans every supported resource in the account and region; any other status (DISABLED, SUSPENDED, ENABLING) means that resource type is not yet covered.

To check that ECR container images are actually being assessed by Inspector 2, list their coverage and findings:

aws inspector2 list-coverage --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_ECR_CONTAINER_IMAGE"}]}'

aws inspector2 list-findings --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_ECR_CONTAINER_IMAGE"}]}'

  • The first command lists the images Inspector 2 covers together with their scanStatus; the second lists any vulnerabilities found in those images.

To check that Lambda functions are included in scanning, run:

aws inspector2 list-findings --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_LAMBDA_FUNCTION"}]}'

  • Verify that findings (or an empty list after a completed scan) are returned for your Lambda functions; the same filter with AWS_EC2_INSTANCE covers EC2 instances.
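As an added check (example code written for this page, not part of the SOP or any AWS tool), the following Python script evaluates the JSON returned by the batch-get-account-status command above and reports, per account, every required resource type whose status is not ENABLED; the sample response and account IDs are constructed.

```python
import json
import sys

# Resource-type keys as they appear under accounts[].resourceState in the
# BatchGetAccountStatus response; lambdaCode is optional for this SOP.
REQUIRED_RESOURCES = ("ec2", "ecr", "lambda")

def noncompliant_resources(response, required=REQUIRED_RESOURCES):
    """Return {accountId: {resource: status}} for required types not ENABLED.

    A type absent from resourceState is reported as MISSING; accounts under
    failedAccounts get every required type marked UNKNOWN, so a failed
    lookup is never mistaken for a compliant account.
    """
    result = {}
    for account in response.get("accounts", []):
        state = account.get("resourceState", {})
        gaps = {}
        for res in required:
            status = state.get(res, {}).get("status", "MISSING")
            if status != "ENABLED":  # ENABLING, DISABLED, SUSPENDED... all fail
                gaps[res] = status
        if gaps:
            result[account["accountId"]] = gaps
    for failed in response.get("failedAccounts", []):
        result[failed["accountId"]] = {res: "UNKNOWN" for res in required}
    return result

# Constructed sample response: one account with Lambda scanning still off,
# and one account the API could not query.
SAMPLE_RESPONSE = {
    "accounts": [{
        "accountId": "111111111111",
        "resourceState": {"ec2": {"status": "ENABLED"},
                          "ecr": {"status": "ENABLED"},
                          "lambda": {"status": "DISABLED"},
                          "lambdaCode": {"status": "DISABLED"}},
        "state": {"status": "ENABLED"},
    }],
    "failedAccounts": [{"accountId": "222222222222", "errorCode": "ACCESS_DENIED",
                        "errorMessage": "constructed sample"}],
}

if __name__ == "__main__":
    # Read a live response from stdin when piped; otherwise use the sample.
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    gaps = noncompliant_resources(data)
    for account_id, missing in sorted(gaps.items()):
        print(account_id + ": " + ", ".join(f"{r}={s}" for r, s in missing.items()))
    sys.exit(1 if gaps else 0)  # non-zero exit flags a non-compliant account
```

Run it against the live account with: aws inspector2 batch-get-account-status | python3 check_inspector2.py (the script name is an assumption).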

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon Inspector.

  2. In the Inspector 2 Dashboard, go to the Assessment Targets section.

  3. Create or confirm the existing assessment targets for EC2 instances, ECR images, and Lambda functions.

  4. Set up assessment runs to evaluate the resources periodically.

  5. Review findings for any vulnerabilities detected in EC2 instances, ECR container images, and Lambda functions.

Using AWS CLI:

To enable Amazon Inspector 2 scanning for EC2 instances, run:

aws inspector2 enable --resource-types EC2

To enable scanning of ECR container images, use:

aws inspector2 enable --resource-types ECR

To include Lambda functions in scanning:

aws inspector2 enable --resource-types LAMBDA

All three resource types can also be enabled in a single call with --resource-types EC2 ECR LAMBDA.

Confirm that scanning has started. Inspector 2 scans continuously once a resource type is enabled, so there is no separate assessment run to start:

aws inspector2 batch-get-account-status --query 'accounts[].resourceState'

Review the findings for each resource type to ensure there are no vulnerabilities (replace <resource-type> with AWS_EC2_INSTANCE, AWS_ECR_CONTAINER_IMAGE, or AWS_LAMBDA_FUNCTION):

aws inspector2 list-findings --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"<resource-type>"}]}'


Backout Plan:

If enabling Amazon Inspector 2 for EC2 instances, ECR images, or Lambda functions causes issues (e.g., performance impacts, cost overruns):

Identify the affected resource or service.

Disable Inspector 2 scanning for that resource type using the following command (replace <resource-type> with EC2, ECR, or LAMBDA):

aws inspector2 disable --resource-types <resource-type>

Verify that scanning is no longer active for that resource type by checking the account status:

aws inspector2 batch-get-account-status --query 'accounts[].resourceState'

  • The disabled resource type should report DISABLING and then DISABLED, while the other resource types remain ENABLED.


Note:

  • Cost Monitoring: Be aware of the costs associated with running assessments for EC2, ECR, and Lambda. Check the Amazon Inspector Pricing page to understand the cost structure.

  • Automated Remediation: Consider setting up automated remediation actions, such as applying security patches or raising alerts, when findings are detected in EC2 instances, ECR container images, or Lambda functions.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |