Profile Applicability:

  • Level 1

Description:

Amazon Inspector 2 is an automated vulnerability management service that continuously scans AWS workloads (EC2 instances, ECR container images and Lambda functions) for software vulnerabilities and unintended network exposure. Unlike Inspector Classic there are no scheduled assessment runs: whenever Inspector detects an issue it generates a finding, and findings need to be reviewed and addressed. Active findings are issues that Inspector has identified and that have not yet been resolved (closed) or explicitly suppressed.

This SOP ensures that active findings from Amazon Inspector 2 assessments are identified, providing insight into current security vulnerabilities or compliance issues. Checking for active findings allows security teams to prioritize remediation efforts.

Rationale:

Checking for active findings is important for:

  • Security Posture Management: Identifying potential vulnerabilities that could be exploited by attackers.

  • Compliance: Ensuring that your environment is in compliance with regulatory and organizational security standards.

  • Incident Response: Quickly responding to identified issues before they can cause significant harm.

  • Prioritization: Helps prioritize which vulnerabilities or misconfigurations should be addressed first, based on their severity.

Impact:

Pros:

  • Early Detection: Enables prompt detection of security vulnerabilities, reducing the time it takes to address and mitigate issues.

  • Improved Security: By addressing active findings, you enhance the overall security of your environment.

  • Compliance: Ensures that your resources are assessed regularly for compliance and security issues.

Cons:

  • Overhead: Requires regular checks and continuous monitoring of findings.

  • Volume of Findings: In large environments, the volume of active findings could become overwhelming, requiring triaging and prioritization.

Default Value:

Amazon Inspector 2 is not enabled by default. Once it is enabled for an account, it scans supported resources continuously and every new finding starts in the ACTIVE state. A finding moves to CLOSED automatically when Inspector no longer detects the issue (for example after the package is patched or the resource is deleted) and to SUPPRESSED only when a suppression rule matches it. Nothing alerts anyone by default, so active findings must be actively monitored and reviewed to ensure issues are addressed promptly.

Pre-requisite:

  • AWS IAM Permissions:

    • inspector2:ListFindings (list and retrieve findings; Inspector 2 has no separate Get/Describe findings action)

    • inspector2:BatchGetAccountStatus (confirm Inspector 2 and the relevant scan types are enabled)

    • inspector2:ListCoverage (verify which resources are actually being scanned)

  • AWS CLI installed and configured.

  • Basic knowledge of Amazon Inspector 2 and understanding of how to address vulnerabilities identified in assessments.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Inspector under Services.

  3. In the Amazon Inspector console, choose Findings in the navigation pane.

  4. Review the list of findings:

    • The Findings view shows findings with status Active by default; Closed and Suppressed findings are hidden unless you change the status filter.

    • Filter by severity (Critical, High, Medium, Low, Informational) to prioritize issues.

  5. For each active finding, open its details to understand the nature of the issue, the affected resource, whether a fix is available and the recommended remediation.

Using AWS CLI:

To list all active findings in your environment, run the following command. The status filter is passed as JSON via --filter-criteria, the finding fields are camelCase, and a finding is identified by its ARN rather than a numeric ID:

aws inspector2 list-findings \
  --filter-criteria '{"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}]}' \
  --query 'findings[*].{FindingArn:findingArn,Severity:severity,Type:type,Resource:resources[0].id}' \
  --output table

To see only Critical and High findings, add a severity filter (several values for the same field are combined with OR):

aws inspector2 list-findings \
  --filter-criteria '{"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}],"severity":[{"comparison":"EQUALS","value":"CRITICAL"},{"comparison":"EQUALS","value":"HIGH"}]}' \
  --query 'findings[*].{FindingArn:findingArn,Severity:severity,Resource:resources[0].id}'

This will return a list of active findings with details such as:

  • Finding ARN

  • Severity

  • Finding type (PACKAGE_VULNERABILITY, NETWORK_REACHABILITY or CODE_VULNERABILITY)

  • Resource ID (the EC2 instance, ECR image or Lambda function affected by the finding)

Inspector 2 has no describe-findings command. To get the full record for one finding, filter list-findings by its ARN and omit --query so that the whole object (package details, fixAvailable, remediation recommendation) is printed:

aws inspector2 list-findings \
  --filter-criteria '{"findingArn":[{"comparison":"EQUALS","value":"<finding-arn>"}]}'

Large accounts return more findings than fit in one response; the AWS CLI pages through the results automatically (pass --no-paginate to fetch a single page). Review the output to understand the details of each active finding.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon Inspector.

  2. Under the Findings section, ensure that active findings are being reported and reviewed.

  3. Review the severity of the findings to prioritize remediation efforts.

  4. Remediate each finding according to its type and the affected resource, for example:

    • Patching the vulnerable package on EC2 instances (for instance with AWS Systems Manager Patch Manager); the finding is closed automatically on the next scan.

    • Closing unintended exposure reported by network reachability findings by tightening security groups, network ACLs or routes.

    • Rebuilding ECR container images on a patched base image and pushing the new image, and deleting images that are no longer used.

    • Updating vulnerable dependencies of Lambda functions and redeploying them.

Using AWS CLI:

Run the following command to list active findings, starting with the most severe and showing whether a fix is available:

aws inspector2 list-findings \
  --filter-criteria '{"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}],"severity":[{"comparison":"EQUALS","value":"CRITICAL"},{"comparison":"EQUALS","value":"HIGH"}]}' \
  --query 'findings[*].{FindingArn:findingArn,Severity:severity,Score:inspectorScore,FixAvailable:fixAvailable,Resource:resources[0].id}' \
  --output table

For each finding, retrieve its full record (including the remediation recommendation) by filtering on the finding ARN:

aws inspector2 list-findings \
  --filter-criteria '{"findingArn":[{"comparison":"EQUALS","value":"<finding-arn>"}]}' \
  --query 'findings[0].{Title:title,FixAvailable:fixAvailable,Recommendation:remediation.recommendation.text,Packages:packageVulnerabilityDetails.vulnerablePackages[*].name}'

Review the findings and decide on the necessary actions to remediate them based on their severity, Inspector score, exploitability and whether a fix is available. Once the vulnerable package or image is fixed the finding is closed on the next scan; do not suppress findings merely to make them disappear from the active list.
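The CLI procedure above, as an added Python example that is not part of this SOP or of any AWS tooling: it builds the same --filter-criteria JSON the list-findings commands use, shows how to page through ListFindings with boto3 (fetch_active_findings, which needs credentials and is therefore not run by the offline demo), and then triages a constructed set of findings: it discards CLOSED and SUPPRESSED ones, orders the rest by severity and Inspector score, counts them per severity and applies a simple Critical/High alerting threshold. The sample findings, ARNs, resource IDs and CVE identifiers are constructed placeholders, and the function names are the example's own.

```python
"""Triage helpers for Amazon Inspector 2 findings (added example, not AWS code).
Finding dicts follow the shape of the inspector2 ListFindings response."""
from collections import Counter

# Inspector 2 severities, highest first. UNTRIAGED findings have no score yet.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3,
                 "INFORMATIONAL": 4, "UNTRIAGED": 5}


def active_filter_criteria(severities=None):
    """Build the filterCriteria structure for ListFindings (the same JSON you
    pass to `aws inspector2 list-findings --filter-criteria`). Several values
    for one field are OR'ed by the API."""
    criteria = {"findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}
    if severities:
        criteria["severity"] = [{"comparison": "EQUALS", "value": s}
                                for s in severities]
    return criteria


def fetch_active_findings(client, severities=None):
    """Page through ListFindings with a boto3 client (boto3.client("inspector2")).
    Needs inspector2:ListFindings and credentials; the offline demo skips it."""
    paginator = client.get_paginator("list_findings")
    findings = []
    for page in paginator.paginate(filterCriteria=active_filter_criteria(severities)):
        findings.extend(page.get("findings", []))
    return findings


def triage(findings):
    """Drop CLOSED and SUPPRESSED findings, order the rest by severity and then
    by Inspector score (highest first), and count them per severity."""
    active = [f for f in findings if f.get("status") == "ACTIVE"]
    active.sort(key=lambda f: (SEVERITY_RANK.get(f.get("severity"), 9),
                               -(f.get("inspectorScore") or 0.0)))
    rows = []
    for f in active:
        res = (f.get("resources") or [{}])[0]
        pkg = f.get("packageVulnerabilityDetails") or {}
        rows.append({
            "arn": f["findingArn"],
            "severity": f.get("severity", "UNTRIAGED"),
            "score": f.get("inspectorScore"),       # None for network findings
            "type": f.get("type"),
            "vuln": pkg.get("vulnerabilityId", "-"),
            "fix": f.get("fixAvailable", "UNKNOWN"),
            "resource": f"{res.get('type', '?')}:{res.get('id', '?')}",
        })
    return rows, Counter(r["severity"] for r in rows)


def exceeds_threshold(counts, critical_max=0, high_max=5):
    """Alerting gate: True when active CRITICAL or HIGH counts exceed the
    limits (fail a pipeline, page the on-call, ...)."""
    return counts.get("CRITICAL", 0) > critical_max or counts.get("HIGH", 0) > high_max


# Constructed sample shaped like ListFindings output. ARNs, resource ids and
# CVE ids are placeholders, not real vulnerabilities.
ARN = "arn:aws:inspector2:us-east-1:111122223333:finding/"
SAMPLE_FINDINGS = [
    {"findingArn": ARN + "f-0001", "severity": "HIGH", "status": "ACTIVE",
     "type": "PACKAGE_VULNERABILITY", "inspectorScore": 7.8, "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}]},
    {"findingArn": ARN + "f-0002", "severity": "CRITICAL", "status": "ACTIVE",
     "type": "PACKAGE_VULNERABILITY", "inspectorScore": 9.8, "fixAvailable": "YES",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002"},
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:0000"}]},
    {"findingArn": ARN + "f-0003", "severity": "HIGH", "status": "ACTIVE",
     "type": "PACKAGE_VULNERABILITY", "inspectorScore": 8.1, "fixAvailable": "NO",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003"},
     "resources": [{"type": "AWS_LAMBDA_FUNCTION", "id": "function:api"}]},
    {"findingArn": ARN + "f-0004", "severity": "HIGH", "status": "ACTIVE",
     "type": "NETWORK_REACHABILITY",        # no CVE, no Inspector score
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}]},
    {"findingArn": ARN + "f-0005", "severity": "MEDIUM", "status": "CLOSED",
     "type": "PACKAGE_VULNERABILITY", "inspectorScore": 5.3,
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0fedcba9876543210"}]},
    {"findingArn": ARN + "f-0006", "severity": "LOW", "status": "SUPPRESSED",
     "type": "PACKAGE_VULNERABILITY", "inspectorScore": 3.1,
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:1111"}]},
]

if __name__ == "__main__":
    rows, counts = triage(SAMPLE_FINDINGS)
    for r in rows:
        print(f"{r['severity']:<9} {str(r['score'] or '-'):>4} {r['type']:<22} "
              f"fix={r['fix']:<7} {r['vuln']:<13} {r['resource']}")
    print("active by severity:", dict(counts))
    print("threshold exceeded:", exceeds_threshold(counts))
```

Running the file prints the four active findings in triage order (the CRITICAL ECR finding first, then the HIGH ones by score, with the network reachability finding last because it has no score) and reports that the Critical threshold is exceeded. To run it against a real account, pass the output of fetch_active_findings(boto3.client("inspector2")) to triage(); the exceeds_threshold() gate is the point to hook an SNS notification or a pipeline failure to.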

Backout Plan:

This control only reads findings, so the check itself changes nothing and there is nothing to roll back. If the check cannot be performed or the results look wrong (no findings at all, or severities that do not match expectations):

  1. Confirm that Amazon Inspector 2 is enabled in the account and region (aws inspector2 batch-get-account-status) and that the expected scan types (EC2, ECR, Lambda) are enabled.

  2. Check scanning coverage (aws inspector2 list-coverage) to see which EC2 instances, ECR images and Lambda functions are actually being scanned, and the reason given for any that are not.

  3. If findings are still missing, remember that Inspector 2 scans continuously rather than on demand: a newly enabled account or a newly launched resource needs time for its first scan to complete before findings appear.

  4. If any changes were made to address findings and caused issues, revert those changes and monitor the results again.

Note :

  • Automation: Inspector 2 publishes every finding change to Amazon EventBridge (source aws.inspector2, detail-type "Inspector2 Finding") and, when Security Hub is enabled, to Security Hub. Use an EventBridge rule to trigger automated remediation (for example a Lambda function or a Systems Manager automation document) for commonly recurring finding types.

  • Notification: Route the same EventBridge events for Critical and High active findings to an SNS topic, or alarm on a CloudWatch metric emitted by your triage job, so security teams are alerted when active findings exceed a threshold or require immediate attention.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                          | IG1 | IG2 | IG3
  --------+------------+--------------------------------------------------------------------------------------------------------------+-----+-----+-----
  v8      | 7.1        | Establish and Maintain a Vulnerability Management Process – document and maintain the process used to        |  x  |  x  |  x
          |            | identify and handle vulnerabilities in enterprise assets.                                                    |     |     |
  v8      | 7.5        | Perform Automated Vulnerability Scans of Internal Enterprise Assets – scan internal assets with an automated |     |  x  |  x
          |            | vulnerability scanner on at least a quarterly basis.                                                         |     |     |
  v8      | 7.7        | Remediate Detected Vulnerabilities – remediate detected vulnerabilities in software through process and      |     |  x  |  x
          |            | tooling on a monthly or more frequent basis, according to the remediation process.                           |     |     |