EC2 Instances Scanned by Amazon Inspector Classic

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-078

Ensure that all your Amazon EC2 instances are included in at least one Inspector Classic assessment target to make sure that Amazon Inspector Classic service can evaluate your EC2 instances for potential security issues and common vulnerabilities during assessment runs. An assessment target represents a collection of AWS cloud resources that can help you accomplish your business goals. An assessment template defines the scan frequency, rule packages, and SNS topics used in conjunction with an assessment target. The assessment run is the final scan, whose properties are defined by the assessment target and assessment template. Currently, your assessment targets can consist only of EC2 instances that run on supported operating systems.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon Inspector Classic is an AWS service that helps you improve the security and compliance of your cloud resources. You can use Amazon Inspector Classic to evaluate whether your assessment targets (i.e. EC2 instances) have potential security issues that you should address. To make sure that all your EC2 instances are evaluated by Amazon Inspector, include all instances in the assessment runs by configuring the associated assessment targets and assessment templates.


Audit

To determine if your Amazon EC2 instances are properly scanned by Amazon Inspector Classic, follow the steps to ensure an Inspector Assessment Target is linked to an active Assessment Template and has at least one Assessment Run which successfully reached the instance:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector Classic console at https://console.aws.amazon.com/inspector/.

03 In the navigation panel, under Dashboard, choose Assessment targets.

04 Select the assessment target that you want to examine, choose Edit, and perform the following actions:

  1. Check the Include all EC2 instances in this AWS account and region checkbox available next to All instances. If the checkbox is not selected, the verified assessment target is not configured to include all EC2 instances available in the current AWS region.
  2. If the Include all EC2 instances in this AWS account and region checkbox is not selected, check the Use Tags section to see which instance tags will match to include certain EC2 instances in the assessment target.
  3. Choose Preview to see which EC2 instances will be included in the assessment target based on the defined tags. If an instance ID or Hostname is not listed, that instance won't be scanned using the selected assessment target.

05 Repeat step no. 4 to verify other Amazon Inspector assessment targets created within the current AWS region. If no Assessment targets match a given instance, that instance won't be scanned by Amazon Inspector.

06 In the navigation panel, under Dashboard, choose Assessment templates.

07 Select the assessment template you want to inspect by clicking on the expand button (i.e. right-facing arrow) available next to the resource checkbox, then perform the following:

  1. Next to Target name, check if the assessment target matches the expected result. You can click on the name to re-check the assessment target, or click on the Preview Target button to verify which instances will be included in the assessment template. If an instance ID or Hostname is not listed, that instance won't be scanned using the selected assessment template.
  2. Check the Rule packages defined in the assessment template to determine which security assessments will be evaluated during an assessment run using the selected assessment template. For more information on the Inspector rule packages, see the AWS documentation available here. Under the listed rule packages choose Preview Exclusions and check the Title and Description of each listed exclusion to determine the cause of the exclusion. You can also read more about exclusions in Amazon Inspector here. If an agent is included in the exclusions list, this means that the EC2 instance will not be included in the assessment run using this assessment template. A common exclusion is Agent not found, which means the instance in question does not have the Inspector agent properly installed. To read more about installing the Amazon Inspector agent on EC2 instances, see the AWS documentation available here.
  3. Next to Assessment Events, check the defined schedule for the scans using the selected assessment template. If no schedule has been defined, the chosen template will not periodically scan the defined EC2 instances using Inspector.

08 In the navigation panel, under Dashboard, choose Assessment runs to view the outcome of recent Inspector scans.

09 Select the assessment run you want to inspect by clicking on the expand button (i.e. right-facing arrow) available next to the resource checkbox.

10 Along the top-level row, click on the number of exclusions to see any agents not included in that assessment run. The EC2 instances listed as exclusions were not scanned successfully in the completed run, and will include a description and recommendation. For more information about exclusions, see the AWS documentation available here. You can also choose to review the findings from the assessment run by clicking on the number of findings.

11 The possible types of assessment run exclusions for EC2 instances and the associated recommendations are available in the AWS documentation here.

12 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

01 Run list-assessment-templates command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all the Amazon Inspector assessment templates created in the selected AWS region:

aws inspector list-assessment-templates \
  --region us-east-1 \
  --query 'assessmentTemplateArns[*]'

02 The command output should return an array with the requested ARNs:

[
	"arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd",
	"arn:aws:inspector:us-east-1:123456789012:target/0-1234abcd/template/0-abcd1234"
]

03 Run describe-assessment-templates command (OSX/Linux/UNIX) using the ARN of the Inspector assessment template that you want to examine as the identifier parameter, to describe the ARN of the associated assessment target:

aws inspector describe-assessment-templates \
  --region us-east-1 \
  --assessment-template-arns arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd \
  --query 'assessmentTemplates[*].assessmentTargetArn'

04 The command output should return the requested assessment target ARN:

[
	"arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd"
]

05 Run describe-assessment-targets command (OSX/Linux/UNIX) using the ARN returned at the previous step as the identifier parameter, to determine which EC2 instances will be scanned by Amazon Inspector. The presence of a resource group means that only a specified group of Amazon EC2 instances is included in the assessment target:

aws inspector describe-assessment-targets \
  --region us-east-1 \
  --assessment-target-arns arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd \
  --query 'assessmentTargets[*].resourceGroupArn'

06 The command output should return the ARN of the associated resource group:

[
	"arn:aws:inspector:us-east-1:123456789012:resourcegroup/0-1234abcd"
]

If the describe-assessment-targets command output returns the ARN of the associated resource group, as shown in the example above, the verified assessment target is not configured to include all EC2 instances available in the selected AWS region, therefore the Amazon Inspector service can't evaluate all your EC2 instances for potential security issues during assessment runs. If no resource group ARN is returned, then the assessment target is configured to target all instances in the chosen AWS region.

07 Run describe-resource-groups command (OSX/Linux/UNIX) using the ARN of the resource group returned at the previous step as the identifier parameter, to describe the tag definition of the selected resource group:

aws inspector describe-resource-groups \
  --region us-east-1 \
  --resource-group-arns arn:aws:inspector:us-east-1:123456789012:resourcegroup/0-1234abcd \
  --query 'resourceGroups[*].tags[]'

08 The command output should return the tag sets defined for the associated resource group:

[
	{
		"key": "TagKey1",
		"value": "Example"
	},
	{
		"key": "TagKey2",
		"value": "Example"
	}
]

If the tags match an EC2 instance, that instance will be included in the assessment target.

09 To confirm if an instance is included in a given assessment target, run the preview-agents command (OSX/Linux/UNIX) using the ARN of the assessment target as the identifier parameter:

aws inspector preview-agents \
  --region us-east-1 \
  --preview-agents-arn arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd \
  --query 'agentPreviews[*].{ID:agentId,agentHealth:agentHealth}'

10 The command output should return the preview status of the instances included in the assessment target:

[
	{
		"ID": "i-01234",
		"agentHealth": "UNKNOWN"
	},
	{
		"ID": "i-05678",
		"agentHealth": "UNKNOWN"
	}
]

If "agentHealth" is set to "UNKNOWN", Amazon Inspector may be unable to reach the specified instance (for example because the agent is not installed or not reporting), and this should be investigated further.

11 Re-run the describe-assessment-templates command using the ARN of your chosen assessment template, this time with the goal to retrieve the ARN of the last assessment run:

aws inspector describe-assessment-templates \
  --region us-east-1 \
  --assessment-template-arns arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd \
  --query 'assessmentTemplates[*].lastAssessmentRunArn'

12 The command output should return the ARN of the last assessment run:

[
	"arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd/run/0-abcdabcd"
]

13 Run the list-exclusions command (OSX/Linux/UNIX) using the ARN of the last assessment run to list the agents that were excluded from that run:

aws inspector list-exclusions \
  --region us-east-1 \
  --assessment-run-arn arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd/run/0-abcdabcd

14 The command output should return a list of exclusion ARNs:

{
	"exclusionArns": [
		"arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd/run/0-abcdabcd/exclusion/0-6VoS0tXp",
		"arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd/run/0-abcdabcd/exclusion/0-MNNBzKHP"
	]
}

15 Run the describe-exclusions command (OSX/Linux/UNIX) using an exclusion ARN from the previous step to view why the instance was excluded from the assessment run. The command output should return the exclusion title, description, and recommendation, together with the affected instance ID:

{
	"exclusions": {
		"arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd/run/0-abcdabcd/exclusion/0-6VoS0tXp": {
			"arn": "arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd/run/0-abcdabcd/exclusion/0-6VoS0tXp",
			"title": "Agent not found",
			"description": "The Inspector agent was not found on this instance.  You can run agentless Network Reachability assessments on this instance but cannot run any assessments that need the agent.",
			"recommendation": "Install or re-install the Inspector Agent on this instance.",
			"scopes": [
				{
					"key": "instanceId",
					"value": "i-12345123452e70dbe"
				}
			],
			"attributes": [
				{
					"key": "INSTANCE_ID",
					"value": "i-12345123452e70dbe"
				}
			]
		}
	},
	"failedItems": {}
}

16 The possible types of assessment run exclusions for EC2 instances and the associated recommendations are available in the AWS documentation here.

17 Repeat steps no. 1 – 16 to check other Amazon Inspector assessment templates, targets, and assessment runs available in the selected AWS region.

18 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
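The CLI audit above can be automated. The following Python, added here as an example and not part of the Conformity rule or the AWS tooling, applies the same checks (no resourceGroupArn means all instances are covered, agentHealth must be HEALTHY, and exclusions name the instances that were not scanned) to constructed responses shaped like the outputs shown in steps 05 to 15; in a real account the same dictionaries come from the boto3 inspector client.

```python
# describe-assessment-targets (step 06): a resourceGroupArn means the target is
# tag-scoped; no resourceGroupArn means every instance in the region is included.
TARGET = {
    "arn": "arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd",
    "resourceGroupArn": "arn:aws:inspector:us-east-1:123456789012:resourcegroup/0-1234abcd",
}
# preview-agents (step 10), constructed sample
AGENT_PREVIEWS = [
    {"agentId": "i-01234", "agentHealth": "HEALTHY"},
    {"agentId": "i-05678", "agentHealth": "UNKNOWN"},
]
# describe-exclusions for the last assessment run (step 15), constructed sample
EXCLUSIONS = [
    {"title": "Agent not found",
     "scopes": [{"key": "instanceId", "value": "i-05678"}]},
]
# Instance IDs in the region, e.g. from ec2 describe-instances (constructed).
ACCOUNT_INSTANCES = ["i-01234", "i-05678", "i-09999"]


def covers_all_instances(target):
    """True when the target has no resource group, i.e. it includes all instances."""
    return not target.get("resourceGroupArn")


def audit_coverage(target, agent_previews, exclusions, account_instances):
    """Classify each instance as SCANNED, NOT_IN_TARGET, AGENT_<health> or EXCLUDED: <title>."""
    health = {a["agentId"]: a["agentHealth"] for a in agent_previews}
    excluded = {}
    for ex in exclusions:
        for scope in ex.get("scopes", []):
            if scope["key"] == "instanceId":
                excluded[scope["value"]] = ex["title"]
    report = {}
    for iid in account_instances:
        if iid in excluded:
            report[iid] = "EXCLUDED: " + excluded[iid]
        elif iid not in health:
            # Absent from the preview: outside the tag scope, or not yet seen by Inspector.
            report[iid] = "AGENT_UNKNOWN" if covers_all_instances(target) else "NOT_IN_TARGET"
        elif health[iid] != "HEALTHY":
            report[iid] = "AGENT_" + health[iid]
        else:
            report[iid] = "SCANNED"
    return report


def rule_compliant(target, report):
    """EC2-078 passes only when the target covers all instances and each one was scanned."""
    return covers_all_instances(target) and all(v == "SCANNED" for v in report.values())


if __name__ == "__main__":
    result = audit_coverage(TARGET, AGENT_PREVIEWS, EXCLUSIONS, ACCOUNT_INSTANCES)
    print(result, "compliant:", rule_compliant(TARGET, result))
```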

Remediation / Resolution

To reconfigure your existing Amazon Inspector assessment targets in order to evaluate all your EC2 instances during assessment runs, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector console at https://console.aws.amazon.com/inspector/.

03 In the navigation panel, under Dashboard, choose Assessment targets.

04 Select the assessment target that you want to reconfigure and choose Edit.

05 On the assessment target configuration panel, perform the following actions:

  1. Select the Include all EC2 instances in this AWS account and region checkbox available next to All instances to configure the assessment target to include all the Amazon EC2 instances available within the current AWS region in the selected assessment target.
  2. Ensure that the Install the Amazon Inspector Agent on all EC2 instances in this assessment target checkbox is also selected to install the required software agent. To use this option, make sure that your Amazon EC2 instances have the SSM Agent installed and an IAM role that allows "Run Command". Otherwise, follow the steps outlined in this conformity rule to implement the SSM Agent and the required IAM role.
  3. Choose Save to apply the changes.

06 Once the selected assessment target is successfully configured, choose Preview Target to check the resource health status for all the included EC2 instances. Each included EC2 instance should have the Agent Status set to HEALTHY. If the status is still UNKNOWN, this may be because the agent was not properly installed on the instance, or the instance AMI was not pre-configured to include the Inspector agent. To read more about installing the Amazon Inspector agent on EC2 instances, see the AWS documentation available on this page. You can also review the description and recommendation associated with the exclusion for the given resource, described in more detail here.

07 In the navigation panel, under Dashboard, choose Assessment templates.

08 If the assessment target investigated from steps 1 to 6 is not already linked to an assessment template, you will need to create a new assessment template. To create a new assessment template, click on the Create button available in the console top menu.

09 On the assessment template configuration window, perform the following actions:

  1. Enter a unique name for the template in the Name box.
  2. For Target name, select the assessment target you just updated.
  3. Select the Rule packages that you would like to include in your Inspector scans.
  4. (Optional) Use the Tags controls to add tags to the template and/or to the prospective findings that will be produced by future scans.
  5. Choose whether to set a recurring schedule for Inspector scans.
  6. To initiate the assessment run, either choose Create and run, or choose Create and run the template manually later by selecting the checkbox to the left of the assessment template name and clicking the Run button available in the console top menu, or wait for the assessment run to start according to the schedule defined in the assessment template.

10 In the navigation panel, under Dashboard, choose Assessment runs.

11 Click on the expand button (i.e. right-facing arrow) available next to the assessment run that you want to inspect. Under Status you should see the value Analysis complete, if not then the assessment run may still be in progress.

12 Once completed, choose Show AWS Agents to show the individual statuses of EC2 instances scanned in the current assessment run. Under AWS agent health, a successfully scanned instance should display as HEALTHY.

13 Change the AWS cloud region from the navigation bar to repeat the entire Remediation process for other regions. Amazon Inspector can now evaluate all your EC2 instances for potential security issues.

Using AWS CLI

01 Run update-assessment-target command (OSX/Linux/UNIX) to update the selected Amazon Inspector assessment target so that it includes all the Amazon EC2 instances available in the selected AWS region. To include all your EC2 instances, omit the --resource-group-arn parameter from the update-assessment-target command request, as shown in the example below. To make sure that the Inspector Agent is installed on the EC2 instances included in the selected assessment target, you must have an IAM role that allows "Run Command" and the SSM Agent installed on your EC2 instances. Otherwise, follow the steps outlined in this conformity rule to implement the SSM Agent and the required IAM role. If successful, the command does not produce an output:

aws inspector update-assessment-target \
  --region us-east-1 \
  --assessment-target-arn arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd \
  --assessment-target-name cc-main-assessment-target

02 If no assessment template has yet been defined using the assessment target of choice, create a new assessment template using the create-assessment-template command (OSX/Linux/UNIX). Make sure to include the necessary parameters, e.g.:

aws inspector create-assessment-template \
  --region us-east-1 \
  --assessment-target-arn arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd \
  --assessment-template-name cc-main-assessment-template \
  --duration-in-seconds 180 \
  --rules-package-arns arn:aws:inspector:us-east-1:123456789012:rulespackage/0-abcd1234

03 The command output should return the ARN of the new assessment template:

{
	"assessmentTemplateArn": "arn:aws:inspector:us-east-1:123456789012:target/0-abcd1234/template/0-1234abcd"
}

To add a schedule to an Amazon Inspector assessment template, please use the AWS Management Console. When you create a schedule, this creates an Amazon CloudWatch Events rule as described in the documentation regarding assessment templates and assessment runs available here.

04 Change the AWS region by updating the --region command parameter value and repeat the Remediation process for other regions. Amazon Inspector can now evaluate all your EC2 instances for potential security issues during assessment runs.

Publication date Dec 10, 2021
