
Days since last Amazon Inspector run

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Inspector-002

Check to ensure that Amazon Inspector has completed an assessment run for each assessment template within the last n days (n being the threshold you configure). Amazon Inspector is an AWS service that helps improve the security and compliance of the resources deployed in your AWS account. Amazon Inspector findings are potential security issues identified when the service evaluates the selected resources (the Amazon Inspector assessment target).

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With Inspector Findings you can evaluate your operating system environments and applications deployed on AWS for potential security issues and common vulnerabilities in an automated way.

Note 1: As of April 2017, the Amazon Inspector assessment targets can consist only of EC2 instances that run on certain Linux-based and Windows-based operating systems.
Note 2: This rule does not examine the contents of individual findings. It checks only that each assessment template has a completed assessment run within the configured number of days, so that the findings you act on reflect the current state of the evaluated instances.


Audit

To check when the Amazon Inspector assessment templates in your AWS account were last run, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector dashboard at https://console.aws.amazon.com/inspector/.

03 In the navigation panel, under Dashboard section, choose Assessment Templates. This will display a list of assessment templates.

04 Each row in the table represents an assessment template together with metadata about it. The Last Run column shows the status of the most recent assessment run for that template.


05 For a given assessment template, click the status described above. This will show the last assessment run for that assessment template.

06 Analyse the metadata of that assessment run, in particular its Start time. Compare the time elapsed since that start time with the number of days you have set as the threshold; if more days have elapsed than the threshold allows (or the template has never run), the template is not compliant.

07 Repeat steps no. 4 – 6 for each assessment template.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-assessment-templates command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all AWS Inspector assessment templates:

aws inspector list-assessment-templates

02 The command output should return an array of assessment template ARNs:

{
    "assessmentTemplateArns": [
      "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
      "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-Uza6ihLh"
    ]
}

03 Run list-assessment-runs command (OSX/Linux/UNIX) using the ARN returned at the previous step as identifier, together with a filter for the "COMPLETED" state and a completion-time range that covers your threshold. beginDate must be the older timestamp and endDate the newer one; the epoch values below cover 2020-11-01 to 2020-11-05 UTC, i.e. a four-day window ending at the time of the audit:

aws inspector list-assessment-runs \
  --assessment-template-arns \
    'arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-Uza6ihLh' \
  --filter \
    'states="COMPLETED",completionTimeRange={beginDate="1604188800",endDate="1604534400"}'

04 If the command output returns an empty array of assessmentRunArns, no assessment run for that template completed between the two timestamps and the template is not compliant. A non-empty array means at least one run completed within the threshold.

05 Repeat steps no. 3 – 4 to verify other Inspector assessment templates.
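The console and CLI steps above perform the same check by hand: for every assessment template, find the most recent completed run and compare its age with the n-day threshold. The following script is an added example that automates that evaluation; it is not Conformity's own implementation. The record shapes follow the output of `aws inspector list-assessment-templates` and `aws inspector describe-assessment-runs` (arn, assessmentTemplateArn, state, completedAt), the template ARNs are the ones used on this page, and the run records, run ARNs and "current time" are constructed for illustration.

```python
"""Evaluate Amazon Inspector (Classic) assessment templates against an
n-day 'last completed run' threshold, as the audit steps above do by hand."""
from datetime import datetime, timedelta, timezone

# Template ARNs used in the CLI steps on this page.
TEMPLATE_ARNS = [
    "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
    "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-Uza6ihLh",
]

# Constructed "current time" for the scenario: 2020-11-05 00:00:00 UTC.
NOW = datetime(2020, 11, 5, tzinfo=timezone.utc)

# Constructed assessment runs in the shape of describe-assessment-runs output
# (the run ARN suffixes are hypothetical).
ASSESSMENT_RUNS = [
    {"arn": TEMPLATE_ARNS[0] + "/run/0-example01", "assessmentTemplateArn": TEMPLATE_ARNS[0],
     "state": "COMPLETED", "completedAt": NOW - timedelta(days=2)},
    # A FAILED run is not an assessment, however recent its timestamp.
    {"arn": TEMPLATE_ARNS[0] + "/run/0-example02", "assessmentTemplateArn": TEMPLATE_ARNS[0],
     "state": "FAILED", "completedAt": NOW - timedelta(hours=6)},
    {"arn": TEMPLATE_ARNS[1] + "/run/0-example03", "assessmentTemplateArn": TEMPLATE_ARNS[1],
     "state": "COMPLETED", "completedAt": NOW - timedelta(days=12)},
]


def completion_time_range(now, threshold_days):
    """Epoch-second (beginDate, endDate) pair for the list-assessment-runs
    --filter; beginDate is always the older timestamp."""
    begin = now - timedelta(days=threshold_days)
    return int(begin.timestamp()), int(now.timestamp())


def list_runs_command(template_arn, now, threshold_days):
    """Render the step 03 CLI command for one template and threshold."""
    begin, end = completion_time_range(now, threshold_days)
    return (
        "aws inspector list-assessment-runs "
        f"--assessment-template-arns '{template_arn}' "
        f"--filter 'states=COMPLETED,completionTimeRange={{beginDate={begin},endDate={end}}}'"
    )


def last_completed_run(template_arn, runs):
    """Most recent COMPLETED run of a template, or None if it never completed."""
    completed = [r for r in runs
                 if r["assessmentTemplateArn"] == template_arn and r["state"] == "COMPLETED"]
    return max(completed, key=lambda r: r["completedAt"]) if completed else None


def evaluate_templates(template_arns, runs, threshold_days, now):
    """Map each template ARN to the days since its last completed run and a
    compliant flag. A template with no completed run is non-compliant."""
    results = {}
    for arn in template_arns:
        last = last_completed_run(arn, runs)
        if last is None:
            results[arn] = {"days_since_last_run": None, "compliant": False}
            continue
        days = (now - last["completedAt"]).days
        results[arn] = {"days_since_last_run": days, "compliant": days <= threshold_days}
    return results


if __name__ == "__main__":
    THRESHOLD_DAYS = 7
    report = evaluate_templates(TEMPLATE_ARNS, ASSESSMENT_RUNS, THRESHOLD_DAYS, NOW)
    for arn, result in report.items():
        status = "OK" if result["compliant"] else "NON-COMPLIANT"
        print(f"{status:14} {str(result['days_since_last_run']):>5} days  {arn}")
        if not result["compliant"]:
            print("  verify with:", list_runs_command(arn, NOW, THRESHOLD_DAYS))
```

With a seven-day threshold the first template passes (last completed run two days ago; its more recent failed run is ignored) and the second fails (twelve days). To run this against a real account, replace the constructed lists with the results of boto3's `list_assessment_templates` and `describe_assessment_runs` calls, which return the same field names.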

Remediation / Resolution

To add a schedule to an Amazon Inspector assessment template, complete the following steps:

Note: Amazon Inspector does not run an assessment template on its own. A schedule added in the console, or a CloudWatch Events rule created with the CLI, is what triggers the recurring runs. Choose an interval no longer than the number of days configured as this rule's threshold, otherwise the template will be flagged between runs.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector dashboard at https://console.aws.amazon.com/inspector/.

03 In the left navigation panel, under Dashboard section, choose Assessment Templates. This will display a list of assessment templates.

04 Each row in the table represents an assessment template together with metadata about it. Click the drop-down icon next to the name of the assessment template to reveal its details.


05 Under the Assessments Events section of the assessment template there is a field for adding a schedule. The number entered there is the interval, in days, at which the template is run. Enter the desired number of days (no more than the threshold configured for this rule) and click the Add Schedule button.

06 Repeat steps 4 and 5 for each assessment template.

Using AWS CLI

01 Run list-assessment-templates command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all AWS Inspector assessment templates:

aws inspector list-assessment-templates

02 The command output should return an array of assessment template ARNs:

{
    "assessmentTemplateArns": [
      "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
      "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-Uza6ihLh"
    ]
}

03 Run put-rule command (OSX/Linux/UNIX) against the events service (Amazon CloudWatch Events, now Amazon EventBridge) to create a scheduled rule, providing a schedule expression, a name, a description and a state. Rule names may contain only letters, digits, periods, hyphens and underscores, and the interval should not exceed the threshold configured for this rule:

aws events put-rule \
  --name "Inspector-assessment-template-trigger" \
  --schedule-expression "rate(5 days)" \
  --description "A schedule for my assessment template" \
  --state "ENABLED"

04 Next, associate a target with the rule created above by running put-targets command (OSX/Linux/UNIX). The --targets value needs the following parameters:

  1. Arn - the ARN of the Inspector assessment template to run.
  2. RoleArn - the ARN of an IAM role that the events service is allowed to assume (trust policy principal events.amazonaws.com) and that has the 'inspector:StartAssessmentRun' permission on all resources. The account ID in the role ARN is the 12-digit ID of your account:

aws events put-targets \
  --rule "Inspector-assessment-template-trigger" \
  --targets "Id"="1","Arn"="arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw","RoleArn"="arn:aws:iam::123456789012:role/AWS_InspectorEvents_Invoke_Assessment_Template"

05 Repeat steps no. 3 – 4 for each remaining Inspector assessment template.
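The CLI remediation above depends on three things the commands themselves do not validate: a rule name put-rule will accept, a rate() interval that actually fires within the rule's threshold, and an IAM role the events service can assume. The script below is an added example, not Conformity's or AWS's own code, that checks the first two and generates the role's trust and permission policy documents. The role name is the one used in step 04 of this page; the policy documents are written from the permission the page names (inspector:StartAssessmentRun) and the standard EventBridge trust relationship, and the 12-digit account ID check is an assumption about the ARN format rather than anything the page states.

```python
"""Pre-flight for scheduling an Inspector assessment template through a
CloudWatch Events (EventBridge) rule: validate the put-rule inputs and build
the invoke role's IAM documents."""
import json
import re

ROLE_NAME = "AWS_InspectorEvents_Invoke_Assessment_Template"

# EventBridge rule names: 1-64 characters from [.-_A-Za-z0-9]; spaces are rejected.
RULE_NAME_RE = re.compile(r"^[.\-_A-Za-z0-9]{1,64}$")
# rate() expressions take the singular unit for value 1 and the plural otherwise.
RATE_RE = re.compile(r"^rate\((\d+) (minute|minutes|hour|hours|day|days)\)$")
_UNIT_DAYS = {"minute": 1 / 1440, "hour": 1 / 24, "day": 1.0}


def valid_rule_name(name):
    """True if put-rule would accept the name."""
    return bool(RULE_NAME_RE.match(name))


def rate_in_days(expression):
    """Interval of a rate() schedule expression in days, or None when EventBridge
    would reject it (bad syntax, zero, or singular/plural mismatch)."""
    m = RATE_RE.match(expression)
    if not m:
        return None
    value, unit = int(m.group(1)), m.group(2)
    if value == 0 or (value == 1) != (not unit.endswith("s")):
        return None
    return value * _UNIT_DAYS[unit.rstrip("s")]


def schedule_meets_threshold(expression, threshold_days):
    """True when the schedule fires at least as often as the rule's n-day threshold."""
    interval = rate_in_days(expression)
    return interval is not None and interval <= threshold_days


def trust_policy():
    """Lets the events service assume the role when the rule fires."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def permission_policy():
    """Grants only the action the target needs. Inspector Classic actions are not
    resource-scoped, so 'on all resources' on this page means Resource "*"."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "inspector:StartAssessmentRun",
        "Resource": "*"}]}


def put_targets_argument(template_arn, account_id, target_id="1"):
    """Shorthand value for `aws events put-targets --targets` (assumed 12-digit account ID)."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    role_arn = f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
    return f"Id={target_id},Arn={template_arn},RoleArn={role_arn}"


if __name__ == "__main__":
    for name in ("Inspector assessment template trigger", "Inspector-assessment-template-trigger"):
        print(f"{name!r}: {'accepted' if valid_rule_name(name) else 'rejected by put-rule'}")
    print("rate(5 days) meets a 7-day threshold:", schedule_meets_threshold("rate(5 days)", 7))
    print("trust policy:", json.dumps(trust_policy(), indent=2))
    print("permission policy:", json.dumps(permission_policy(), indent=2))
    print(put_targets_argument(
        "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-4r1V2mAw",
        "123456789012"))
```

Create the role with `aws iam create-role --assume-role-policy-document` using the trust document and attach the permission document with `aws iam put-role-policy` before running put-targets; without the trust relationship the rule fires but the assessment run is never started, and the template drifts out of compliance silently.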

Publication date May 2, 2016