- Check for Amazon Inspector v2 Findings
Proactively identify and remediate your Amazon Inspector v2 findings to strengthen the security and compliance posture of your AWS cloud environment.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon Inspector v2 findings identify security issues and vulnerabilities in your AWS cloud resources, such as Amazon EC2 instances, ECR container images and repositories, and Lambda functions. These findings provide details on severity, affected resources, and recommended actions to enhance security and compliance. By using Inspector v2, you can automatically evaluate your operating system environments and applications deployed on AWS cloud for potential security issues and common vulnerabilities. Addressing these findings helps protect your AWS resources from security threats, ensures regulatory compliance, reduces the risk of breaches, and strengthens your overall cloud security posture.
Audit
To check for Amazon Inspector v2 findings within your AWS cloud account, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Inspector console available at https://console.aws.amazon.com/inspector/v2/home.
03 In the left navigation panel, under Dashboard, choose Findings, and select All findings. Inspector v2 scans resources continuously rather than in scheduled assessment runs, so the list reflects the current state of your resources: if no potential security issues were found, the Findings list is empty; otherwise, it shows every finding together with its severity.
04 Select the Amazon Inspector v2 finding that you want to examine to show the panel with the finding details.
05 Examine the selected finding using the following attributes:
- Title: the name of the finding, e.g., "Port 22 is reachable from an Internet Gateway - TCP".
- Description: a concise summary of the finding, e.g., "On the instance i-0abcd1234abcd1234, the port range 22-22 is reachable from the InternetGateway igw-0abcd1234abcd1234 from an attached ENI eni-01234123412341234".
- Severity: the severity of the finding, e.g., "Medium". Possible values are Critical, High, Medium, Low, Informational, and Untriaged.
- Affected resource(s): the information required to identify the affected AWS resource(s). This information can contain the resource identifier, type, platform, etc.
- Remediation: the recommended steps to address the potential security issue identified in the selected finding, e.g., "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path".
06 Using the information from the previous step, you can analyze the selected Amazon Inspector v2 finding and implement the recommended fix.
07 Repeat steps no. 4 – 6 to analyze each Amazon Inspector v2 finding available within the current AWS region.
08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.
Using AWS CLI
01 Run list-findings command (OSX/Linux/UNIX) to list the Amazon Resource Name (ARN) of each Amazon Inspector v2 finding identified in the selected AWS region:
aws inspector2 list-findings --region us-east-1 --query 'findings[].findingArn'
02 The command output should return the requested ARNs as a JSON array. If no potential security issues were found by the Inspector v2 scans, the list-findings command output returns an empty array (i.e., []). To limit the list to findings that are still open, add a findingStatus filter (comparison EQUALS, value ACTIVE) to --filter-criteria, in the same form as the filter used in step no. 3:
[
    "arn:aws:inspector2:us-east-1:123456789012:finding/abcd1234abcd1234abcd1234abcd1234",
    "arn:aws:inspector2:us-east-1:123456789012:finding/abcdabcdabcdabcdabcdabcdabcdabcd",
    "arn:aws:inspector2:us-east-1:123456789012:finding/1234abcd1234abcd1234abcd1234abcd",
    "arn:aws:inspector2:us-east-1:123456789012:finding/abcd1234abcd1234abcd1234abcd1234",
    "arn:aws:inspector2:us-east-1:123456789012:finding/1234abcd1234abcd1234abcd1234abcd"
]
03 Run list-findings command (OSX/Linux/UNIX) again with built-in filters to list the information available for the specified Amazon Inspector v2 finding. Replace <finding-arn> in --filter-criteria '{"findingArn": [{"comparison": "EQUALS", "value": "<finding-arn>"}]}' with the ARN of the finding that you want to examine:
aws inspector2 list-findings --filter-criteria '{"findingArn": [{"comparison": "EQUALS", "value": "arn:aws:inspector2:us-east-1:123456789012:finding/abcd1234abcd1234abcd1234abcd1234"}]}' --query 'findings[]'
04 The command output should return the information available for selected finding:
[
    {
        "awsAccountId": "123456789012",
        "description": "On the instance i-0abcd1234abcd1234, the port range 22-22 is reachable from the InternetGateway igw-0abcd1234abcd1234 from an attached ENI eni-01234123412341234.",
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/abcd1234abcd1234abcd1234abcd1234",
        "firstObservedAt": "2024-12-18T18:46:32.191000+00:00",
        "lastObservedAt": "2024-12-18T18:46:32.191000+00:00",
        "networkReachabilityDetails": {
            "networkPath": {
                "steps": [
                    {
                        "componentId": "igw-0abcd1234abcd1234",
                        "componentType": "AWS::EC2::InternetGateway"
                    },
                    {
                        "componentId": "acl-01234123412341234",
                        "componentType": "AWS::EC2::NetworkAcl"
                    },
                    {
                        "componentId": "sg-0abcd1234abcd1234",
                        "componentType": "AWS::EC2::SecurityGroup"
                    },
                    {
                        "componentId": "eni-01234123412341234",
                        "componentType": "AWS::EC2::NetworkInterface"
                    },
                    {
                        "componentId": "i-0abcd1234abcd1234",
                        "componentType": "AWS::EC2::Instance"
                    }
                ]
            },
            "openPortRange": {
                "begin": 22,
                "end": 22
            },
            "protocol": "TCP"
        },
        "remediation": {
            "recommendation": {
                "text": "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path."
            }
        },
        "resources": [
            {
                "details": {
                    "awsEc2Instance": {
                        "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/tm-instance-profile",
                        "imageId": "ami-0abcd1234abcd1234",
                        "ipV4Addresses": [
                            "172.31.17.140",
                            "xxx.xxx.xxx.xxx"
                        ],
                        "ipV6Addresses": [],
                        "keyName": "tm-project5-key",
                        "launchedAt": "2024-12-18T12:55:01+00:00",
                        "platform": "AMAZON_LINUX_2023",
                        "subnetId": "subnet-0abcd1234abcd1234",
                        "type": "t2.micro",
                        "vpcId": "vpc-0abcd1234abcd1234"
                    }
                },
                "id": "i-0abcd1234abcd1234",
                "partition": "aws",
                "region": "us-east-1",
                "tags": {
                    "Name": "tm-ec2-server"
                },
                "type": "AWS_EC2_INSTANCE"
            }
        ],
        "severity": "MEDIUM",
        "status": "ACTIVE",
        "title": "Port 22 is reachable from an Internet Gateway - TCP",
        "type": "NETWORK_REACHABILITY",
        "updatedAt": "2024-12-18T18:46:32.191000+00:00"
    }
]
05 Examine the finding information returned at the previous step using the following attributes:
- "title": the name of the finding, e.g., "Port 22 is reachable from an Internet Gateway - TCP".
- "description": a concise summary of the finding, e.g., "On the instance i-0abcd1234abcd1234, the port range 22-22 is reachable from the InternetGateway igw-0abcd1234abcd1234 from an attached ENI eni-01234123412341234".
- "severity": the severity of the finding, e.g., "MEDIUM". Possible values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, and UNTRIAGED.
- "resources": the information required to identify the affected AWS resource(s). This information can contain the resource identifier, type, platform, etc.
- "remediation": the recommended steps to address the potential security issue identified in the selected finding, e.g., "You can restrict access to your instance by modifying the Security Groups or ACLs in the network path".
06 Based on the information collected and analyzed in the previous step, you can implement the recommended fix.
07 Repeat steps no. 3 – 6 to analyze each Amazon Inspector v2 finding available in the selected AWS region.
08 Change the AWS cloud region by updating the --region parameter value and repeat the Audit process for other AWS regions.
Remediation / Resolution
To remediate the Amazon Inspector v2 findings identified within your AWS account, perform the following operations. The fix depends on the finding type: a package vulnerability finding is resolved by updating the affected package (or rebuilding the AMI, container image, or Lambda deployment package), while a network reachability finding is resolved by tightening the network path. As an example, this section provides step-by-step instructions on restricting SSH access on TCP port 22 to an Amazon EC2 instance by modifying the associated security group(s) in the network path.
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Inspector console available at https://console.aws.amazon.com/inspector/v2/home.
03 In the left navigation panel, under Dashboard, choose Findings, and select All findings.
04 Select the Amazon Inspector v2 finding that you want to remediate to show the panel with the finding details.
05 In the Resource affected section, click on the ID (link) of the affected EC2 instance, listed next to Resource ID.
06 Choose the Security tab, click on the name (link) of the security group that you want to configure, listed under Security groups, and perform the following actions:
- Select the Inbound rules tab and choose Edit inbound rules.
- On the Edit inbound rules configuration page, locate the inbound rule that allows unrestricted SSH access: Type set to SSH, Protocol set to TCP, Port range set to 22, and Source set to 0.0.0.0/0 or ::/0. An All traffic rule, or a rule whose port range contains 22, exposes the port just the same and must be changed too. Then change the rule's traffic source by performing one of the following actions:
  - Choose My IP from the Source dropdown list to allow inbound traffic only from your current IP address.
  - Select Custom from the Source dropdown list and enter one of the following options based on your access requirements:
    - The static IP address of the permitted host in CIDR notation, e.g., 10.0.0.5/32.
    - The IP address range of the permitted network/subnetwork in CIDR notation, for example 10.0.5.0/24.
    - The ID of another security group in the same VPC (or a peered VPC), so that only resources in that group can connect.
    - The ID of a prefix list that enumerates the permitted source networks, e.g., a customer-managed prefix list such as pl-01234123412341234. AWS-managed service prefix lists such as com.amazonaws.us-east-1-dynamodb describe the endpoints of an AWS service and are not meaningful as an SSH source.
- Choose Save rules to apply the configuration changes.
07 Repeat steps no. 4 – 6 for each Amazon Inspector v2 finding that you want to remediate, available within the current AWS region.
08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.
Using AWS CLI
01 Run list-findings command (OSX/Linux/UNIX) with built-in filters to describe the network path information returned by the specified finding. Replace <finding-arn> in --filter-criteria '{"findingArn": [{"comparison": "EQUALS", "value": "<finding-arn>"}]}' with the ARN of the finding that you want to remediate:
aws inspector2 list-findings --filter-criteria '{"findingArn": [{"comparison": "EQUALS", "value": "arn:aws:inspector2:us-east-1:123456789012:finding/abcd1234abcd1234abcd1234abcd1234"}]}' --query 'findings[].networkReachabilityDetails'
02 The command output should return the requested network path information, including the ID of each security group on the path. An elastic network interface can have several security groups attached, so check every group listed, not only the first one:
[
    {
        "networkPath": {
            "steps": [
                {
                    "componentId": "igw-0abcd1234abcd1234",
                    "componentType": "AWS::EC2::InternetGateway"
                },
                {
                    "componentId": "acl-01234123412341234",
                    "componentType": "AWS::EC2::NetworkAcl"
                },
                {
                    "componentId": "sg-0abcd1234abcd1234",
                    "componentType": "AWS::EC2::SecurityGroup"
                },
                {
                    "componentId": "eni-01234123412341234",
                    "componentType": "AWS::EC2::NetworkInterface"
                },
                {
                    "componentId": "i-0abcd1234abcd1234",
                    "componentType": "AWS::EC2::Instance"
                }
            ]
        },
        "openPortRange": {
            "begin": 22,
            "end": 22
        },
        "protocol": "TCP"
    }
]
03 Run revoke-security-group-ingress command (OSX/Linux/UNIX) with the ID of the EC2 security group that you want to configure as the identifier parameter, to remove the inbound rules that allow unrestricted SSH access on TCP port 22. The request must describe the rules exactly as they exist in the group: drop the Ipv6Ranges element if the group has no ::/0 rule (or the IpRanges element if it has no 0.0.0.0/0 rule), and if port 22 is exposed by a wider rule instead (an All traffic rule, or a port range that contains 22), list the group's inbound rules first with describe-security-group-rules and revoke the rule as it is actually defined; a revoke request that names a rule the group does not have fails with an InvalidPermission.NotFound error:
aws ec2 revoke-security-group-ingress --region us-east-1 --group-id sg-0abcd1234abcd1234 --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp="0.0.0.0/0"}],Ipv6Ranges=[{CidrIpv6="::/0"}] --query 'Return'
04 The command output should return true if the request succeeds. Otherwise, it should return an error:
true
05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add back the inbound rule removed at the previous step with a different set of parameters, in order to restrict access on TCP port 22 (SSH) to trusted entities only (IP addresses, IP ranges, security groups, or prefix lists). To create and attach custom inbound/ingress rules to the selected EC2 security group based on your access requirements, use one of the following options. Each command returns the created rule under SecurityGroupRules together with "Return": true:
- Add an inbound rule that allows traffic on TCP port 22 from an authorized static IP address using CIDR notation (e.g., 10.0.0.5/32):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-0abcd1234abcd1234 --protocol tcp --port 22 --cidr 10.0.0.5/32
- Add an inbound/ingress rule that allows traffic on TCP port 22 from a trusted IP address range using CIDR notation (for example, 10.0.5.0/24):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-0abcd1234abcd1234 --protocol tcp --port 22 --cidr 10.0.5.0/24
- Add an inbound rule that allows traffic on TCP port 22 from another security group (e.g., sg-01234123412341234) in the same VPC or a peered VPC:
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-0abcd1234abcd1234 --protocol tcp --port 22 --source-group sg-01234123412341234
- Add an inbound rule that allows traffic on TCP port 22 from a managed prefix list (e.g., pl-01234123412341234):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-0abcd1234abcd1234 --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,PrefixListIds="[{PrefixListId=pl-01234123412341234}]"
06 Repeat steps no. 1 – 5 for each Amazon Inspector v2 finding that you want to remediate, available in the selected AWS region.
07 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Remediation process for other AWS regions.
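The CLI audit steps (examining each finding's severity, type and network path) and the CLI remediation steps above leave two judgement calls to the operator: which finding to handle first, and which inbound rule(s) actually expose the port named in a network reachability finding (an exact tcp/22 rule is only one possibility; an All traffic rule or a wider port range opens it too, and revoke-security-group-ingress must be given the rule as it exists). The Python script below is an added example, not code from the Conformity page or from any AWS tool. It works on the JSON that `aws inspector2 list-findings` and `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id>` print; the two documents it reads are constructed inline (a trimmed copy of the finding shown above plus made-up security group rules with made-up rule IDs), so it runs offline. It ranks the active findings by severity, pulls the security group IDs off the finding's network path, flags the ingress rules that let any source reach the open port range, and emits the --ip-permissions document for revoke-security-group-ingress.

```python
"""Triage Amazon Inspector v2 findings and derive the security group change.
Added example (not Conformity or AWS code). Both inputs below are constructed
samples in the shape of the AWS CLI's JSON output, so this runs offline."""
import ipaddress
import json

# Severity levels used by Inspector v2, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"]

# Constructed sample: a trimmed copy of the page's network reachability finding
# plus a made-up package vulnerability finding on the same instance.
FINDINGS = json.loads("""
[
  {"findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/abcd1234abcd1234abcd1234abcd1234",
   "severity": "MEDIUM", "status": "ACTIVE", "type": "NETWORK_REACHABILITY",
   "title": "Port 22 is reachable from an Internet Gateway - TCP",
   "networkReachabilityDetails": {"networkPath": {"steps": [
       {"componentId": "igw-0abcd1234abcd1234", "componentType": "AWS::EC2::InternetGateway"},
       {"componentId": "acl-01234123412341234", "componentType": "AWS::EC2::NetworkAcl"},
       {"componentId": "sg-0abcd1234abcd1234", "componentType": "AWS::EC2::SecurityGroup"},
       {"componentId": "eni-01234123412341234", "componentType": "AWS::EC2::NetworkInterface"},
       {"componentId": "i-0abcd1234abcd1234", "componentType": "AWS::EC2::Instance"}]},
     "openPortRange": {"begin": 22, "end": 22}, "protocol": "TCP"},
   "resources": [{"id": "i-0abcd1234abcd1234", "type": "AWS_EC2_INSTANCE"}]},
  {"findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/1234abcd1234abcd1234abcd1234abcd",
   "severity": "CRITICAL", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
   "title": "Constructed placeholder: vulnerable OS package",
   "resources": [{"id": "i-0abcd1234abcd1234", "type": "AWS_EC2_INSTANCE"}]}
]
""")

# Constructed sample in the shape of describe-security-group-rules output for
# sg-0abcd1234abcd1234 (rule IDs made up). The "all traffic" IPv6 rule and the
# 20-25 range both expose port 22 without naming it; the udp rule does not.
SG_RULES = json.loads("""
{"SecurityGroupRules": [
  {"SecurityGroupRuleId": "sgr-0000000000000001", "GroupId": "sg-0abcd1234abcd1234", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "0.0.0.0/0"},
  {"SecurityGroupRuleId": "sgr-0000000000000002", "GroupId": "sg-0abcd1234abcd1234", "IsEgress": false, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv6": "::/0"},
  {"SecurityGroupRuleId": "sgr-0000000000000003", "GroupId": "sg-0abcd1234abcd1234", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "10.0.5.0/24"},
  {"SecurityGroupRuleId": "sgr-0000000000000004", "GroupId": "sg-0abcd1234abcd1234", "IsEgress": true, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
  {"SecurityGroupRuleId": "sgr-0000000000000005", "GroupId": "sg-0abcd1234abcd1234", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "CidrIpv4": "0.0.0.0/0"},
  {"SecurityGroupRuleId": "sgr-0000000000000006", "GroupId": "sg-0abcd1234abcd1234", "IsEgress": false, "IpProtocol": "udp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "0.0.0.0/0"}
]}
""")


def rank_findings(findings):
    """Active findings ordered from most to least severe."""
    active = [f for f in findings if f.get("status") == "ACTIVE"]
    return sorted(active, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


def security_groups_in_path(finding):
    """IDs of every security group on a network reachability finding's path."""
    steps = finding.get("networkReachabilityDetails", {}).get("networkPath", {}).get("steps", [])
    return [s["componentId"] for s in steps if s["componentType"] == "AWS::EC2::SecurityGroup"]


def _open_to_any_source(rule):
    # 0.0.0.0/0 or ::/0 only; prefix-list and group-referenced sources are not
    # evaluated here and must be reviewed by hand.
    cidr = rule.get("CidrIpv4") or rule.get("CidrIpv6")
    return cidr is not None and ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposing_rules(rules, group_ids, protocol, begin, end):
    """Ingress rules on the given groups that let any source reach ports begin-end:
    the exact rule, an "all traffic" rule (IpProtocol "-1"), or a wider range."""
    hits = []
    for r in rules:
        if r["IsEgress"] or r["GroupId"] not in group_ids or not _open_to_any_source(r):
            continue
        if r["IpProtocol"] == "-1" or (
            r["IpProtocol"] == protocol.lower() and r["FromPort"] <= begin and r["ToPort"] >= end
        ):
            hits.append(r)
    return hits


def revoke_ip_permissions(rules):
    """Per group, the --ip-permissions document for revoke-security-group-ingress.
    Entries mirror the rules as they exist; naming a rule the group does not
    have makes the revoke call fail with InvalidPermission.NotFound."""
    by_group = {}
    for r in rules:
        p = {"IpProtocol": r["IpProtocol"]}
        if r["IpProtocol"] != "-1":  # "all traffic" rules carry no port range
            p["FromPort"], p["ToPort"] = r["FromPort"], r["ToPort"]
        if "CidrIpv4" in r:
            p["IpRanges"] = [{"CidrIp": r["CidrIpv4"]}]
        if "CidrIpv6" in r:
            p["Ipv6Ranges"] = [{"CidrIpv6": r["CidrIpv6"]}]
        by_group.setdefault(r["GroupId"], []).append(p)
    return by_group


def remediation_plan(findings, sg_rules):
    """finding ARN -> {group id: ip-permissions to revoke}, most severe first."""
    plan = {}
    for f in rank_findings(findings):
        if f["type"] != "NETWORK_REACHABILITY":
            continue  # package vulnerabilities are fixed by patching, not here
        d = f["networkReachabilityDetails"]
        bad = exposing_rules(sg_rules["SecurityGroupRules"], security_groups_in_path(f),
                             d["protocol"], d["openPortRange"]["begin"], d["openPortRange"]["end"])
        plan[f["findingArn"]] = revoke_ip_permissions(bad)
    return plan


if __name__ == "__main__":
    for f in rank_findings(FINDINGS):
        print(f"{f['severity']:<9}{f['type']:<23}{f['title']}")
    for arn, groups in remediation_plan(FINDINGS, SG_RULES).items():
        print("\n" + arn)
        for sg, perms in groups.items():
            print(f"aws ec2 revoke-security-group-ingress --group-id {sg} --ip-permissions '{json.dumps(perms)}'")
```

Revoking an All traffic rule removes far more than SSH exposure, so re-add whatever legitimate traffic that rule carried (with a restricted source) using the authorize-security-group-ingress options from step no. 5 before considering the finding closed. The script deliberately does not touch the network ACL on the path; that is a second, coarser control a practitioner may tighten in addition to the security group.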
References
- AWS Documentation
- Amazon Inspector FAQs
- Understanding Amazon Inspector findings
- Amazon EC2 security groups for your EC2 instances
- What is Amazon EC2?
- Security group rules for different use cases
- AWS Command Line Interface (CLI) Documentation
- list-findings
- revoke-security-group-ingress
- authorize-security-group-ingress