Enable Amazon Inspector 2

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Inspector2-001

Ensure that the new version of Amazon Inspector is enabled in order to help you improve the security and compliance of your AWS cloud environment. Amazon Inspector 2 is a vulnerability management solution that continually scans your Amazon EC2 instances, ECR container images, and Lambda functions to identify software vulnerabilities and instances of unintended network exposure.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon Inspector 2 introduces a vulnerability management solution that conducts ongoing scans of AWS workloads to identify software vulnerabilities and potential network vulnerabilities. The new version of Amazon Inspector has undergone a comprehensive rearchitecture, streamlining vulnerability management by automating processes and delivering findings promptly so that emerging vulnerabilities are detected quickly. Once enabled, the new Inspector service locates all your workloads and maintains a continuous cycle of vulnerability scans for both software vulnerabilities and unintended network exposure.

Audit

To ensure that Amazon Inspector 2 is enabled in your AWS cloud environment, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Inspector 2 console available at https://console.aws.amazon.com/inspector/v2/home.

03 If the Get Started page is displayed, Amazon Inspector 2 is not enabled within the current AWS region.

04 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run the batch-get-account-status command (OSX/Linux/UNIX) with custom query filters to describe the Amazon Inspector status of multiple accounts within your AWS cloud environment:

aws inspector2 batch-get-account-status \
  --region us-east-1 \
  --query 'accounts[*].[accountId,state.status]'

02 The command output should return the Amazon Inspector 2 status for each account within your AWS cloud environment:

[
	[
		"123456789012",
		"DISABLED"
	]
]

If the batch-get-account-status command output returns "DISABLED" for your AWS account, as shown in the example above, Amazon Inspector 2 is not enabled for your AWS cloud environment.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for the other AWS regions.
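As an added example that is not part of this Conformity rule page, the following Python script runs the same batch-get-account-status query for each region passed on the command line and flags any account, or any individual scan type, that is not enabled. It parses the CLI's full JSON output rather than the --query projection above, so a region where the account is ENABLED overall but one resource type (for example Lambda) has been switched off still surfaces as a finding, and accounts listed under failedAccounts are reported too. The per-resource field name resourceState (with ec2, ecr, lambda and lambdaCode entries) is assumed from the Inspector 2 API and is not shown on this page; SAMPLE_RESPONSE is a constructed sample, not real CLI output.

```python
"""Audit Amazon Inspector 2 status per region from the CLI's JSON output (added example)."""
import json
import subprocess
import sys
from typing import Dict, List

# Scan types Inspector 2 manages; mirrors the --resource-types values used on this page.
EXPECTED_RESOURCE_TYPES = ("ec2", "ecr", "lambda", "lambdaCode")
# States that count as "on" for the purpose of this rule (ENABLING converges to ENABLED).
HEALTHY_STATES = {"ENABLED", "ENABLING"}


def evaluate_account_status(response: dict) -> List[Dict[str, str]]:
    """Return one finding per account (or per account/scan type) that is not enabled.

    `response` is the parsed JSON of `aws inspector2 batch-get-account-status`.
    The page's query reads only `state.status`; this also inspects the per-resource
    block, assumed to be `resourceState` with a `status` for each scan type.
    """
    findings: List[Dict[str, str]] = []
    for account in response.get("accounts", []):
        account_id = account.get("accountId", "<unknown>")
        overall = account.get("state", {}).get("status", "UNKNOWN")
        if overall not in HEALTHY_STATES:
            # Whole account is off: report once, per-resource states are irrelevant.
            findings.append({"accountId": account_id, "scope": "account", "status": overall})
            continue
        resource_state = account.get("resourceState", {})
        for rtype in EXPECTED_RESOURCE_TYPES:
            status = resource_state.get(rtype, {}).get("status", "UNKNOWN")
            if status not in HEALTHY_STATES:
                findings.append({"accountId": account_id, "scope": rtype, "status": status})
    for failed in response.get("failedAccounts", []):
        # Accounts the service could not describe are treated as non-compliant until resolved.
        findings.append({
            "accountId": failed.get("accountId", "<unknown>"),
            "scope": "account",
            "status": failed.get("errorCode", "FAILED"),
        })
    return findings


def fetch_account_status(region: str) -> dict:
    """Run the page's CLI command for one region and parse its JSON output."""
    completed = subprocess.run(
        ["aws", "inspector2", "batch-get-account-status",
         "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


# Constructed sample: account enabled overall, but Lambda scanning is switched off.
SAMPLE_RESPONSE = json.loads("""
{
  "accounts": [
    {
      "accountId": "123456789012",
      "resourceState": {
        "ec2": {"status": "ENABLED"},
        "ecr": {"status": "ENABLED"},
        "lambda": {"status": "DISABLED"},
        "lambdaCode": {"status": "DISABLED"}
      },
      "state": {"status": "ENABLED"}
    }
  ],
  "failedAccounts": []
}
""")


if __name__ == "__main__":
    # Usage: python inspector2_audit.py us-east-1 eu-west-1 ...
    regions = sys.argv[1:] or ["us-east-1"]
    for region in regions:
        try:
            response = fetch_account_status(region)
        except (subprocess.CalledProcessError, FileNotFoundError) as exc:
            print(f"{region}: could not query Inspector 2 ({exc})")
            continue
        findings = evaluate_account_status(response)
        if not findings:
            print(f"{region}: Amazon Inspector 2 fully enabled")
        for f in findings:
            print(f"{region}: account {f['accountId']} {f['scope']} is {f['status']}")
```

The query projection shown on this page stops at the account-level status, which is the right first check; the per-resource pass matters because a member account can be enabled while individual scan types have been disabled from the account management page, and that account would otherwise pass the audit.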

Remediation / Resolution

To enable Amazon Inspector 2 for your AWS cloud environment, perform the following actions:

Using AWS Console

- For standalone AWS account environments:

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Inspector 2 console available at https://console.aws.amazon.com/inspector/v2/home.

03 In the left navigation panel, under Inspector, choose Activate Inspector.

04 Choose Activate Amazon Inspector to enable Amazon Inspector 2 for your AWS cloud account. After Amazon Inspector 2 is enabled in a standalone account, all scan types are activated immediately. These activated scan types can be managed from the account management page of the Amazon Inspector console or through the Amazon Inspector API. Once enabled, Amazon Inspector 2 automatically identifies and begins scanning all eligible AWS resources.

- For multi-account AWS environments:

01 Sign in to the AWS Management Console using your AWS Organizations management account credentials.

02 Navigate to the Amazon Inspector 2 console available at https://console.aws.amazon.com/inspector/v2/home.

03 In the left navigation panel, under Inspector, choose Activate Inspector.

04 In the Delegated administrator section, enter the twelve-digit ID (e.g. 123456789012) of the AWS account that you want to designate as the Amazon Inspector 2 delegated administrator for your organization in the Delegated administrator account ID box. Choose Delegate to save the changes. In the confirmation box, choose Delegate again. When you delegate an administrator account, Amazon Inspector 2 is enabled for that AWS account, and in your account.

05 As a delegated administrator, you can enable Inspector 2 scanning for any member associated with the management account within the organization. This activates all scan types for all member accounts. Choose Account management from the left navigation panel and enable scanning for all accounts in order to activate resource scanning for all AWS accounts in your organization. Alternatively, you can choose the AWS accounts that you want to add as members by selecting them from the Accounts panel.

Using AWS CLI

- For standalone AWS account environments:

01 Run the enable command (OSX/Linux/UNIX) to enable Amazon Inspector 2 for all the supported resource types within the AWS cloud account(s) specified in the --account-ids parameter value:

aws inspector2 enable \
  --region us-east-1 \
  --account-ids 123456789012 \
  --resource-types "EC2" "ECR" "LAMBDA" "LAMBDA_CODE"

02 The command output should return the Amazon Inspector 2 status for the specified AWS account(s):

{
	"accounts": [
		{
			"accountId": "123456789012",
			"resourceStatus": {
				"ec2": "ENABLING",
				"ecr": "ENABLING",
				"lambda": "ENABLING"
			},
			"status": "ENABLING"
		}
	],
	"failedAccounts": []
}

- For multi-account AWS environments:

01 Run the enable-delegated-admin-account command (OSX/Linux/UNIX) to configure the Amazon Inspector 2 delegated administrator for your AWS Organizations organization. For the --delegated-admin-account-id command parameter, provide the twelve-digit ID (e.g. 123456789012) of the AWS account that you want to designate as the Amazon Inspector 2 delegated administrator for your organization:

aws inspector2 enable-delegated-admin-account \
  --region us-east-1 \
  --delegated-admin-account-id 123456789012

02 The command output should return the account ID of the successfully delegated administrator:

{
	"delegatedAdminAccountId": "123456789012"
}

03 As a delegated administrator, you can enable Inspector 2 scanning for any member associated with the management account within the organization. To associate an AWS cloud account with your Amazon Inspector 2 delegated administrator, run the associate-member command (OSX/Linux/UNIX):

aws inspector2 associate-member \
  --region us-east-1 \
  --account-id 123412341234

04 The command output should return the account ID of the successfully associated member account:

{
	"accountId": "123412341234"
}

Publication date: Aug 30, 2023