Security, Identity & Compliance | Amazon Inspector

Question 1

What is Amazon Inspector?

General

Amazon Inspector | Security, Identity & Compliance

Answer 1

Amazon Inspector is an automated security assessment service that helps you test the security state of your applications running on Amazon EC2.

Question 2

What can I do with Amazon Inspector?

General

Amazon Inspector | Security, Identity & Compliance

Answer 2

Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems. This allows you to make security testing a more regular occurrence as part of development and IT operations. Amazon Inspector is agent-based, API-driven, and delivered as a service to make it easy to deploy, manage, and automate.

Question 3

What makes up the Amazon Inspector service?

General

Amazon Inspector | Security, Identity & Compliance

Answer 3

Amazon Inspector consists of an Amazon-developed agent that is installed in the operating system of your Amazon EC2 instances and a security assessment service that uses telemetry from the agent and AWS configuration to assess instances for security exposures and vulnerabilities.

Question 4

What is an assessment template?

General

Amazon Inspector | Security, Identity & Compliance

Answer 4

An assessment template is a configuration that you create in Amazon Inspector to define your assessment run. This assessment template includes a rules package against which you want Amazon Inspector to evaluate your assessment target, the duration of the assessment run, Amazon Simple Notification Service (SNS) topics to which you want Amazon Inspector to send notifications about assessment run states and findings, and Amazon Inspector-specific attributes (key/value pairs) that you can assign to findings generated by the assessment run.

Question 5

What is an assessment run?

General

Amazon Inspector | Security, Identity & Compliance

Answer 5

An assessment run is the process of discovering potential security issues through the analysis of your assessment target’s configuration and behavior against specified rule packages. During an assessment run, the agent monitors, collects, and analyzes behavioral data (telemetry) within the specified target, such as the use of secure channels, network traffic among running processes, and details of communication with AWS services. Next, the agent analyzes the data and compares it against a set of security rule packages specified in the assessment template used during the assessment run. A completed assessment run produces a list of findings - potential security issues of various severity.

Question 6

Is there any performance impact during an Amazon Inspector assessment run?

General

Amazon Inspector | Security, Identity & Compliance

Answer 6

Amazon Inspector and the Amazon Inspector Agent have been designed for minimal performance impact during the assessment run process.

Question 7

What is an assessment target?

General

Amazon Inspector | Security, Identity & Compliance

Answer 7

An assessment target represents a collection of AWS resources that work together as a unit to help you accomplish your business goal(s). Amazon Inspector evaluates the security state of the resources that constitute the assessment target. You create an assessment target by using Amazon EC2 tags, and you can then define these tagged resources as an assessment target for an assessment run defined by the assessment template.

Question 8

What is a finding?

General

Amazon Inspector | Security, Identity & Compliance

Answer 8

A finding is a potential security issue discovered during the Amazon Inspector assessment run of the specified target. Findings are displayed in the Amazon Inspector console or retrieved through the API, and contain both a detailed description of the security issue and a recommendation on how to fix it.

Question 9

What is a rules package?

General

Amazon Inspector | Security, Identity & Compliance

Answer 9

A rules package is a collection of security tests that can be configured as part of an assessment template and assessment run. Amazon Inspector has many rules packages including common vulnerabilities and exposures (CVE), Center for Internet Security (CIS) Operating System configuration benchmarks, and security best practices. See the Amazon Inspector documentation for a full list of rules packages available.

Question 10

Can I define my own rules for assessment templates?

General

Amazon Inspector | Security, Identity & Compliance

Answer 10

No. Only the pre-defined rules will initially be allowed for assessment runs. However, over time we are exploring the inclusion of both premium rules sets from vendors in the AWS Marketplace and self-developed custom rules.

Question 11

Which applications can Inspector analyze for vulnerabilities?

General

Amazon Inspector | Security, Identity & Compliance

Answer 11

Amazon Inspector finds applications by querying the package manager or software installation system on the operating system where the agent is installed. This means that software that was installed through the package manager is assessed for vulnerabilities. The version and patch level of software that is not installed through these methods is not recognized by Inspector. For example, software installed via apt, yum, or Microsoft Installer will be assessed by Inspector. Software installed through make config / make install, or binary files copied directly to the system using automation software such as Puppet or Ansible will not be assessed by Inspector.

Question 12

What is an assessment report, and what does it include?

General

Amazon Inspector | Security, Identity & Compliance

Answer 12

An Amazon Inspector assessment report can be generated for an assessment run once it has been successfully completed. An assessment report is a document that details what is tested in the assessment run, and the results of the assessment. The results of your assessment are formatted into a standard report, which can be generated to share results within your team for remediation actions, to enrich compliance audit data, or to store for future reference.

You can select from two types of report for your assessment, a findings report or a full report. The findings report contains an executive summary of the assessment, the instances targeted, the rules packages tested, the rules that generated findings, and detailed information about each of these rules along with the list of instances that failed the check. The full report contains all the information in the findings report, and additionally provides the list of rules that were checked and passed on all instances in the assessment target.

Question 13

What happens if some of my targets are unavailable when I run an assessment?

General

Amazon Inspector | Security, Identity & Compliance

Answer 13

Amazon Inspector will gather vulnerability data for all available targets configured for the assessment template and return any appropriate security findings for the available targets. If there are no available targets for the assessment template when the run is started, the system will report that the assessment could not be run and will return the following notification: “The assessment run could not executed at this time as there are no targeted instances available for the selected assessment template.”

Question 14

How do Targets become unavailable?

General

Amazon Inspector | Security, Identity & Compliance

Answer 14

Targets in an assessment could be unavailable for a number of reasons, such as: the EC2 instance is down or unresponsive; the Tagged (targeted) instance does not have the Amazon Inspector Agent installed; the installed Amazon Inspector Agent is unavailable or cannot return vulnerability data.

Question 15

What is the pricing for Amazon Inspector?

General

Amazon Inspector | Security, Identity & Compliance

Answer 15

Inspector pricing is based on the number of assessment runs and the number of agents or systems that were assessed during those runs. We call this “agent-assessments.” An on-demand billing period is one calendar month like all AWS services. For example:

1 assessment run against 1 agent = 1 agent-assessment

1 assessment run against 10 agents = 10 agents-assessments

10 assessment runs against 2 agents each = 20 agent-assessments

30 assessment runs against 10 agents each = 300 agent-assessments

If the above represented the Amazon Inspector assessment runs activity in your account for a given billing period, you would be charged for 331 total agent-assessments.

The price of each individual agent-assessment is based on a tiered pricing model. As you move up the volume of agent-assessments in a given billing period, you pay a lower price per agent-assessment. For example, the first two tiers of agent-assessment pricing are:

First 250 agent-assessments = $0.30 per agent-assessment

Next 750 agent-assessments = $0.25 per agent-assessment

So for our example above of 331 total agent-assessments in a given billing period, you would be charged $0.30 for the first 250 and $0.25 for the next 81, or $95.25 total for the billing period. See the Amazon Inspector pricing page for the full pricing table.

Question 16

Is there a free trial for Amazon Inspector?

General

Amazon Inspector | Security, Identity & Compliance

Answer 16

Yes. Amazon Inspector offers the first 250 agent-assessments at no cost for the first 90 days of using the service. All AWS accounts new to the Amazon Inspector service are eligible.

Question 17

What Operating Systems does Amazon Inspector support?

General

Amazon Inspector | Security, Identity & Compliance

Answer 17

Please see the Amazon Inspector documentation for a current list of supported operating systems.

Question 18

In what regions is Amazon Inspector available?

General

Amazon Inspector | Security, Identity & Compliance

Answer 18

Please see the Amazon Inspector documentation for a current list of supported regions.

Question 19

Which Linux kernel versions are supported for Amazon Inspector assessments?

General

Amazon Inspector | Security, Identity & Compliance

Answer 19

You can run successful assessments for an EC2 instance with a Linux-based OS using the Common Vulnerabilities and Exposures (CVE), Center for Internet Security (CIS) Benchmarks, or Security Best Practices rules packages regardless of the kernel version. However, to run an assessment using the Runtime Behavior Analysis rules package, your Linux instance must have a kernel version that is supported for Amazon Inspector. An up-to-date list of Linux kernel versions that are supported for Amazon Inspector assessments is available here.

Question 20

Amazon Inspector sounds great, how do I get started?

General

Amazon Inspector | Security, Identity & Compliance

Answer 20

Simply sign up for Amazon Inspector from the AWS Management Console. Once signed up, you install the appropriate Amazon Inspector Agent on your Amazon EC2 instances, create a new assessment template, select the rules packages you want to use, and schedule an assessment run. Once it completes, the system will generate a findings report on any issues it identified for your environment.

Question 21

Does the Amazon Inspector Agent have to be installed on all of the EC2 instances I wish to assess?

General

Amazon Inspector | Security, Identity & Compliance

Answer 21

Yes. During an assessment run, the Amazon Inspector Agent monitors the behavior of the operating system and applications of the EC2 instance it’s installed on, collects configuration and behavioral data, and passes the data to the Amazon Inspector service.

Question 22

How can I install the Amazon Inspector Agent?

General

Amazon Inspector | Security, Identity & Compliance

Answer 22

There are several ways to install the agent. For simple installations, you can install it manually on each instance or do a one-time load using the AWS Systems Manager Run Command document (AmazonInspector-ManageAWSAgent). For larger deployments, you can automate agent installations using the EC2 User Data Function when configuring your instances or you can create automated installs of the agent using AWS Lambda. You can also launch an EC2 instance using the Amazon Linux AMI with the pre-installed Amazon Inspector Agent from the EC2 Console or the AWS Marketplace.

Question 23

How do I check whether the Amazon Inspector Agent is installed and healthy on my EC2 instances?

General

Amazon Inspector | Security, Identity & Compliance

Answer 23

You can view the status of the Amazon Inspector Agent for all the EC2 instances in your assessment target by using the ‘Preview Targets’ functionality available in the Inspector console and through the PreviewAgents API query. Agent status includes whether the agent is installed on the EC2 instance and the health of the agent. Along with the Inspector Agent status on the targeted EC2 instance, the instance ID, public hostname, and public IP address (if defined) are also displayed, along with links into the EC2 console for each instance.

Question 24

Can Amazon Inspector run without tagging the resources?

General

Amazon Inspector | Security, Identity & Compliance

Answer 24

No. Amazon Inspector requires you to use Amazon EC2 instance tags in order to run an assessment.

Question 25

Does Amazon Inspector access other AWS services in my account?

General

Amazon Inspector | Security, Identity & Compliance

Answer 25

Amazon Inspector needs to enumerate your EC2 instances and tags to identify the instances specified in the assessment target. Amazon Inspector gets access to these through a service-linked role that is created on your behalf when you get started with Inspector as a new customer or in a new region. The Inspector service-linked role is managed by Amazon Inspector, so you don’t have to worry about inadvertently revoking permissions required by Amazon Inspector. For some existing customers, an IAM role that was registered while getting started with Inspector might be used for accessing other AWS services until the Inspector service-linked role is created. You can create the Inspector service-linked role through the Inspector console’s dashboard page.

Question 26

I use a Network Address Translation (NAT) for my instances. Will Amazon Inspector work with these instances?

General

Amazon Inspector | Security, Identity & Compliance

Answer 26

Yes. Instances that use a NAT are supported by Amazon Inspector with no action required from you.

Question 27

I use a Proxy for my instances. Will Amazon Inspector work with these instances?

General

Amazon Inspector | Security, Identity & Compliance

Answer 27

Yes. The Amazon Inspector Agent supports proxy environments. For Linux instances, we support HTTPS Proxy, and for Windows instances, we support WinHTTP proxy. See the Amazon Inspector User Guide for instructions to configure Proxy support for the Amazon Inspector Agent.

Question 28

I would like to automate the assessment of my infrastructure on a regular basis. Do you provide an automated way to submit assessments?

General

Amazon Inspector | Security, Identity & Compliance

Answer 28

Yes. Amazon Inspector provides a full API allowing automatic creation of application environments, creation of assessments, evaluation of policies, creation of policy exceptions, and filters as well as retrieval of the results.

Question 29

Can I schedule security assessments to run at certain dates and times?

General

Amazon Inspector | Security, Identity & Compliance

Answer 29

Yes. Amazon Inspector assessments can be triggered by any Amazon CloudWatch Event. You can set up a recurring Schedule event with either a simple fixed recurring rate or a more detailed Cron expression.

Question 30

Can I trigger security assessments to run based on an event?

General

Amazon Inspector | Security, Identity & Compliance

Answer 30

Yes. You can use Amazon CloudWatch Events to create event patterns which monitor other AWS services for actions to trigger an assessment. For example, you can create an event which monitors AWS Auto Scaling for new Amazon EC2 Instances being launched, or monitors AWS CodeDeploy notifications for when a code deployment has been successfully completed. Once CloudWatch Events have been configured against Amazon Inspector templates, these assessment events will be displayed in the Inspector console as part of your assessment templates so you can see all of the automated triggers for that assessment.

Question 31

Can I set up Amazon Inspector assessments through AWS CloudFormation?

General

Amazon Inspector | Security, Identity & Compliance

Answer 31

Yes, you can create Amazon Inspector resource groups, assessment targets, and assessment templates using AWS CloudFormation templates. This allows you to automatically set up security assessments for your EC2 instances as they are deployed. In your CloudFormation template, you can also bootstrap installation of the Inspector Agent on EC2 instances by using agent installation commands in either AWS::CloudFormation::Init or EC2 user data. Alternatively, you can create EC2 instances in your CloudFormation template using an AMI with the Inspector Agent pre-installed.

Question 32

Where can I find metrics information on my Amazon Inspector assessments?

General

Amazon Inspector | Security, Identity & Compliance

Answer 32

Amazon Inspector automatically publishes metrics data on your assessments to Amazon CloudWatch. If you are a CloudWatch user, your Inspector assessment statistics will automatically be populated to CloudWatch. The Inspector metrics that are currently available are: number of assessment runs, agents targeted, and findings generated. For more details, see the Amazon Inspector documentation for details on the assessment metrics published to CloudWatch.

Question 33

Can Amazon Inspector be integrated with other AWS services for logging and notifications?

General

Amazon Inspector | Security, Identity & Compliance

Answer 33

Amazon Inspector integrates with Amazon SNS to provide notification for various events such as monitoring milestones, failures, or expiration of exceptions and integrates with AWS CloudTrail for logging of calls to Amazon Inspector.

Question 34

What is the “CIS Operating System Security Configuration Benchmarks” rules package?

General

Amazon Inspector | Security, Identity & Compliance

Answer 34

CIS Security Benchmarks are provided by the Center for Internet Security and are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed here. CIS benchmark rules are designed to be pass/fail security checks. For every CIS check that fails, Inspector generates a finding with High severity. Additionally, an Informational finding is generated for each instance that lists all the CIS rules that are checked, and the pass/fail result for each rule.

Question 35

What is the “Common Vulnerabilities and Exposures” rules package?

General

Amazon Inspector | Security, Identity & Compliance

Answer 35

The Common Vulnerabilities and Exposures or CVE rules check for exposure to publicly known information security vulnerabilities and exposures. CVE rule details are available publicly at the National Vulnerability Database (NVD). We use the NVD’s Common Vulnerability Scoring System (CVSS) as the primary source of severity information. In case a CVE is not scored by NVD but is present in Amazon Linux AMI Security Advisory (ALAS), we use the severity from Amazon Linux advisory. In case neither of these scores is available for a CVE, we do not report that CVE as a finding. We check daily for latest information from NVD and ALAS and update our rules packages accordingly.

Question 36

What is the severity of a finding?

General

Amazon Inspector | Security, Identity & Compliance

Answer 36

Each Amazon Inspector rule has an assigned severity level, which Amazon has classified as High, Medium, Low, or Informational. Severity is intended to help you prioritize your responses to findings.

Question 37

How is the severity determined?

General

Amazon Inspector | Security, Identity & Compliance

Answer 37

Severity of a rule is based on potential impact of the security issue found. Although some rules packages have Severity levels provided as part of the rules they provide, these can often differ by rules set. Amazon Inspector has normalized the severity for findings across all available rules packages by mapping the individual severities to common High, Medium, Low, and Informational classifications. For “High”, “Medium”, and “Low” severity findings, the higher the severity of the finding, the more security impact the underlying issue has. Findings that are classified as “Informational” are provided to advise you of security issues which might not have an immediate security impact.

For AWS supported rules packages, the severity is determined by the AWS security team.

The CIS Benchmarks rules package findings always have severity set to “High”.

For the Common Vulnerabilities & Exploits (CVE) rules package, Amazon Inspector has mapped the provided CVSS Base Scoring and ALAS Severity levels provided:

Amazon Inspector Severity CVSS Base Score ALAS Severity (if CVSS not scored)

High >= 5 Critical or Important

Medium < 5 and >= 2.1 Medium

Low < 2.1 and >= 0.8 Low

Informational < 0.8 N/A

Question 38

When I describe findings via the API (DescribeFindings), each finding has a “numericSeverity” attribute. What does this attribute signify?

General

Amazon Inspector | Security, Identity & Compliance

Answer 38

The “numericSeverity” attribute is the numeric representation of the severity of a finding. The numeric severity values map to Severity as follows:

Informational = 0.0

Low = 3.0

Medium = 6.0

High = 9.0

Question 39

Does Amazon Inspector work with AWS partner solutions?

General

Amazon Inspector | Security, Identity & Compliance

Answer 39

Yes, Amazon Inspector has public facing APIs that are available for customers and AWS partners to utilize. Several partners have integrated with Amazon Inspector incorporating findings into email, ticketing systems, pager platforms, or broader security dashboards. For detail on supporting partners, please visit the Amazon Inspector Partners page.

Question 40

Is Amazon Inspector a HIPAA eligible service?

General

Amazon Inspector | Security, Identity & Compliance

Answer 40

Yes, Amazon Inspector is a HIPAA eligible service and has been added to the AWS Business Associate Addendum (BAA). If you have an executed BAA with AWS, you can run Inspector on your EC2 instances that contain protected health information (PHI).