AWS - Inspector Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Inspector

The Amazon Inspector service is agent based, meaning it requires software agents to be installed on any EC2 instances you want to assess. This makes it easy to configure and to add at any point to resources already running within your AWS infrastructure, so Amazon Inspector integrates seamlessly with your existing security processes and procedures as another layer of security.

These are the tests that AWS Inspector allows you to perform:

  • CVEs

  • CIS Benchmarks

  • Security Best practices

  • Network Reachability

You can make any of those run on the EC2 machines you decide.

Element of AWS Inspector

Role: Create or select a role that gives Amazon Inspector read-only access to the EC2 instances (DescribeInstances).

Assessment Targets: Group of EC2 instances that you want to run an assessment against.

AWS agents: Software agents that must be installed on the EC2 instances to be monitored. Data is sent to Amazon Inspector over a TLS channel. The agent sends a regular heartbeat to Inspector asking for instructions, and it can auto-update itself.

Assessment Templates: Define the specific configuration of how an assessment is run on your EC2 instances. An assessment template cannot be modified after creation. It specifies:

  • Rules packages to be used

  • Duration of the assessment run: 15 min / 1 hour / 8 hours

  • SNS topics to notify, and on which events: run starts, run finishes, state change, a finding is reported

  • Attributes to be assigned to findings

Rule package: Contains a number of individual rules that are checked against an EC2 instance when an assessment is run. Each rule also has a severity (high, medium, low, informational). The possibilities are:

  • Common Vulnerabilities and Exposures (CVEs)

  • Center for Internet Security (CIS) Benchmark

  • Security Best practices

Once you have configured the Amazon Inspector role, installed the AWS agents, and configured the target and the template, you will be able to run the assessment. An assessment run can be stopped, resumed, or deleted.

Amazon Inspector has a pre-defined set of rules, grouped into packages. Each assessment template defines which rules packages are included in the test, and the instances are evaluated against exactly those rules packages.

Note that nowadays AWS already allows you to auto-create all the necessary configuration and even automatically install the agents inside the EC2 instances.

Reporting

Telemetry: data that is collected from an instance, detailing its configuration, behavior and processes during an assessment run. Once collected, the data is then sent back to Amazon Inspector in near-real-time over TLS where it is then stored and encrypted on S3 via an ephemeral KMS key. Amazon Inspector then accesses the S3 Bucket, decrypts the data in memory, and analyzes it against any rules packages used for that assessment to generate the findings.

Assessment Report: Provides details on what was assessed and the results of the assessment.

  • The findings report contains the summary of the assessment, info about the EC2 instances and rules, and the findings that occurred.

  • The full report is the findings report plus a list of the rules that were passed.

Enumeration

# Assessments info: each list-* call returns ARNs, and there is a matching
# describe-* action (e.g. describe-assessment-runs) that takes those ARNs
# and returns the full details
aws inspector list-assessment-runs
aws inspector list-assessment-targets
aws inspector list-assessment-templates
aws inspector list-event-subscriptions

# Get findings (ARNs only; describe-findings returns severity, title, instance, rules package)
aws inspector list-findings

# Get exclusions (checks the run could not perform, e.g. agent unreachable or unsupported OS)
aws inspector list-exclusions --assessment-run-arn <arn>

# Rule packages available in the region
aws inspector list-rules-packages
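The list-findings call above only returns ARNs; the details come from describe-findings. The following is an added example (not code from the HackTricks page or from AWS) that triages that describe-findings JSON offline: counts by severity, groups findings per instance, and pulls out the ones to patch first. The embedded document is constructed sample data with placeholder ARNs; its field names follow the describe-findings output shape as I know it, which is an assumption you should check against output from your own account.

```python
"""Triage Amazon Inspector Classic findings from describe-findings JSON.

Added example, not part of the HackTricks page. The sample data is
constructed; field names follow the assumed describe-findings shape.
"""
import json
from collections import Counter, defaultdict

SEVERITY_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def _finding(fid, severity, score, agent, package):
    """Build one finding in the (assumed) describe-findings shape; all values constructed."""
    return {
        "arn": f"arn:aws:inspector:us-east-1:123456789012:target/0-EXAMPLE/"
               f"template/0-EXAMPLE/run/0-EXAMPLE/finding/{fid}",
        "id": fid,
        "title": f"Constructed finding {fid}",
        "severity": severity,
        "numericSeverity": score,
        "assetType": "ec2-instance",
        "assetAttributes": {"schemaVersion": 1, "agentId": agent},
        "serviceAttributes": {
            "schemaVersion": 1,
            "rulesPackageArn": f"arn:aws:inspector:us-east-1:123456789012:rulespackage/{package}",
        },
        "attributes": [],
        "userAttributes": [],
    }


# Constructed sample: what `aws inspector describe-findings --finding-arns ...`
# would print for three findings on two instances (placeholder ARNs and ids).
SAMPLE_DESCRIBE_FINDINGS = json.dumps({
    "findings": [
        _finding("CVE-0000-0001", "High", 9.0, "i-0aaaaaaaaaaaaaaaa", "0-EXAMPLE-CVE"),
        _finding("1.1.1-constructed-cis-rule", "Low", 3.0, "i-0aaaaaaaaaaaaaaaa", "0-EXAMPLE-CIS"),
        _finding("CVE-0000-0002", "Medium", 5.0, "i-0bbbbbbbbbbbbbbbb", "0-EXAMPLE-CVE"),
    ],
    "failedItems": {},
})


def load_findings(describe_output: str) -> list:
    """Parse describe-findings JSON and return the list of finding dicts."""
    return json.loads(describe_output).get("findings", [])


def severity_counts(findings) -> dict:
    """Count findings per severity label (High/Medium/Low/Informational)."""
    return dict(Counter(f.get("severity", "Informational") for f in findings))


def findings_by_instance(findings) -> dict:
    """Group (severity, id) pairs by the instance (agentId) that raised them,
    worst severity first within each instance."""
    grouped = defaultdict(list)
    for f in findings:
        agent = f.get("assetAttributes", {}).get("agentId", "unknown")
        grouped[agent].append((f.get("severity", "Informational"), f.get("id", "")))
    for agent in grouped:
        grouped[agent].sort(key=lambda s: SEVERITY_ORDER.get(s[0], 0), reverse=True)
    return dict(grouped)


def prioritize(findings, min_severity="High") -> list:
    """Return (agentId, id, numericSeverity) for findings at or above
    min_severity, highest numeric severity first: the patch-first list."""
    floor = SEVERITY_ORDER[min_severity]
    hits = [f for f in findings if SEVERITY_ORDER.get(f.get("severity"), 0) >= floor]
    hits.sort(key=lambda f: f.get("numericSeverity", 0.0), reverse=True)
    return [(f["assetAttributes"]["agentId"], f["id"], f.get("numericSeverity", 0.0))
            for f in hits]


def rules_package_breakdown(findings) -> dict:
    """Count findings per rules package ARN, to separate CVE results from CIS
    or best-practice results when reading a noisy report."""
    return dict(Counter(f.get("serviceAttributes", {}).get("rulesPackageArn", "unknown")
                        for f in findings))


if __name__ == "__main__":
    import sys
    # Pipe real output in (aws inspector describe-findings ... | python3 triage.py)
    # or run with no stdin to use the constructed sample.
    text = SAMPLE_DESCRIBE_FINDINGS if sys.stdin.isatty() else sys.stdin.read()
    fs = load_findings(text)
    print("by severity:", severity_counts(fs))
    print("by instance:", findings_by_instance(fs))
    print("patch first:", prioritize(fs))
    print("by rules package:", rules_package_breakdown(fs))
```

Feed it the output of describe-findings for the ARNs that list-findings returned; the per-instance grouping is what you compare against the assessment target to spot instances that produced no findings at all (often an agent that never reported, which shows up under list-exclusions).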

Post Exploitation

From an attacker's perspective, this service can help them find vulnerabilities and network exposures that could be used to compromise other instances/containers.

However, an attacker could also be interested in disrupting this service so the victim cannot see vulnerabilities (all or specific ones).
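The disruption described above leaves a trail in CloudTrail, since every Inspector API call is logged. The following is an added example (not code from the HackTricks page or from AWS) that scans CloudTrail records for the Inspector Classic actions that stop or dismantle assessments or silence their notifications, and flags principals that issue several of them in a short window. The event names are the Inspector Classic API actions as I know them (an assumption to check against your own CloudTrail data); the records are constructed.

```python
"""Detect Inspector Classic calls that would blind a victim to findings.

Added example, not part of the HackTricks page. CloudTrail records below are
constructed; event names are assumed Inspector Classic API action names.
"""
import json
from collections import defaultdict
from datetime import datetime

# Inspector Classic actions that remove coverage or silence notifications.
DISRUPTIVE_ACTIONS = {
    "StopAssessmentRun": "aborts a run before findings are produced",
    "DeleteAssessmentRun": "deletes a run together with its findings",
    "DeleteAssessmentTarget": "removes instances from assessment scope",
    "DeleteAssessmentTemplate": "removes the assessment definition",
    "UnsubscribeFromEvent": "silences SNS notifications for a template",
}

# Constructed CloudTrail export: one benign list call, a stop + delete burst by
# alice, a denied unsubscribe attempt by bob, and an unrelated EC2 call.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T09:58:00Z", "eventSource": "inspector.amazonaws.com",
     "eventName": "ListFindings",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"}},
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "inspector.amazonaws.com",
     "eventName": "StopAssessmentRun",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"assessmentRunArn": "arn:aws:inspector:us-east-1:123456789012:target/0-EXAMPLE/template/0-EXAMPLE/run/0-EXAMPLE"}},
    {"eventTime": "2024-01-01T10:01:30Z", "eventSource": "inspector.amazonaws.com",
     "eventName": "DeleteAssessmentTemplate",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"assessmentTemplateArn": "arn:aws:inspector:us-east-1:123456789012:target/0-EXAMPLE/template/0-EXAMPLE"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "inspector.amazonaws.com",
     "eventName": "UnsubscribeFromEvent",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "AccessDeniedException"},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops"}},
]})


def _ts(value: str) -> datetime:
    """Parse a CloudTrail eventTime (ISO 8601 with trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def scan_cloudtrail(text: str) -> list:
    """Return one alert per disruptive Inspector call, oldest first.

    A denied call is still reported: the attempt itself shows someone probing
    for a way to blind the assessment."""
    alerts = []
    for rec in json.loads(text).get("Records", []):
        if rec.get("eventSource") != "inspector.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in DISRUPTIVE_ACTIONS:
            continue
        alerts.append({
            "time": rec["eventTime"],
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "action": name,
            "why": DISRUPTIVE_ACTIONS[name],
            "denied": "errorCode" in rec,
            "resource": json.dumps(rec.get("requestParameters", {}), sort_keys=True),
        })
    alerts.sort(key=lambda a: a["time"])
    return alerts


def burst_principals(alerts, window_seconds: int = 300) -> set:
    """Principals with two disruptive calls within window_seconds of each other:
    a stop followed by a delete is the pattern of tearing coverage down."""
    times_by_principal = defaultdict(list)
    for a in alerts:
        times_by_principal[a["principal"]].append(_ts(a["time"]))
    flagged = set()
    for principal, times in times_by_principal.items():
        times.sort()
        for i in range(1, len(times)):
            if (times[i] - times[i - 1]).total_seconds() <= window_seconds:
                flagged.add(principal)
                break
    return flagged


if __name__ == "__main__":
    found = scan_cloudtrail(SAMPLE_CLOUDTRAIL)
    for a in found:
        print(f"{a['time']} {a['principal']} {a['action']} denied={a['denied']}: {a['why']}")
    print("burst:", burst_principals(found))
```

Run it over a CloudTrail export (the `Records` array shape is what CloudTrail delivers to S3); in production the same logic is a natural EventBridge rule or Athena query, with the burst check covering the stop-then-delete sequence that a single-event rule would report as two unrelated alerts.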

TODO: PRs are welcome
