Introduction
Amazon Inspector, an automated security assessment service by AWS, empowers cloud security engineers to enhance application security by automatically checking for vulnerabilities and deviations from best practices. With its severity-based vulnerability listing and the ability to enforce security standards and policies, Amazon Inspector ensures comprehensive protection for applications before and during deployment. It also offers network accessibility checks and updates its rules database with input from security researchers, making it a valuable tool for assessing the security posture of your EC2 instances and cloud deployments.
Lab Objective
In this lab, you will be shown how to utilize the Amazon Inspector API console to inspect an AWS EC2 instance, identifying and examining potential vulnerabilities.
Disclaimer
Please note that the AWS management console is subject to change over time. While the instructions provided are accurate at the time of writing, there may be updates or modifications to the console's interface or functionality. It is advisable to refer to the official AWS documentation for the most up-to-date and accurate information regarding the AWS management console.
Lab Tasks
- Sign in to your AWS management console and navigate to the EC2 instance dashboard by searching for EC2 in the Search box at the top.
- On the EC2 Dashboard, click on Instances (running) to create a new EC2 instance.
NB: the Resources section of the dashboard already lists a security group that is created by default.
- On the Instances page, click on Launch Instances to continue.
- On the Choose AMI page, give a name of your choice under “Name and tags” (here, it is d3mo-pro). Next, choose Amazon Linux 2 AMI (HVM) - kernel 5.10, SSD Volume Type (eligible for the free tier), as shown below.
- On the Instance Type section, an instance type is already selected by default.
- On the Key pair (login) section, click on Create new key pair. In the popup that appears, enter a name (d3m0key) under Key pair name, select RSA as the Key pair type and .pem as the Private key file format, then click on Create key pair. The key pair is downloaded to your local machine with a .pem extension (d3m0key.pem).
- Scroll down to Network Settings and click on Edit. Select the radio button for Create security group. Give an appropriate Security group name (in this lab, we have used D3m0_SG as the Security group name).
- Scroll down and click on Add security group rule. For the new rule, select the Type as Custom TCP Rule from the dropdown. Add the port range as 21 and select the source type as Anywhere from the dropdown.
- On the Configure Storage section, retain the default settings (do not change anything).
- Scroll down and Click on Launch Instances.
- Now, the Launch Status window will display Success. Scroll down to the bottom and click on View all instances.
- The Instance state will display running, indicating that the instance is running.
Security assessment on the target’s resources using Amazon Inspector
- Navigate to the search box at the top and search for Amazon Inspector.
- On the Amazon Inspector page, click on Get Started.
- On the Advanced Inspector page, click on “Switch to Inspector Classic.”
- Once the Amazon Inspector page loads, click on Get Started.
- Next, click on Advanced Setup to continue.
- On the Get Started with Amazon Inspector page, under Step 1: Define an assessment target, enter a name of your choice (here, Ec2-Assessment-Target1) and click Next.
- On the Step 2: Define an assessment template page, retain the default template name, select a Duration of 15 minutes, and click on Next.
- On Step 3: Review, evaluate the configuration settings and click on Create.
- You will see a message that the installation of the Amazon Inspector Agent has been initiated, as shown in the screenshot below. To view the findings, click on the Assessment Runs option in the left menu.
- On the Amazon Inspector – Assessment Runs page, the assessment details can be seen, as in the following screenshot. To check the assessment findings, click on Findings.
- On the Findings page, the finding details will be visible.
- Findings are grouped by severity level. Select High under the Severity filter and expand the High severity findings to see their details.
- Scroll down the page. You can see the findings and recommendations for the best security practices.
This way, the AWS Inspector can assess the instances and recommend the best security practices.
The Recommendation suggests editing the security group to remove Internet access on port 21. Port 21 is the FTP control port; FTP is generally considered insecure because it transfers data, including login credentials, in clear text. Click on the security group link in the Recommendation to apply it, as shown in the following screenshot.
- The Security Groups page opens in a new tab. Switch to the newly opened tab and click on the security group ID under Security group ID, as shown in the screenshot below.
- In the D3m0_SG security group page, click on the Inbound tab and then click on Edit Inbound at the top right to remove port 21.
- On the Inbound rules page, click on Delete next to Inbound rule 2 and Inbound rule 3 to remove the rules that open port 21, as shown below.
- Ensure only Port 22 is configured, and click on Save Rules.
- Next, switch back to the Amazon Inspector tab to re-run the assessment now that the recommended change has been applied. Navigate to Assessment Templates in the left navigation pane and, on the Amazon Inspector: Assessment Templates page, click on Create to create a new assessment template for the instance.
- On the Assessment Template page, enter New-Ec2Assessment Template1 as the template Name and select Ec2-Assessment Template1 as the target name. Select all options under Rules packages from the dropdown and set the duration to 15 minutes.
- Scroll down and uncheck the Assessment Schedule option and click on Create and Run.
- You can see the Assessment run started message. To view the assessment details, click on Assessment Runs, as shown in the screenshot below.
- On the Assessment runs page, only two findings are listed against New-Ec2Assessment Template1. Click on the finding count (e.g., 2) to see their details.
- On the Amazon Inspector – Findings page, you can see the detailed findings. No high-severity finding is observed this time.
- This way, a cloud security engineer can assess the AWS instances using Amazon Inspector and implement the security recommendations to secure them.
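The finding remediated above boils down to one condition: an inbound rule that reaches TCP port 21 from an "Anywhere" source. The following is an added example, not part of the lab or of Amazon Inspector, that evaluates that condition over security-group rules in the IpPermissions layout returned by the EC2 DescribeSecurityGroups API; the rule data is constructed to match D3m0_SG before and after the fix.

```python
# Added example (not part of the lab): flag inbound security-group rules that
# expose the FTP control port (21) to the whole Internet, the condition behind
# the high-severity finding in this lab. The dicts mirror the IpPermissions
# structure returned by EC2 DescribeSecurityGroups; the data is constructed.

FTP_PORT = 21
ANYWHERE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "Anywhere" sources


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if an IpPermissions entry includes TCP `port` (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "All traffic": every port, every protocol
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_sources(rule: dict) -> set[str]:
    """Collect the IPv4 and IPv6 CIDR sources of an IpPermissions entry."""
    v4 = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    v6 = {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return v4 | v6


def ftp_exposed_to_internet(permissions: list[dict]) -> list[str]:
    """Return the 'Anywhere' CIDRs from which port 21 is reachable (sorted)."""
    exposed: set[str] = set()
    for rule in permissions:
        if rule_covers_port(rule, FTP_PORT):
            exposed |= rule_sources(rule) & ANYWHERE
    return sorted(exposed)


# Constructed inbound rules for D3m0_SG as launched in the lab: SSH from
# anywhere, plus the custom TCP rule for port 21 from anywhere, which the
# console records as one IPv4 and one IPv6 entry (the two rules deleted above).
BEFORE_FIX = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
# The same group after the recommendation is applied: only port 22 remains.
AFTER_FIX = [BEFORE_FIX[0]]

if __name__ == "__main__":
    print("before:", ftp_exposed_to_internet(BEFORE_FIX))  # ['0.0.0.0/0', '::/0']
    print("after: ", ftp_exposed_to_internet(AFTER_FIX))   # []
```

To run the same check against a live group, pass `ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"]` from boto3 in place of the constructed list.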
Deleting Created Resources
Note: Ensure you delete, shut down, or terminate all resources created and used in this lab to prevent their billing.
- Now delete the assessment templates created in this lab. Navigate to Assessment templates under Amazon Inspector, select the checkboxes for the templates created in this lab, and click on the Delete button. In the pop-up window, click on the Yes button.
- Navigate to Assessment targets under Amazon Inspector and select the checkbox for the target created in this lab. Click on the Delete button. In the pop-up window, click on the Yes button.
- Navigate to Instances under the EC2 console and select the checkbox for the instance created in this lab. Select the Actions dropdown and click on Terminate instance. In the pop-up window, click on the Terminate button.
- Navigate to Security Groups under the EC2 console and select the checkbox for the security group created in this lab (here, D3m0_SG). Select the Actions dropdown and click on Delete security group. In the pop-up window, click on the Delete button.
- Navigate to the EC2 Dashboard and click on Key Pairs. On the Key pairs page, check the box for the key pair you created (here, d3m0key), open the Actions dropdown, and click on Delete. In the confirmation box that appears, type Delete and click on Delete.