AWS Inspector setup

Question:

Assuming that Amazon Inspector will be deployed in the future, we would like to evaluate it in a test environment, but the information on the referenced site etc. is old and there is another setup method I don’t understand.

I’m very sorry, but could you please teach me the setup procedure etc.?

Answer:

Monitoring EC2 instances

(Reference: https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html)

  • Prerequisite: the instance must run the SSM Agent (the new Inspector no longer needs a separate Inspector agent installed; only the SSM Agent is required, and suppression rules are created in Inspector to filter findings)

“Amazon Inspector uses the (SSM) agent to collect information about the software application inventory of your EC2 instances; this data is then scanned by Amazon Inspector for software vulnerabilities. Amazon Inspector can only scan for software vulnerabilities in operating systems supported by Systems Manager. For information about supported operating systems, see Supported operating systems and programming languages.

Amazon Inspector does not require the SSM Agent to scan Amazon EC2 instances for open network paths. There are no prerequisites for this type of scanning.”

(Reference: https://aws.amazon.com/premiumsupport/knowledge-center/set-up-amazon-inspector/)

How to use the troubleshooting tool (Systems Manager Automation executions console): https://ap-northeast-1.console.aws.amazon.com/systems-manager/automation/executions?region=ap-northeast-1

All checks in the result must pass:

Steps:

  • Run the SSM Agent troubleshooting toolkit (this script only checks the agent and its connectivity; it does not install the agent, which is preinstalled on Amazon Linux):
wget https://raw.githubusercontent.com/awslabs/aws-support-tools/master/Systems%20Manager/SSMAGENT-TOOLKIT-LINUX/ssmagent-toolkit-Linux.sh
sudo bash ssmagent-toolkit-Linux.sh > AWS-SSMtroubleshooting-output.txt
sudo cat AWS-SSMtroubleshooting-output.txt
  • Check that the SSM Agent service is running and enabled at boot:
sudo systemctl status amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent

Create an IAM role, attach it to the instance (as its instance profile), and make sure the AWS managed policy AmazonSSMManagedInstanceCore is attached to the role.

The output should look like the one below:

[ec2-user@ip-172-31-43-94 ~]$ cat AWS-SSMtroubleshooting-output.txt

    ___ _       _______    _____            __                         __  ___
   /   | |     / / ___/   / ___/__  _______/ /____  ____ ___  _____   /  |/  /___ _____  ____ _____ ____  _____
  / /| | | /| / /\__ \    \__ \/ / / / ___/ __/ _ \/ __ '__ \/ ___/  / /|_/ / __ '/ __ \/ __ '/ __ '/ _ \/ ___/
 / ___ | |/ |/ /___/ /   ___/ / /_/ (__  ) /_/  __/ / / / / (__  )  / /  / / /_/ / / / / /_/ / /_/ /  __/ /
/_/  |_|__/|__//____/   /____/\__, /____/\__/\___/_/ /_/ /_/____/  /_/  /_/\__,_/_/ /_/\__,_/\__, /\___/_/
                             /____/                                                         /____/



Check                                       Value                                            Note
-----                                       -----                                            -----

Testing metadata endpoint                   Pass                                             Connected to http://169.254.169.254
Getting IAM Role Attached                   AmazonSSMManagedInstanceCore-role                Ensure the Amazon Managed Policy,AmazonSSMManagedInstanceCore is attached to the Role.
Testing ec2messages endpoint Connectivity   Pass                                             Connected to ec2messages.ap-northeast-1.amazonaws.com.
Testing SSM endpoint Connectivity           Pass                                             Connected to ssm.ap-northeast-1.amazonaws.com.
Testing ssmmessages endpoint Connectivity   Pass                                             Connected to ssmmessages.ap-northeast-1.amazonaws.com.
SSM agent service status                    Active                                           N/A
SSM Agent Proxy Settings                    http_proxy=NULL,http_proxys=NULL,no_proxy=NULL   No Proxy variables found for ssm agent. Refer : https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-proxy-with-ssm-agent.html
System Wide Proxy Settings                  http_proxy=NULL,https_proxy=NULL,no_proxy=NULL   No System Wide proxy settings detected
Nameservers(DNS) configured on the server   172.31.0.2                                       DNS servers found in /etc/resolv.conf
Resolving ssm.ap-northeast-1.amazonaws.com  52.119.223.48                                    N/A
Checking for Hybrid Activation              Instance not registered with Hybrid Activation.  Ref: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-managedinstances.html

[ec2-user@ip-172-31-43-94 ~]$ sudo systemctl status amazon-ssm-agent
● amazon-ssm-agent.service - amazon-ssm-agent
   Loaded: loaded (/usr/lib/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-01-18 08:11:44 UTC; 32min ago
 Main PID: 3046 (amazon-ssm-agen)
   CGroup: /system.slice/amazon-ssm-agent.service
           ├─3046 /usr/bin/amazon-ssm-agent
           └─3209 /usr/bin/ssm-agent-worker
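To make the “all checks must pass” review repeatable, and to confirm from the CLI that SSM and Inspector actually see the instance (the same thing the Account management page shows), here is an added shell script. It is not part of the original page or of AWS’s toolkit. It assumes the AWS CLI v2 response field names named in its comments, uses a constructed toolkit report and constructed JSON responses (not real account data), and the runbook name AWSSupport-TroubleshootManagedInstance in the live-usage comment is given from memory.

```shell
#!/bin/sh
# Added example, not part of the original page or of AWS's toolkit: turn the
# "all checks must pass" review of ssmagent-toolkit-Linux.sh output, the IAM
# policy check and the "is SSM/Inspector actually seeing the instance" check
# into functions a pipeline can run. JSON is inspected with grep so no jq is
# needed; field names are those of the AWS CLI v2 responses as I know them
# (an assumption; verify against your CLI version).

# Read a toolkit report on stdin; succeed only when every "Testing ..." row is
# Pass, the service row is Active and an IAM role name is present.
ssm_toolkit_ok() {
    report=$(cat)
    tests=$(printf '%s\n' "$report" | grep -c '^Testing ' || true)
    passes=$(printf '%s\n' "$report" | grep '^Testing ' | grep -c ' Pass ' || true)
    [ "$tests" -gt 0 ] && [ "$tests" -eq "$passes" ] || return 1
    printf '%s\n' "$report" | grep -q '^SSM agent service status *Active' || return 1
    # Column 5 of the role row is the role name; "None" is this example's
    # assumed placeholder for "no instance profile attached".
    role=$(printf '%s\n' "$report" | awk '/^Getting IAM Role Attached/ {print $5}')
    [ -n "$role" ] && [ "$role" != "None" ]
}

# Read `aws iam list-attached-role-policies --role-name <role>` JSON on stdin;
# succeed when the AmazonSSMManagedInstanceCore managed policy is attached.
role_has_ssm_core() {
    grep -q '"PolicyArn": *"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"'
}

# Read `aws ssm describe-instance-information --filters Key=InstanceIds,Values=<id>`
# JSON on stdin; succeed when that instance is registered with PingStatus Online.
ssm_instance_online() {
    json=$(cat)
    printf '%s' "$json" | grep -q "\"InstanceId\": *\"$1\"" || return 1
    printf '%s' "$json" | grep -q '"PingStatus": *"Online"'
}

# Read `aws inspector2 list-coverage` JSON (filtered to one resourceId) on
# stdin; succeed when Inspector reports scanStatus.statusCode ACTIVE.
inspector_scanning() {
    json=$(cat)
    printf '%s' "$json" | grep -q "\"resourceId\": *\"$1\"" || return 1
    printf '%s' "$json" | grep -q '"statusCode": *"ACTIVE"'
}

# Constructed sample inputs (not real account data) so the script runs offline.
TOOLKIT_GOOD='Testing metadata endpoint                   Pass   Connected to http://169.254.169.254
Getting IAM Role Attached                   AmazonSSMManagedInstanceCore-role   Ensure the policy is attached.
Testing ec2messages endpoint Connectivity   Pass   Connected to ec2messages.ap-northeast-1.amazonaws.com.
Testing SSM endpoint Connectivity           Pass   Connected to ssm.ap-northeast-1.amazonaws.com.
Testing ssmmessages endpoint Connectivity   Pass   Connected to ssmmessages.ap-northeast-1.amazonaws.com.
SSM agent service status                    Active N/A'
TOOLKIT_BAD='Testing metadata endpoint                   Pass   Connected to http://169.254.169.254
Getting IAM Role Attached                   None   Ensure the policy is attached.
Testing ec2messages endpoint Connectivity   Fail   Could not connect (security group / VPC endpoint?)
Testing SSM endpoint Connectivity           Pass   Connected to ssm.ap-northeast-1.amazonaws.com.
Testing ssmmessages endpoint Connectivity   Pass   Connected to ssmmessages.ap-northeast-1.amazonaws.com.
SSM agent service status                    Inactive N/A'
IAM_OK='{"AttachedPolicies": [{"PolicyName": "AmazonSSMManagedInstanceCore", "PolicyArn": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"}]}'
IAM_MISSING='{"AttachedPolicies": [{"PolicyName": "AmazonEC2ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"}]}'
SSM_INFO='{"InstanceInformationList": [{"InstanceId": "i-0abc123def456789a", "PingStatus": "Online", "PlatformType": "Linux", "AgentVersion": "3.1.501.0"}]}'
COVERAGE='{"coveredResources": [{"resourceId": "i-0abc123def456789a", "resourceType": "AWS_EC2_INSTANCE", "scanType": "PACKAGE", "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}}]}'

# Offline demo with the constructed samples:
printf '%s\n' "$TOOLKIT_GOOD" | ssm_toolkit_ok && echo "toolkit: all checks pass"
printf '%s\n' "$TOOLKIT_BAD" | ssm_toolkit_ok || echo "toolkit: fix the failing rows before expecting findings"

# Live usage against a real instance (needs credentials; set INSTANCE_ID and ROLE_NAME):
#   aws iam list-attached-role-policies --role-name "$ROLE_NAME" | role_has_ssm_core
#   aws ssm describe-instance-information --filters "Key=InstanceIds,Values=$INSTANCE_ID" \
#     | ssm_instance_online "$INSTANCE_ID"
#   aws inspector2 list-coverage --filter-criteria \
#     "{\"resourceId\":[{\"comparison\":\"EQUALS\",\"value\":\"$INSTANCE_ID\"}]}" \
#     | inspector_scanning "$INSTANCE_ID"
# The runbook the Inspector console links to can also be started from the CLI
# (AWSSupport-TroubleshootManagedInstance is the document name as I recall it):
#   aws ssm start-automation-execution --document-name AWSSupport-TroubleshootManagedInstance \
#     --parameters "InstanceId=$INSTANCE_ID"
```

The checks are ordered the way the failures usually surface: a missing instance profile or blocked ssm/ssmmessages/ec2messages endpoints shows up in the toolkit report first, SSM registration (PingStatus) second, and only then does Inspector coverage flip to ACTIVE.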

Note: if the instance shows as not managed on the dashboard, open the Account management page; the instance will appear as in the image below:

then click “these instructions”, which opens the Execute automation document page within Systems Manager (linked above).

There you can troubleshoot what is wrong with the setup and configuration.

We simply input the instance ID and then click “Execute”. After a few minutes, the executed automation should give us the debugging information we need to fix the setup.

Sample output when there are errors:

After fixing, run the Systems Manager troubleshooting steps again, verify what has already been fixed, and then fix the remaining reported configuration issues. Once everything has been configured properly, we should see Amazon Inspector scanning the instance.

If the instance has vulnerabilities, findings appear after a few minutes:

ECR Image

To test Amazon Inspector’s ability to detect and automatically scan container images, we simply create a new ECR repository and push a sample vulnerable container image, for example one that contains DVWA (D*** Vulnerable Web Application). If this is the first time you hear about DVWA, it is simply a deliberately vulnerable sample application that helps security professionals learn basic penetration testing.

After a few minutes, we are able to see that there are 50 Critical issues found by Amazon Inspector. That’s probably where the web application got its name.

By clicking the title link, we are able to see a few more details regarding one of the reported issues.

If we scroll down a bit, we should be able to see a link that opens a reference with more information about this vulnerability.

Clicking the Vulnerability ID link, the following page should open:

Verifying whether this is a false positive and remediating the security issue is another story.
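The same ECR walkthrough from the CLI, with a small triage step on the findings, as an added example that is not part of the original page or of the Medium post it follows. The repository name inspector-test and the public Docker Hub image vulnerables/web-dvwa are assumptions; the Inspector v2 ListFindings field names (severity, fixAvailable, packageVulnerabilityDetails.vulnerabilityId) are given as I know them; the findings JSON at the bottom is constructed with placeholder IDs, not real CVEs or real scan output.

```shell
#!/bin/sh
# Added example, not from the original page: push a deliberately vulnerable
# image to ECR and triage what Inspector reports, from the CLI instead of the
# console. Live commands only run with RUN_LIVE=1; the triage helpers parse
# `aws inspector2 list-findings` JSON with grep, so they run offline on the
# constructed sample below. Field names follow the Inspector v2 ListFindings
# response as I know it (an assumption; check against your CLI version).
REPO="${REPO:-inspector-test}"                 # assumed repository name
IMAGE="${IMAGE:-vulnerables/web-dvwa:latest}"  # assumed public DVWA image

# Create the repository and push the image; Inspector (ECR enhanced scanning)
# picks it up on push, nothing else to enable per repository.
push_dvwa_to_ecr() {
    account=$(aws sts get-caller-identity --query Account --output text)
    region=$(aws configure get region)
    registry="$account.dkr.ecr.$region.amazonaws.com"
    aws ecr create-repository --repository-name "$REPO" >/dev/null
    aws ecr get-login-password | docker login --username AWS --password-stdin "$registry"
    docker pull "$IMAGE"
    docker tag "$IMAGE" "$registry/$REPO:dvwa"
    docker push "$registry/$REPO:dvwa"
}

# Findings for the pushed repository, Critical only (the number the page
# quotes as "50 Critical issues").
list_critical_findings() {
    filter=$(printf '{"ecrImageRepositoryName":[{"comparison":"EQUALS","value":"%s"}],"severity":[{"comparison":"EQUALS","value":"CRITICAL"}]}' "$REPO")
    aws inspector2 list-findings --filter-criteria "$filter"
}

# Count findings per severity in list-findings JSON read from stdin.
# Prints e.g. "CRITICAL=2 HIGH=1 MEDIUM=0 LOW=0".
severity_counts() {
    json=$(cat)
    out=""
    for sev in CRITICAL HIGH MEDIUM LOW; do
        n=$(printf '%s' "$json" | grep -o "\"severity\": *\"$sev\"" | grep -c . || true)
        out="$out$sev=$n "
    done
    printf '%s\n' "${out% }"
}

# Unique vulnerability IDs in the findings: the list to check against the
# vendor advisory (the "Vulnerability ID" link on the finding page).
vulnerability_ids() {
    grep -o '"vulnerabilityId": *"[^"]*"' | sed 's/.*: *"\(.*\)"/\1/' | sort -u
}

# How many findings already have a vendor fix (fixAvailable YES): those are the
# ones to remediate by rebuilding the image, before arguing about false positives.
fix_available_count() {
    grep -o '"fixAvailable": *"YES"' | grep -c . || true
}

# Constructed sample (placeholder IDs, not real CVEs or real Inspector output).
SAMPLE_FINDINGS='{"findings": [
 {"severity": "CRITICAL", "fixAvailable": "YES", "title": "CVE-0000-0001 - libfoo",
  "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001", "sourceUrl": "https://example.invalid/0001"}},
 {"severity": "CRITICAL", "fixAvailable": "NO", "title": "CVE-0000-0002 - libbar",
  "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002", "sourceUrl": "https://example.invalid/0002"}},
 {"severity": "HIGH", "fixAvailable": "YES", "title": "CVE-0000-0001 - libbaz",
  "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001", "sourceUrl": "https://example.invalid/0001"}}
]}'

if [ "${RUN_LIVE:-0}" = 1 ]; then
    push_dvwa_to_ecr
    echo "waiting for Inspector to scan the image (usually a few minutes)..."
    sleep 180
    list_critical_findings | severity_counts
else
    printf '%s' "$SAMPLE_FINDINGS" | severity_counts
    printf 'fixable findings: %s\n' "$(printf '%s' "$SAMPLE_FINDINGS" | fix_available_count)"
    printf '%s' "$SAMPLE_FINDINGS" | vulnerability_ids
fi
```

Run it as is to see the triage on the sample; run with RUN_LIVE=1 and a configured AWS CLI and Docker to reproduce the push and pull the real Critical findings for the repository.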

Next steps:

Once you are done, feel free to turn off, terminate / delete, and disable the resources created while you are following the steps in this tutorial. This will help prevent any unexpected charges while using the different services.

There are a lot more features, capabilities, and integrations of Amazon Inspector which we will not discuss here. These include:

  • Amazon EventBridge integration

  • AWS Security Hub integration

  • Better risk scoring system

  • and more…

If you would like to learn more about this service, feel free to check this link.

Source: PoC combined with: https://medium.com/@arvs.lat/automated-vulnerability-management-on-aws-with-amazon-inspector-53c572bf8515

Note: the free trial is only 15 days, so when you are done experimenting remember to disable Inspector, or you will end up crying to AWS over the bill.
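An added teardown script for the lab, not part of the original page: it disables Inspector for both resource types, removes the test repository and instance, and prints the account status so you can confirm the trial is really off. It runs in dry-run mode (printing the commands) unless DRY_RUN=0; the repository name inspector-test and the INSTANCE_ID variable are assumptions matching this walkthrough.

```shell
#!/bin/sh
# Added example, not from the original page: tear the lab down so the 15-day
# trial does not turn into a bill. Dry-run by default (DRY_RUN=1 prints the
# command instead of running it); set DRY_RUN=0 to call the real AWS CLI.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Disable Inspector for EC2 and ECR, then remove the things it was scanning;
# the final call shows the per-resource status, which should read DISABLED.
cleanup_inspector_lab() {
    repo="$1"
    instance="$2"
    run aws inspector2 disable --resource-types EC2 ECR
    run aws ecr delete-repository --repository-name "$repo" --force
    if [ -n "$instance" ]; then
        run aws ec2 terminate-instances --instance-ids "$instance"
    fi
    run aws inspector2 batch-get-account-status
}

# Assumed names: repository "inspector-test" and the test instance in INSTANCE_ID.
cleanup_inspector_lab inspector-test "${INSTANCE_ID:-}"
```

Review the dry-run output first; `aws inspector2 disable` is account-wide for the listed resource types, so do not run it with DRY_RUN=0 in an account where Inspector is already in production use.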