
Automatic Remediation of Inspector Findings in AWS

Hands-On Lab


Length

01:30:00

Difficulty

Intermediate

Introduction

In this hands-on lab, you'll work through a real-world scenario: automatically detecting and remediating security vulnerabilities on EC2 instances. Amazon Inspector assesses the instances and publishes each finding to an SNS topic, and a Lambda function subscribed to that topic patches the affected instance.

Solution

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Note: Running an assessment with Inspector can take up to an hour, so make sure you have some time.

Install Inspector Agent

There are two methods to deploy the Inspector Agent: with Systems Manager Run Command, or from the Inspector console itself while defining an assessment target.

Using Systems Manager

  1. Navigate to Systems Manager.
  2. In the left-hand menu, choose Run Command.
  3. Click Run a Command.
  4. Click through the pages to find AmazonInspector-ManageAWSAgent.
  5. Select the circle next to it.
  6. In the Command parameters section, make sure the Operation is set to Install.
  7. In the Targets section, choose Specify instance tags, and set the following values:
    • Tag key: Environment
    • Tag value: Production
  8. Click Add.
  9. We could click the Run button at the lower right of the screen now. Instead, leave this tab as it is; the second method installs the agent from the Inspector console, which we'll use while setting up the assessment target below.

Using Inspector

The second method installs the agent from the Inspector console when the assessment target is defined (see Configure Inspector below). Before that, wire up the notification path so that findings reach our Lambda function.

Subscribe SNS Topic to Lambda Function

  1. In a new browser tab, navigate to SNS > Topics.
  2. Click the listed topic.
  3. Click Create subscription.
  4. Set Protocol to AWS Lambda.
  5. For Endpoint, choose our function from the dropdown.
  6. Click Create subscription.

Configure Inspector

  1. Navigate to Inspector.
  2. Click Get started.
  3. Click Advanced setup.
  4. Set the following values:
    • Name: Assessment-Production
    • All Instances: Un-check
    • Tags:
      • Key: Environment
      • Value: Production
  5. Click Next.
  6. On the Define an assessment template screen, set the following values:
    • Name: mytemplate
    • Rules packages: Delete all except Common Vulnerabilities and Exposures-1.1
    • Duration: 15 Minutes
    • Assessment Schedule: Un-check
  7. Click Next.
  8. Click Create.
  9. Click Assessment targets in the left-hand menu.
  10. Click the arrow next to Assessment-Production to expand it.
  11. Click Install Agents with Run Command.
  12. Click OK in the pop-up.
  13. Click Preview Target.
  14. In the pop-up, click the refresh button until we see HEALTHY in the Agent Status column.
  15. Click OK.

Start Inspector

  1. Click Assessment templates in the left-hand menu.
  2. Expand mytemplate.
  3. Click the edit box below SNS topics.
  4. In the pop-up, select our topic from the dropdown.
  5. Scroll to the right and make sure four events are listed:
    • Run started
    • Run finished
    • Run state changed
    • Finding reported
  6. Click Save.
  7. Back at the top, check the box next to mytemplate.
  8. Click Run.
    • The run is set to 15 minutes, but Inspector can take up to an hour to finish processing and report findings, so give it some time.

View Findings

  1. Click Findings in the left-hand menu.
  2. Select the High circle to view high-severity findings.
  3. Expand any of these findings, and we will see a description and recommendation.
  4. Click the CVE links there to read the details of each vulnerability.

Examine CloudWatch logs

  1. Navigate to CloudWatch > Log groups.
  2. Select our log group from the list.
  3. Click Search Log Group. We'll see entries from our Lambda function showing it was invoked many times, once for each Finding reported notification that Inspector published to the SNS topic.
  4. In the Filter events search box, enter Command line.
  5. Expand these entries, and we should see the yum update commands the function sent to the instance.
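The lab environment ships the Lambda function pre-built, and its source is not shown on this page. The block below is an added example (not the lab's own code) of how such a function can be written in Python with boto3: it decodes the Inspector Classic FINDING_REPORTED notifications delivered through SNS, looks each finding up with DescribeFindings, patches only instances whose finding meets a chosen severity threshold, and sends `yum update -y` to the instance through SSM Run Command with the AWS-RunShellScript document. The severity threshold, ARNs, instance ID and sample findings are constructed values, and the AWS clients are injectable so the decision logic runs offline; in the real Lambda the execution role needs inspector:DescribeFindings and ssm:SendCommand.

```python
"""Added example: auto-remediate Amazon Inspector (Classic) findings from an SNS-triggered Lambda.

Inspector -> SNS topic -> this Lambda -> SSM Run Command (AWS-RunShellScript: yum update -y).
Pure functions hold the decision logic; boto3 is imported only when real clients are needed,
so the module loads and the logic runs without AWS credentials.
"""
import json

# Hypothetical policy values chosen for this example, not taken from the lab.
REMEDIATE_SEVERITIES = {"High", "Medium"}  # Inspector severities that trigger patching
REMEDIATION_COMMANDS = ["yum update -y"]    # the command the lab's CloudWatch logs show
SSM_DOCUMENT = "AWS-RunShellScript"
DESCRIBE_BATCH = 10                         # DescribeFindings accepts at most 10 ARNs per call


def parse_inspector_notifications(event):
    """Return the finding ARNs carried in an SNS -> Lambda event.

    Inspector publishes one JSON message per event (ASSESSMENT_RUN_STARTED, ASSESSMENT_RUN_COMPLETED,
    ASSESSMENT_RUN_STATE_CHANGED, FINDING_REPORTED). Only FINDING_REPORTED carries a "finding" ARN;
    other events and undecodable messages are skipped so one bad record cannot fail the batch.
    """
    arns = []
    for record in event.get("Records", []):
        try:
            msg = json.loads(record.get("Sns", {}).get("Message", ""))
        except (TypeError, ValueError):
            continue
        if isinstance(msg, dict) and msg.get("event") == "FINDING_REPORTED" and msg.get("finding"):
            arns.append(msg["finding"])
    return arns


def select_instance_to_patch(finding):
    """Return the EC2 instance ID to patch for one DescribeFindings entry, or None.

    Inspector Classic reports the agent ID in assetAttributes.agentId, which is the instance ID.
    Findings below the severity threshold or without an instance ID are skipped.
    """
    if finding.get("severity") not in REMEDIATE_SEVERITIES:
        return None
    instance_id = finding.get("assetAttributes", {}).get("agentId")
    if not isinstance(instance_id, str) or not instance_id.startswith("i-"):
        return None
    return instance_id


def build_run_command(instance_ids, finding_id):
    """Build the SSM SendCommand parameters; Comment is capped at SSM's 100-character limit."""
    return {
        "InstanceIds": sorted(set(instance_ids)),
        "DocumentName": SSM_DOCUMENT,
        "Parameters": {"commands": REMEDIATION_COMMANDS},
        "Comment": f"Inspector remediation for finding {finding_id}"[:100],
        "TimeoutSeconds": 600,
    }


def lambda_handler(event, context, inspector=None, ssm=None):
    """Lambda entry point. The execution role needs inspector:DescribeFindings and ssm:SendCommand."""
    if inspector is None or ssm is None:
        import boto3  # present in the Lambda runtime; imported lazily so tests can inject fakes
        inspector = inspector or boto3.client("inspector")
        ssm = ssm or boto3.client("ssm")
    finding_arns = parse_inspector_notifications(event)
    patched, skipped = [], 0
    for start in range(0, len(finding_arns), DESCRIBE_BATCH):
        batch = finding_arns[start:start + DESCRIBE_BATCH]
        for finding in inspector.describe_findings(findingArns=batch)["findings"]:
            instance_id = select_instance_to_patch(finding)
            if instance_id is None:
                skipped += 1
                continue
            params = build_run_command([instance_id], finding.get("id", "unknown"))
            command_id = ssm.send_command(**params)["Command"]["CommandId"]
            # Produces the "Command line" entries the lab searches for in the CloudWatch log group.
            print(f"Command line: {' '.join(REMEDIATION_COMMANDS)} on {instance_id} (CommandId {command_id})")
            patched.append(instance_id)
    return {"patched": patched, "skipped": skipped}


# Constructed sample data in the shape of an Inspector Classic notification and DescribeFindings output.
_RUN_ARN = "arn:aws:inspector:us-east-1:123456789012:target/0-AAAAAAAA/template/0-BBBBBBBB/run/0-CCCCCCCC"
SAMPLE_FINDING_ARN = _RUN_ARN + "/finding/0-DDDDDDDD"
SAMPLE_EVENT = {"Records": [
    {"Sns": {"Message": json.dumps({"event": "ASSESSMENT_RUN_COMPLETED", "run": _RUN_ARN})}},
    {"Sns": {"Message": json.dumps({"event": "FINDING_REPORTED", "run": _RUN_ARN, "finding": SAMPLE_FINDING_ARN})}},
    {"Sns": {"Message": "not json"}},  # malformed record, must not abort processing
]}
SAMPLE_FINDINGS = [
    {"id": "0-DDDDDDDD", "severity": "High", "assetAttributes": {"agentId": "i-0123456789abcdef0"}},
    {"id": "0-EEEEEEEE", "severity": "Low", "assetAttributes": {"agentId": "i-0123456789abcdef0"}},
]

if __name__ == "__main__":
    print(parse_inspector_notifications(SAMPLE_EVENT))
    print([select_instance_to_patch(f) for f in SAMPLE_FINDINGS])
    print(build_run_command(["i-0123456789abcdef0"], "0-DDDDDDDD"))
```

Because Inspector emits one Finding reported message per finding, a host with many CVEs triggers many invocations, which is the "ran a lot" pattern visible in the log group above. In production you would debounce on instance ID, or react once to the Run finished event instead, so the instance is patched a single time per assessment run.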

Examine EC2 Instance

  1. Open a terminal session and log in to the EC2 instance via SSH using the credentials on the lab page:

    ssh cloud_user@<WEB_SERVER_PUBLIC_IP_ADDRESS>
  2. Become root:

    sudo su

    Enter the cloud_user password.

  3. Change to the /var/log directory:

    cd /var/log
  4. See what YUM has been up to:

    cat yum.log

    We'll see a huge list of packages that were updated, which should correspond with what we saw in the CloudWatch Logs output.

Conclusion

Congratulations on successfully completing this hands-on lab!