Automatic Remediation of Inspector Findings in AWS
Welcome to this hands-on lab, where we will dig into Automatic Remediation of Inspector Findings in AWS. This activity provides the opportunity to get hands-on experience solving a real-world scenario, where we want to automate the detection and remediation of security vulnerabilities. We'll accomplish this with Amazon Inspector. Resources for this activity are on Github and CVE.
Our task is to configure Inspector to scan an EC2 instance for vulnerabilities, and have it apply the remediation automatically. We'll use the Lambda function to direct Systems Manager to apply software upgrades to the EC2 instance.
The EC2 instance, Lambda function, and SNS topic have already been deployed.
Use the credentials provided on the hands-on lab overview page, and log into the AWS console. We need to make sure we're in the
We need to configure Inspector to scan the EC2 instance for vulnerabilities and have it apply the remediation automatically. We'll use the Lambda function to direct Systems Manager to implement software upgrades to the EC2 instance.
The Provided Resources
Let's look at what has already been deployed for us. Hop into the EC2 dashboard, and look at Instances. We'll see an instance there. Down in the lower half of the screen, click on the Tags tab. We're going to be coming back here, since we'll be using these tags when we configure Inspector.
Install Inspector Agent
There are two methods to deploy an Inspector Agent, either by Systems Manager, or by using Inspector itself.
Using Systems Manager
From the main AWS dashboard, navigate to Management Tools, then Systems Manager. Once we're in here, in the left-hand menu go to the Actions section, then choose Run Command. Click the orange Run a Command button that shows up over toward the upper right of the screen.
We're taken to another screen showing us a list of documents. In this list, we're looking for the one that says AmazonInspector-ManageAWSAgent. It might be a page or two in if we're using the pagination buttons above the list.
Once we've selected that document, now we can scroll down a bit to the Targets section, and choose Specify instance tags.
Our tag key will be Environment, and the tag value will be Production. We saw these on the EC2 instance Tags tab.
In the next section, Command parameters, we'll leave the Operation set to Install.
Right now, we'd be ready to go. We could hit the Run button down at the lower right of the screen. But, there are two ways to set this up, remember? Let's go over the second method.
Using Inspector Agent
Before we can set things up with this method, there's a bit of legwork we have to do ahead of time.
Subscribe our SNS Topic to Our Lambda Function
In the AWS console, navigate to the SNS dashboard, and click on Topics. We can see that there's already one sitting there. Click on it, and we can configure it.
Click Create subscription. In the new window that pops up, let's choose AWS Lambda from the Protocol dropdown. As an Endpoint, choose our function from the dropdown. Then click the blue Create subscription button. With this finished, we can move on to Inspector...
Navigate to Inspector in the AWS console, and click on Get started. Choose Advanced. Uncheck All instances. Define the Name as Assessment-Production. Choose the Environment key and give it a value of Production, then choose Next.
In this screen, we've got to define our target. In our case, this will be an EC2 instance. Give it a Name of mytarget. In the Tags section, choose Environment from the Add a new key dropdown in the Key column, and then choose Production over in the Value column. We can click on the Preview button to make sure what we've selected will actually match the target we're aiming for. Once we're sure, we can go ahead and click Next.
This next step is where we configure our assessment template. Plug these values into the form:
- Name: mytemplate
- Rules packages: Common Vulnerabilities and Exposures-1.1
- Duration: 15 Minutes
Make sure Common Vulnerabilities and Exposures-1.1 is the only rules package and uncheck the Assessment Schedule. Click Next to move along.
This last step is just a review. If everything looks good here, click Create.
Once we're bounced back to the Assessment templates page, navigate (in the left-hand menu) back to Assessment targets. Expand our target (by clicking the Assessment-Production) and then click on the Install Agents with Run Command button.
Once we click OK, that concludes the second method of deploying an Inspector agent.
Now we can click on Preview Target. In the resulting pop up, click on the refresh button until we see HEALTHY in the Agent Status column. Click OK to close the preview window.
Starting the Inspector
Now we can get back into Assessment templates (in the left-hand menu), and expand our mytemplate with the little arrow next to it.
Click the check box down near SNS topics. In the pop up, select our topic from the dropdown. With that selected, scroll to the right and make sure that we have four events listed there: Run started, Run finished, Run state changed, and Finding Reported. Then we can click Save.
Now, back up at mytemplate, check the box next to the arrow we clicked earlier, and click the Run button near the top of the window.
We are at a standstill for a bit here. It could take fifteen minutes to run, but sometimes it's up to an hour. We can get up, grab a drink, and read a newspaper for a bit, then come back.
Look at Findings
After our little break, we can come back and navigate (in the same left-hand menu) to Findings. There's a High radio button in that same menu we can click, so that we're just looking at the findings with a high severity.
We can expand any of these findings, and in them there will be a Recommendations section. We can click the links in those, to read up on the vulnerabilities.
Examine CloudWatch logs
Back on the main AWS console, navigate to Management Tools and find CloudWatch. Then go to Logs. Select our log group from the list, then on the next screen click Search Log Group. We'll see our Lambda function entries in there showing that it ran a lot, each time in response to a particular finding.
Let's filter these. Up in the Filter events search box, type Command line. If we expand these, we should see something like yum update commands.
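The lab's Lambda function is pre-deployed and its code is not shown here. The Python below is an added example, not the lab's function, of how such a handler can act only on Finding Reported notifications (the topic delivers all four event types) and send a fixed yum update to a validated instance ID. It assumes the Inspector Classic message fields event and finding and that agentId holds the EC2 instance ID; StubClient and sns_event are constructed helpers so the logic runs offline.

```python
import json
import re

INSTANCE_ID = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")  # well-formed EC2 ids only
UPDATE_COMMAND = "yum update -y"  # fixed string: nothing from the finding is interpolated


def remediate(event, inspector, ssm):
    """Act on one SNS notification from Inspector; return what was done and why."""
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    if message.get("event") != "FINDING_REPORTED":
        return {"action": "skipped", "reason": "not a finding notification"}
    finding = inspector.describe_findings(
        findingArns=[message["finding"]], locale="EN_US")["findings"][0]
    if not finding.get("id", "").startswith("CVE-"):
        return {"action": "skipped", "reason": "not a CVE finding"}
    instance_id = finding.get("assetAttributes", {}).get("agentId", "")
    if finding.get("assetType") != "ec2-instance" or not INSTANCE_ID.match(instance_id):
        return {"action": "skipped", "reason": "asset is not a valid EC2 instance"}
    sent = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Comment="Inspector finding " + finding["id"],
        Parameters={"commands": [UPDATE_COMMAND]},
    )
    print("Command line: " + UPDATE_COMMAND)  # shows up in the function's CloudWatch log
    return {"action": "patched", "instance": instance_id,
            "command_id": sent["Command"]["CommandId"]}


def lambda_handler(event, context):
    import boto3  # imported here so remediate() can be exercised offline with stubs
    return remediate(event, boto3.client("inspector"), boto3.client("ssm"))


class StubClient:
    """Constructed stand-in for both boto3 clients; records what would be sent."""
    def __init__(self, finding):
        self.finding, self.sent = finding, []
    def describe_findings(self, **kwargs):
        return {"findings": [self.finding]}
    def send_command(self, **kwargs):
        self.sent.append(kwargs)
        return {"Command": {"CommandId": "constructed-command-id"}}


def sns_event(body):
    """Wrap a constructed Inspector message the way SNS delivers it to Lambda."""
    return {"Records": [{"Sns": {"Message": json.dumps(body)}}]}
```

Because the command is a constant and the instance ID is pattern-checked, text inside a finding cannot change what Systems Manager runs or where.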
Examine the EC2 Instance
Log into the EC2 instance with SSH (using the credentials on the hands-on lab overview page). Right away, let's become root with a quick sudo su, and then get into the logs directory with a cd /var/log. We want to look at what YUM has been up to, so run cat yum.log. We'll see a lot of packages that got updated, and these should correspond with what we saw back in the CloudWatch Logs output.
We've accomplished quite a bit in this lab. First we installed the Inspector agent on our EC2 instance. Then we created an Inspector target that pointed to the EC2 instance (based on a tag name). Next we created an Inspector template which defines the ruleset that we apply to our target. Then we directed our template to notify an SNS topic. Finally, we set our SNS topic up to invoke a Lambda function, if there were any CVE findings, which then went ahead and upgraded any packages using Systems Manager. We're finished. Congratulations!