Amazon Inspector, Continual Vulnerability Management & Reporting
Notes on using Amazon Inspector to automatically report software vulnerabilities within your compute workloads.
An Inspector Calls
If you run multiple compute workloads in Amazon Web Services, you will want an automated vulnerability scanner that checks those servers for CVEs, especially if some of those workloads are supplier-managed: you need to be able to confirm that the supplier is patching their servers and meeting your compliance requirements.
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Inspector automatically discovers and allows you to quickly route vulnerability findings in near real time to the appropriate teams so they can take immediate action.
Enabling Amazon Inspector using Terraform
Amazon Inspector can be enabled at the individual AWS account level or, if you use AWS Organizations, activated centrally for every account in your organisation.
While you can enable Amazon Inspector via the AWS web console, enabling it as part of your Infrastructure as Code deployment is much better. Below is an example of how to enable the service using Terraform.
resource "aws_inspector2_enabler" "example" {
  account_ids    = ["012345678901"]
  resource_types = ["ECR", "EC2"]
}
Once activated, Inspector auto-discovers servers through Systems Manager, so every server you want scanned needs the Systems Manager Agent installed. I'm currently writing up how to provision EC2 instances with the necessary instance role permissions attached so that Inspector will pick them up.
Extracting Findings using the AWS CLI
Once Inspector has started gathering findings, you can use the AWS command-line utility to pull them down into a reporting tool of your choice.
The example command below extracts all the active findings by passing a filter to the --filter-criteria option. The results are formatted as JSON and written to a file called findings.json.
aws inspector2 list-findings \
  --filter-criteria '{"findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}' \
  --output json \
  --region eu-west-2 \
  --profile production-profile \
  > findings.json
Report the number of vulnerabilities by severity
Once we have the findings.json file on our development machine, we can use the excellent command-line JSON processor, jq, to interrogate the data.
The example below gives us the number of findings at each severity level.
jq --raw-output '.findings[].severity' findings.json | sort | uniq -c
Which will produce output like this:
 6 HIGH
 1 INFORMATIONAL
 6 LOW
51 MEDIUM
Report HIGH severity vulnerabilities that are exploitable
Out of those six high severity findings, we need to know how many have exploits available in the wild.
The following jq example selects the high severity findings and then narrows them to those whose exploitAvailable field is set to YES. For each match it also lists the EC2 instance ID, the CVE number, and a descriptive title.
jq --raw-output '.findings[] |
  select(.severity | contains("HIGH")) |
  select(.exploitAvailable != null) |
  select(.exploitAvailable | contains("YES")) |
  "\(.severity)|\(.exploitAvailable)|\(.resources[].id)|\(.packageVulnerabilityDetails.vulnerabilityId)|\(.title)"' findings.json | sort
The command above will produce a report like the one shown below. Of those six high vulnerabilities, three have active exploits.
HIGH|YES|i-017fd81*******|CVE-2022-2586|CVE-2022-2586 - linux-image-aws
HIGH|YES|i-017fd81*******|CVE-2022-2588|CVE-2022-2588 - linux-image-aws
HIGH|YES|i-017fd81*******|CVE-2022-34918|CVE-2022-34918 - linux-image-aws
Converting the Findings JSON into actionable reports
The jq command below outputs the essential fields from the JSON file and formats the results into a CSV file. You can quickly load the CSV file into Excel for teams to review.
jq --raw-output '.findings[] |
  "\(.findingArn),\(.firstObservedAt),\(.lastObservedAt),\(.severity),\(.exploitAvailable),\(.title),\(.type),\(.updatedAt),\(.packageVulnerabilityDetails.vulnerabilityId),\(.packageVulnerabilityDetails.vendorCreatedAt),\(.packageVulnerabilityDetails.sourceUrl),\(.resources[].id)"' findings.json
I import the CSV into SQLite and then use SQLite to generate reports, which are then emailed to the relevant teams.
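The three jq reports above (severity counts, exploitable HIGH findings, and the CSV export) reimplemented in Python as an added example, not code from the original notes. It runs over a constructed findings.json sample with placeholder CVE and instance IDs, and it handles the cases the one-line jq filters do not: a finding that covers several instances, an absent exploitAvailable field, and a title containing a comma, which would shift columns in the plain string-interpolated CSV.

```python
import csv, io, json
from collections import Counter

def _finding(n, sev, exploit, title, *ids):
    """One constructed finding in the shape `aws inspector2 list-findings` returns."""
    f = {"findingArn": f"arn:aws:inspector2:eu-west-2:012345678901:finding/example{n}",
         "severity": sev, "title": title, "type": "PACKAGE_VULNERABILITY",
         "firstObservedAt": "2022-08-01T10:00:00Z", "lastObservedAt": "2022-08-02T10:00:00Z",
         "resources": [{"id": i} for i in ids],
         "packageVulnerabilityDetails": {"vulnerabilityId": title.split(" - ")[0]}}
    if exploit is not None:  # the field can be absent, which the jq null check above allows for
        f["exploitAvailable"] = exploit
    return f

# Constructed sample input (placeholder CVE ids and instance ids, not real findings).
SAMPLE_JSON = json.dumps({"findings": [
    _finding(1, "HIGH", "YES", "CVE-0000-0001 - linux-image-aws", "i-0example1", "i-0example2"),
    _finding(2, "HIGH", None, "CVE-0000-0002 - openssl, libssl", "i-0example1"),
    _finding(3, "MEDIUM", "NO", "CVE-0000-0003 - curl", "i-0example2")]})

def load_findings(text):
    return json.loads(text)["findings"]

def count_by_severity(findings):
    """Same report as `jq '.findings[].severity' | sort | uniq -c`."""
    return dict(Counter(f.get("severity", "UNKNOWN") for f in findings))

def exploitable(findings, severity="HIGH"):
    """(instance id, CVE, title) rows for `severity` findings with exploitAvailable == YES; one per resource."""
    rows = []
    for f in findings:  # a missing or null exploitAvailable counts as not exploitable
        if f.get("severity") == severity and f.get("exploitAvailable") == "YES":
            cve = f.get("packageVulnerabilityDetails", {}).get("vulnerabilityId", "")
            rows += [(r["id"], cve, f.get("title", "")) for r in f.get("resources", [])]
    return sorted(rows)

FIELDS = ["findingArn", "firstObservedAt", "lastObservedAt", "severity", "exploitAvailable",
          "title", "type", "vulnerabilityId", "sourceUrl", "resourceId"]

def to_csv(findings):
    """CSV with proper quoting, so a comma inside a title cannot shift columns in Excel."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    for f in findings:
        pvd = f.get("packageVulnerabilityDetails", {})
        for r in f.get("resources", []):  # a finding can cover several instances: one row each
            row = {k: f.get(k) for k in FIELDS[:7]}
            row.update(vulnerabilityId=pvd.get("vulnerabilityId"), sourceUrl=pvd.get("sourceUrl"), resourceId=r.get("id"))
            w.writerow(row)
    return out.getvalue()
```

Replace SAMPLE_JSON with the contents of findings.json to run it against real output; the CSV it produces loads into SQLite or Excel without any hand-fixing of quoted titles.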