Amazon Inspector User Guide (Version Latest)

Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is Amazon Inspector? .. 1
  Benefits of Amazon Inspector .. 1
  Features of Amazon Inspector .. 1
  Amazon Inspector Pricing .. 2
  Accessing Amazon Inspector .. 2
  Amazon Inspector Terminology and Concepts .. 2
  Amazon Inspector Service Limits .. 3
Amazon Inspector Supported Operating Systems and Regions .. 5
  Supported Linux-based Operating Systems .. 5
  Supported Windows-based Operating Systems .. 5
  Supported Regions .. 6
Getting Started .. 7
  Pre-Requisites for Using Amazon Inspector .. 7
  One-Click Setup .. 7
  Advanced Setup .. 8
Tutorials .. 10
  Amazon Inspector Tutorial - Red Hat Enterprise Linux .. 10
    Step 1: Set Up an Amazon EC2 Instance to Use With Amazon Inspector .. 10
    Step 2: Modify Your Amazon EC2 Instance .. 10
    Step 3: Create an Assessment Target and Install an Amazon Inspector Agent on the EC2 Instance .. 11
    Step 4: Create and Run Your Assessment Template .. 11
    Step 5: Locate and Analyze Generated Findings .. 12
    Step 6: Apply the Recommended Fix to Your Assessment Target .. 13
  Amazon Inspector Tutorial - Ubuntu Server .. 13
    Step 1: Set Up an Amazon EC2 Instance to Use With Amazon Inspector .. 13
    Step 2: Modify Your Amazon EC2 Instance .. 14
    Step 3: Create an Assessment Target and Install an Amazon Inspector Agent on the EC2 Instance .. 14
    Step 4: Create and Run Your Assessment Template .. 14
    Step 5: Locate and Analyze Generated Findings .. 15
    Step 6: Apply the Recommended Fix to Your Assessment Target .. 16
Using Service-Linked Roles .. 17
  Service-Linked Role Permissions for Amazon Inspector .. 17
  Creating a Service-Linked Role for Amazon Inspector .. 18
    If you are getting started with Amazon Inspector for the first time .. 18
    If you already have Amazon Inspector running in your AWS account .. 18
  Editing a Service-Linked Role for Amazon Inspector .. 19
  Deleting a Service-Linked Role for Amazon Inspector .. 19
Amazon Inspector Agents .. 20
  Amazon Inspector Agent Privileges .. 20
  Network and Amazon Inspector Agent Security .. 21
  Amazon Inspector Agent Updates .. 21
  Telemetry Data Lifecycle .. 21
  Access Control from Amazon Inspector into AWS Accounts .. 22
  Amazon Inspector Agent Limits .. 22
  Amazon Inspector Agent Public Licensing .. 22
  Installing Amazon Inspector Agents .. 22
    Amazon Linux AMI with Amazon Inspector Agent .. 23
    To install the Amazon Inspector Agent on multiple EC2 instances using the Systems Manager Run Command .. 23
    To install the Amazon Inspector Agent on a Linux-based EC2 instance .. 24
    To install the Amazon Inspector Agent on a Windows-based EC2 instance .. 24
  Working with Amazon Inspector Agents on Linux-based Operating Systems .. 25
    To verify that the Amazon Inspector Agent is running .. 25
    To stop the Amazon Inspector Agent .. 25
    To start the Amazon Inspector Agent .. 25
    To configure proxy support for Amazon Inspector Agents .. 26
    To uninstall the Amazon Inspector Agent .. 27
  Working with Amazon Inspector Agents on Windows-based Operating Systems .. 27
    To stop or start the Amazon Inspector Agent or verify that the Amazon Inspector Agent is running .. 27
    To modify Amazon Inspector Agent settings .. 28
    To configure proxy support for Amazon Inspector Agents .. 28
    To uninstall the Amazon Inspector Agent .. 29
  (Optional) Verify the Signature of the Amazon Inspector Agent Installation Script on Linux-based Operating Systems .. 29
    Install the GPG Tools .. 29
    Authenticate and Import the Public Key .. 30
    Verify the Signature of the Package .. 31
  (Optional) Verify the Signature of the Amazon Inspector Agent Installation Script on Windows-based Operating Systems .. 32
Amazon Inspector Assessment Targets .. 33
  Tagging Resources to Create an Assessment Target .. 33
  Amazon Inspector Assessment Targets Limits .. 33
  Creating an Assessment Target (Console) .. 34
  Deleting an Assessment Target (Console) .. 35
Amazon Inspector Assessment Templates and Assessment Runs .. 36
  Amazon Inspector Assessment Templates .. 36
    Amazon Inspector Assessment Templates Limits .. 37
    Creating an Assessment Template (Console) .. 37
    Deleting an Assessment Template (Console) .. 38
  Assessment Runs .. 38
    Deleting an Assessment Run (Console) .. 39
    Amazon Inspector Assessment Runs Limits .. 39
    Setting Up Automatic Assessment Runs Through a Lambda Function .. 39
    Setting Up an SNS Topic for Amazon Inspector Notifications (Console) .. 40
Amazon Inspector Findings .. 42
  Working with Findings .. 42
  Assessment Reports .. 44
Exclusions in Amazon Inspector .. 45
  Exclusion Types .. 45
  Previewing Exclusions .. 48
  Viewing Post-Assessment Exclusions .. 49
Amazon Inspector Rules Packages and Rules .. 50
  Severity Levels for Rules in Amazon Inspector .. 50
  Rules Packages in Amazon Inspector .. 50
  Common Vulnerabilities and Exposures .. 51
  Center for Internet Security (CIS) Benchmarks .. 51
  Security Best Practices .. 53
    Disable Root Login over SSH .. 53
    Support SSH Version 2 Only .. 54
    Disable Password Authentication Over SSH .. 54
    Configure Password Maximum Age .. 54
    Configure Password Minimum Length .. 55
    Configure Password Complexity .. 55
    Enable ASLR .. 55
    Enable DEP .. 56
    Configure Permissions for System Directories .. 56
  Runtime Behavior Analysis .. 56
    Insecure Client Protocols (Login) .. 57
    Insecure Client Protocols (General) .. 57
    Unused Listening TCP Ports .. 57
    Insecure Server Protocols .. 58
    Software Without DEP .. 59
    Root Process with Insecure Permissions .. 59
  Rules Packages Availability Across Supported Operating Systems .. 60
Logging Amazon Inspector API Calls with AWS CloudTrail .. 63
  Amazon Inspector Information in CloudTrail .. 63
  Understanding Amazon Inspector Log File Entries .. 64
Monitoring Amazon Inspector Using CloudWatch .. 66
  Amazon Inspector CloudWatch Metrics .. 66
Configuring Amazon Inspector Using AWS CloudFormation .. 68
Authentication and Access Control for Amazon Inspector .. 69
  Access Control .. 70
  Overview of Managing Access Permissions to Your Amazon Inspector Resources .. 70
    Amazon Inspector Resources and Operations .. 71
    Understanding Resource Ownership .. 71
    Managing Access to Resources .. 71
    Specifying Policy Elements: Actions, Effects, Resources, and Principals .. 73
    Specifying Conditions in a Policy .. 73
  Using Identity-based Policies (IAM Policies) for Amazon Inspector .. 73
    Permissions Required to Use the Amazon Inspector Console .. 74
    AWS Managed (Predefined) Policies for Amazon Inspector .. 74
    Customer Managed Policy Examples .. 75
  Amazon Inspector API Permissions: Actions, Resources, and Conditions Reference .. 76
Appendix - Amazon Inspector Rules Packages' ARNs .. 77
  US West (Oregon) .. 77
  US East (N. Virginia) .. 77
  US East (Ohio) .. 78
  US West (N. California) .. 78
  Asia Pacific (Mumbai) .. 79
  Asia Pacific (Sydney) .. 79
  Asia Pacific (Seoul) .. 79
  Asia Pacific (Tokyo) .. 80
  EU (Ireland) .. 80
  EU (Frankfurt) .. 81
  AWS GovCloud (US) .. 81
Document History .. 82

What is Amazon Inspector?

Amazon Inspector enables you to analyze the behavior of your AWS resources and helps you to identify potential security issues. Using Amazon Inspector, you can define a collection of AWS resources that you want to include in an assessment target. You can then create an assessment template and launch a security assessment run of this target.

During the assessment run, the network, file system, and process activity within the specified target are monitored, and a wide set of activity and configuration data is collected. This data includes details of communication with AWS services, use of secure channels, details of the running processes, network traffic among the running processes, and more.
The collected data is correlated, analyzed, and compared to a set of security rules specified in the assessment template. A completed assessment run produces a list of findings - potential security problems of various severity.

Note
AWS does not guarantee that following the provided recommendations will resolve every potential security issue. The findings generated by Amazon Inspector depend on your choice of rules packages included in each assessment template, the presence of non-AWS components in your system, and other factors. You are responsible for the security of applications, processes, and tools that run on AWS services. For more information, see the AWS Shared Responsibility Model.

AWS is responsible for protecting the global infrastructure that runs all the services offered in the AWS cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS services. AWS provides several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations.
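The target / template / run / findings sequence described above, expressed against the Amazon Inspector (classic) API, as an added example that is not part of the user guide. The API method names and request/response keys (create_resource_group, create_assessment_target, create_assessment_template, start_assessment_run, list_findings, describe_findings) are the real boto3 ones; everything else is assumed: the rules package ARN is a placeholder (real per-region values are in the guide's appendix), and because the example must run offline, a constructed FakeInspectorClient with canned responses stands in for boto3.client("inspector"). Point run_assessment() and collect_findings() at a real client and the same code drives a real assessment.

```python
"""Added example: drive the Amazon Inspector (classic) assessment workflow.

Assumptions (not from the guide): RULES_PACKAGE_ARN is a placeholder, and
FakeInspectorClient is a constructed offline stand-in for boto3.client("inspector").
The method names and dict keys below match the real Inspector API.
"""
from collections import Counter

# Placeholder only; copy the real ARN for your region from the guide's appendix.
RULES_PACKAGE_ARN = "arn:aws:inspector:REGION:ACCOUNT:rulespackage/PLACEHOLDER"


class FakeInspectorClient:
    """Constructed stand-in: records each call and returns responses shaped like
    the real API so the workflow can be exercised without an AWS account."""

    def __init__(self):
        self.calls = []
        # Constructed sample findings in describe_findings shape (severity values
        # follow Inspector's High / Medium / Low / Informational scale).
        self._findings = {
            "arn:example:finding/0-aaaa": {"severity": "High",
                                          "title": "Root login over SSH is enabled"},
            "arn:example:finding/0-bbbb": {"severity": "Medium",
                                          "title": "Password authentication over SSH is enabled"},
            "arn:example:finding/0-cccc": {"severity": "Informational",
                                          "title": "Unused listening TCP port"},
        }

    def _record(self, name, kw):
        self.calls.append((name, kw))

    def create_resource_group(self, **kw):
        self._record("create_resource_group", kw)
        return {"resourceGroupArn": "arn:example:resourcegroup/0-rg"}

    def create_assessment_target(self, **kw):
        self._record("create_assessment_target", kw)
        return {"assessmentTargetArn": "arn:example:target/0-tgt"}

    def create_assessment_template(self, **kw):
        self._record("create_assessment_template", kw)
        return {"assessmentTemplateArn": "arn:example:template/0-tpl"}

    def start_assessment_run(self, **kw):
        self._record("start_assessment_run", kw)
        return {"assessmentRunArn": "arn:example:run/0-run"}

    def list_findings(self, **kw):
        # Two pages, so the caller's nextToken handling is exercised.
        self._record("list_findings", kw)
        arns = list(self._findings)
        if kw.get("nextToken") == "page2":
            return {"findingArns": arns[2:]}
        return {"findingArns": arns[:2], "nextToken": "page2"}

    def describe_findings(self, **kw):
        self._record("describe_findings", kw)
        return {"findings": [dict(arn=a, **self._findings[a]) for a in kw["findingArns"]],
                "failedItems": {}}


def run_assessment(client, target_name, template_name, tag_key, tag_value,
                   duration_seconds=3600, rules_package_arns=(RULES_PACKAGE_ARN,)):
    """Tag-select the target, attach a template with rules packages, start a run.
    Returns the assessment run ARN."""
    rg = client.create_resource_group(
        resourceGroupTags=[{"key": tag_key, "value": tag_value}])
    target = client.create_assessment_target(
        assessmentTargetName=target_name, resourceGroupArn=rg["resourceGroupArn"])
    template = client.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=template_name,
        durationInSeconds=duration_seconds,          # how long the agents collect data
        rulesPackageArns=list(rules_package_arns))   # which rules the data is compared to
    run = client.start_assessment_run(
        assessmentTemplateArn=template["assessmentTemplateArn"],
        assessmentRunName=f"{template_name}-run")
    return run["assessmentRunArn"]


def collect_findings(client, run_arn):
    """Page through list_findings for one run, describe the findings in batches
    of 10 (the API's per-call limit), and summarise by severity."""
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [run_arn], "maxResults": 100}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns.extend(page.get("findingArns", []))
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 10):
        findings.extend(client.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return {"findings": findings,
            "by_severity": dict(Counter(f["severity"] for f in findings))}


if __name__ == "__main__":
    c = FakeInspectorClient()   # replace with boto3.client("inspector") for a real run
    arn = run_assessment(c, "web-tier", "weekly-hardening", "Env", "prod")
    print(collect_findings(c, arn)["by_severity"])
```

In a real account, findings are only complete once the run reaches the COMPLETED state: poll describe_assessment_runs on the run ARN, or subscribe to the run's SNS notifications (see "Setting Up an SNS Topic for Amazon Inspector Notifications" in the guide) before calling collect_findings().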
For more information, see AWS Cloud Compliance.

For more information, see Amazon Inspector Terminology and Concepts (p. 2).

Benefits of Amazon Inspector

- Amazon Inspector enables you to quickly and easily assess the security of your AWS resources for forensics, troubleshooting, or active auditing purposes at your own pace, either as you progress through the development of your infrastructures or on a regular basis in a stable production environment.
- Amazon Inspector enables you to focus on more complex security problems by offloading the overall security assessment of your infrastructure to this automated service.
- By using Amazon Inspector, you can gain deeper understanding of your AWS resources because Amazon Inspector findings are produced through the analysis of the real activity and configuration data of your AWS resources.

Features of Amazon Inspector

- Configuration Scanning and Activity Monitoring Engine - Amazon Inspector provides an engine that analyzes system and resource configuration and monitors activity to determine what an assessment target looks like, how it behaves, and its dependent components.