Amazon AWS DevOps Engineer Professional – Policies and Standards Automation (Domain 4) Part 6
August 24, 2023

17. Inspector – Setup & Run

So now let's look at a service that is going to be extremely important when you create AMIs and when you need to do security analysis of your systems. It's called Amazon Inspector. Amazon Inspector enables you to analyze the behavior of your AWS resources and helps you identify potential security issues. You need to install the Inspector agent on your EC2 instances, and that can be automated through SSM. You can then run an assessment for your targets, and finally you can analyze the findings; we'll see how to build automations on top of that in the next lecture as well. So let's get started. Amazon Inspector comes in two flavors. It uses a service-linked role to describe your EC2 instances and your network configuration.

So there are two setups: network assessments and host assessments. The network assessment does not require the agent to be installed, because it performs a network configuration analysis; if there is an agent, it has a bit more insight, for example it finds the processes that are listening on ports. The host assessment requires the agent to be installed, because it analyzes the host from within. Be careful about the pricing. This is within the free tier for now, so we're okay. Let's click on Advanced setup so we can look at all the options.

We need to define an assessment target. We could say "Target all instances", which includes all EC2 instances in this account and region, but you can also use a specific tag key and value. "Install Agents" means: do you want the Inspector agent installed on all the EC2 instances in this target? You can say yes, and if so, your EC2 instances must have the SSM agent installed and an IAM role that allows Run Command. In our case I want to use a tag, with key Name and value Inspector. This is a new target. Click on Next. Now we define the template that will run on our targets, and it is going to evaluate all these rules packages.

So this is something that aws defines for you. You don’t have to define it yourself and you cannot define it yourself. So they will run network, reachability security, best practice and so on. And then you can look at the duration of the assessment itself. So this one will last 1 hour and that’s the recommended time. But you can go 15 minutes, 8 hours, all the way to 24 hours. Then you can set recurrence. So you can say you need to do this assessment once every seven days. And if you do so, this will actually create a Cloud Watch event rule. So if you look for events, this will create a cloud watch event role that will automatically run a seven day schedule.

and invokes your Inspector assessment template. This is something I will just untick for now, so that we have just one assessment run. I'll click on Next, and we can review. Here we define our assessment: we've filtered by tag, Name with value Inspector; it will install the agent on the EC2 instances if they have the SSM agent installed and an IAM role that allows Run Command; and the template itself will run all these rules packages on our instances. Let's go ahead and create this. This creates everything, and we are good to go. Now we go back to our targets.

In here we need to find our targets. There is no agent associated with the tag, because we have not created an EC2 instance yet. Something you should notice is that the Inspector service will never launch an EC2 instance for you; you have to launch your EC2 instance yourself. So I'm going to launch an EC2 instance using the Amazon Linux 2 AMI, because this AMI comes with the SSM agent pre-installed, as we've seen before. We'll do a t2.micro, and in the instance details I need to set an IAM role, so we'll set the Amazon SSM role for instances (the quick setup one), and that should work. Then click on Add Storage, Add Tags, and here we need to tag it correctly: the Name is going to be Inspector.

This way it will be found by Inspector as a target. Configure security group: we don't need this. Launch, and yes, I have this key pair, and we're good to go. So this instance has the SSM agent, and once it's launched we will make sure Inspector installs the Inspector agent on it. Let's wait a little bit. Okay, my instance is launched, so I'm going to refresh the assessment target and click on Preview targets. It has found the instance ID thanks to the tag, and the agent status is currently Unknown because the agent has not been installed on the instance yet. What I can do is "Install agents with Run Command", which installs the Amazon Inspector agent on all the EC2 instances

in this assessment target. We click on OK, and it says the Run Command was successfully issued. Then we can check by going back to Preview targets, and the agent status now says Healthy. We can look at what happened, because we know how SSM works: go into SSM, then Run Command, and look at the command history. This command right here was just issued, and it succeeded, with one target and one completed. As we can see, the command document was the Amazon Inspector ManageAWSAgent command document. Perfect.

So now we see how all these services work together and how we can integrate Inspector and SSM. Excellent. My instance in this target now has the agent installed; there's one instance, so that's perfect. That could be an AMI of your own: here it's the Amazon Linux 2 AMI we're going to test for security findings, but it could be your own AMI with your own patches and so on, for example the golden AMI you maintain within your company. Now we need to do an assessment run. For this we go back to the templates, select ours, and click on Run. This runs the assessment, and now we go to Assessment runs.

It appears here, and it will take about an hour. Right now it is in the state Collecting data. So I'll pause the video for one hour and get back to you when this is done. The analysis is now complete, and there were 100 findings in this one assessment. We can see that all the rules packages were evaluated, and I can download the report in HTML or PDF form, either a findings report or a full report. For example, let me download a findings report in PDF form; I generate the report, and it opens when ready. Here we go: 109 pages of report, and it gives me a summary of everything that happened.

99 findings were created: 89 of them were high, one was medium, and nine were informational. We also get the rules packages that generated these findings. This entire PDF then shows you what happened, and it is something you can use during your audits or to analyze your security findings. Back in the Inspector UI, you can also filter the findings on the left-hand side by severity, so we can say, okay, I only want to see the high severity findings. Then you can open one and look at what's going on within this finding. Let's open this one and see.

So it's open, and there is the finding itself: the rule the instance was not compliant with, then the description of this finding, and then the recommendation to fix it. You can walk through these, and the goal obviously is to reduce the number of security findings. This is quite helpful, because whenever you do these assessment runs you are able to see whether you are vulnerable to some kind of attack or bug, and you can improve your security. So that's Amazon Inspector in a gist. In the next lecture we'll see how we can automate everything. See you in the next lecture.

18. Inspector – Automations

So how can we automate Amazon Inspector? In this case, Amazon Inspector can be the target of CloudWatch Events to run assessments. It is possible, for example, to go into Inspector, look at this assessment template, edit it and add a schedule: set up recurring assessments every seven days. This created a rule with a rate of seven days, and that rule has actually been created within CloudWatch Events. If I go into CloudWatch and look at my event rules, I can find a rule scheduled on a fixed rate of seven days, and the target of that rule is running the assessment template that was defined right here.

CloudWatch Events can obviously do way more than this. You could have any kind of rule, and the target again will be an Inspector assessment template: you pass in its ARN and you're good to go. So maybe, for example, when EC2 emits an instance state-change notification and the state goes to running, you want to launch an Inspector assessment on that instance, or whatever intervention you can think of. But a very common one is to just use a schedule, for example rate(7 days), and have Inspector run on your instances every seven days. That's definitely possible.

The other thing I want you to notice is that your assessment template can send messages to an SNS topic. You choose an SNS topic, and whenever the run has started, the run has finished, the run state changed, or findings were reported, a notification is sent to it. This is the only way to get notifications and automations out of Inspector: this SNS topic. There is no way, as of today, to create a CloudWatch Events rule with Inspector as the event source; if you choose Inspector there, you cannot get these events that are defined here.

For example, a run started, a run finished, a run state changed, or findings were reported. So you cannot automate this with CloudWatch Events just yet; for now, just SNS. But it is definitely possible to send all these notifications into an SNS topic, and that can be really helpful for automation. You obviously need to grant Inspector access to publish to the topic, but you get the idea. The last thing I want to show you is that you can remediate Amazon Inspector security findings automatically, as described on the AWS Security Blog: you launch an EC2 instance and deploy the EC2 Systems Manager agent on it with the right role,

then you deploy the Amazon Inspector agent using SSM, create an SNS topic, configure Inspector to send a message to the SNS topic, and then you have a Lambda function that is triggered by notifications to the SNS topic and uses SSM to perform automatic remediation on the instance. These are the kinds of workflows you can create thanks to this SNS topic integration. But what I want you to remember is that, again, Inspector does not launch an EC2 instance for you: you have to launch the instance and deploy the Amazon Inspector agent before the Inspector service itself can do its work.
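As an added example (not code from the lecture or from the AWS blog post it mentions), here is a minimal Lambda handler for the last step of that workflow: it parses the Inspector notification delivered through SNS, looks up the finding, and for a high-severity finding issues an SSM Run Command against the affected instance. The SNS message keys (`event`, `run`, `finding`), the injectable boto3 clients and the choice of the `AWS-RunPatchBaseline` document are assumptions for this example; the sample event is constructed.

```python
import json

# Severities that trigger automatic remediation (assumption for this example).
REMEDIATE_SEVERITIES = {"High"}

# Constructed ARNs; the account id and resource ids are placeholders.
RUN_ARN = "arn:aws:inspector:us-east-1:111122223333:target/0-EXAMPLE/template/0-EXAMPLE/run/0-EXAMPLE"
FINDING_ARN = RUN_ARN + "/finding/0-EXAMPLE"


def make_sns_event(event_type, finding_arn=None):
    """Build the event Lambda receives when SNS delivers an Inspector message
    (message keys are an assumption based on the blog's remediation sample)."""
    message = {"event": event_type, "run": RUN_ARN}
    if finding_arn:
        message["finding"] = finding_arn
    return {"Records": [{"Sns": {"Message": json.dumps(message)}}]}


SAMPLE_EVENT = make_sns_event("FINDING_REPORTED", FINDING_ARN)


def parse_notification(event):
    """Return (event_type, finding_arn) from the SNS-wrapped Inspector message."""
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    return message.get("event"), message.get("finding")


def handler(event, context=None, inspector=None, ssm=None):
    """Lambda entry point. Clients are injectable so the logic can run offline."""
    if inspector is None or ssm is None:
        import boto3  # only needed when running inside Lambda
        inspector = inspector or boto3.client("inspector")
        ssm = ssm or boto3.client("ssm")

    event_type, finding_arn = parse_notification(event)
    if event_type != "FINDING_REPORTED" or not finding_arn:
        return {"action": "ignored", "event": event_type}

    # describe_findings gives the severity and the agent id (= instance id) of the asset.
    finding = inspector.describe_findings(findingArns=[finding_arn])["findings"][0]
    severity = finding.get("severity")
    instance_id = finding.get("assetAttributes", {}).get("agentId")
    if severity not in REMEDIATE_SEVERITIES or not instance_id:
        return {"action": "logged", "severity": severity, "instance": instance_id}

    # Remediate by patching the instance through SSM Run Command
    # (document choice is an assumption; the blog runs a shell script instead).
    resp = ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunPatchBaseline",
                            Parameters={"Operation": ["Install"]})
    return {"action": "remediated", "instance": instance_id,
            "command_id": resp["Command"]["CommandId"]}
```

Run-started and run-completed notifications fall through the "ignored" branch, so the same topic can fan out to both this remediation function and a reporting subscriber.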

Okay? So again, one very common use case for Amazon Inspector, which we've seen already, is golden AMI vulnerability assessment. We can have a CI/CD pipeline in which, for example, a scheduled CloudWatch Events rule starts a Lambda function that launches EC2 instances and, when they're ready, starts an Amazon Inspector assessment on them. Amazon Inspector is hooked up to an SNS topic, so that whenever the assessment is completed, the results are passed on to a Lambda function that analyzes the Inspector findings.

For that Lambda function to know which EC2 instance to create from which AMI, you could look up a parameter in Systems Manager Parameter Store, and so on. That's a very common type of automation: every day or every week, run an assessment on your EC2 instances. And obviously, at the end of it, this Lambda function should shut down the EC2 instances so that they are terminated once the entire assessment is done. You can have a golden AMI pipeline as well.

These are, again, more examples, but here is another one where Inspector is used. CloudWatch Events will, from a source AMI, launch an instance, patch everything, and then create an AMI from it: that's the golden AMI. That AMI is properly tagged, and then it is used to create an instance; on it, the Inspector agent is installed, and then the assessment is performed by Inspector. Again, when things are done, an SNS topic is notified, and then an approver may look at this SNS topic and approve the image.

The image can then go back into, for example, Parameter Store. If everything is ready, Parameter Store will contain the source and the ID of the golden AMI that was just created. So, again, really helpful to see, and Inspector's role is to analyze AMIs. In this example the instance is launched, again, outside of Inspector, and Inspector performs its assessments right here. This is something you would see in the whitepaper I showed you before; it's the exact same kind of workflow.

The AMI gets patched into a golden AMI as part of an automation with SSM. Then the validation phase has the golden AMI go through an Inspector assessment run and be verified. Then the approval phase stores the golden AMI ID into Parameter Store. Then CloudWatch Events is notified, sending email notifications and messages to an SNS topic. So hopefully that makes it really clear what kind of automations can happen with Inspector, because this is what you'll be tested on at the exam. I hope you liked this lecture, and I will see you in the next lecture.
