Amazon Inspector is a vulnerability scanning service for your Amazon EC2 instances, ECR container images and the applications that run on them.
Using an on-host agent (Inspector Agent), it examines the configuration and behavior of operating systems and applications to find potential security exposures such as common flaws and unsafe configuration settings.
It primarily performs two functions:
- Network Evaluation: [Network Reachability]
- Host Assessment: [Common vulnerabilities and exploits, CIS benchmarks, Security Best Practices, and runtime behavior analysis]
But you must install the Inspector Agent in order to do these evaluations, particularly the host assessment.
Before we begin
First, before we configure Inspector we need an EC2 instance, an ECR repository, or both, so that Inspector has something to scan and report on.
Let's get started
Let's create an EC2 instance and an ECR repository.
To use Inspector we need an instance that supports the SSM Agent, or we have to install the SSM Agent manually.
We also need an IAM role for the SSM Agent, so let's create an IAM role first.
Create an IAM role with the AmazonSSMManagedInstanceCore policy attached.
Let's create an EC2 instance with that IAM role.
Once the instance is up and running, let's also create an ECR repository.
Go to ECR and create a repository. Once the repository is created, you will see a push commands option just like the one below.
These are the commands required to push a Docker image to this ECR repository.
Before we can push a Docker image to the repository, we need a Docker image on the EC2 instance.
Run the following commands in the EC2 instance terminal to install Docker and pull the image.
sudo su -
yum -y install docker
systemctl start docker
# pull the Docker image; we are deliberately using an older image to test Inspector
docker pull centos:7
# check your local images; you should see the centos:7 image listed
docker images
Once the Docker image is confirmed, let's push the image to the repository.
But to do so we need to give our EC2 instance the appropriate permissions, so let's add them to the EC2 role. For now we will attach the "AmazonEC2ContainerRegistryFullAccess" policy, but in real deployments grant only the least privilege the instance needs.
Let's push the docker image using the push commands from the ECR repository.
# since we have already pulled the Docker image on the EC2 instance, we don't need the 2nd command.
# Run the first command (the docker login command) and check for the "Login Succeeded" message.
# Before you run the 3rd command, edit it and replace the source image "demo-images:latest" with "centos:7":
docker tag centos:7 244192264121.dkr.ecr.ap-northeast-1.amazonaws.com/demo-images:latest
# once done, all we need to do is push our Docker image using the 4th command.
# Note: you don't have to change anything in this command, just copy and paste it:
docker push 244192264121.dkr.ecr.ap-northeast-1.amazonaws.com/demo-images:latest
Now that we have both the EC2 instance and the ECR repository in place, let's go to Inspector.
All you need to do is enable Inspector.
Once enabled, wait a few minutes until the coverage for both instances and repositories shows 100%.
Depending on the size of the container image, scanning the repository can take more time.
If there are any findings, you can check them on the Inspector dashboard and drill into the details.
As you can see above, we have 10 critical findings in the old centos:7 image.
For many findings, the bottom of the finding page shows how you can remediate the issue; the more you explore the dashboard, the more details you will find.
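Once the dashboard shows findings, the next practical step is turning them into a triage list rather than clicking through them one at a time. The following Python is an added example, not part of the original walkthrough or any AWS tool: it takes a list of findings in the shape returned by the Inspector ListFindings API (the field names severity, status, fixAvailable, resources and remediation.recommendation.text are my assumptions about that shape, and the sample findings are constructed) and groups the active high-and-above findings per scanned resource, separating the ones with a fix available from the ones without.

```python
from collections import Counter

# Severity values used by Inspector findings, ranked for threshold filtering.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
IMG, EC2 = "AWS_ECR_CONTAINER_IMAGE", "AWS_EC2_INSTANCE"
# Constructed resource ids: account, region and repo from the walkthrough; digest and instance id are placeholders.
ECR_IMAGE = ("arn:aws:ecr:ap-northeast-1:244192264121:repository/demo-images/"
             "sha256:PLACEHOLDER-DIGEST")
EC2_INSTANCE = "i-PLACEHOLDER"


def _finding(severity, status, fix, title, rtype, rid, text):
    """Build one constructed finding shaped like a ListFindings result (assumed field names)."""
    return {"severity": severity, "status": status, "fixAvailable": fix,
            "title": title, "resources": [{"type": rtype, "id": rid}],
            "remediation": {"recommendation": {"text": text}}}


SAMPLE_FINDINGS = [  # constructed sample data, CVE ids are placeholders
    _finding("CRITICAL", "ACTIVE", "YES", "CVE-EXAMPLE-0001 - openssl", IMG, ECR_IMAGE, "Upgrade openssl."),
    _finding("CRITICAL", "ACTIVE", "NO", "CVE-EXAMPLE-0002 - glibc", IMG, ECR_IMAGE, "No vendor fix; rebuild on a supported base image."),
    _finding("CRITICAL", "CLOSED", "YES", "CVE-EXAMPLE-0003 - curl", IMG, ECR_IMAGE, "Already remediated."),
    _finding("HIGH", "ACTIVE", "YES", "CVE-EXAMPLE-0004 - kernel", EC2, EC2_INSTANCE, "yum update kernel and reboot."),
    _finding("MEDIUM", "ACTIVE", "YES", "CVE-EXAMPLE-0005 - bash", EC2, EC2_INSTANCE, "yum update bash."),
]


def summarize_findings(findings, min_severity="HIGH"):
    """Group ACTIVE findings at or above min_severity per scanned resource.

    Closed/suppressed findings and lower severities are dropped, so the result
    is the queue a responder would actually work: counts per severity plus
    which titles have a fix available (with remediation text) and which do not.
    """
    threshold = SEVERITY_RANK[min_severity]
    summary = {}
    for f in findings:
        if f.get("status") != "ACTIVE" or SEVERITY_RANK.get(f.get("severity"), -1) < threshold:
            continue
        text = f.get("remediation", {}).get("recommendation", {}).get("text", "")
        for res in f.get("resources", []):
            entry = summary.setdefault(res["id"], {"type": res["type"], "by_severity": Counter(),
                                                   "fixable": [], "unfixable": []})
            entry["by_severity"][f["severity"]] += 1
            if f.get("fixAvailable") == "NO":  # YES / NO / PARTIAL; PARTIAL still counts as actionable
                entry["unfixable"].append(f["title"])
            else:
                entry["fixable"].append((f["title"], text))
    return summary
```

Feed it the `findings` list from a real ListFindings response page and the unfixable list is exactly the set of images that need a newer base image rather than a package update.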
That's it. Congratulations, you have successfully enabled Amazon Inspector for your EC2 and ECR container infrastructure.
More about Inspector: https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html