Amazon Inspector (What It Actually Evaluates) - Overview.
Scope:
- The concept of What Amazon Inspector Actually Evaluates,
- Core Evaluation Categories,
- Common Vulnerabilities & Exposures
- Evaluation Workflow,
- Network Exposure Analysis (unintended network exposure),
- Sample exposure finding,
- Package & Dependency Scanning (Deep Software inventory analysis),
- Lambda Function Scanning (evaluates Lambda functions),
- Resource Discovery Evaluation Workflow,
- Assessment Evaluation Workflow,
- Finding Generation Evaluation Workflow,
- Integration Evaluation Workflow,
- Architecture Layers (Visual Breakdown),
- Table for Layers, Description, & Samples,
- Key Metrics & Prioritization of Inspector uses,
- Integration with AWS Ecosystem & Purposes,
- Sample Inspector Evaluation Flow,
- Summary Evaluation Table (Area, Purposes & Resources covered).
The concept of What Amazon Inspector Actually Evaluates,
- Amazon Inspector is an automated vulnerability management service.
- Amazon Inspector is a service continuously:
- scans AWS workloads for software vulnerabilities (CVEs)
- And unintended network exposure.
- Amazon Inspector primarily evaluates:
- EC2 instances
- Amazon ECR container images
- Lambda functions with dependencie
- Amazon Inspector helps the security teams to maintain compliance and security posture by identifying vulnerabilities before exploitation.
Core Evaluation
Categories
1.
Common Vulnerabilities & Exposures
- Software packages and OS libraries for Common
Vulnerabilities and Exposures (CVEs).
- Vulnerability data sourced from:
- NVD (National Vulnerability Database).
- Vendor advisories (e.g., Ubuntu, Red Hat, Amazon Linux Security Bulletins).
- AWS internal security intelligence.
Each finding includes:
- CVE ID.
- CVSS base score.
- EPSS (Exploit Prediction Scoring System).
- Remediation guidance (e.g., patch versions).
Targets
- EC2 instances using SSM Agent.
- ECR container images at build, push, or on-demand scan.
2. Network Exposure Analysis (unintended network exposure) by analyzing:
- Security group configurations.
- Network ACLs.
- Publicly accessible ports or services.
- Reachability to the Internet or VPC peers.
Targets
- EC2 instances.
- Lambda functions with public endpoints.
Sample exposure finding:
“EC2 instance i-0ab123xxxxx exposes port 22 to the internet (0.0.0.0/0).”
3. Package & Dependency Scanning (Deep Software inventory analysis) to detect:
- Vulnerable libraries (e.g., Log4j, OpenSSL).
- OS-level packages.
- Container dependencies from Dockerfiles or layers.
Targets
- ECR images.
- Lambda functions (Python, Node.js, Java, etc.).
4. Lambda Function Scanning (evaluates Lambda functions) for:
- Software vulnerabilities in dependencies (CVEs).
- Runtime environment vulnerabilities.
- Package metadata.
- Public accessibility (network exposure).
Scans occur:
- On deployment (new versions).
- On dependency updates.
- On-demand or continuous mode.
Evaluation Workflow
1. Resource Discovery Evaluation Workflow
- Inspector auto-discovers resources using AWS Organizations and Resource Tagging:
- EC2 instances via Systems Manager Agent.
- ECR repositories.
- Lambda functions and layers.
2. Assessment Evaluation Workflow
- Inspector performs continuous, agent-based or agentless scans:
- Uses Inspector Assessment Targets and Assessment
Templates.
- Collects software inventory and network reachability data.
3. Finding Generation Evaluation Workflow
- Inspector produces detailed findings including:
- Vulnerability ID and severity
(Critical/High/Medium/Low).
- CVSS score and exploitability.
- Impacted resource ID.
- Recommended remediation.
4. Integration Evaluation Workflow
Findings are automatically
integrated with:
- AWS Security Hub.
- AWS Organizations (multi-account).
- Amazon EventBridge
- AWS Systems Manager Patch Manager.
Architecture Layers (Visual
Breakdown).
Data Sources → Detection
Engine → Findings & Integrations.
Table for Layers, Description, & Samples
|
Layer |
Description |
Samples |
|
Data Sources. |
Software inventory, network
configs, CVE databases. |
SSM Agent, ECR API, Lambda
metadata |
|
Detection Engine. |
Analyzes resources for
vulnerabilities and exposures. |
CVE scanner, network reachability
analysis |
|
Findings & Integrations. |
Outputs to AWS tools for
visibility and action. |
Security Hub, EventBridge, SNS,
Systems Manager |
Key Metrics & Prioritization of Inspector uses:
- CVSS v3 base score.
- EPSS (Exploit Prediction Scoring System).
- AWS-specific context (e.g., exposure level, resource importance).
- Aggregation by resource and account.
Sample:
- A critical CVE with active exploit (EPSS > 0.9) on a public EC2 instance is prioritized over a low-severity, internal vulnerability.
Integration with AWS
Ecosystem & Purposes
|
Integration |
Purpose |
|
Security Hub. |
Centralized visibility of
Inspector findings |
|
EventBridge. |
Automated remediation workflows |
|
Systems Manager Patch Manager. |
Patching vulnerable instances |
|
AWS Organizations. |
Multi-account vulnerability
management |
|
AWS Config. |
Compliance checks tied to
configuration rules |
Sample Inspector
Evaluation Flow
- EC2 instance launched,
- SSM Agent collects OS + package info,
- Inspector compares software inventory against CVE databases,
- Finds CVE-2024-XXXX affecting OpenSSL ( a free Open-Source Software liblrary used for secure communication over computer networks.
- OpenSSL is a powerful cryptographic toolkit that implements:
- The Secure Sockets Layer (SSL)
- Transport Layer Security (TLS) protocols, with other cryptographic algorithms)
- Checks if the instance is publicly reachable
- Generates finding → Publishes to Security Hub and EventBridge
- Triggered Lambda workflow patches instance automatically
Summary Evaluation Table (Area, Purposes & Resources covered)
Evaluation Area | Purpose | Resources Covered |
CVE Scanning. | Detect known vulnerabilities. | EC2, ECR, Lambda |
Network Exposure. | Identify publicly accessible endpoints. | EC2, Lambda |
Package & Dependency Analysis. | Detect library-level risks. | ECR, Lambda |
Software Inventory. | Maintain asset visibility. | EC2 |
Integration Findings. | Centralize results for remediation. | Security Hub, EventBridge |
No comments:
Post a Comment