Vulnerability Management Considerations for Rapid Amazon EC2 Growth
By Patrick McDowell, Sr. Partner Solutions Architect – AWS
By AM Grobelny, Principal Cloud Solutions Architect – Tenable
In the world of vulnerability management, it’s paramount to keep close watch over new or undiscovered hosts within your organization. It seems obvious: how can you scan for vulnerabilities on instances you don’t even know exist?
As more development and operations teams embrace the rapid prototyping, invention, and iteration that Amazon Web Services (AWS) provides, security teams face compute asset growth in minutes that previously may have taken months or years.
With this pace of innovation, your security teams may also face new challenges balancing proper due diligence in cataloging and scanning compute assets.
Friction can develop between development, operations, and security teams as the business strives for greater agility in building software. One leading cause of friction between these teams stems from vulnerability management requirements such as scanning agent installation and maintenance.
Tenable, an AWS Partner with the Security Competency, built a solution to ease the burdens for organizations that prioritize moving fast but want to maintain the same level of threat and risk detection.
In this post, we will outline how to use Tenable’s Frictionless Assessment for AWS to keep your Amazon Elastic Compute Cloud (Amazon EC2) instances inventoried and scanned without adding any additional processes to your development teams. No matter whether your teams create longer running or short-lived EC2 instances, Frictionless Assessment can help you assess your instances without the need to install a scanning agent.
Frictionless Assessment for AWS
In December 2020, Tenable launched a new way to inventory assets and run vulnerability scans within your AWS environment.
Tenable’s Frictionless Assessment for AWS requires no Tenable agents installed on your EC2 instances. Instead, it collects an inventory of data points through the AWS Systems Manager Agent (SSM Agent) already installed on some of the most popular AWS-provided Amazon Machine Images (AMIs).
Frictionless Assessment provides its functionality through Tenable’s collection of comprehensive vulnerability coverage powered by Nessus and through AWS Systems Manager, a hub for automating operational tasks across compute instances both on AWS and on premises.
Before we learn how to deploy and get started with Frictionless Assessment, let’s examine both Tenable and AWS Systems Manager in a bit more depth.
Tenable and AWS Systems Manager
Tenable provides a suite of products built for security professionals to inventory, assess, and manage vulnerabilities within infrastructure, container images, and running applications.
Additionally, Tenable offers a vulnerability priority rating (VPR) score for vulnerabilities meant to serve as a true remediation prioritization ranking beyond what the CVSS framework can provide.
Through highly tuned machine learning (ML) models fed by historical threat intelligence, Tenable’s VPR scores help to turn vulnerability noise into a more manageable and addressable list of remediations weighted by realistic threats such as publicly available exploit code.
AWS Systems Manager offers a centralized hub for managing your AWS operations at scale. With features like automation, you can use AWS-provided predefined runbooks, or create your own custom scripts and then execute those tasks across thousands of EC2 instances.
AWS Systems Manager also helps you create inventories of your managed EC2 instances by collecting metadata about them. You’ll see that Tenable’s Frictionless Assessment for AWS makes use of both of these features.
The SSM Agent connects your managed instances back to the AWS Systems Manager service to orchestrate your desired operations tasks. As previously mentioned, SSM Agent comes pre-installed on several AMIs of popular operating systems; however, you can install SSM Agent on other systems as well.
Tenable’s Frictionless Assessment for AWS combines the data collection capabilities of SSM Agent with the vulnerability management capabilities of Tenable.io without the need for any Tenable agents installed on your EC2 instances.
Figure 1 – Dataflow from Amazon EC2 instances to Tenable.io.
You’ll have to meet two prerequisites before we get started:
- Sign up for a free Tenable.io trial or have an existing Tenable.io account.
- Sign up for an AWS account or use an existing account.
At the time of publishing, Tenable’s Frictionless Assessment for AWS supports collecting data from EC2 instances with a tag of your choosing. Tags allow Frictionless Assessment to know which EC2 instances you want to include in your vulnerability management activities.
To enforce that this tag is required and populated on all instances, you can use an AWS Organization-level tag policy, an auto-tagging solution like the one described in this blog post, or a combination of the two.
Additionally, to include an EC2 instance in your Frictionless Assessment inventory, that instance will need SSM Agent installed. If your EC2 instance uses any of these AMIs, SSM Agent is pre-installed; otherwise, you’ll need to install SSM Agent with one of these guides.
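Both prerequisites above (the assessment tag and a registered SSM Agent) are easy to lose track of as instances come and go, so a periodic coverage check is worthwhile. The following is an added example, not Tenable's or AWS's code: a hypothetical helper that takes the JSON shapes returned by `aws ec2 describe-instances` and `aws ssm describe-instance-information` and lists running instances that Frictionless Assessment would miss. The instance data is constructed; the tag key `Tenable` and value `FA` are the example values used later in this post.

```python
"""Hypothetical coverage check (added example): find running EC2 instances that
Frictionless Assessment would miss because they lack the assessment tag or are not
an Online SSM managed instance. Input shapes follow `aws ec2 describe-instances`
and `aws ssm describe-instance-information`; the data below is constructed."""
import json

EC2_DESCRIBE = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
   "Tags": [{"Key": "Tenable", "Value": "FA"}, {"Key": "Name", "Value": "web-1"}]},
  {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
   "Tags": [{"Key": "Name", "Value": "batch-7"}]},
  {"InstanceId": "i-0ccc333", "State": {"Name": "running"},
   "Tags": [{"Key": "Tenable", "Value": "FA"}]},
  {"InstanceId": "i-0ddd444", "State": {"Name": "terminated"},
   "Tags": [{"Key": "Tenable", "Value": "FA"}]}
]}]}""")

SSM_INFO = json.loads("""{"InstanceInformationList": [
  {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
  {"InstanceId": "i-0ccc333", "PingStatus": "ConnectionLost"}
]}""")


def has_tag(instance, key, value):
    """True if the instance carries the exact tag key/value pair (tags are case-sensitive)."""
    return any(t.get("Key") == key and t.get("Value") == value
               for t in instance.get("Tags", []))


def coverage_gaps(ec2, ssm, tag_key="Tenable", tag_value="FA"):
    """Map instance id -> reason for every running instance that will not be assessed."""
    ssm_status = {i["InstanceId"]: i["PingStatus"]
                  for i in ssm.get("InstanceInformationList", [])}
    gaps = {}
    for reservation in ec2.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst["State"]["Name"] != "running":
                continue  # stopped/terminated instances are not live assessment targets
            iid = inst["InstanceId"]
            if not has_tag(inst, tag_key, tag_value):
                gaps[iid] = "missing tag %s:%s" % (tag_key, tag_value)
            elif ssm_status.get(iid) != "Online":
                gaps[iid] = "SSM Agent " + ssm_status.get(iid, "not registered")
    return gaps


if __name__ == "__main__":
    for iid, why in sorted(coverage_gaps(EC2_DESCRIBE, SSM_INFO).items()):
        print(iid, "->", why)
```

In a real account, feed the function the output of the two AWS CLI commands (or the equivalent boto3 calls) for each region; anything it reports is an instance that exists but will not show up in Tenable.io.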
Installing and Configuring Frictionless Assessment
Use the following steps to enable Tenable’s Frictionless Assessment for AWS to start collecting data on your tagged EC2 instances.
- Sign in to your Tenable.io account.
- Under the drop-down menu on the left, navigate to Settings.
- Within the Settings menu, find and select Cloud Connectors under the Integrations section.
Figure 2 – Settings panel in Tenable.io.
- In the Cloud Connectors page that opens, choose Create Cloud Connector to select a new cloud connector to create.
- Choose AWS – Keyless setup. In addition to Frictionless Assessment, you’ll create a Tenable Cloud Connector to AWS. Note that the AWS – Keyed setup is no longer recommended: the keyless setup requires no AWS access key and secret key to be created or stored.
- Give the connector a name for identification purposes, such as MyCompanyProdAWSAccountConnector.
- Enter your AWS account ID.
- After entering the AWS Connector name and your AWS account ID, select Create Stack.
Figure 3 – AWS CloudFormation template for Frictionless Assessment in the AWS console.
- Under Capabilities, select the check box to acknowledge the required AWS Identity and Access Management (IAM) resources. Select Create Stack and wait for AWS CloudFormation to complete creation of this stack.
- Back within the Cloud Connector configuration menu in Tenable.io, provide a tag key and value to identify the EC2 instances you want Frictionless Assessment to include for vulnerability assessment. For example, if you want to include all EC2 instances with a tag of Tenable:FA, enter Tenable under Tag Key and FA under Tag Value.
Note that you can add tags to existing EC2 instances with the AWS CLI or with any of the AWS SDKs. For an auto-tagging solution, see this blog post.
Figure 4 – AWS tag for Assessment Target.
- To save the Connector settings and start importing your AWS assets, select Save and Import. For additional information on more advanced setup options, see the Tenable documentation.
With Frictionless Assessment configured and installed within your AWS environment, you’ll immediately start to see AWS assets and their vulnerabilities begin to populate your Tenable.io account.
Note that assets discovered through AWS Systems Manager and Frictionless Assessment appear with an SSM icon within Tenable.io.
Figure 5 – Vulnerability information populated in Tenable.io from Frictionless Assessments.
Tenable’s Frictionless Assessment for AWS positions you and your security team to have a more complete understanding of the Amazon EC2 instances in your account, even when these instances come and go quickly.
Additionally, you no longer need to rely on development or operations teams to install the required scanning agents to discover that these EC2 instances even exist.
As you investigate your Tenable.io free trial, you can also explore a free trial of Tenable’s Web Application Scanning product for running in-depth vulnerability scans on pre-production and production web applications running behind Amazon API Gateway, Load Balancers, or websites hosted on Amazon Simple Storage Service (Amazon S3).
Tenable – AWS Partner Spotlight
Tenable is an AWS Security Competency Partner that provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance.