<h1><a href="https://aws.amazon.com/blogs/security/">AWS Security Blog</a></h1>
<p>The latest AWS security, identity, and compliance launches, announcements, and how-to posts. Feed built Tue, 16 Jan 2018 15:54:53 +0000.</p>

<h2><a href="https://aws.amazon.com/blogs/security/take-a-digital-tour-of-an-aws-data-center-to-see-how-aws-secures-data-centers-around-the-world/">Take a Digital Tour of an AWS Data Center to See How AWS Secures Data Centers Around The World</a></h2>
<p>Tue, 16 Jan 2018 13:55:17 +0000</p>
<p style="text-align: center"><a href="https://aws.amazon.com/compliance/data-center/" target="_blank" rel="noopener noreferrer"><img class="alignnone wp-image-6675 size-full" title="Data center tour banner image" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/12/05/DataCenterbanner_1217.png" alt="Data center tour banner image" width="1000" height="618" /></a></p>
<p>AWS has launched a <a href="https://aws.amazon.com/compliance/data-center/" target="_blank" rel="noopener noreferrer">digital tour of an AWS data center</a>, providing you with a first-ever look at how AWS secures data centers around the world. The videos, pictures, and information in this tour show you how security is intrinsic to the design of our data centers, our global controls, and the AWS culture.</p>
<p>As you will learn when you take this digital tour, the AWS data center security strategy is assembled with scalable security controls and multiple layers of defense that help to protect your information. For example, AWS carefully manages potential flood and seismic activity risks. We use physical barriers, security guards, threat detection technology, and an in-depth screening process to limit access to data centers. We back up our systems, regularly test equipment and processes, and continuously train AWS employees to be ready for the unexpected.</p>
<p>To validate the security of our data centers, external auditors perform testing on more than 2,600 standards and requirements throughout the year. Such independent examination helps ensure that security standards are consistently being met or exceeded. As a result, the most highly regulated organizations in the world trust AWS to protect their data.</p>
<p>Take the <a href="https://aws.amazon.com/compliance/data-center/" target="_blank" rel="noopener noreferrer">tour</a> today to learn more about how we secure our data centers.</p>
<p>– Chad</p>

<h2><a href="https://aws.amazon.com/blogs/security/a-new-guide-to-banking-regulations-and-guidelines-in-india/">A New Guide to Banking Regulations and Guidelines in India</a></h2>
<p>Mon, 15 Jan 2018 15:07:38 +0000</p>
<p style="text-align: center"><img class="alignnone wp-image-7071 size-full" title="Indian flag" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2018/01/10/IndianFlag_500x250a.png" alt="Indian flag" width="500" height="250" /></p>
<p>The <a href="https://d1.awsstatic.com/whitepapers/compliance/AWS_User_Guide_for_Banks_in_India.pdf" target="_blank" rel="noopener noreferrer">AWS User Guide to Banking Regulations and Guidelines in India</a> was published in December 2017 and includes information that can help banks regulated by the Reserve Bank of India (RBI) assess how to implement an appropriate information security, risk management, and governance program in the AWS Cloud.</p>
<p>The guide focuses on the following key considerations:</p>
<ul>
<li><strong>Outsourcing guidelines</strong> – Guidance for banks entering an outsourcing arrangement, including risk-management practices such as conducting due diligence and maintaining effective oversight. Learn how to conduct an assessment of AWS services and align your governance requirements with the <a href="https://aws.amazon.com/compliance/shared-responsibility-model/" target="_blank" rel="noopener noreferrer">AWS Shared Responsibility Model</a>.</li>
<li><strong>Information security</strong> – Detailed requirements to help banks identify and manage information security in the cloud.</li>
</ul>
<p>This guide joins the existing Financial Services guides for other jurisdictions, such as Singapore, Australia, and Hong Kong.
AWS will publish additional guides in 2018 to help you understand regulatory requirements in other markets around the world.</p>
<p>– Oliver</p>

<h2><a href="https://aws.amazon.com/blogs/security/validate-your-it-security-expertise-with-the-new-aws-certified-security-specialty-beta-exam/">Validate Your IT Security Expertise with the New AWS Certified Security – Specialty Beta Exam</a></h2>
<p>Thu, 11 Jan 2018 15:00:47 +0000</p>
<p><img class="aligncenter wp-image-7064 size-full" title="AWS Training and Certification image" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2018/01/08/AWSTrainingandCertification_blue_600x300.png" alt="AWS Training and Certification image" width="600" height="300" /></p>
<p>If you are an experienced cloud security professional, you can demonstrate and validate your expertise with the new <a href="https://aws.amazon.com/certification/beta-exam/" target="_blank" rel="noopener noreferrer">AWS Certified Security – Specialty beta exam</a>. This exam allows you to demonstrate your knowledge of incident response, logging and monitoring, infrastructure security, identity and access management, and data protection. Register today – this beta exam will be available only from January 15 to March 2, 2018.</p>
<p>By taking this exam, you can validate your:</p>
<ul>
<li>Familiarity with region-specific and country-specific security and compliance regulations and meta issues that these regulations include.</li>
<li>Understanding of data encryption methods and secure internet protocols, and the AWS mechanisms to implement them.</li>
<li>Working knowledge of AWS security services to provide a secure production environment.</li>
<li>Ability to make trade-off decisions with regard to cost, security, and deployment complexity when given a set of application requirements.</li>
</ul>
<p>See the <a href="https://aws.amazon.com/certification/beta-exam/" target="_blank" rel="noopener noreferrer">full list</a> of security knowledge you can validate by taking this beta exam.</p>
<h3>Who is eligible?</h3>
<p>The beta exam is open to anyone who currently holds an AWS Associate or Cloud Practitioner <a href="https://aws.amazon.com/certification/" target="_blank" rel="noopener noreferrer">certification</a>. We recommend candidates have five years of IT security experience designing and implementing security solutions, and at least two years of hands-on experience securing AWS workloads.</p>
<h3>How to prepare</h3>
<p>You can take the following courses and use AWS <a href="https://aws.amazon.com/security/security-resources/" target="_blank" rel="noopener noreferrer">cloud security resources</a> and <a href="https://aws.amazon.com/compliance/resources/" target="_blank" rel="noopener noreferrer">compliance resources</a> to prepare for this exam.</p>
<p><a href="https://aws.amazon.com/training/course-descriptions/security-fundamentals/" target="_blank" rel="noopener noreferrer">AWS Security Fundamentals</a> (digital, 3 hours)<br /> This digital course introduces you to fundamental cloud computing and AWS security concepts, including AWS access control and management, governance, logging, and encryption methods. It also covers security-related compliance protocols and risk management strategies, as well as procedures related to auditing your AWS security infrastructure.</p>
<p><a href="https://aws.amazon.com/training/course-descriptions/security-operations/" target="_blank" rel="noopener noreferrer">Security Operations on AWS</a> (classroom, 3 days)<br /> This instructor-led course demonstrates how to efficiently use AWS security services to help stay secure and compliant in the AWS Cloud. The course focuses on the AWS-recommended security best practices that you can implement to enhance the security of your AWS resources.
The course highlights the security features of AWS compute, storage, networking, and database services.</p>
<p>If you have questions about this new beta exam, <a href="http://proctor2.psionline.com/aws.asp" target="_blank" rel="noopener noreferrer">contact us</a>.</p>
<p>Good luck with the exam!</p>
<p>– Sara</p>

<h2><a href="https://aws.amazon.com/blogs/security/two-new-documents-to-help-you-navigate-australian-prudential-regulation-authority-apra-requirements/">Two New Documents to Help You Navigate Australian Prudential Regulation Authority (APRA) Requirements</a></h2>
<p>Tue, 09 Jan 2018 13:56:34 +0000</p>
<p style="text-align: center"><img class="alignnone wp-image-6998 size-full" title="APRA logo" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/12/20/APRA_400x200.png" alt="APRA logo" width="400" height="200" /></p>
<p>AWS has published two new documents to help Financial Services customers understand how to operate in the cloud within the requirements of the <a href="http://www.apra.gov.au/Pages/default.aspx" target="_blank" rel="noopener noreferrer">Australian Prudential Regulation Authority</a> (APRA). These documents continue AWS’s efforts to help customers navigate Australian regulatory requirements in a <a href="https://aws.amazon.com/compliance/shared-responsibility-model/" target="_blank" rel="noopener noreferrer">shared responsibility environment</a>.</p>
<p>The two new APRA-related documents are:</p>
<ul>
<li><a href="https://d1.awsstatic.com/whitepapers/compliance/AWS_User_Guide_to_Financial_Services_Regulations_and_Guidelines_in_Australia.pdf" target="_blank" rel="noopener noreferrer">AWS User Guide to Financial Services Regulations and Guidelines in Australia</a> – Summarizes APRA requirements and recommendations related to outsourcing, IT risk, and the cloud. This 34-page whitepaper is intended for APRA-regulated institutions looking to run material workloads in the cloud. It’s particularly useful for leadership, security, risk, and compliance teams that need to understand APRA requirements about outsourcing policies, agreements, and notification and consultation with APRA.</li>
<li><strong>The APRA CPG 234 Workbook</strong> (download through <a href="https://aws.amazon.com/artifact/" target="_blank" rel="noopener noreferrer">AWS Artifact</a>; an AWS account is required) – Includes a detailed analysis of the <a href="http://www.apra.gov.au/CrossIndustry/Documents/Prudential-Practice-Guide-CPG-234-Management-of-Security-Risk-May-2013.pdf" target="_blank" rel="noopener noreferrer">APRA CPG 234</a> guidelines and how they map to AWS controls. APRA-regulated institutions can use this 53-page guide when conducting technical due diligence before running material workloads in the cloud.</li>
</ul>
<p>These documents join existing guides for other jurisdictions in the Asia Pacific, such as India, Singapore, and Hong Kong.
We will release additional AWS Financial Services resource guides in 2018 to help you navigate regulatory requirements in other markets around the world.</p>
<p>– Oliver</p>

<h2><a href="https://aws.amazon.com/blogs/security/the-top-20-most-viewed-aws-iam-documentation-pages-in-2017/">The Top 20 Most Viewed AWS IAM Documentation Pages in 2017</a></h2>
<p>Fri, 05 Jan 2018 15:57:59 +0000</p>
<p style="text-align: center"><img class="alignnone wp-image-7058 size-full" title="AWS IAM image" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2018/01/05/IAM_social_v2_800x400.png" alt="AWS IAM image" width="800" height="400" /></p>
<p>The following 20 pages were the most viewed AWS Identity and Access Management (IAM) documentation pages in 2017. I have included a brief description with each link to explain what each page covers. Use this list to see what other AWS customers have been viewing and perhaps to pique your own interest in a topic you’ve been meaning to learn about.</p>
<ol>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html" target="_blank" rel="noopener noreferrer">What Is IAM?</a><br /> Learn more about IAM, a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and how they can use resources (authorization).</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html" target="_blank" rel="noopener noreferrer">Creating an IAM User in Your AWS Account</a><br /> You can create one or more IAM users in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html" target="_blank" rel="noopener noreferrer">Managing Access Keys for IAM Users</a><br /> Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html" target="_blank" rel="noopener noreferrer">IAM JSON Policy Elements Reference</a><br /> Learn more about the elements that you can use when you create a JSON policy. View additional JSON policy examples and learn about conditions, supported data types, and how they are used in various services.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" target="_blank" rel="noopener noreferrer">IAM Best Practices</a><br /> To help secure your AWS resources, follow these best practices for IAM.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html" target="_blank" rel="noopener noreferrer">Tutorial: Delegate Access to the Billing Console</a><br /> Learn how to delegate access to specific IAM users who need to view or manage AWS Billing and Cost Management data for an AWS account.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html" target="_blank" rel="noopener noreferrer">Using Multi-Factor Authentication (MFA) in AWS</a><br /> For an additional layer of security when signing in to your AWS account, AWS recommends that you configure MFA to help protect your AWS resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device when they access AWS websites or services.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/console.html" target="_blank" rel="noopener noreferrer">The IAM Console and the Sign-in Page</a><br /> Learn about the IAM-enabled AWS Management Console sign-in page and how to sign in as an AWS account root user or as an IAM user. To help your users sign in easily, create a unique sign-in URL for your account.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html" target="_blank" rel="noopener noreferrer">Enabling a Virtual MFA Device</a><br /> Learn how to enable and manage virtual MFA devices from the AWS Management Console.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_how-users-sign-in.html" target="_blank" rel="noopener noreferrer">How Users Sign In to Your Account</a><br /> After you create IAM users and passwords for each, your users can sign in to the AWS Management Console using your account ID or alias, or from a special URL that includes your account ID.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html" target="_blank" rel="noopener noreferrer">Working with Server Certificates</a><br /> Some AWS services can use server certificates that you manage with IAM or <a href="https://aws.amazon.com/acm/" target="_blank" rel="noopener noreferrer">AWS Certificate Manager</a> (ACM). ACM is the preferred tool to provision, manage, and deploy your server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html" target="_blank" rel="noopener noreferrer">Your AWS Account ID and Its Alias</a><br /> Learn how to find your AWS account ID and its alias.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html" target="_blank" rel="noopener noreferrer">IAM Roles</a><br /> A role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS using <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html" target="_blank" rel="noopener noreferrer">temporary security credentials</a> that are created dynamically and provided to the user. A role is intended to be assumable by anyone who needs it using these temporary security credentials.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" target="_blank" rel="noopener noreferrer">IAM Policies</a><br /> Read an overview of policies, which are entities in AWS that, when attached to an identity or resource, define their permissions. Policies are stored in AWS as JSON documents attached to principals as <em>identity-based policies</em> or to resources as <em>resource-based policies</em>.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html" target="_blank" rel="noopener noreferrer">Example Policies</a><br /> This collection of policies can help you define permissions for your IAM identities, such as granting access to a specific Amazon DynamoDB table or launching Amazon EC2 instances in a specific subnet.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html" target="_blank" rel="noopener noreferrer">Tutorial: Delegate Access Across AWS Accounts Using IAM Roles</a><br /> Learn how to use an IAM role to delegate access to resources that are in different AWS accounts that you own.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html" target="_blank" rel="noopener noreferrer">Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances</a><br /> Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use a role, you do not have to distribute long-term credentials to an EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html" target="_blank" rel="noopener noreferrer">Creating Your First IAM Admin User and Group</a><br /> As a best practice, do not use the AWS account root user for any task where it’s not required.
Instead, learn how to create an IAM administrator user and group for yourself.</li>
<li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html" target="_blank" rel="noopener noreferrer">Temporary Security Credentials</a><br /> You can use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.</li>
<li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html" target="_blank" rel="noopener noreferrer">The AWS Account Root User</a><br /> When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. To manage your root user, follow the steps on this page.</li>
</ol>
<p>In the “Comments” section below, let us know if you would like to see anything on these or other IAM documentation pages expanded or updated to make them more useful to you.</p>
<p>– Stephenie</p>

<h2><a href="https://aws.amazon.com/blogs/security/the-top-10-most-downloaded-aws-security-and-compliance-documents-in-2017/">The Top 10 Most Downloaded AWS Security and Compliance Documents in 2017</a></h2>
<p>Fri, 05 Jan 2018 15:08:31 +0000</p>
<p><img class="aligncenter wp-image-7036 size-medium" title="AWS download logo" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2018/01/02/whitepaper-generic-300x235.png" alt="AWS download logo" width="300" height="235" /></p>
<p>The following list includes the ten most downloaded AWS security and compliance documents in 2017. Using this list, you can learn about what other AWS customers found most interesting about security and compliance last year.</p>
<ol>
<li><a href="https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf" target="_blank" rel="noopener noreferrer">AWS Security Best Practices</a> – This guide is intended for customers who are designing the security infrastructure and configuration for applications running on AWS. The guide provides security best practices that will help you define your Information Security Management System (ISMS) and build a set of security policies and processes for your organization so that you can protect your data and assets in the AWS Cloud.</li>
<li><a href="https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf" target="_blank" rel="noopener noreferrer">AWS: Overview of Security Processes</a> – This whitepaper describes the physical and operational security processes for the AWS managed network and infrastructure, and helps answer questions such as, “How does AWS help me protect my data?”</li>
<li><a href="https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf" target="_blank" rel="noopener noreferrer">Architecting for HIPAA Security and Compliance on AWS</a> – This whitepaper describes how to leverage AWS to develop applications that meet HIPAA and HITECH compliance requirements.</li>
<li><a href="https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf" target="_blank" rel="noopener noreferrer">Service Organization Controls (SOC) 3 Report</a> – This publicly available report describes internal AWS security controls, availability, processing integrity, confidentiality, and privacy.</li>
<li><a href="https://d1.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf" target="_blank" rel="noopener noreferrer">Introduction to AWS Security</a> – This document provides an introduction to AWS’s approach to security, including the controls in the AWS environment, and some of the products and features that AWS makes available to customers to meet your security objectives.</li>
<li><a href="https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf" target="_blank" rel="noopener noreferrer">AWS Best Practices for DDoS Resiliency</a> – This whitepaper covers techniques to mitigate distributed denial of service (DDoS) attacks.</li>
<li><a href="https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf" target="_blank" rel="noopener noreferrer">AWS: Risk and Compliance</a> – This whitepaper provides information to help customers integrate AWS into their existing control framework, including a basic approach for evaluating AWS controls and a description of AWS certifications, programs, reports, and third-party attestations.</li>
<li><a href="https://d0.awsstatic.com/whitepapers/Security/aws-waf-owasp.pdf" target="_blank" rel="noopener noreferrer">Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities</a> – AWS WAF is a web application firewall that helps you protect your websites and web applications against various attack vectors at the HTTP protocol level.
This whitepaper outlines how you can use AWS WAF to mitigate the application vulnerabilities that are defined in the Open Web Application Security Project (OWASP) Top 10 list of most common categories of application security flaws.</li>
<li><a href="https://d0.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf" target="_blank" rel="noopener noreferrer">Introduction to Auditing the Use of AWS</a> – This whitepaper provides information, tools, and approaches for auditors to use when auditing the security of the AWS managed network and infrastructure.</li>
<li><a href="https://d1.awsstatic.com/whitepapers/compliance/AWS_Compliance_Quick_Reference.pdf" target="_blank" rel="noopener noreferrer">AWS Security and Compliance: Quick Reference Guide</a> – By using AWS, you inherit the many security controls that we operate, thus reducing the number of security controls that you need to maintain. Your own compliance and certification programs are strengthened while at the same time lowering your cost to maintain and run your specific security assurance requirements. Learn more in this quick reference guide.</li>
</ol>
<p>– Sara</p>

<h2><a href="https://aws.amazon.com/blogs/security/the-most-viewed-aws-security-blog-posts-in-2017/">The Most Viewed AWS Security Blog Posts in 2017</a></h2>
<p>Wed, 03 Jan 2018 14:42:38 +0000</p>
<p style="text-align: center"><img class="alignnone wp-image-7027 size-full" title="AWS security image" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2018/01/02/security_feature.png" alt="AWS security image" width="250" height="250" /></p>
<p>The following 10 posts were the most viewed AWS Security Blog posts that we published <em>during 2017</em>. You can use this list as a guide to catch up on your AWS Security Blog reading or read a post again that you found particularly useful.</p>
<ol>
<li><a href="https://aws.amazon.com/blogs/security/coming-soon-improvements-to-how-you-sign-in-to-your-aws-account/" target="_blank" rel="noopener noreferrer">Coming Soon: Improvements to How You Sign In to Your AWS Account</a></li>
<li><a href="https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/" target="_blank" rel="noopener noreferrer">Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI</a></li>
<li><a href="https://aws.amazon.com/blogs/security/aws-and-the-general-data-protection-regulation/" target="_blank" rel="noopener noreferrer">AWS and the General Data Protection Regulation (GDPR)</a></li>
<li><a href="https://aws.amazon.com/blogs/security/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption/" target="_blank" rel="noopener noreferrer">How to Protect Data at Rest with Amazon EC2 Instance Store Encryption</a></li>
<li><a href="https://aws.amazon.com/blogs/security/s2n-is-now-handling-100-percent-of-of-ssl-traffic-for-amazon-s3/" target="_blank" rel="noopener noreferrer">s2n Is Now Handling 100 Percent of SSL Traffic for Amazon S3</a></li>
<li><a href="https://aws.amazon.com/blogs/security/easily-replace-or-attach-an-iam-role-to-an-existing-ec2-instance-by-using-the-ec2-console/" target="_blank" rel="noopener noreferrer">Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console</a></li>
<li><a href="https://aws.amazon.com/blogs/security/how-to-monitor-host-based-intrusion-detection-system-alerts-on-amazon-ec2-instances/" target="_blank" rel="noopener noreferrer">How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances</a></li>
<li><a href="https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/" target="_blank" rel="noopener noreferrer">How to Prepare for AWS’s Move to Its Own Certificate Authority</a></li>
<li><a href="https://aws.amazon.com/blogs/security/introducing-aws-single-sign-on/" target="_blank" rel="noopener noreferrer">Introducing AWS Single Sign-On</a></li>
<li><a href="https://aws.amazon.com/blogs/security/how-to-visualize-and-refine-your-networks-security-by-adding-security-group-ids-to-your-vpc-flow-logs/" target="_blank" rel="noopener noreferrer">How to Visualize and Refine Your Network’s Security by Adding Security Group IDs to Your VPC Flow Logs</a></li>
</ol>
<p>The following 10 posts <em>published since the blog’s inception</em> in April 2013 were the most viewed AWS Security Blog posts in 2017.</p>
<ol>
<li><a href="https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/" target="_blank" rel="noopener noreferrer">Where’s My Secret Access Key?</a></li>
<li><a href="https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/" target="_blank" rel="noopener noreferrer">Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket</a></li>
<li><a href="https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/" target="_blank" rel="noopener noreferrer">How to Restrict Amazon S3 Bucket Access to a Specific IAM Role</a></li>
<li><a href="https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/" target="_blank" rel="noopener noreferrer">Securely 
Connect to Linux Instances Running in a Private Amazon VPC</a></li> <li><a href="https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/" target="_blank" rel="noopener noreferrer">Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket</a></li> <li><a href="https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/" target="_blank" rel="noopener noreferrer">How to Control Access to Your Amazon Elasticsearch Service Domain</a></li> <li><a href="https://aws.amazon.com/blogs/security/coming-soon-improvements-to-how-you-sign-in-to-your-aws-account/" target="_blank" rel="noopener noreferrer">Coming Soon: Improvements to How You Sign In to Your AWS Account</a></li> <li><a href="https://aws.amazon.com/blogs/security/a-new-and-standardized-way-to-manage-credentials-in-the-aws-sdks/" target="_blank" rel="noopener noreferrer">A New and Standardized Way to Manage Credentials in the AWS SDKs</a></li> <li><a href="https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/" target="_blank" rel="noopener noreferrer">How to Connect Your On-Premises Active Directory to AWS Using AD Connector</a></li> <li><a href="https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/" target="_blank" rel="noopener noreferrer">Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0</a></li> </ol> <p>Let us know in the comments section below if there is a specific security or compliance topic you would like us to cover on the Security Blog in 2018.</p> <p>– Craig</p> How to Encrypt Amazon S3 Objects with the AWS SDK for Ruby https://aws.amazon.com/blogs/security/how-to-encrypt-amazon-s3-objects-with-the-aws-sdk-for-ruby/ Wed, 27 Dec 2017 17:24:07 +0000 d4fb737c541d7809db6f55cf0fbae8be4a2d64a8
<p><img class="aligncenter wp-image-6958 size-full" title="AWS KMS image" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/12/19/KMS_feature.png" alt="AWS KMS image" width="250" height="250" /></p> <p>Recently, Amazon announced some <a href="https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/" target="_blank" rel="noopener noreferrer">new Amazon S3 encryption and security features</a>. The AWS Blog post showed how to use the <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener noreferrer">Amazon S3</a> console to take advantage of these new features. However, if you have a large number of Amazon S3 buckets, using the console to implement these features could take hours, if not days. As an alternative, I created documentation topics in the <a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/welcome.html" target="_blank" rel="noopener noreferrer">AWS SDK for Ruby Developer Guide</a> that include code examples showing you how to use the new Amazon S3 encryption features using the <a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/api/index.html" target="_blank" rel="noopener noreferrer">AWS SDK for Ruby</a>.</p> <h3>What are my encryption options?</h3> <p>You can encrypt Amazon S3 <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html" target="_blank" rel="noopener noreferrer">bucket objects</a> on a server or on a client:</p> <ul> <li><strong>When you encrypt objects on a server</strong>, you request that Amazon S3 encrypt the objects before saving them to disk in data centers and decrypt the objects when you download them. 
The main advantage of this approach is that Amazon S3 manages the entire encryption process.</li> <li><strong>When you encrypt objects on a client</strong>, you encrypt the objects before you upload them to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. Use this option when: <ul> <li>Company policy and standards require it.</li> <li>You already have a development process in place that meets your needs.</li> </ul> <p>Encrypting on the client has always been available, but you should know the following points:</p> <ul> <li>You must be diligent about protecting your encryption keys, which is analogous to having a burglar-proof lock on your front door. If you leave a key under the mat, your security is compromised.</li> <li>If you lose your encryption keys, you won’t be able to decrypt your data.</li> </ul> <p>If you encrypt objects on the client, we strongly recommend that you use an <a href="https://aws.amazon.com/kms/" target="_blank" rel="noopener noreferrer">AWS Key Management Service</a> (AWS KMS) managed customer master key (CMK).</p></li> </ul> <h2>How to use encryption on a server</h2> <p>You can specify that Amazon S3 automatically encrypts objects as you upload them to a bucket, or require that objects include server-side encryption before they can be uploaded to an Amazon S3 bucket.</p> <p>The advantage of these settings is that when you specify them, you ensure that objects uploaded to Amazon S3 are encrypted. 
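</p>
<p>The client-side public-key option described in the previous section, worked through as an added example: this is not the AWS SDK for Ruby's encryption client or its object format (the SDK's own format is different and not interoperable with this demo), and the <code>x-demo-*</code> metadata names are placeholders. It shows the envelope pattern, a fresh AES-256-GCM data key per object with only that key wrapped by the RSA public key, and why a lost or substituted private key leaves the object unrecoverable.</p>

```ruby
require 'openssl'
require 'base64'

# Added illustration (not the AWS SDK for Ruby's code or object format) of the
# client-side, public-key option: each object gets a fresh AES-256-GCM data
# key, and only that data key is wrapped with the RSA public key. The
# "x-demo-*" metadata names are placeholders standing in for whatever an
# encryption client stores alongside the object.
module EnvelopeDemo
  class DecryptError < StandardError; end

  CEK_ALG = 'aes-256-gcm'.freeze
  GCM_IV_LEN = 12

  # Encrypt +plaintext+ for whoever holds the private half of +public_key+.
  # Returns [ciphertext, metadata]; metadata carries the wrapped data key, the
  # IV and the GCM tag, base64-encoded so it is safe to store as text.
  def self.encrypt_object(plaintext, public_key)
    cipher = OpenSSL::Cipher.new(CEK_ALG).encrypt
    data_key = cipher.random_key            # 32 random bytes, used for one object only
    cipher.iv_len = GCM_IV_LEN
    iv = cipher.random_iv
    cipher.auth_data = ''
    ciphertext = cipher.update(plaintext) + cipher.final

    # Only the 32-byte data key goes through RSA (OAEP padding); the body never does.
    wrapped_key = public_key.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    metadata = {
      'x-demo-key'     => Base64.strict_encode64(wrapped_key),
      'x-demo-iv'      => Base64.strict_encode64(iv),
      'x-demo-tag'     => Base64.strict_encode64(cipher.auth_tag),
      'x-demo-cek-alg' => CEK_ALG
    }
    [ciphertext, metadata]
  end

  # Unwrap the data key with +private_key+, then authenticate and decrypt the
  # body. A wrong or lost private key, a tampered body or a tampered tag all
  # surface as DecryptError rather than as silently wrong plaintext.
  def self.decrypt_object(ciphertext, metadata, private_key)
    raise DecryptError, 'unsupported content-encryption algorithm' unless metadata['x-demo-cek-alg'] == CEK_ALG

    wrapped_key = Base64.strict_decode64(metadata['x-demo-key'])
    data_key = private_key.private_decrypt(wrapped_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)

    decipher = OpenSSL::Cipher.new(CEK_ALG).decrypt
    decipher.key = data_key
    decipher.iv_len = GCM_IV_LEN
    decipher.iv = Base64.strict_decode64(metadata['x-demo-iv'])
    decipher.auth_tag = Base64.strict_decode64(metadata['x-demo-tag'])
    decipher.auth_data = ''
    decipher.update(ciphertext) + decipher.final   # final verifies the GCM tag
  rescue OpenSSL::PKey::RSAError, OpenSSL::Cipher::CipherError, ArgumentError => e
    raise DecryptError, "cannot decrypt object: #{e.class}"
  end
end

if $PROGRAM_NAME == __FILE__
  key_pair = OpenSSL::PKey::RSA.generate(2048)   # private key: keep it, or the data is gone
  body, meta = EnvelopeDemo.encrypt_object('constructed sample object body', key_pair)
  puts "stored metadata: #{meta.keys.join(', ')}"
  puts EnvelopeDemo.decrypt_object(body, meta, key_pair)
end
```
<p>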
Alternatively, you can have Amazon S3 encrypt individual objects on the server as you upload them to a bucket or encrypt them on the server with your own key as you upload them to a bucket.</p> <p>The AWS SDK for Ruby Developer Guide now contains the following topics that explain your encryption options on a server:</p> <ul> <li><a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-default-server-side-encryption.html" target="_blank" rel="noopener noreferrer">Setting Default Server-Side Encryption for an Amazon S3 Bucket</a> – Describes how to specify that objects uploaded to a bucket are automatically encrypted by Amazon S3.</li> <li><a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-server-side-encryption.html" target="_blank" rel="noopener noreferrer">Encrypting an Amazon S3 Bucket Object on the Server</a> – Describes how to have Amazon S3 encrypt an object when it’s uploaded to a bucket.</li> <li><a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-enforce-server-side-encryption.html" target="_blank" rel="noopener noreferrer">Requiring Encryption on the Server to Upload Amazon S3 Bucket Objects</a> – Describes how to require objects uploaded to a bucket be encrypted by Amazon S3 using a bucket policy.</li> <li><a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-server-side-encryption-with-user-managed-key.html" target="_blank" rel="noopener noreferrer">Encrypting an Amazon S3 Bucket Object with an AWS KMS Key</a> – Describes how to have Amazon S3 encrypt an object with a key that you provide when you upload the object to a bucket.</li> </ul> <h2>How to use encryption on a client</h2> <p>You can encrypt objects on a client before you upload them to a bucket and decrypt them after you download them from a bucket by using the <a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Encryption.html" target="_blank" rel="noopener noreferrer">Amazon S3 
encryption client</a>.</p> <p>The AWS SDK for Ruby Developer Guide now contains the following topics that explain your encryption options on the client:</p> <ul> <li><a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-client-side-encryption-with-kms-master-key.html" target="_blank" rel="noopener noreferrer">Encrypting an Amazon S3 Bucket Object with an AWS KMS Key</a> and <a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-client-side-decrypt-item-with-kms-master-key.html" target="_blank" rel="noopener noreferrer">Decrypting an Amazon S3 Bucket Object with an AWS KMS Key</a> – Describe how to encrypt and decrypt an object with an AWS KMS managed CMK. CMKs are either customer managed or AWS managed. For more information, see <a href="http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html" target="_blank" rel="noopener noreferrer">AWS Key Management Service Concepts</a>.</li> <li><a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-client-side-encryption-with-public-key.html" target="_blank" rel="noopener noreferrer">Encrypting an Amazon S3 Bucket Object with a Public Key</a> and <a href="http://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-example-client-side-decrypt-item-with-private-key.html" target="_blank" rel="noopener noreferrer">Decrypting an Amazon S3 Bucket Object with a Private Key</a> – Describe how to encrypt and decrypt an object with a public/private RSA key. Public keys can be distributed to others so that they can encrypt data; however, only those in possession of a private key can decrypt that data. 
For more information, see <a href="http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/PKey.html" target="_blank" rel="noopener noreferrer">OpenSSL::PKey</a>.</li> </ul> <p><strong>Note: </strong>The Amazon S3 encryption client in the AWS SDK for Ruby is compatible with other Amazon S3 encryption clients, but it is not compatible with other AWS client-side encryption libraries, including the <a href="http://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html" target="_blank" rel="noopener noreferrer">AWS Encryption SDK</a> and the <a href="http://github.com/awslabs/aws-dynamodb-encryption-java" target="_blank" rel="noopener noreferrer">Amazon DynamoDB encryption client for Java</a>. Each library returns a different ciphertext (“encrypted message”) format, so you can’t use one library to encrypt objects and a different library to decrypt them. For more information, see <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html" target="_blank" rel="noopener noreferrer">Protecting Data Using Client-Side Encryption</a>.</p> <p>If you have comments about this blog post, submit them in the “Comments” section below. If you have questions about encrypting objects on servers and clients, start a new thread on the <a href="https://forums.aws.amazon.com/forum.jspa?forumID=24" target="_blank" rel="noopener noreferrer">Amazon S3 forum</a> or <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p> <p>– Doug</p> AWS Updated Its ISO Certifications and Now Has 67 Services Under ISO Compliance https://aws.amazon.com/blogs/security/aws-updated-its-iso-certifications-and-now-has-67-services-under-iso-compliance/ Wed, 20 Dec 2017 15:53:12 +0000 cbbb44a3ff3d7c0d3108cef6515cb2af40151f27
<p><img class="wp-image-7007 size-full aligncenter" title="ISO 9001 logo" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/12/26/ISO_gen.png" alt="" width="548" height="371" /></p> <p>AWS has updated its certifications against <a href="https://aws.amazon.com/compliance/iso-9001-faqs/" target="_blank" rel="noopener noreferrer">ISO 9001</a>, <a href="https://aws.amazon.com/compliance/iso-27001-faqs/" target="_blank" rel="noopener noreferrer">ISO 27001</a>, <a href="https://aws.amazon.com/compliance/iso-27017-faqs/" target="_blank" rel="noopener noreferrer">ISO 27017</a>, and <a href="https://aws.amazon.com/compliance/iso-27018-faqs/" target="_blank" rel="noopener noreferrer">ISO 27018</a> standards, bringing the total to 67 services now under ISO compliance. We added the following 29 services this cycle:</p> <table style="height: 366px" width="1200;" cellspacing="0;" cellpadding="0;"> <tbody> <tr> <td>• <a href="https://aws.amazon.com/rds/aurora/" target="_blank" rel="noopener noreferrer">Amazon Aurora</a></td> <td>• <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html" target="_blank" rel="noopener noreferrer">Amazon S3 Transfer Acceleration</a></td> <td>• <a href="https://aws.amazon.com/lambda/edge/" target="_blank" rel="noopener noreferrer">AWS Lambda@Edge</a></td> </tr> <tr> <td>• <a href="https://aws.amazon.com/cloud-directory/" target="_blank" rel="noopener noreferrer">Amazon Cloud Directory</a></td> <td>• <a href="https://aws.amazon.com/sagemaker/" target="_blank" rel="noopener noreferrer">Amazon SageMaker</a></td> <td>• <a href="https://aws.amazon.com/managed-services/" target="_blank" rel="noopener noreferrer">AWS Managed Services</a></td> </tr> <tr> <td>• <a 
href="http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html" target="_blank" rel="noopener noreferrer">Amazon CloudWatch Logs</a></td> <td>• <a href="https://aws.amazon.com/sns/" target="_blank" rel="noopener noreferrer">Amazon Simple Notification Service</a></td> <td>• <a href="https://aws.amazon.com/opsworks/stacks/" target="_blank" rel="noopener noreferrer">AWS OpsWorks Stacks</a></td> </tr> <tr> <td>• <a href="https://aws.amazon.com/cognito/" target="_blank" rel="noopener noreferrer">Amazon Cognito</a></td> <td>• <a href="https://aws.amazon.com/autoscaling/" target="_blank" rel="noopener noreferrer">Auto Scaling</a></td> <td>• <a href="https://aws.amazon.com/shield/" target="_blank" rel="noopener noreferrer">AWS Shield</a></td> </tr> <tr> <td>• <a href="https://aws.amazon.com/connect/" target="_blank" rel="noopener noreferrer">Amazon Connect</a></td> <td>• <a href="https://aws.amazon.com/batch/" target="_blank" rel="noopener noreferrer">AWS Batch</a></td> <td>• <a href="https://aws.amazon.com/snowball-edge/" target="_blank" rel="noopener noreferrer">AWS Snowball Edge</a></td> </tr> <tr> <td>• <a href="https://aws.amazon.com/ecr/" target="_blank" rel="noopener noreferrer">Amazon Elastic Container Registry</a></td> <td>• <a href="https://aws.amazon.com/codebuild/" target="_blank" rel="noopener noreferrer">AWS CodeBuild</a></td> <td>• <a href="https://aws.amazon.com/snowmobile/" target="_blank" rel="noopener noreferrer">AWS Snowmobile</a></td> </tr> <tr> <td>• <a href="https://aws.amazon.com/inspector/" target="_blank" rel="noopener noreferrer">Amazon Inspector</a></td> <td>• <a href="https://aws.amazon.com/codecommit/" target="_blank" rel="noopener noreferrer">AWS CodeCommit</a></td> <td>• <a href="https://aws.amazon.com/step-functions/" target="_blank" rel="noopener noreferrer">AWS Step Functions</a></td> </tr> <tr> <td>• <a href="https://aws.amazon.com/kinesis/data-streams/" target="_blank" rel="noopener noreferrer">Amazon Kinesis 
Data Streams</a></td> <td>• <a href="https://aws.amazon.com/codedeploy/" target="_blank" rel="noopener noreferrer">AWS CodeDeploy</a></td> <td>• <a href="https://aws.amazon.com/systems-manager/" target="_blank" rel="noopener noreferrer">AWS Systems Manager</a>&nbsp;(formerly Amazon EC2 Systems Manager)</td> </tr> <tr> <td>• <a href="https://aws.amazon.com/macie/" target="_blank" rel="noopener noreferrer">Amazon Macie</a></td> <td>• <a href="https://aws.amazon.com/codepipeline/" target="_blank" rel="noopener noreferrer">AWS CodePipeline</a></td> <td>• <a href="https://aws.amazon.com/xray/" target="_blank" rel="noopener noreferrer">AWS X-Ray</a></td> </tr> <tr> <td>• <a href="https://quicksight.aws/" target="_blank" rel="noopener noreferrer">Amazon QuickSight</a></td> <td>• <a href="https://aws.amazon.com/iot-core/" target="_blank" rel="noopener noreferrer">AWS IoT Core</a></td> <td></td> </tr> </tbody> </table> <p>For the complete list of services under ISO compliance, see <a href="https://aws.amazon.com/compliance/services-in-scope/" target="_blank" rel="noopener noreferrer">AWS Services in Scope by Compliance Program</a>.</p> <p>AWS maintains certifications through extensive audits of its controls to ensure that information security risks that affect the confidentiality, integrity, and availability of company and customer information are appropriately managed.</p> <p>You can download copies of the AWS ISO certificates that contain AWS’s in-scope services and Regions, and use these certificates to jump-start your own certification efforts:</p> <ul> <li><a href="https://d1.awsstatic.com/certifications/iso_9001_certification.pdf" target="_blank" rel="noopener noreferrer">AWS ISO 9001 certificate</a></li> <li><a href="https://d1.awsstatic.com/certifications/iso_27001_global_certification.pdf" target="_blank" rel="noopener noreferrer">AWS ISO 27001 certificate</a></li> <li><a href="https://d1.awsstatic.com/certifications/iso_27017_certification.pdf" target="_blank" 
rel="noopener noreferrer">AWS ISO 27017 certificate</a></li> <li><a href="https://d1.awsstatic.com/certifications/iso_27018_certification.pdf" target="_blank" rel="noopener noreferrer">AWS ISO 27018 certificate</a></li> </ul> <p>AWS does not increase service costs in any AWS Region as a result of updating its certifications.</p> <p>To learn more about compliance in the AWS Cloud, see&nbsp;<a href="https://aws.amazon.com/compliance/" target="_blank" rel="noopener noreferrer">AWS Cloud Compliance</a>.</p> <p>– Chad</p> How to Set Up Continuous Golden AMI Vulnerability Assessments with Amazon Inspector https://aws.amazon.com/blogs/security/how-to-set-up-continuous-golden-ami-vulnerability-assessments-with-amazon-inspector/ Wed, 20 Dec 2017 14:50:06 +0000 22924fda0fb518d52abbd070215497553ef63ef6 <p>As companies mature in their cloud journey, they implement layered security capabilities and practices in their cloud architectures. One such practice is to continually assess golden <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" target="_blank" rel="noopener noreferrer">Amazon Machine Images</a> (AMIs) for security vulnerabilities. AMIs provide the information required to launch an <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Instances.html" target="_blank" rel="noopener noreferrer">Amazon EC2 instance</a>, which is a virtual server in the AWS Cloud. A <em>golden AMI</em> is an AMI that contains the latest security patches, software, configuration, and software agents that you need to install for logging, security maintenance, and performance monitoring. 
You can build and deploy golden AMIs in your environment, but the AMIs quickly become dated as new vulnerabilities are discovered.</p> <p>A security best practice is to perform routine vulnerability assessments of your golden AMIs to identify if newly found vulnerabilities apply to them. If you identify a vulnerability, you can update your golden AMIs with the appropriate security patches, test the AMIs, and deploy the patched AMIs in your environment. In this blog post, I demonstrate how to use <a href="https://aws.amazon.com/inspector/" target="_blank" rel="noopener noreferrer">Amazon Inspector</a> to set up such continuous vulnerability assessments to scan your golden AMIs routinely.</p> <h3>Solution overview</h3> <p>Amazon Inspector performs security assessments of <a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener noreferrer">Amazon EC2</a> instances by using AWS managed <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html#InspectorRulePackages" target="_blank" rel="noopener noreferrer">rules packages</a> such as the <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html" target="_blank" rel="noopener noreferrer">Common Vulnerabilities and Exposures</a> (CVEs) package. The solution in this post creates EC2 instances from golden AMIs and then runs an Amazon Inspector security assessment on the created instances. When the assessment results are available, the solution consolidates the findings and advises you about next steps. 
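</p>
<p>As an added illustration of the consolidation step just mentioned (this is not the post's Lambda code), the following Ruby attaches the golden AMI tags copied onto each assessed instance to that instance's findings and rolls the findings up by severity per <code>app-name</code>. The findings and tag maps are constructed samples shaped like Amazon Inspector's <code>describe_findings</code> output; the field names are assumptions.</p>

```ruby
# Added illustration (not the post's Lambda code) of the consolidation step:
# attach the tags copied onto each assessed instance to that instance's
# findings, then roll the findings up per golden AMI and severity. The
# structures are constructed samples shaped like Amazon Inspector's
# describe_findings output (severity, assetAttributes.agentId, userAttributes);
# treat the field names as assumptions.
module GoldenAmiReport
  SEVERITIES = %w[High Medium Low Informational].freeze
  TAGS_TO_COPY = %w[app-name app-version app-environment].freeze   # the tags the post asks you to set

  # Constructed sample data (not real findings or instances).
  SAMPLE_TAGS = {
    'i-0aaa111constructed' => { 'app-name' => 'web', 'app-version' => '1.4', 'app-environment' => 'prod' },
    'i-0bbb222constructed' => { 'app-name' => 'batch', 'app-version' => '0.9', 'app-environment' => 'test' }
  }.freeze
  SAMPLE_FINDINGS = [
    { 'arn' => 'arn:aws:inspector:example:finding/1', 'severity' => 'High',
      'title' => 'constructed CVE-style finding', 'assetAttributes' => { 'agentId' => 'i-0aaa111constructed' } },
    { 'arn' => 'arn:aws:inspector:example:finding/2', 'severity' => 'Medium',
      'title' => 'constructed CIS benchmark finding', 'assetAttributes' => { 'agentId' => 'i-0aaa111constructed' } },
    { 'arn' => 'arn:aws:inspector:example:finding/3', 'severity' => 'Low',
      'title' => 'constructed best-practice finding', 'assetAttributes' => { 'agentId' => 'i-0bbb222constructed' } },
    { 'arn' => 'arn:aws:inspector:example:finding/4', 'severity' => 'Medium',
      'title' => 'finding on an instance this run did not launch', 'assetAttributes' => { 'agentId' => 'i-0ccc333constructed' } }
  ].freeze

  # instance_tags maps instance ID => tag hash (what was copied from the AMI).
  # Returns the findings that belong to our instances, each with the
  # userAttributes list you would hand to add_attributes_to_findings; findings
  # from instances this run does not know are dropped, not mis-attributed.
  def self.attach_tags(findings, instance_tags)
    findings.filter_map do |finding|
      tags = instance_tags[finding.dig('assetAttributes', 'agentId')]
      next unless tags
      attrs = TAGS_TO_COPY.filter_map { |k| { 'key' => k, 'value' => tags[k] } if tags[k] }
      finding.merge('userAttributes' => attrs)
    end
  end

  # Count findings per app-name and severity. Every severity is present (as 0)
  # so a report never hides a category; unexpected severities go to 'Unknown'.
  def self.summarize(tagged_findings)
    summary = Hash.new { |h, app| h[app] = (SEVERITIES + ['Unknown']).to_h { |s| [s, 0] } }
    tagged_findings.each do |finding|
      app_attr = finding['userAttributes'].find { |a| a['key'] == 'app-name' }
      app = app_attr ? app_attr['value'] : 'untagged'
      sev = SEVERITIES.include?(finding['severity']) ? finding['severity'] : 'Unknown'
      summary[app][sev] += 1
    end
    summary
  end

  # One line per golden AMI for the results topic, flagging the ones that need
  # a patch-and-rebuild cycle.
  def self.report_text(summary)
    summary.map do |app, counts|
      line = "#{app}: " + SEVERITIES.map { |s| "#{s}=#{counts[s]}" }.join(' ')
      line += ' -> patch and rebuild golden AMI' if counts['High'].positive?
      line
    end.join("\n")
  end

  def self.sample_report
    report_text(summarize(attach_tags(SAMPLE_FINDINGS, SAMPLE_TAGS)))
  end
end

puts GoldenAmiReport.sample_report if $PROGRAM_NAME == __FILE__
```
<p>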
Furthermore, the solution schedules an <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener noreferrer">Amazon CloudWatch Events</a> rule to run the golden AMI vulnerability assessments on a regular basis.</p> <p>The following solution diagram illustrates how this solution works.</p> <p><img class="alignnone wp-image-6936 size-full" title="Solution diagram showing how this post's solution works" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/12/15/KW_1217_diagram.png" alt="Solution diagram showing how this post's solution works" width="1410" height="773" /></p> <p>Here’s how this solution works, as illustrated in the preceding diagram:</p> <ol> <li>A scheduled CloudWatch Events event triggers the <code>StartContinuousAssessment</code> <a href="http://aws.amazon.com/lambda/" target="_blank" rel="noopener noreferrer">AWS Lambda</a> function, which starts the security assessment of your golden AMIs.</li> <li>The <code>StartContinuousAssessment</code> Lambda function performs the following actions: <ol type="A"> <li>It reads a JSON parameter stored in the <a href="http://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html" target="_blank" rel="noopener noreferrer">AWS Systems Manager</a> (Systems Manager) Parameter Store. 
This JSON parameter contains the following metadata for each golden AMI: <ol type="i"> <li><code>InstanceType</code> – A valid instance-type for launching an EC2 instance of the golden AMI.</li> <li><code>Ami-Id</code> – The ID of the golden AMI.</li> <li><code>UserData</code> – An operating system–compatible <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html" target="_blank" rel="noopener noreferrer">user-data script</a> for installing the <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_agents.html" target="_blank" rel="noopener noreferrer">Amazon Inspector agent</a>.</li> </ol> </li> </ol> </li> </ol> <p style="padding-left: 90px">Later in this blog post, I provide instructions for creating this JSON parameter.</p> <ol> <li style="list-style-type: none"> <ol start="2" type="A"> <li>For each AMI specified in the JSON parameter, the Lambda function creates an EC2 instance. When each instance starts, it installs the Amazon Inspector agent by using the user-data script provided in the JSON. The Lambda function then copies each golden AMI’s <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html" target="_blank" rel="noopener noreferrer">tags</a> (you will assign custom metadata in the form of tags to each golden AMI when you set up the solution) to the corresponding EC2 instance. The function also adds a tag with the <code>key</code> of <code>continuous-assessment-instance</code> and <code>value</code> as <code>true</code>. This tag identifies EC2 instances that require regular security assessments. The Lambda function copies the AMI’s tags to the instance (and later, to the security findings found for the instance) to help you identify the golden AMIs for each security finding. 
After you analyze security findings, you can patch your golden AMIs.</li> <li>The first time the <code>StartContinuousAssessment</code> function runs, it creates: <ol type="i"> <li>An <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_applications.html" target="_blank" rel="noopener noreferrer">Amazon Inspector assessment target</a>: The target identifies EC2 instances to assess by using the <code>continuous-assessment-instance</code> tag.</li> <li>An <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_assessments.html#inspector-assessment-templates" target="_blank" rel="noopener noreferrer">Amazon Inspector assessment template</a>: The template contains a reference to the Amazon Inspector assessment target created in the preceding step and the following AWS managed rules packages to evaluate: <ul> <li><a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html" target="_blank" rel="noopener noreferrer">Common Vulnerabilities and Exposures</a> (CVEs)</li> <li><a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html" target="_blank" rel="noopener noreferrer">Center for Internet Security (CIS) Benchmarks</a></li> <li><a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_security-best-practices.html" target="_blank" rel="noopener noreferrer">AWS Security Best Practices</a></li> <li><a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_runtime-behavior-analysis.html" target="_blank" rel="noopener noreferrer">Runtime Behavior Analysis</a></li> </ul> </li> </ol> </li> </ol> <p style="padding-left: 80px">For subsequent assessments, the <code>StartContinuousAssessment</code> function reuses the target and the template created during the first run of <code>StartContinuousAssessment</code> function.</p> <p style="padding-left: 80px"><strong>Note: </strong>Amazon Inspector can start an assessment only after it finds at least one running Amazon 
Inspector agent. To allow EC2 instances to boot and the Amazon Inspector agent to start, the Lambda function waits four minutes. Because the assessment runs for approximately one hour and boot time for EC2 instances typically takes a few minutes, all Amazon Inspector agents start before the assessment ends.</p> <ol> <li style="list-style-type: none"> <ol start="3"> <li>The Lambda function then runs the assessment. The Amazon Inspector agents collect behavior and configuration data, and pass it to Amazon Inspector. Amazon Inspector analyzes the data and generates <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_findings.html" target="_blank" rel="noopener noreferrer">Amazon Inspector findings</a>, which are potential security issues you may need to address.</li> <li>After the Lambda function completes the assessment, Amazon Inspector publishes an assessment-completion notification message to an <a href="https://aws.amazon.com/sns/" target="_blank" rel="noopener noreferrer">Amazon SNS</a> topic called <code>ContinuousAssessmentCompleteTopic</code>. SNS uses&nbsp;<em>topics</em>, which are communication channels for sending messages and subscribing to notifications.</li> <li>The notification message published to SNS triggers the <code>AnalyzeInspectorFindings</code> Lambda function, which performs the following actions: <ol type="A"> <li>Associates the tags of each EC2 instance with security findings found for that EC2 instance. This enables you to identify the security findings using the <code>app-name</code> tag you specified for your golden AMIs. 
You can use the information provided in the findings to patch your golden AMIs.</li> <li>Terminates all instances associated with the <code>continuous-assessment-instance=true</code> tag.</li> <li>Aggregates the number of findings found for each EC2 instance by severity and then publishes a consolidated result to an SNS topic called <code>ContinuousAssessmentResultsTopic</code>.</li> </ol> </li> </ol> </li> </ol> </li> </ol> <h2>How to deploy the solution</h2> <p>To deploy this solution, you must set it up in the AWS Region where you build your golden AMIs. If that AWS Region does not <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_supported_os_regions.html#inspector_supported-regions" target="_blank" rel="noopener noreferrer">support Amazon Inspector</a>, at the end of your continuous integration pipeline, you can copy your AMIs to an AWS Region where Amazon Inspector assessments are supported. To learn more about continuous integration pipelines, see <a href="https://aws.amazon.com/devops/continuous-integration/" target="_blank" rel="noopener noreferrer">What is Continuous Integration?</a></p> <p>To deploy continuous golden AMI vulnerability assessments in your AWS account, follow these steps:</p> <ol> <li><strong>Tag your golden AMIs</strong> – Tagging your golden AMIs lets you search assessment result findings based on tags after Amazon Inspector completes an assessment.</li> <li><strong>Store your golden AMI metadata in the Systems Manager Parameter Store</strong> – Prepare and store the golden AMI metadata in the Systems Manager Parameter Store. 
The <code>StartContinuousAssessment</code> Lambda function reads golden AMI metadata and starts assessing for vulnerabilities.</li> <li><strong>Run the supplied AWS CloudFormation template and subscribe to an SNS topic to receive assessment results</strong> – Set up the infrastructure required to run vulnerability assessments and subscribe to an SNS topic to receive assessment results via email.</li> <li><strong>Test golden AMI </strong><strong>vulnerability assessments</strong> – Ensure you have successfully set up the required resources to run vulnerability assessments.</li> <li><strong>Set up a CloudWatch Events rule for triggering continuous golden AMI vulnerability assessments</strong> – Schedule the execution of vulnerability assessments on a regular basis.</li> </ol> <h3>1.&nbsp; Tag your golden AMIs</h3> <p>You can search assessment findings based on golden AMI tags after Amazon Inspector completes an assessment.</p> <p>To tag a golden AMI by using the AWS Management Console:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and then navigate to the <a href="https://console.aws.amazon.com/ec2/v2/home" target="_blank" rel="noopener noreferrer">EC2 console</a>.</li> <li>In the navigation pane, choose&nbsp;<strong>AMIs</strong>.</li> <li>Choose your AMI from the list, and then choose&nbsp;<strong>Actions</strong> &gt;&nbsp;<strong>Add/Edit Tags</strong>.</li> <li>Choose<strong> Create Tag. </strong>In the <strong>Key</strong> column, type <code>app-name</code>. In the <strong>Value</strong> column, type your application name. Following the same steps, create the <code>app-version</code> and <code>app-environment</code>&nbsp;tags. 
Choose <strong>Save</strong>.</li> </ol> <p>Now that you have tagged your golden AMIs, you need to create golden AMI metadata, which will be read by the <code>StartContinuousAssessment</code> function to initiate vulnerability assessments. You will store the golden AMI metadata in the Systems Manager Parameter Store.</p> <h3>2.&nbsp; Store your golden AMI metadata in the Systems Manager Parameter Store</h3> <p>This solution reads golden AMI metadata from a parameter stored in the Systems Manager Parameter Store. The metadata must be in JSON format and must contain the following information for each golden AMI:</p> <ul> <li><code>Ami-Id</code></li> <li><code>InstanceType</code></li> <li><code>UserData</code></li> </ul> <p><strong>Step A:</strong> Find the AMI ID of your golden AMI.</p> <p>An AMI ID uniquely identifies an AMI in an AWS Region and is a required parameter for launching an EC2 instance from a golden AMI. To find the AMI ID of your golden AMI:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and navigate to the <a href="https://console.aws.amazon.com/ec2/" target="_blank" rel="noopener noreferrer">EC2 console</a>.</li> <li>In the navigation pane, choose&nbsp;<strong>AMIs</strong>.</li> <li>Choose your AMI from the list and then note the corresponding value in the <strong>AMI ID</strong> column.</li> </ol> <p><strong>Step B: </strong>Find a compatible <code>InstanceType</code> for your golden AMI.</p> <p>Each AMI has a list of compatible <code>InstanceTypes</code>. The <code>InstanceType</code> is a required parameter for launching an EC2 instance from a golden AMI. 
To find a compatible <code>InstanceType</code> for your golden AMI:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and navigate to the <a href="https://console.aws.amazon.com/ec2/" target="_blank" rel="noopener noreferrer">EC2 console</a>.</li> <li>Choose&nbsp;<strong>Launch Instance</strong>. On the&nbsp;<strong>Choose an Amazon Machine Image</strong> (<strong>AMI</strong>)&nbsp;page, choose <strong>My AMIs</strong>.</li> <li>Type the <strong>AMI ID</strong> that you noted in Step A in the <strong>Search my AMIs</strong> box, and then choose <strong>Enter</strong>.</li> <li>The search result will contain your golden AMI. To choose it, choose <strong>Select</strong>.</li> <li>Locate any available <strong>Instance Type</strong> and then note the corresponding value in the <strong>Type</strong> column.</li> <li>Choose <strong>Cancel</strong>.</li> </ol> <p><strong>Note:</strong> Amazon Inspector will launch the chosen <code>InstanceType</code> every time the vulnerability assessment runs.</p> <p><strong>Step C: </strong>Create the <code>user-data</code> script to install and start the Amazon Inspector agent.</p> <p>The <code>user-data</code> script automates the installation of software packages when an EC2 instance launches for the first time. 
In this step, you create an operating-system-specific, JSON-compatible user-data script that installs and starts the Amazon Inspector agent.</p> <ol> <li>Identify the command that installs the Amazon Inspector agent</li> </ol> <p style="padding-left: 30px">Based on <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_installing-uninstalling-agents.html" target="_blank" rel="noopener noreferrer">Installing Amazon Inspector Agents</a>, the following shell commands install the Amazon Inspector agent on an Amazon Linux-based EC2 instance.</p> <div class="hide-language"> <pre style="padding-left: 30px"><code class="lang-text">wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
bash install</code></pre> </div> <p style="padding-left: 30px">To find this command for other operating systems, see <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_installing-uninstalling-agents.html" target="_blank" rel="noopener noreferrer">Installing Amazon Inspector Agents</a>.</p> <ol start="2"> <li>Identify the command that starts the Amazon Inspector agent</li> </ol> <p style="padding-left: 30px">The following shell command starts the Amazon Inspector agent on an Amazon Linux-based EC2 instance.</p> <pre style="padding-left: 30px"><code class="lang-text">sudo /etc/init.d/awsagent start</code></pre> <p style="padding-left: 30px">To find this command for other operating systems, see <a href="http://docs.aws.amazon.com/inspector/latest/userguide/inspector_agents.html" target="_blank" rel="noopener noreferrer">Amazon Inspector Agents</a>.</p> <ol start="3"> <li>Create a script by concatenating the commands from the preceding two steps</li> </ol> <p style="padding-left: 30px">The following is a sample concatenated script for the Amazon Linux operating system that installs and starts an Amazon Inspector agent; each command is on its own line.</p> <pre style="padding-left: 30px"><code class="lang-text">wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
bash install
sudo /etc/init.d/awsagent start</code></pre> <ol start="4"> <li>Make the script user-data compatible</li> </ol> <p style="padding-left: 30px">Based on <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-api-cli" target="_blank" rel="noopener noreferrer">Running Commands on Your Linux Instance at Launch</a>, you make a Linux shell script user-data compatible by prefixing it with <code>#!/bin/bash</code>. In this step, you add the <code>#!/bin/bash</code> prefix to the script from the preceding step. The following is the user-data compatible version of the script from the preceding step.</p> <pre style="padding-left: 30px"><code class="lang-text">#!/bin/bash
wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
bash install
sudo /etc/init.d/awsagent start</code></pre> <p style="padding-left: 30px">To make your script user-data compatible for Windows, see <a href="http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-windows-user-data.html" target="_blank" rel="noopener noreferrer">Running Commands on Your Windows Instance at Launch</a>.</p> <p style="padding-left: 30px">The <code>user-data</code> script that you provide in the JSON metadata must also be JSON-compatible, which is what the next step does.</p> <ol start="5"> <li>Make the user-data script JSON compatible</li> </ol> <p style="padding-left: 30px">To make the user-data script JSON compatible, you must replace all new-line characters with a <code>\r\n\r\n</code> sequence. 
The following is the JSON-compatible user-data script that you specify for your Amazon Linux-based golden AMI in Step D.</p> <p style="padding-left: 30px"><span style="text-decoration: underline"><strong><code>JSON-compatible-user-data-for-Amazon-Linux-AMI</code></strong></span></p> <pre style="padding-left: 30px"><code class="lang-text">#!/bin/bash \r\n\r\nwget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install \r\n\r\nbash install \r\n\r\nsudo /etc/init.d/awsagent start</code></pre> <p style="padding-left: 30px">Repeat Steps A, B, and C to find the <code>Ami-Id</code>, <code>InstanceType</code>, and <code>UserData</code> for each of your golden AMIs. When you have this metadata, you can create the JSON document of metadata for all your golden AMIs. The <code>StartContinuousAssessment</code> Lambda function reads this JSON to start golden AMI vulnerability assessments.</p> <p><strong>Step D</strong>: Create a JSON document of metadata of all your golden AMIs.</p> <p>Use the following template to create a JSON document:</p> <div class="hide-language"> <pre><code class="lang-text">[
  {
    &quot;instanceType&quot;: &quot;<span style="color: #ff0000"><strong>instance-type-of-first-AMI</strong></span>&quot;,
    &quot;ami-id&quot;: &quot;<span style="color: #ff0000"><strong>AMI-ID-of-first-AMI</strong></span>&quot;,
    &quot;userData&quot;: &quot;<span style="color: #ff0000"><strong>JSON-compatible-user-data-of-first-AMI</strong></span>&quot;
  },
  {
    &quot;instanceType&quot;: &quot;<span style="color: #0000ff"><strong>instance-type-of-second-AMI</strong></span>&quot;,
    &quot;ami-id&quot;: &quot;<span style="color: #0000ff"><strong>AMI-ID-of-second-AMI</strong></span>&quot;,
    &quot;userData&quot;: &quot;<span style="color: #0000ff"><strong>JSON-compatible-user-data-of-second-AMI</strong></span>&quot;
  }
]</code></pre> </div> <p>Replace all <span style="color: #ff0000"><strong>placeholder values</strong></span> with values corresponding to your first 
golden AMI. If your golden AMI is Amazon Linux-based, you can use the <code>JSON-compatible-user-data-for-Amazon-Linux-AMI</code> from Step C.5 as its <code>userData</code>. Next, replace the <span style="color: #0000ff"><strong>placeholder values</strong></span> for your second golden AMI. If you have more than two golden AMIs, add an entry to the JSON document for each of them.</p> <p><strong>Note:</strong> The JSON document must be no more than 4,096 characters long, and it must describe fewer than 500 golden AMIs. Because each assessment run launches one on-demand EC2 instance per golden AMI, you must also verify that your account's service limits allow you to run that many instances. For information about how to verify service limits, see <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html" target="_blank" rel="noopener noreferrer">Amazon EC2 Service Limits</a>.</p> <p>Now that you have created the JSON document of your golden AMIs, you will store it in a Systems Manager parameter. 
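</p> <p>As an added example that is not code from this post or its CloudFormation template, the following Python builds the Step D document from the Step C script, applying the <code>\r\n\r\n</code> convention from Step C.5, and checks the size and count limits from the note above before you paste the result into the parameter. It assumes only the format described in this post; any AMI IDs you pass in while trying it are constructed placeholders.</p>

```python
"""Build and check the golden AMI metadata document stored in the
ContinuousAssessmentInput parameter (Steps C.5 and D of the post)."""
import json

MAX_DOCUMENT_CHARS = 4096   # the post: document must be at most 4,096 characters
MAX_GOLDEN_AMIS = 500       # the post: number of golden AMIs must be fewer than 500
REQUIRED_KEYS = {"instanceType", "ami-id", "userData"}

# Install-and-start script for an Amazon Linux-based golden AMI (Step C.4).
AMAZON_LINUX_USER_DATA = (
    "#!/bin/bash\n"
    "wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install\n"
    "bash install\n"
    "sudo /etc/init.d/awsagent start"
)


def json_compatible_user_data(script):
    """Step C.5: replace every newline with the post's CR LF CR LF sequence.
    The result holds the control characters; json.dumps renders them as the
    literal \\r\\n\\r\\n text shown in the post's template."""
    return script.replace("\r\n", "\n").replace("\n", "\r\n\r\n")


def build_metadata_document(golden_amis):
    """Step D: serialize [(ami_id, instance_type, script), ...] into the JSON
    array that the StartContinuousAssessment function reads."""
    entries = [
        {
            "instanceType": instance_type,
            "ami-id": ami_id,
            "userData": json_compatible_user_data(script),
        }
        for ami_id, instance_type, script in golden_amis
    ]
    return json.dumps(entries)


def load_metadata_document(document):
    """Parse the document back into the list of entry dicts."""
    return json.loads(document)


def validate_metadata_document(document):
    """Return a list of problems; empty when the document meets the post's
    size and count limits and every entry has the three required keys."""
    problems = []
    if len(document) > MAX_DOCUMENT_CHARS:
        problems.append(f"document is {len(document)} characters; "
                        f"limit is {MAX_DOCUMENT_CHARS}")
    try:
        entries = load_metadata_document(document)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(entries, list):
        return problems + ["top-level value must be a JSON array"]
    if len(entries) >= MAX_GOLDEN_AMIS:
        problems.append(f"{len(entries)} golden AMIs; must be fewer than "
                        f"{MAX_GOLDEN_AMIS}")
    seen = set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or REQUIRED_KEYS - set(entry):
            problems.append(f"entry {i}: must be an object with keys "
                            f"{sorted(REQUIRED_KEYS)}")
            continue
        ami_id = str(entry["ami-id"])
        if not ami_id.startswith("ami-"):
            problems.append(f"entry {i}: {ami_id!r} is not an AMI ID")
        if ami_id in seen:   # each entry launches one instance; a repeat wastes a launch
            problems.append(f"entry {i}: duplicate AMI {ami_id}")
        seen.add(ami_id)
        if not entry["userData"]:
            problems.append(f"entry {i}: empty userData; the agent would not be installed")
    return problems
```

<p>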
The <code>StartContinuousAssessment</code> Lambda function will read the metadata from this parameter.</p> <p><strong>Step E:</strong> Store the JSON in a Systems Manager parameter.</p> <p>To store the JSON in a Systems Manager parameter:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and navigate to the <a href="https://console.aws.amazon.com/ec2/" target="_blank" rel="noopener noreferrer">EC2 console</a>.</li> <li>Expand&nbsp;<strong>Systems Manager Shared Resources</strong>&nbsp;in the navigation pane, and then choose&nbsp;<strong>Parameter Store</strong>.</li> <li>Choose&nbsp;<strong>Create Parameter</strong>.</li> <li>For&nbsp;<strong>Name</strong>, type <code>ContinuousAssessmentInput</code>.</li> <li>In the&nbsp;<strong>Description</strong>&nbsp;field, type <code>Continuous golden AMI vulnerability assessment process metadata</code>.</li> <li>For&nbsp;<strong>Type</strong>, choose&nbsp;<strong>String</strong>.</li> <li>Paste the JSON that you created in <strong>Step D</strong> in the <strong>Value</strong> field.</li> <li>Choose&nbsp;<strong>Create Parameter</strong>. After the system creates the parameter, choose&nbsp;<strong>Close</strong>.</li> </ol> <p>To set up the remaining components required to run assessments, you will run a CloudFormation template and perform the configuration explained in the next section.</p> <h3>3.&nbsp; Run the CloudFormation template and subscribe to an SNS topic to receive assessment results</h3> <p>Next, create a CloudFormation stack using the provided <a href="https://s3.amazonaws.com/awsiammedia/public/sample/GoldenAMIContinuousVulnerabilityAssessment/GoldenAMIs_template.json" target="_blank" rel="noopener noreferrer">CloudFormation template</a>. 
Before you start, download the CloudFormation template to your computer.</p> <p>To create a stack:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and choose <strong>CloudFormation</strong> in the <strong>Services</strong> menu.</li> <li>Choose&nbsp;<strong>Create Stack</strong>.</li> <li>On the&nbsp;<strong>Select Template</strong> page, choose <strong>Upload a template to Amazon S3</strong>.</li> <li>Choose <strong>Choose File</strong> and then choose the CloudFormation template you just downloaded. Choose <strong>Next</strong>.</li> <li>On the <strong>Specify Details</strong> page, specify the <strong>Stack Name</strong> as <code>AmazonInspectorAssessment</code>. Choose <strong>Next</strong>.</li> <li>On the <strong>Options</strong> page, choose <strong>Next</strong>.</li> <li>On the <strong>Review</strong> page, choose the check box next to the following message: “<strong>I acknowledge that AWS CloudFormation might create IAM resources</strong>.”</li> <li>Choose <strong>Create</strong>. The CloudFormation template creates SNS topics, <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management</a> (IAM) roles, and Lambda functions.</li> <li>On the <strong>Stacks</strong> page, choose <strong>AmazonInspectorAssessment</strong>.</li> <li>In the <strong>Detail</strong> pane, choose <strong>Outputs</strong> to view the output of your stack.</li> </ol> <p>After CloudFormation successfully creates the stack, the <strong>Outputs</strong> tab displays the following results:</p> <ul> <li><code>StartContinuousAssessmentLambdaFunction</code> – The <strong>Value</strong> box displays the name of the <code>StartContinuousAssessment</code> function. 
You will run this function to trigger the entire workflow.</li> <li><code>ContinuousAssessmentResultsTopic</code> – The <strong>Value</strong> box displays the <code>ContinuousAssessmentResultsTopic</code> topic’s <a href="http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html" target="_blank" rel="noopener noreferrer">Amazon Resource Name</a> (ARN), which you will use later.</li> </ul> <p>To receive consolidated vulnerability assessment results in email, you must subscribe to <code>ContinuousAssessmentResultsTopic</code>.</p> <p>To subscribe to <code>ContinuousAssessmentResultsTopic</code>:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and navigate to the <a href="https://console.aws.amazon.com/sns/v2/home" target="_blank" rel="noopener noreferrer">SNS console</a>.</li> <li>Choose <strong>Create subscription</strong>. In the&nbsp;<strong>Topic ARN</strong>&nbsp;field, paste the ARN of <code>ContinuousAssessmentResultsTopic</code> that you noted in the previous section.</li> <li>In the&nbsp;<strong>Protocol</strong>&nbsp;drop-down, choose&nbsp;<strong>Email</strong>.</li> <li>In the&nbsp;<strong>Endpoint</strong>&nbsp;box, type the email address where you will receive notifications.</li> <li>Choose <strong>Create subscription</strong>.</li> <li>Navigate to your email application and open the message from AWS Notifications. Choose the link to confirm your subscription to the SNS topic.</li> </ol> <h3>4.&nbsp; Test golden AMI vulnerability assessments</h3> <p>Before you schedule vulnerability assessments, you should test the process by running the <code>StartContinuousAssessment</code> function. In this test, you trigger a security assessment and monitor it. 
You then receive an email after the assessment has completed, which shows that vulnerability assessments have been successfully set up.</p> <p>To start golden AMI vulnerability assessments:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and choose&nbsp;<strong>Lambda</strong> in the&nbsp;<strong>Services</strong> menu.</li> <li>Choose <strong>Functions</strong>. In the <strong>Functions</strong> pane, choose the <strong>StartContinuousAssessment</strong> function.</li> <li>Choose the <strong>Select a test event</strong> drop-down, and choose <strong>Configure test events</strong>.</li> <li>On the <strong>Configure test event</strong> page, choose <strong>Create new test event</strong> and specify the event name as <code>test</code>.</li> <li>Paste the following JSON in the editor box. <div class="hide-language"> <pre><code class="lang-text">{ &quot;AMIsParamName&quot;: &quot;ContinuousAssessmentInput&quot; }</code></pre> </div> </li> <li>Choose <strong>Create</strong>. 
Choose <strong>Test</strong>.</li> </ol> <p>The <code>StartContinuousAssessment</code> function runs for approximately five minutes and then displays the following message.<br /> <img class="alignnone wp-image-6945 size-full" title="Message showing the function has run successfully" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/12/15/KW_1_1217.png" alt="Message showing the function has run successfully" width="973" height="225" /></p> <p>Next, open Amazon Inspector and monitor the progress of the assessment:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and navigate to the <a href="https://console.aws.amazon.com/inspector/" target="_blank" rel="noopener noreferrer">Amazon Inspector console</a>.</li> <li>On <strong>Dashboard</strong> under <strong>Recent Assessment Runs</strong>, you will see an entry with the status, <strong>Collecting Data</strong>. This status indicates that Amazon Inspector agents are collecting data from instances running your golden AMIs. The agents collect data for an hour and then Amazon Inspector analyzes the collected data.</li> </ol> <p>After Amazon Inspector completes the assessment, the status in the console changes to <strong>Analysis complete</strong>. Amazon Inspector then publishes an SNS message that triggers the <code>AnalyzeInspectionReports</code> Lambda function. When <code>AnalyzeInspectionReports</code> publishes results, you will receive an email containing consolidated assessment results. 
You also will be able to see the findings.</p> <p>To see the findings in Amazon Inspector’s <strong>Findings</strong> section:</p> <ol> <li>Sign in to the <a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and navigate to the <a href="https://console.aws.amazon.com/inspector/home" target="_blank" rel="noopener noreferrer">Amazon Inspector console</a>.</li> <li>In the navigation pane, choose <strong>Assessment Runs</strong>. In the table on the <strong>Amazon Inspector – Assessment Runs</strong> page, choose the findings of the latest assessment run.</li> <li>Choose the settings (<img class="alignnone wp-image-6948 size-full" title="Gear icon" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/12/15/KW_3_1217.png" alt="Gear icon" width="30" height="19" />) icon and choose the appropriate tags to see the details of findings, as shown in the following screenshot. The findings also contain information about how you can address each underlying vulnerability.<br /> <img class="alignnone wp-image-6946 size-full" title="Screenshot showing details of findings" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/12/15/KW_2_1217.png" alt="Screenshot showing details of findings" width="1200" height="179" /></li> </ol> <p>Having verified that you have successfully set up all components of golden AMI vulnerability assessments, you now will schedule the vulnerability assessments to run on a regular basis to give you continual insight into the health of instances created from your golden AMIs.</p> <h3>5.&nbsp; Set up a CloudWatch Events rule for triggering continuous golden AMI vulnerability assessments</h3> <p>The last step is to create a CloudWatch Events rule to schedule the execution of the vulnerability assessments on a daily or weekly basis.</p> <p>To set up a CloudWatch Events rule:</p> <ol> <li>Sign in to the <a 
href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener noreferrer">AWS Management Console</a> and navigate to the <a href="https://console.aws.amazon.com/cloudwatch/" target="_blank" rel="noopener noreferrer">CloudWatch console</a>.</li> <li>In the navigation pane, choose&nbsp;<strong>Rules</strong> &gt;&nbsp;<strong>Create rule</strong>.</li> <li>On the <strong>Event Source</strong> page, choose&nbsp;<strong>Schedule</strong>. Choose&nbsp;<strong>Fixed rate of</strong> and specify the interval (for example, 1 day).</li> <li>For&nbsp;<strong>Targets</strong>, choose&nbsp;<strong>Add target</strong> and then choose&nbsp;<strong>Lambda function</strong>.</li> <li>For&nbsp;<strong>Function</strong>, choose the <strong>StartContinuousAssessment</strong> function.</li> <li>Choose <strong>Configure Input</strong>.</li> <li>Choose <strong>Constant (JSON text)</strong>.</li> <li>In the box, paste the following JSON code. <div class="hide-language"> <pre><code class="lang-text">{ &quot;AMIsParamName&quot;: &quot;ContinuousAssessmentInput&quot; }</code></pre> </div> </li> <li>Choose&nbsp;<strong>Configure details</strong>.</li> <li>For&nbsp;<strong>Rule definition</strong>, type <code>ContinuousGoldenAMIAssessmentTrigger</code> as the name and <code>This rule triggers the continuous golden AMI vulnerability assessment process</code> as the description.</li> <li>Choose&nbsp;<strong>Create rule</strong>.</li> </ol> <p>The vulnerability assessments are executed on the first occurrence of the schedule you chose while setting up the CloudWatch Events rule. 
After the vulnerability assessment is executed, you will receive an email indicating that your continuous golden AMI vulnerability assessments are set up.</p> <h3>Summary</h3> <p>To get visibility into the security of your EC2 instances created from your golden AMIs, it is important that you perform security assessments of your golden AMIs on a regular basis. In this blog post, I have demonstrated how to set up vulnerability assessments, and the results of these continuous golden AMI vulnerability assessments can help you keep your environment up to date with security patches. To learn how to patch your golden AMIs, see <a href="https://aws.amazon.com/blogs/aws/streamline-ami-maintenance-and-patching-using-amazon-ec2-systems-manager-automation/" target="_blank" rel="noopener noreferrer">Streamline AMI Maintenance and Patching Using Amazon EC2 Systems Manager</a>.</p> <p>If you have comments about this blog post, submit them in the “Comments” section below. If you have questions about implementing the solution in this post, start a new thread on the&nbsp;<a href="https://forums.aws.amazon.com/forum.jspa?forumID=205" target="_blank" rel="noopener noreferrer">Amazon Inspector forum</a> or <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p> <p>– Kanchan and David</p>