What is Amazon Inspector?
Amazon Inspector is an automated security assessment service that helps you test the security state of your applications running on Amazon EC2.
What can I do with Amazon Inspector?
Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems. This allows you to make security testing a more regular occurrence as part of development and IT operations. Amazon Inspector is agent-based, API-driven, and delivered as a service to make it easy to deploy, manage, and automate.
What makes up the Amazon Inspector service?
Amazon Inspector consists of an Amazon-developed agent that is installed in the operating system of your Amazon EC2 instances and a security assessment service that uses telemetry from the agent and AWS configuration to assess instances for security exposures and vulnerabilities.
What is an assessment template?
An assessment template is a configuration that you create in Amazon Inspector to define your assessment run. This assessment template includes a rules package against which you want Amazon Inspector to evaluate your assessment target, the duration of the assessment run, Amazon Simple Notification Service (SNS) topics to which you want Amazon Inspector to send notifications about assessment run states and findings, and Amazon Inspector-specific attributes (key/value pairs) that you can assign to findings generated by the assessment run.
What is an assessment run?
An assessment run is the process of discovering potential security issues through the analysis of your assessment target's configuration and behavior against specified rule packages. During an assessment run, the agent monitors, collects, and analyzes behavioral data (telemetry) within the specified target, such as the use of secure channels, network traffic among running processes, and details of communication with AWS services. Next, the agent analyzes the data and compares it against the set of security rule packages specified in the assessment template used for the assessment run. A completed assessment run produces a list of findings: potential security issues of varying severity.
Is there any performance impact during an Amazon Inspector assessment run?
Amazon Inspector and the Amazon Inspector Agent have been designed for minimal performance impact during the assessment run process.
What is an assessment target?
An assessment target represents a collection of AWS resources that work together as a unit to help you accomplish your business goal(s). Amazon Inspector evaluates the security state of the resources that constitute the assessment target. You create an assessment target by using Amazon EC2 tags, and you can then define these tagged resources as an assessment target for an assessment run defined by the assessment template.
What is a finding?
A finding is a potential security issue discovered during the Amazon Inspector assessment run of the specified target. Findings are displayed in the Amazon Inspector console or retrieved through the API, and contain both a detailed description of the security issue and a recommendation on how to fix it.
What is a rules package?
A rules package is a collection of security tests that can be configured as part of an assessment template and assessment run. Amazon Inspector has many rules packages including common vulnerabilities and exposures (CVE), Center for Internet Security (CIS) Operating System configuration benchmarks, and security best practices. See the Amazon Inspector documentation for a full list of rules packages available.
Which applications can Inspector analyze for vulnerabilities?
Amazon Inspector finds applications by querying the package manager or software installation system on the operating system where the agent is installed. This means that software that was installed through the package manager is assessed for vulnerabilities. The version and patch level of software that is not installed through these methods is not recognized by Inspector. For example, software installed via apt, yum, or Microsoft Installer will be assessed by Inspector. Software installed through make config / make install, or binary files copied directly to the system using automation software such as Puppet or Ansible will not be assessed by Inspector.
What is an assessment report, and what does it include?
An Amazon Inspector assessment report can be generated for an assessment run once it has been successfully completed. An assessment report is a document that details what is tested in the assessment run, and the results of the assessment. The results of your assessment are formatted into a standard report, which can be generated to share results within your team for remediation actions, to enrich compliance audit data, or to store for future reference.
You can select from two types of report for your assessment, a findings report or a full report. The findings report contains an executive summary of the assessment, the instances targeted, the rules packages tested, the rules that generated findings, and detailed information about each of these rules along with the list of instances that failed the check. The full report contains all the information in the findings report, and additionally provides the list of rules that were checked and passed on all instances in the assessment target.
What happens if some of my targets are unavailable when I run an assessment?
Amazon Inspector will gather vulnerability data for all available targets configured for the assessment template and return any appropriate security findings for the available targets. If there are no available targets for the assessment template when the run is started, the system will report that the assessment could not be run and will return the following notification: “The assessment run could not be executed at this time as there are no targeted instances available for the selected assessment template.”
How do targets become unavailable?
Targets in an assessment can be unavailable for a number of reasons, such as: the EC2 instance is down or unresponsive; the tagged (targeted) instance does not have the Amazon Inspector Agent installed; or the installed Amazon Inspector Agent is unavailable or cannot return vulnerability data.
What is the pricing for Amazon Inspector?
Inspector pricing is based on the number of assessment runs and the number of agents or systems assessed during those runs; we call these “agent-assessments.” As with all AWS services, an on-demand billing period is one calendar month. For example:
1 assessment run against 1 agent = 1 agent-assessment
1 assessment run against 10 agents = 10 agent-assessments
10 assessment runs against 2 agents each = 20 agent-assessments
30 assessment runs against 10 agents each = 300 agent-assessments
If the above represented the Amazon Inspector assessment runs activity in your account for a given billing period, you would be charged for 331 total agent-assessments.
The price of each individual agent-assessment is based on a tiered pricing model. As you move up the volume of agent-assessments in a given billing period, you pay a lower price per agent-assessment. For example, the first two tiers of agent-assessment pricing are:
First 250 agent-assessments = $0.30 per agent-assessment
Next 750 agent-assessments = $0.25 per agent-assessment
So for our example above of 331 total agent-assessments in a given billing period, you would be charged $0.30 for the first 250 and $0.25 for the next 81, or $95.25 total for the billing period. See the Amazon Inspector pricing page for the full pricing table.
Is there a free trial for Amazon Inspector?
Yes. Amazon Inspector offers the first 250 agent-assessments at no cost for the first 90 days of using the service. All AWS accounts new to the Amazon Inspector service are eligible.
Which Linux kernel versions are supported for Amazon Inspector assessments?
You can run successful assessments for an EC2 instance with a Linux-based OS using the Common Vulnerabilities and Exposures (CVE), Center for Internet Security (CIS) Benchmarks, or Security Best Practices rules packages regardless of the kernel version. However, to run an assessment using the Runtime Behavior Analysis rules package, your Linux instance must have a kernel version that is supported for Amazon Inspector. An up-to-date list of Linux kernel versions that are supported for Amazon Inspector assessments is available here.
Amazon Inspector sounds great, how do I get started?
Simply sign up for Amazon Inspector from the AWS Management Console. Once signed up, you install the appropriate Amazon Inspector Agent on your Amazon EC2 instances, create a new assessment template, select the rules packages you want to use, and schedule an assessment run. Once it completes, the system will generate a findings report on any issues it identified for your environment.
Does the Amazon Inspector Agent have to be installed on all of the EC2 instances I wish to assess?
Yes. During an assessment run, the Amazon Inspector Agent monitors the behavior of the operating system and applications of the EC2 instance it's installed on, collects configuration and behavioral data, and passes the data to the Amazon Inspector service.
How can I install the Amazon Inspector Agent?
There are several ways to install the agent. For simple installations, you can install it manually on each instance or do a one-time load using the AWS Systems Manager Run Command document (AmazonInspector-ManageAWSAgent). For larger deployments, you can automate agent installations using the EC2 User Data Function when configuring your instances or you can create automated installs of the agent using AWS Lambda. You can also launch an EC2 instance using the Amazon Linux AMI with the pre-installed Amazon Inspector Agent from the EC2 Console or the AWS Marketplace.
How do I check whether the Amazon Inspector Agent is installed and healthy on my EC2 instances?
You can view the status of the Amazon Inspector Agent for all the EC2 instances in your assessment target by using the ‘Preview Targets’ functionality available in the Inspector console and through the PreviewAgents API query. Agent status includes whether the agent is installed on the EC2 instance and the health of the agent. Along with the Inspector Agent status on the targeted EC2 instance, the instance ID, public hostname, and public IP address (if defined) are also displayed, along with links into the EC2 console for each instance.
Does Amazon Inspector access other AWS services in my account?
Amazon Inspector needs to enumerate your EC2 instances and tags to identify the instances specified in the assessment target. Amazon Inspector gets access to these through a service-linked role that is created on your behalf when you get started with Inspector as a new customer or in a new region. The Inspector service-linked role is managed by Amazon Inspector, so you don’t have to worry about inadvertently revoking permissions required by Amazon Inspector. For some existing customers, an IAM role that was registered while getting started with Inspector might be used for accessing other AWS services until the Inspector service-linked role is created. You can create the Inspector service-linked role through the Inspector console’s dashboard page.
I use a Network Address Translation (NAT) for my instances. Will Amazon Inspector work with these instances?
Yes. Instances that use a NAT are supported by Amazon Inspector with no action required from you.
I use a Proxy for my instances. Will Amazon Inspector work with these instances?
Yes. The Amazon Inspector Agent supports proxy environments. For Linux instances, we support HTTPS Proxy, and for Windows instances, we support WinHTTP proxy. See the Amazon Inspector User Guide for instructions to configure Proxy support for the Amazon Inspector Agent.
I would like to automate the assessment of my infrastructure on a regular basis. Do you provide an automated way to submit assessments?
Yes. Amazon Inspector provides a full API allowing automatic creation of application environments, creation of assessments, evaluation of policies, creation of policy exceptions, and filters as well as retrieval of the results.
Can I schedule security assessments to run at certain dates and times?
Yes. Amazon Inspector assessments can be triggered by any Amazon CloudWatch Event. You can set up a recurring Schedule event with either a simple fixed recurring rate or a more detailed Cron expression.
Can I trigger security assessments to run based on an event?
Yes. You can use Amazon CloudWatch Events to create event patterns which monitor other AWS services for actions to trigger an assessment. For example, you can create an event which monitors AWS Auto Scaling for new Amazon EC2 Instances being launched, or monitors AWS CodeDeploy notifications for when a code deployment has been successfully completed. Once CloudWatch Events have been configured against Amazon Inspector templates, these assessment events will be displayed in the Inspector console as part of your assessment templates so you can see all of the automated triggers for that assessment.
Can I set up Amazon Inspector assessments through AWS CloudFormation?
Yes, you can create Amazon Inspector resource groups, assessment targets, and assessment templates using AWS CloudFormation templates. This allows you to automatically set up security assessments for your EC2 instances as they are deployed. In your CloudFormation template, you can also bootstrap installation of the Inspector Agent on EC2 instances by using agent installation commands in either AWS::CloudFormation::Init or EC2 user data. Alternatively, you can create EC2 instances in your CloudFormation template using an AMI with the Inspector Agent pre-installed.
Where can I find metrics information on my Amazon Inspector assessments?
Amazon Inspector automatically publishes metrics data on your assessments to Amazon CloudWatch. If you are a CloudWatch user, your Inspector assessment statistics are automatically populated in CloudWatch. The Inspector metrics currently available are: number of assessment runs, agents targeted, and findings generated. See the Amazon Inspector documentation for details on the assessment metrics published to CloudWatch.
Can Amazon Inspector be integrated with other AWS services for logging and notifications?
Amazon Inspector integrates with Amazon SNS to provide notification for various events such as monitoring milestones, failures, or expiration of exceptions and integrates with AWS CloudTrail for logging of calls to Amazon Inspector.
What is the “CIS Operating System Security Configuration Benchmarks” rules package?
CIS Security Benchmarks are provided by the Center for Internet Security and are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. Amazon Web Services is a CIS Security Benchmarks Member company and the list of Amazon Inspector certifications can be viewed here. CIS benchmark rules are designed to be pass/fail security checks. For every CIS check that fails, Inspector generates a finding with High severity. Additionally, an Informational finding is generated for each instance that lists all the CIS rules that are checked, and the pass/fail result for each rule.
What is the “Common Vulnerabilities and Exposures” rules package?
The Common Vulnerabilities and Exposures (CVE) rules check for exposure to publicly known information security vulnerabilities and exposures. CVE rule details are publicly available at the National Vulnerability Database (NVD). We use the NVD's Common Vulnerability Scoring System (CVSS) as the primary source of severity information. If a CVE is not scored by NVD but is present in an Amazon Linux AMI Security Advisory (ALAS), we use the severity from the Amazon Linux advisory. If neither score is available for a CVE, we do not report that CVE as a finding. We check daily for the latest information from NVD and ALAS and update our rules packages accordingly.
What is the severity of a finding?
Each Amazon Inspector rule has an assigned severity level, which Amazon has classified as High, Medium, Low, or Informational. Severity is intended to help you prioritize your responses to findings.
How is the severity determined?
The severity of a rule is based on the potential impact of the security issue found. Although some rules packages provide severity levels as part of their rules, these often differ between rule sets. Amazon Inspector has normalized the severity of findings across all available rules packages by mapping the individual severities to common High, Medium, Low, and Informational classifications. For “High”, “Medium”, and “Low” severity findings, the higher the severity, the greater the security impact of the underlying issue. Findings classified as “Informational” advise you of security issues that might not have an immediate security impact.
For AWS supported rules packages, the severity is determined by the AWS security team.
The CIS Benchmarks rules package findings always have severity set to “High”.
For the Common Vulnerabilities and Exposures (CVE) rules package, Amazon Inspector maps the CVSS Base Score, or the ALAS severity when the CVE has no CVSS score, as follows:
Amazon Inspector Severity | CVSS Base Score | ALAS Severity (if CVSS not scored)
High | >= 5 | Critical or Important
Medium | < 5 and >= 2.1 | Medium
Low | < 2.1 and >= 0.8 | Low
When I describe findings via the API (DescribeFindings), each finding has a “numericSeverity” attribute. What does this attribute signify?
The “numericSeverity” attribute is the numeric representation of the severity of a finding. The numeric severity values map to Severity as follows:
Informational = 0.0
Low = 3.0
Medium = 6.0
High = 9.0
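The CVE severity table and the numericSeverity mapping above are precise enough to implement, which is what this added example does (it is not Amazon's code): it normalizes a CVE's CVSS/ALAS severity the way the table describes, then uses the numericSeverity values to triage and sanity-check finding records. The sample findings are constructed; they carry the numericSeverity field the FAQ names plus id, title and severity, whose exact shape in DescribeFindings output is an assumption here, and the treatment of CVSS scores below 0.8 (outside the published table) is also an assumption.

```python
"""Added example, not Amazon's code: apply the FAQ's CVE severity table and the
numericSeverity mapping to Inspector findings offline."""
from typing import Iterable, List, Optional

# numericSeverity values as listed in the FAQ
NUMERIC_SEVERITY = {"Informational": 0.0, "Low": 3.0, "Medium": 6.0, "High": 9.0}
SEVERITY_FROM_NUMERIC = {v: k for k, v in NUMERIC_SEVERITY.items()}

# ALAS severities, consulted only when NVD has not scored the CVE
ALAS_TO_INSPECTOR = {"Critical": "High", "Important": "High",
                     "Medium": "Medium", "Low": "Low"}


def cve_severity(cvss_base: Optional[float], alas: Optional[str]) -> Optional[str]:
    """Return High/Medium/Low for a CVE, or None if it would not be reported.

    CVSS Base Score takes precedence; ALAS is the fallback for unscored CVEs,
    and a CVE with neither is not reported (both per the FAQ).  Scores below
    0.8 lie outside the published table; treating them as unreported is an
    assumption of this example, not something the FAQ states.
    """
    if cvss_base is not None:
        if cvss_base >= 5.0:
            return "High"
        if cvss_base >= 2.1:
            return "Medium"
        if cvss_base >= 0.8:
            return "Low"
        return None  # assumption: below the lowest published band
    if alas is not None:
        return ALAS_TO_INSPECTOR.get(alas)  # unknown ALAS label -> None
    return None


def inconsistent_findings(findings: Iterable[dict]) -> List[str]:
    """Return ids of findings whose severity label disagrees with numericSeverity.

    A cheap sanity check before a ticketing or paging rule keys on one of the
    two fields and silently trusts the other.
    """
    return [f["id"] for f in findings
            if SEVERITY_FROM_NUMERIC.get(f.get("numericSeverity")) != f.get("severity")]


def triage(findings: Iterable[dict], minimum: str = "Medium") -> List[dict]:
    """Keep findings at or above `minimum` severity, most severe first."""
    floor = NUMERIC_SEVERITY[minimum]
    kept = [f for f in findings if f.get("numericSeverity", 0.0) >= floor]
    return sorted(kept, key=lambda f: f["numericSeverity"], reverse=True)


# Constructed sample records shaped like DescribeFindings output (illustrative only)
SAMPLE_FINDINGS = [
    {"id": "f-1", "title": "CIS check failed (constructed)", "severity": "High", "numericSeverity": 9.0},
    {"id": "f-2", "title": "CVE-YYYY-NNNN (placeholder)", "severity": "Medium", "numericSeverity": 6.0},
    {"id": "f-3", "title": "CIS rules checked (constructed)", "severity": "Informational", "numericSeverity": 0.0},
    {"id": "f-4", "title": "Mislabelled record (constructed)", "severity": "Low", "numericSeverity": 9.0},
]

if __name__ == "__main__":
    print(cve_severity(7.5, None), cve_severity(None, "Important"), cve_severity(None, None))
    print([f["id"] for f in triage(SAMPLE_FINDINGS)], inconsistent_findings(SAMPLE_FINDINGS))
```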
Does Amazon Inspector work with AWS partner solutions?
Yes, Amazon Inspector has public-facing APIs that are available for customers and AWS partners to use. Several partners have integrated with Amazon Inspector, incorporating findings into email, ticketing systems, pager platforms, or broader security dashboards. For details on supporting partners, please visit the Amazon Inspector Partners page.
Is Amazon Inspector a HIPAA eligible service?
Yes, Amazon Inspector is a HIPAA eligible service and has been added to the AWS Business Associate Addendum (BAA). If you have an executed BAA with AWS, you can run Inspector on your EC2 instances that contain protected health information (PHI).
What compliance and assurance programs does Amazon Inspector support?
Inspector supports SOC 1, SOC 2, SOC 3, ISO 9001, ISO 27001, ISO 27017, ISO 27018, and HIPAA. Inspector meets the controls for FedRAMP and we’re waiting for the completion of the audit report. If you want to learn more about the AWS services in scope by compliance program, please visit the AWS Services in Scope Page.