AWS
February 18, 2020

using-amazon-aws-inspector

What is AWS Amazon Inspector?

Amazon Inspector is an AWS Service that provides compliance checks, best practices, and checks for known vulnerabilities in installed applications in your operating system. It requires that an agent be installed on your cloud instances. Amazon Inspector evaluations help you find excessively permissive access control and vulnerabilities in your EC2 instances. Checks are grouped on packages with pre-defined rules that are split into four different categories.

Inspector classifies its findings into four different levels of severity;

High – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your assessment target. We recommend that you treat this security issue as an emergency and implement an immediate remediation.

Medium – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your assessment target. We recommend that you fix this issue at the next possible opportunity, for example, during your next service update.

Low – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your assessment target. We recommend that you fix this issue as part of one of your future service updates.

Informational – Describes a particular security configuration detail of your assessment target. Based on your business and organization goals, you can either simply make note of this information or use it to improve the security of your assessment target.

Rules Packages

  1. CIS Benchmark
    The CIS Security Benchmarks program provides well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their security.
  2. Best Practices
    Use Amazon Inspector rules to help determine whether your systems are configured securely.
  3. Network reachability
    Rules into the Network reachability package verify connectivity in your architecture that is too permissive, making hosts and services exposed.
  4. CVE Checks
    The rules in this package help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data.

Amazon Inspector Supported Operating Systems

  • Amazon Linux 2 (LTS, 2017.12)
  • Amazon Linux (2018.03, 2017.09, 2017.03, 2016.09, 2016.03, 2015.09, 2015.03, 2014.09, 2014.03, 2013.09, 2013.03, 2012.09, 2012.03)
  • Ubuntu (18.04 LTS, 16.04 LTS, 14.04 LTS)
  • Debian (9.0 – 9.5, 8.0 – 8.7)
  • Red Hat Enterprise Linux (7.2 – 7.X, 6.2 – 6.9)
  • CentOS (7.2 – 7.X, 6.2 – 6.9)
  • Windows Server 2008 R2
  • Windows Server 2012w
  • Windows Server 2012 R2
  • Windows Server 2016 Base
It is worth noting how big a delay Inspector has in supporting new operating system versions. For example, RHEL 8 was released in May/2019 while Windows 2019 was released in November/2018, but so far there is no support for either.

Default AMIs tests

We tested Inspector to validate the level of security in some default AMIs that are commonly installed thousands of times daily:

  • Amazon Linux 2
  • Ubuntu 18.04
  • Redhat Enterprise Linux 7.6
  • Windows
  • CIS Hardened Image Level 1

Our tests showed a big number of vulnerabilities in these default installations:

Ubuntu ami-0d5d9d301c853a04a (153 findings) tested in Jan 10th, 2020

Redhat Enterprise Linux 7.X ami-006b2db4ca7e39d7d (298 findings) tested in Jan 11th, 2020

Windows 2016 ami-084c1257f64cd7db9 (278 findings) tested in Jan 13th, 2020

Amazon Linux 2 ami-02ccb28830b645a41 (100 findings) tested in Jan 13th, 2020

CIS Amazon Linux 2 Benchmark – Level 1 ami-0dab0321406ed8c76 (35 findings) tested in Jan 13th, 2020

It’s interesting to note that even using an instance CIS Level 1 ready to go from AWS MarketPlace, some vulnerabilities still show up since Inspector tests controls from all CIS Levels.

Those results are a good example of the risks associated with using standard unhardened AMIs, which contain several known vulnerabilities. Security Teams and Operations should: a-) establish a process to continuously update running instances, and b-) create hardened and continuously updated golden images, and ensure their use is mandatory to mitigate the exposure windows of newly created instances.

Severity Categorization

One other aspect of Inspector caught our attention. We noticed that basically all CIS Benchmark rule Package tests are categorized as High, that is the highest severity from Inspector analysis.

The following table was extracted from the output of testing on an Amazon Linux 2 instance:

Notice for example item 1.7.1.1 (MOTD Configuration) or 3.2.4 (suspicious packets are logged), which are considered High. That is in our humble opinions a severe overestimation of the risks represented by those misconfigurations.

Since Inspector overestimates finding severities, this could cause misprioritization of remediation efforts and cause critical findings to be unaddressed for a longer period of time. You should take this into consideration in case you are thinking about use AWS Inspector in production.

It also seems per the documentation that currently there is no way to write your own tests or override existing test severities, so this is not a particularly flexible solution.

Some conclusions

Amazon Inspector looks promising at first contact, but at its current state it is not ready to be your main EC2 instance operating system security configuration and patching solution.

The huge delay to support new operating system versions and the overestimation of the severity of findings of the CIS Benchmark strongly limit its usefulness. There are other of commercial and open source tools available that will probably deliver superior results.

References

Written by Rodrigo Montoro and Alexandre Sieira.