Today at the AWS Summit in Chicago, AWS announced the general availability of Amazon Inspector. This service has been available in preview since AWS re:Invent 2015 and with its wider release today, it’s easier than ever for AWS users to quickly and easily secure their EC2 instances and AMIs. As a launch partner for Amazon Inspector, Trend Micro has been working closely with the team at AWS to ensure our Deep Security platform complements this great new service from AWS.  

The Problem

Traditional vulnerability scanning simply doesn’t work in the cloud. Traditional scanners are either black box (a scan where the scanner doesn’t have privileged access to the system being scanned), can’t keep up with the dynamic environments typical in AWS, or simply don’t integrate into the continuous workflows common in AWS. Enter Amazon Inspector.  

Amazon Inspector

This new service uses a small agent, easily deployed to your EC2 instances, to analyze the behaviour of your instances and identify any potential security issues. The AWS blog has the simple steps to get up and running with the service. In simple terms, you:
  1. define a target set of resources using tags (e.g., Name: ToInspect)
  2. configure an assessment template that defines what you’re looking for (common vulnerabilities and exploits (CVEs), PCI requirements, etc.)
  3. run an assessment against your target resources
  4. examine the findings
  5. mitigate (a/k/a fix) the issues found
As you’d expect from AWS, the API and CLI for Amazon Inspector make it easy to integrate into your development workflow. Assessments should be a part of all of your deployments.  

Take Steps To Mitigate

When Amazon Inspector finds an issue (reported as a finding) it makes a recommendation for a mitigation. Sometimes these recommendations address simple configuration issues (e.g., turn on Data Execution Prevention), but occasionally a finding will show the need to update a key application or shared library, in the form of a CVE. A CVE indicates a risk to your deployment. These risks are rated and apply to specific versions of software. The recommended fix is to update the software to an unaffected version. But it’s not always possible to update right away. More testing might be required or the fix might not be released yet. Thankfully, Deep Security can help.  

Intrusion Prevention

For vulnerabilities that are remotely exploitable (a/k/a hackers can take advantage of it from outside your instance), Deep Security offers a full intrusion prevention engine that examines each network packet before it reaches the affected software. In the case of a potential attack, Deep Security simply discards the bad packets, keeping your workloads safe from hackers. Our initial integration connects the knowledge provided by Amazon Inspector to automatically protect your instances from these types of vulnerabilities.  

Mitigation Report

After running an assessment in Amazon Inspector, a simple command line tool will automatically analyze the findings from Amazon Inspector and enable the appropriate protection within Deep Security. Here’s what needs to be in place for this to work:
  1. Deep Security running on your EC2 instances (here’s a quick way to get started)
  2. Amazon Inspector running on at least one EC2 instance using the same AMI or Deep Security security policy
Once you’ve done an assessment run in Amazon Inspector, you can use the ds-analyze-findings.py tool available now on our GitHub repo (https://github.com/deep-security/amazon-inspector). This simple tool will generate a report like the following:
*********************************************
* RUN: Run 1 for OutOfDateSoftware
*********************************************
i-ebbe8d2c reports:
  There are 0 findings related to known CVEs
  ...and 6 other findings
  * Instance i-ebbe8d2c does not meet PCI DSS Requirement 2.2.2 - It was found to be running unnecessary services on ports: 22, 4118.
    Can be mitigated by taking the following action:

      We recommend that you disable extraneous services if not required for your business operations or restrict access to them via security groups. Enable only necessary 
      ...

i-fb9eac3c reports:
  There are 1 findings related to known CVEs
  ...and 2 other findings
  * CVE-2014-1424
    Can be mitigated by taking the following action:

      Use your Operating System's update feature to update package apparmor. For more information see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1424

  * The following executable files installed on Instance i-fb9eac3c do not support stack cookies: /lib/x86_64-linux-gnu/libpthread-2.19.so, /lib/x86_64-li
    Can be mitigated by taking the following action:

      It is recommended that you uninstall this software from your application if you are not using it, or contact the   
      ...
The information in this report will allow you to determine your strategy for mitigating these issues. But every once in a while, Amazon Inspector will identify a vulnerability that can be remotely exploited by a malicious actor. This is where the integration of Deep Security and Amazon Inspector really starts to shine.  

Automatic Mitigation

When you see an entry in the report that states a CVE should be mitigated immediately using Deep Security, that’s an indication that you can apply a rule in Deep Security to quickly stop attackers from taking advantage of this vulnerability.
...
i-fb9eac3c reports:
  There are 1 findings related to known CVEs
  ...and 2 other findings
  * CVE-2014-6271
    !!! Should be mitigated immediately using Deep Security (rule ‘Identified Suspicious Bash ShellShock Attack’)
...
This is great information that can help you improve the security posture of your workload. But why not let the tool automatically apply these rules to your instances? Simply add the --mitigate flag and the tool will do just that. This flag will automatically apply the required intrusion prevention rules to the policy of the affected instances. The tool offers even more options, including running from AWS Lambda for a completely automated detection/mitigation workflow. Be sure to check out the README in the code repository.  
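To make the analyze-then-mitigate flow from the two report sections above concrete, here is an added Python example written for this post. It is not the ds-analyze-findings.py tool from the repository, nor any Trend Micro or AWS code. It groups Inspector findings per instance, separates CVE findings from the rest, and flags the CVEs that a Deep Security rule covers, in the same report shape shown above. The findings are constructed sample dicts shaped like the output of boto3's Inspector Classic describe_findings call (an assumption about the field layout; the instance IDs, CVEs and titles are copied from the report on this page). RULE_CATALOGUE is a stand-in for Deep Security's rule metadata: only the ShellShock mapping comes from the post. The fetch_findings helper shows the real boto3 calls but needs AWS credentials, so the offline sample does not call it.

```python
"""Group Amazon Inspector findings per instance and flag CVEs covered by a
Deep Security intrusion prevention rule.  Added example for this post; it is
not the ds-analyze-findings.py tool from the repository."""
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed stand-in for the Deep Security rule catalogue (rule name ->
# CVEs it covers).  Only the ShellShock entry is taken from the post.
RULE_CATALOGUE = {
    "Identified Suspicious Bash ShellShock Attack": {"CVE-2014-6271"},
}

# Constructed sample findings shaped like boto3 inspector.describe_findings()
# output (assumed layout: id, title, recommendation, assetAttributes.agentId).
SAMPLE_FINDINGS = [
    {"id": "CVE-2014-6271",
     "title": "Instance i-fb9eac3c is vulnerable to CVE-2014-6271",
     "assetAttributes": {"agentId": "i-fb9eac3c"},
     "recommendation": "Use your Operating System's update feature to update package bash."},
    {"id": "CVE-2014-1424",
     "title": "Instance i-fb9eac3c is vulnerable to CVE-2014-1424",
     "assetAttributes": {"agentId": "i-fb9eac3c"},
     "recommendation": "Use your Operating System's update feature to update package apparmor."},
    {"id": "sample-stack-cookies",   # constructed id
     "title": "The following executable files installed on Instance i-fb9eac3c "
              "do not support stack cookies: /lib/x86_64-linux-gnu/libpthread-2.19.so",
     "assetAttributes": {"agentId": "i-fb9eac3c"},
     "recommendation": "It is recommended that you uninstall this software if you are not using it."},
    {"id": "sample-pci-2.2.2",       # constructed id
     "title": "Instance i-ebbe8d2c does not meet PCI DSS Requirement 2.2.2 - It was "
              "found to be running unnecessary services on ports: 22, 4118.",
     "assetAttributes": {"agentId": "i-ebbe8d2c"},
     "recommendation": "We recommend that you disable extraneous services."},
]


def cve_id(finding):
    """Return the CVE identifier named in a finding's id or title, else None."""
    for field in (finding.get("id", ""), finding.get("title", "")):
        match = CVE_RE.search(field)
        if match:
            return match.group(0)
    return None


def rule_for(cve):
    """Name of the intrusion prevention rule covering this CVE, or None."""
    for rule, cves in RULE_CATALOGUE.items():
        if cve in cves:
            return rule
    return None


def analyze(findings):
    """Group findings by instance ID.

    Returns {instance: {"cves": {cve: {"rule": str|None, "recommendation": str}},
                        "other": [title, ...]}}.
    """
    report = defaultdict(lambda: {"cves": {}, "other": []})
    for finding in findings:
        instance = finding.get("assetAttributes", {}).get("agentId", "unknown")
        cve = cve_id(finding)
        if cve:
            report[instance]["cves"][cve] = {
                "rule": rule_for(cve),
                "recommendation": finding.get("recommendation", ""),
            }
        else:
            report[instance]["other"].append(finding.get("title", ""))
    return dict(report)


def mitigation_plan(report):
    """(instance, rule) pairs the --mitigate step would apply; sorted for stable output."""
    return sorted((inst, entry["rule"]) for inst, data in report.items()
                  for entry in data["cves"].values() if entry["rule"])


def render(report):
    """Format the grouped findings in the style of the report shown in the post."""
    lines = []
    for instance in sorted(report):
        data = report[instance]
        lines.append(f"{instance} reports:")
        lines.append(f"  There are {len(data['cves'])} findings related to known CVEs")
        lines.append(f"  ...and {len(data['other'])} other findings")
        for cve, entry in sorted(data["cves"].items()):
            lines.append(f"  * {cve}")
            if entry["rule"]:
                lines.append("    !!! Should be mitigated immediately using Deep Security "
                             f"(rule '{entry['rule']}')")
            else:
                lines.append("    Can be mitigated by taking the following action:")
                lines.append(f"      {entry['recommendation']}")
        for title in data["other"]:
            lines.append(f"  * {title}")
        lines.append("")
    return "\n".join(lines)


def fetch_findings(assessment_run_arn, client=None):
    """Pull all findings of one assessment run via boto3 (Inspector Classic API).
    Requires AWS credentials; the offline sample never calls it."""
    import boto3
    client = client or boto3.client("inspector")
    arns, token = [], None
    while True:  # list_findings is paginated via nextToken
        kwargs = {"assessmentRunArns": [assessment_run_arn]}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 100):  # describe_findings takes at most 100 ARNs per call
        findings.extend(client.describe_findings(findingArns=arns[i:i + 100])["findings"])
    return findings


if __name__ == "__main__":
    print(render(analyze(SAMPLE_FINDINGS)))
```

Running the file prints the sample report; swapping `SAMPLE_FINDINGS` for `fetch_findings("<assessment-run-arn>")` runs the same grouping against a real assessment run. `mitigation_plan` only returns the (instance, rule) pairs; applying them to a policy is the Deep Security API step the --mitigate flag performs in the real tool.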

Amazon Inspector + Deep Security

When it comes to vulnerability scanning in the AWS Cloud, Amazon Inspector solves the challenges faced by traditional tools. It’s an excellent way to identify configuration issues with your EC2 instances and AMIs. Add the defensive capabilities of Deep Security and you can easily identify vulnerabilities and prevent malicious attackers from exploiting them. Read more in the Amazon Inspector documentation and in the documentation for our integration tool.