Amazon Inspector Findings

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Mixed (depending on recommendation's severity)
Rule ID: Inspector-001

Check for Amazon Inspector Findings and resolve them step by step to ensure that your systems are configured securely. Amazon Inspector is an AWS service that helps improve the security and compliance of your AWS resources. Amazon Inspector Findings are potential security issues found during the service evaluation of the selected resources (also known as Amazon Inspector assessment targets).

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With Amazon Inspector Findings you can evaluate your operating system environments and applications deployed on AWS for potential security issues and common vulnerabilities in an automated way.

Note 1: As of April 2017, Amazon Inspector assessment targets can consist only of EC2 instances that run certain Linux-based and Windows-based operating systems.
Note 2: As an example, this conformity rule demonstrates how to analyze and resolve a finding (security vulnerability) generated automatically by Amazon Inspector after evaluating a group of EC2 instances (an Amazon Inspector assessment target).
Note 3: This rule only generates checks based on the findings of the latest assessment run associated with an assessment template.


Audit

To check for Amazon Inspector Findings within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector dashboard at https://console.aws.amazon.com/inspector/.

03 In the navigation panel, under the Dashboard section, choose Findings. If no potential security issues were found during your assessment runs, the Findings list will be empty; otherwise the Findings dashboard will list all the issues found, ordered by severity.

04 Select the Finding that you want to examine and click the Show/Hide Details button to expand the finding details panel.

05 Analyze the selected Amazon Inspector Findings entry by checking the following attributes:

  1. Finding – the name of the finding, e.g. "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack."
  2. Severity – the severity of the finding, e.g. "Medium". Possible values are High, Medium, Low, and Informational.
  3. Description – a concise summary of the finding, e.g. "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root."
  4. Recommendation – suggested steps that you can complete to fix the potential security issue described by the selected finding, e.g. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

06 Based on the information returned at the previous step you can analyze the selected finding and make a plan to implement the recommended fix (see Remediation/Resolution section).

07 Repeat steps no. 4 – 6 to analyze other Amazon Inspector Findings available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the list-findings command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all Amazon Inspector Findings currently available in the selected region:

aws inspector list-findings \
    --region us-east-1

02 The command output should return the ARNs of the findings available in the selected region:

{
    "findingArns": [
        "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj",
        "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0/finding/0-hGDNZFIi",
        "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-LSblo0dW"
    ]
}

03 Run the describe-findings command (OSX/Linux/UNIX) using one of the ARNs returned at the previous step as identifier to describe the selected finding generated by Amazon Inspector in the current region:

aws inspector describe-findings \
    --region us-east-1 \
    --finding-arns arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj

04 The command output should return the metadata for the selected finding:

{
    "failedItems": {},
    "findings": [
        {
            "assetType": "ec2-instance",
            "confidence": 10,
            "numericSeverity": 6.0,
            "description": "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root.",
            "service": "Inspector",
            "title": "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack.",
            "indicatorOfCompromise": false,
            "assetAttributes": {
                "schemaVersion": 1,
                "agentId": "i-0bdaf6743a3e8bde5",
                "ipv4Addresses": []
            },
            "userAttributes": [],
            "createdAt": 1493546543.248,
            "recommendation": "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use **sudo** to escalate privileges when necessary. To disable SSH root logins, set **PermitRootLogin** to \"no\" in **/etc/ssh/sshd_config** and restart sshd.",
            "updatedAt": 1493546543.248,
            "attributes": [
                {
                    "value": "i-0bdaf6743a3e8bde5",
                    "key": "INSTANCE_ID"
                }
            ],
            "schemaVersion": 1,
            "serviceAttributes": {
                "schemaVersion": 1,
                "rulesPackageArn": "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q",
                "assessmentRunArn": "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0"
            },
            "id": "Disable root login over SSH",
            "arn": "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0/finding/0-hGDNZFIi",
            "severity": "Medium"
        }
    ]
}

05 Analyze the selected finding metadata returned at the previous step by checking the following output attributes:

  1. "title" – the name of the Amazon Inspector finding, e.g. "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack."
  2. "severity" – the severity of the finding, e.g. "Medium". Possible values are High, Medium, Low, and Informational.
  3. "description" – the summary of the finding, e.g. "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root."
  4. "recommendation" – recommended steps that you can follow to solve the potential security issue described by the selected finding, e.g. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

Note: If there are no potential security issues found during your assessment runs, Amazon Inspector generates a finding with the "title" attribute value set to "No potential security issues found".

06 Repeat steps no. 3 – 5 to verify other Amazon Inspector Findings available in the current region.

07 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
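The CLI steps above examine one finding at a time. The following Python is an added example, not part of the Conformity rule or the Amazon Inspector tooling: it takes describe-findings output (a constructed sample modelled on the output shown above), drops the "No potential security issues found" sentinel from the Note, surfaces ARNs listed under failedItems, and orders what remains by severity and instance. The High finding, its rule name and the two extra instance IDs are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `aws inspector describe-findings` output: the
# page's root-login finding, a constructed High finding, and the clean-run sentinel.
SAMPLE_DESCRIBE_FINDINGS = json.dumps({
    "failedItems": {},
    "findings": [
        {"title": "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log "
                  "in with root credentials over SSH. This increases the likelihood "
                  "of a successful brute-force attack.",
         "severity": "Medium", "id": "Disable root login over SSH",
         "assetAttributes": {"agentId": "i-0bdaf6743a3e8bde5"}},
        {"title": "CONSTRUCTED High finding", "severity": "High",
         "id": "CONSTRUCTED-RULE", "assetAttributes": {"agentId": "i-0000constructed0"}},
        {"title": "No potential security issues found", "severity": "Informational",
         "id": "No potential security issues found",
         "assetAttributes": {"agentId": "i-0000constructed1"}},
    ],
})

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
CLEAN_RUN_TITLE = "No potential security issues found"


def triage_findings(describe_findings_json):
    """Parse describe-findings output into rows sorted High -> Informational.
    The clean-run sentinel is not a defect and is dropped; ARNs the service
    could not resolve (failedItems) are returned rather than silently ignored."""
    doc = json.loads(describe_findings_json)
    unresolved = sorted(doc.get("failedItems", {}))
    rows = []
    for f in doc.get("findings", []):
        if f.get("title") == CLEAN_RUN_TITLE:
            continue
        rows.append({
            "instance": f.get("assetAttributes", {}).get("agentId", "unknown"),
            "severity": f.get("severity", "Informational"),
            "rule": f.get("id", ""),
            "title": f.get("title", ""),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["instance"]))
    return rows, unresolved


def remediation_plan(rows):
    """Group severity-sorted rows by instance so each host gets one change ticket."""
    plan = defaultdict(list)
    for r in rows:
        plan[r["instance"]].append((r["severity"], r["rule"]))
    return dict(plan)
```

Feed it the JSON from `aws inspector describe-findings` for all ARNs returned by list-findings in a region, and the plan maps each instance to the rules it must satisfy, highest severity first.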

Remediation / Resolution

To solve any Amazon Inspector Findings discovered for your EC2 resources provisioned within your AWS account, perform the following:

Note: As an example, this rule provides step-by-step instructions on how to configure your EC2 instances running a Linux-based OS distribution to prevent root account logins over SSH.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector dashboard at https://console.aws.amazon.com/inspector/.

03 In the left navigation panel, under the Dashboard section, choose Findings.

04 Choose the Amazon Inspector finding that you want to resolve (see Audit section part I to identify the right resource) and click the Show/Hide Details button to expand the finding details panel.

05 On the selected finding details panel, locate the AWS agent ID attribute and click on its value (link). The AWS agent ID attribute shares the same ID with the selected finding's assessment target (i.e. the EC2 instance evaluated by the Amazon Inspector service).

06 Select the EC2 instance identified by the AWS agent ID assigned to the selected finding then click the Connect button from the dashboard top menu to get the information required to connect to the selected EC2 instance via SSH.

07 Within Connect To Your Instance dialog box, choose whether to use a standalone SSH client like PuTTY or a Java SSH client directly from your browser to connect to the selected EC2 instance in order to solve the potential security issue found during the assessment.

08 Once you have connected to your EC2 instance operating system via SSH, follow the instructions provided by the Amazon Inspector finding in the Recommendation section, i.e. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

09 Repeat steps no. 4 – 8 to solve other Amazon Inspector Findings discovered for the EC2 instances provisioned in the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the describe-findings command (OSX/Linux/UNIX) with a custom query filter and the ARN of the finding that you want to solve as identifier (see Audit section part II to identify the right ARN) to retrieve the AWS agent ID of the selected Amazon Inspector finding. The finding's AWS agent ID is the ID of the EC2 instance evaluated by the Amazon Inspector service:

aws inspector describe-findings \
    --region us-east-1 \
    --finding-arns arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj \
    --query 'findings[*].assetAttributes.agentId'

02 The command output should return the ID of the EC2 instance targeted by the selected Amazon Inspector finding:

[
    "i-0bdaf6743a3e8bde5"
]

03 Now run the describe-instances command (OSX/Linux/UNIX) using the EC2 instance ID returned at the previous step to describe the configuration attributes of the EC2 instance targeted by the selected Inspector finding:

aws ec2 describe-instances \
    --region us-east-1 \
    --instance-ids i-0bdaf6743a3e8bde5

04 The command output should return the requested EC2 instance configuration details, such as the instance Public/Elastic IP, SSH key name, AMI ID, etc.:

{
    "Reservations": [
        {
            "OwnerId": "123456789012",
            "ReservationId": "r-0407438b3488ce325",
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "PublicDnsName": "ec2-34-201-70-11.compute-1...",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "EbsOptimized": false,
                    "LaunchTime": "2017-04-29T05:08:56.000Z",
                    "PublicIpAddress": "34.201.70.11",
                    "PrivateIpAddress": "172.31.14.27",
                    "InstanceId": "i-0bdaf6743a3e8bde5",
                    "EnaSupport": true,
                    "ImageId": "ami-c58c1de1",
                    "PrivateDnsName": "ip-172-31-14-27.ec2.internal",

                    ...

                    "KeyName": "ssh-access-key",
                    "SecurityGroups": [
                        {
                            "GroupName": "launch-wizard-5",
                            "GroupId": "sg-315a34f5"
                        }
                    ],
                    "SubnetId": "subnet-2b394201",
                    "InstanceType": "c4.large",
                    "SourceDestCheck": true,
                    "Placement": {
                        "Tenancy": "default",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1a"
                    },
                    "Hypervisor": "xen",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

05 Use the instance configuration details (Public IP, SSH key name, etc.) returned at the previous step with your preferred SSH client to connect to the selected EC2 instance in order to solve the potential security issue found during the evaluation performed by Amazon Inspector.

06 Once you have connected to your EC2 instance using SSH, follow the instructions provided by the Amazon Inspector finding in the Recommendation section, i.e. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

07 Repeat steps no. 1 – 6 to solve other Amazon Inspector Findings discovered for your EC2 instances provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
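The Recommendation text makes the fix sound like a one-line edit, but sshd honours the first occurrence of a keyword it reads and treats occurrences inside a Match block as conditional overrides, so a blind search-and-replace can leave root login effectively enabled. The following Python is an added example, not from the Conformity rule or the Inspector service: the sshd_config excerpt is constructed, and it assumes a single configuration file (Include drop-ins on OpenSSH 8.2+ are read at the point of the Include and would need the same treatment). After writing the result back, validate with `sshd -t` and restart sshd as the recommendation says.

```python
import re

# Constructed sshd_config excerpt (not from the page): the global directive is
# commented out, so the compiled-in default applies, and a Match block re-enables it.
SAMPLE_SSHD_CONFIG = """\
# Authentication:
#PermitRootLogin yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

# sshd_config accepts "keyword value" or "keyword=value"; keywords are case-insensitive
DIRECTIVE = re.compile(r"^PermitRootLogin(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)
MATCH_BLOCK = re.compile(r"^Match\b", re.IGNORECASE)

def effective_global_value(config_text):
    """Value sshd applies outside Match blocks: the FIRST uncommented global line wins.
    None means the compiled-in default (prohibit-password on OpenSSH 7.0+, yes before)."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if MATCH_BLOCK.match(stripped):
            break
        m = DIRECTIVE.match(stripped)
        if m:
            return m.group(1).lower()
    return None

def set_permit_root_login(config_text, value="no"):
    """Return (new_text, override_lines): the first global PermitRootLogin is rewritten
    in place (or inserted before the first Match block / at EOF), later global
    duplicates are dropped since sshd ignores them, Match overrides are kept but reported."""
    out, inside_match, done, overrides = [], False, False, []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if MATCH_BLOCK.match(stripped):
            if not done:
                out.append("PermitRootLogin %s" % value)
                done = True
            inside_match = True
        if DIRECTIVE.match(stripped):
            if inside_match:
                overrides.append(lineno)      # conditional override: review it
            elif done:
                continue                      # duplicate global line, drop it
            else:
                line, done = "PermitRootLogin %s" % value, True
        out.append(line)
    if not done:
        out.append("PermitRootLogin %s" % value)
    return "\n".join(out) + "\n", overrides
```

Any line numbers returned in override_lines point at Match-block settings that still permit root login for the matching connections and need a decision of their own.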

Publication date May 2, 2016