AWS has, for a while now, provided the Trusted Advisor service, which is an excellent tool to sanity check your environment and ensure you are adhering to best practice recommendations around, amongst other things, security. Trusted Advisor's security checks are mainly at the account level and validate such things as whether MFA is in use for IAM users, whether access keys need rotating, or whether security groups have unrestricted access.
AWS Inspector, announced at re:Invent last November, takes things much further. Using agents on supported platforms (the most popular Linux distributions and Windows 2008/2012) it provides endpoint security testing that gives visibility of any vulnerabilities on the actual hosts themselves. Assessment templates can be created with a set of pre-defined rules packages to provide customised reports at scheduled intervals.
Inspector allows you to run security assessments against targets lasting from 15 minutes through to 24 hours; the longer the assessment, the more thorough the analysis of your target instance. Each assessment is defined via a template where targets are specified along with the duration and the packages of rules to run against them. Rules are categorised from Informational through to High severity so you can understand the impact of each check. The following rules packages have been made available:
- Common Vulnerabilities and Exposures
- CIS Operating System Security Configuration Benchmarks
- Security Best Practices
- Runtime Behavior Analysis
An example of a check that the Security Best Practices rules package might make is whether SSH sessions authenticated by password are enabled.
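To show what such a finding actually tests for, here is an added example (not part of the original post, and not Inspector's own rule logic) of a small checker for that SSH password authentication condition, working from the text of an OpenSSH sshd_config. It follows sshd_config(5) semantics: keywords are case-insensitive, the first global occurrence of a keyword wins, the default for PasswordAuthentication is "yes", and a setting inside a Match block applies only to the matched connections; the sample config is constructed for the example.

```python
import re

def password_auth_finding(config_text):
    """Return a finding describing whether password SSH logins are permitted.

    'global' is the effective setting for connections no Match block covers,
    'match' lists Match conditions that enable password auth, and 'enabled'
    is True when any path into the host allows password logins.
    """
    global_value = None   # first global PasswordAuthentication seen wins
    match_enabled = []    # Match conditions that set PasswordAuthentication yes
    in_match = None       # condition string of the Match block we are inside
    for raw in config_text.splitlines():
        # Drop comments (simplification: quoted arguments are not handled)
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config allows "Keyword value" or "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            # "Match all" returns to the global scope
            in_match = None if value.lower() == "all" else value
            continue
        if keyword != "passwordauthentication":
            continue
        if in_match is None:
            if global_value is None:
                global_value = value.lower()
        elif value.lower() == "yes":
            match_enabled.append(in_match)
    effective = global_value if global_value is not None else "yes"  # sshd default
    return {
        "global": effective,
        "match": match_enabled,
        "enabled": effective == "yes" or bool(match_enabled),
    }

# Constructed sample: hardened globally, but password auth re-enabled for one group
SAMPLE_CONFIG = """
# Hardened baseline
PasswordAuthentication no
# Ignored by sshd: the first occurrence above wins
PasswordAuthentication yes
PubkeyAuthentication yes

Match Group legacy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(password_auth_finding(SAMPLE_CONFIG))
```

Note that an empty or absent PasswordAuthentication line is reported as enabled, because that is sshd's default, which is the case a host-level check like this is most useful for catching.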
Unfortunately, Inspector is not yet available in the Sydney region, but with AWS’ recent announcements about increased capacity and new services, we have our fingers crossed that it will reach these shores soon.
To find out more about how to get started with AWS Inspector follow this excellent walkthrough on the AWS site.