AWS Step-by-Step

Assessing Your Security with Amazon Inspector

Here's how to use the Amazon Inspector tool to check the health of your AWS instances from within.

• By Brien Posey
• 02/27/2017

Over the last several years, IT pros have been bombarded with news of one high-profile security breach after another. Given the seriousness of such attacks, and the sometimes irreparable post-breach fallout, it is critically important for IT pros to do what they can to protect their technology resources.

Amazon Web Services (AWS) provides a number of different mechanisms that can be used to improve security, but one that is really worth checking out is Amazon Inspector. First unveiled at the 2015 AWS re:Invent conference, Amazon Inspector is a tool for checking the security health of an instance.

Before I show you how to use Amazon Inspector, it is worth noting that Amazon Inspector is not a penetration testing tool. Penetration testing seeks to break into systems from the outside. Amazon Inspector looks at your AWS instances from within. In fact, Amazon Inspector even requires you to install an agent into your AWS instances.

The process used to install the agent varies depending on the operating system that is running within the AWS instance that you want to analyze. In the case of Windows Server instances, log in to the instance and then download the agent here.

The agent installation process is really simple and straightforward. As you can see in Figure 1, the installer is wizard-based and requires only that you agree to the license terms and click Install.

Once you have installed agents into your instances, you can access Amazon Inspector from the list of AWS services by clicking on the Inspector link found in the Security, Identity, & Compliance section. You can see what the main Amazon Inspector screen looks like in Figure 2.

Click the Get Started button, and you will be taken to a screen that walks you through the initial configuration process. The first thing that you will have to do is to set Amazon Inspector's role. This essentially just means clicking the Choose or Create Role button, and giving Amazon Inspector permission to read the resources in your account.

You will also need to tag your AWS instances. You can use any tag/value pair that you want, but you will need some kind of tag and value that you can use to determine which instances to inspect. It is worth noting that Amazon Inspector can be provisioned with varying sets of rules, so it may be worthwhile to base your tags on the instances' role.

Click Next and you will be taken to a screen that asks which tags and values you want to use when defining an assessment target. Make your selection, as shown in Figure 3, and then click Next.

The next screen requires you to define an assessment template. The basic idea here is that AWS uses packages or rules to perform assessment scans. The items that are tested during a scan vary depending on which rules package is in use. You can see the built-in rules packages in Figure 4, and it is also possible to create your own rules package. As you can see in below, you will need to enter a name for the template, pick a rules package and then set the duration of the scan.

Click Next and you will see a summary of the options that you have chosen. Assuming that everything looks good, click Create to create the assessment template. To run the template, select the template's checkbox, as shown in Figure 5, and click the Run button. It is also possible to perform scheduled scans by using AWS Lambda.

When the run finishes, you should see a status message indicating that the assessment is complete, as shown in Figure 6. You can then click on Findings to see the security health of the instance. The findings are organized in list format and each finding is rated by severity, ranging from Informational to High severity.

You can filter the list of findings based on the severity of the finding, so that you may address the most pressing issues first. Figure 7 shows the basic layout of the Findings screen.