AWS Inspector : A Guide to Discover Your Security Holes

Published:7 June 2022 - 7 min. read

Do you have an extensive infrastructure to manage in AWS public cloud? If so, inspecting and monitoring your environments and infrastructures for vulnerabilities is crucial. And the good news is that AWS has its own most widely-used service, AWS Inspector.

Amazon Inspector is a vulnerability management service that continuously scans your AWS compute resources and automatically detects the affected resources. And in this tutorial, you’ll learn what an AWS inspector is and how to execute an inspector in the AWS cloud to find vulnerabilities.

Read on and start patching up security holes with AWS Inspector!

Prerequisites

This tutorial comprises step-by-step instructions. If you’d like to follow along, be sure you have the following in place:

Enabling Amazon Inspector in AWS Cloud

AWS Inspector is an AWS service that cares about vulnerabilities or issues that might block you from working with AWS compute resources. But before you inspect your AWS infrastructure, you’ll need to enable the AWS Inspector by subscribing to the service.

1. Open your favorite web browser, navigate the AWS Management Console, and log in with your AWS account.

You can centrally manage AWS inspector with multiple AWS accounts by using the AWS organization. Also, if you have more accounts in the future, you can easily enable the service.

2. While in AWS Management Console, search for inspector in the search box at the top, click on and click on the Inspector menu item. Your browser redirects to a page where you’ll see details about AWS Inspector (step three).

Accessing the AWS Inspector Overview Page
Accessing the AWS Inspector Overview Page

3. On the Amazon Inspector page, click on the Get Started button, as shown below, to initialize enabling AWS Inspector.

Getting Started with AWS Inspector
Getting Started with AWS Inspector

4. Finally, click on the Enable Inspector button (bottom-right) to enable the AWS Inspector. After enabling the Inspector, all scan types are enabled by default.

Enabling the Amazon Inspector in AWS Cloud
Enabling the Amazon Inspector in AWS Cloud

Once the AWS Inspector is enabled, your browser redirects to the AWS Inspector Dashboard page with a welcome message at the top, as shown below.

As of now, you will see 0 instances and repositories in the Environment coverage. AWS Inspector initially takes a few minutes to scan your infrastructure after getting enabled,

Viewing the AWS Inspector Dashboard
Viewing the AWS Inspector Dashboard

Running Scans on AWS EC2 Instances in AWS Cloud

You’ve just enabled AWS Inspector in AWS Cloud, and you’re now ready to scan AWS EC2 instances in AWS Cloud. AWS Inspector inspects all installed software and networking components in the AWS EC2 instance.

1. Log in to your Ubuntu machine using your favorite SSH client.

2. Next, run the below systemctl command to check the status of the SSM Agent. SSM agent collects information about the software application inventory of your EC2 instances.

The SSM agent is installed on all AWS EC2 instances by default, but verifying the agent’s status is essential.

sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service
Checking the Status of the AWS SSM Agent
Checking the Status of the AWS SSM Agent

3. Navigate to your Amazon EC2 dashboard and count the number of EC2 instances in your AWS account.

As you can see below, there are five instances currently running in the AWS account in the us-east-01 region.

Viewing All AWS EC2 Instances
Viewing All AWS EC2 Instances

4. Now, navigate to the AWS Inspector Dashboard, where you’ll notice the Environment coverage section. Environment coverage provides the count of total resources scanned by the Amazon Inspector, such as several AWS accounts, AWS EC2 instances, and ECR repositories.

You can continuously scan your environment or AWS resources, and later AWS inspector publishes the findings of all issues and vulnerabilities to Amazon EventBridge.

In the screenshot below, you can see five instances that the AWS Inspector scanned.

Viewing Environment Coverage for AWS EC2 instance
Viewing Environment Coverage for AWS EC2 instance

You can also see the Critical findings, which provide the essential vulnerabilities in your environment and a total count of all findings in your environment.

AWS inspector provides a well-structured Dashboard that provides a high level of findings across environments.

Below, the critical findings on each instance are zero (0), but the AWS Inspector showed one (1) in the All column, which signifies a High-Priority finding.

Viewing Critical Vulnerabilities in AWS Inspector for AWS EC2 Instance
Viewing Critical Vulnerabilities in AWS Inspector for AWS EC2 Instance

5. Click on any of the instances to access its critical findings.

Accessing an Instance Critical Findings
Accessing an Instance Critical Findings

Below, you can see 1 High priority finding. This high priority finding shows the title saying Port range 0 to 65535 is reachable from an Internet Gateway. This finding warns that it’s a risk for an infrastructure to open many ports.

Checking High Findings in AWS inspector for AWS EC2
Checking High Findings in AWS inspector for AWS EC2

6. Finally, click on High under the Severity table shown below to see more details on the findings, such as Network, which can cause vulnerabilities or attackers attacking the system.

As you can see below, the Open Network Paths suggest that the network causing security concerns is from Internet Gateway > Network ACL > Security Group > Network Interface > Instance in the AWS Cloud (red box).

You’ll also see that AWS Inspector provides remediation (green box) so that you can act upon it.

Viewing AWS Inspector Findings on the AWS EC2 Instance Level
Viewing AWS Inspector Findings on the AWS EC2 Instance Level

Running Scans on AWS ECR Repository

You previously scanned your AWS EC2 instances and went through critical findings based on priority. But this time, you’ll scan container images stored in Amazon Elastic Container Registry (ECR) for software vulnerabilities.

1. On the AWS Management Console, search for ecr, and select the Elastic Container Registry menu item shown below.

Opening AWS ECR Console
Opening AWS ECR Console

2. Next, click on the Get Started (top-right) button to create an ECR repository.

Creating the ECR Repository
Creating the ECR Repository

3. Specify the details of the new repository, such as Visibility settings and Repository name, and click on the Save button (bottom) to save the new repository. You can choose the repository name as you like, but this tutorial’s choice is ata-learning-ecr.

After saving the repository, your browser redirects to the Amazon Elastic Container Registry page (step four)

Providing Details for the New ECR Repository
Providing Details for the New ECR Repository

4. Now, navigate to the Private registry page (left panel), and click on Edit under the Scanning configuration section to edit the registry settings.

Editing the Scanning configuration
Editing the Scanning configuration

5. Edit the Scanning configuration with the following:

  • Select the Enhanced scanning option. Enhanced scanning allows AWS Inspector to scan all the AWS ECR repositories automatically. This option gives you a choice between continuous scanning or on-push scanning at the repository level.
  • Check the Continuously scan of all repositories box. Continuous scanning includes on-push scans and automated rescans.
  • Click on the Save button to save the configuration.

On-push scanning scans only work when you push an image.

Editing Scanning Configuration
Editing Scanning Configuration

6. Navigate back to the AWS Inspector main page, and you’ll notice the Summary page shows one repository in the Environment coverage you just created. The below summary indicates that AWS Inspector detected/scanned the ECR repository.

Click on 100% under repositories, and your browser redirects to the Account management page, where you can view the scan details.

Viewing the Repository Being Scanned by AWS Inspector
Viewing the Repository Being Scanned by AWS Inspector

7. Finally, click on the Repositories tab on the Account management page details to view the scan details.

As you can see below, there are no issues or findings made so far for this repository by AWS Inspector, indicating there are no security risks in the ECR repository you created.

Checking the Repositories in AWS Inspector
Checking the Repositories in AWS Inspector

Conclusion

In this tutorial, you’ve learned how to discover security holes in your AWS EC2 instances and AWS ECR within AWS Cloud using AWS Inspector. Building a secure cloud infrastructure is crucial, and AWS Inspector is a service that one must use to scan for vulnerabilities.

At this point, you’re now ready to use this knowledge with other AWS services and secure your powerful services with Amazon Inspector.

AWS Inspector integrates with various AWS services such as AWS CloudWatch, and CloudTrail.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!