Scan AWS EC2 instances with the power of Terraform, AWS Inspector and AWS Command Line

As Terraform gains popularity and becomes by far the most widely used deployment and automation tool for public cloud, best practices around AWS and enterprise standards are sometimes neglected in the rush and glamour of speed.

The most basic of all security checks, and the most preliminary task, is operating system hardening.

Agenda

  • Automated vulnerability scanning workflow for base operating systems using a combination of Terraform, AWS Inspector and the AWS CLI.
  • Build a golden image as a future reference for all deployments.

Operating systems are the base of any application stack. A strong foundation is of utmost importance when moving to public cloud under the shared responsibility model.

Hence scanning operating system images before they go into production is a must.

  • Deploying at scale and using third-party software makes vulnerability assessment a tedious task.

Why use third-party software for operating system vulnerability scanning when you have AWS Inspector?

Amazon Inspector

  • An automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
  • Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
  • After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.
  • These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Running AWS Inspector will also give you findings for vulnerable ports in network security groups, as per AWS best practices.

Process

  1. Use the AWS image (AMI) id on which applications are deployed
  2. Create temporary servers for scanning and creating golden images
  3. Install the AWS Inspector agent on the servers via user data and the file function in Terraform
  4. Use the AWS rules package ARNs to create an assessment template
  5. Run the assessment template using the AWS CLI (since Terraform doesn't have inbuilt

AWS Inspector Rules Packages


The written explanation ends here; the following Terraform and AWS CLI scripts will let you get into action right away. So pull up your AWS test accounts and let's run the scripts. The ARNs of the rules packages are available at https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rules-arns.html

Terraform script - to be modified as per the .tf scripts used by the organization

I would love it if you do this hands-on rather than copy-pasting, so use the pictures as a reference and write the code with your own hands :)

  • Do not hard-code the AMI ids
  • Use AWS CLI credentials for Terraform execution rather than passing an access key and secret key
  • Rather than opening security groups to the internet
  • Use inspectoragent-install.sh in the same directory as main.tf. The URLs are available on the AWS public documentation site
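As an added example (not the article's own scripts, which were shared as pictures), the Terraform side of the process above in one file: a temporary instance that picks its AMI by name instead of a hard-coded id, an egress-only security group, the agent installed from inspectoragent-install.sh via user data, and an Inspector Classic assessment template whose ARN is exported for the CLI step. The AMI name filter, tag values, resource names and the rules_package_arns variable are assumptions; the ARNs themselves come from the documentation page linked above.

```hcl
variable "rules_package_arns" {
  type = list(string)   # values taken from the rules-package ARN page linked above
}
# Resolve the AMI at apply time rather than hard-coding an id (constructed filter)
data "aws_ami" "base" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

# Egress-only group: the agent needs outbound HTTPS, nothing inbound
resource "aws_security_group" "scan" {
  name = "inspector-scan"
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Temporary target; the agent script sits beside main.tf (assumed file name)
resource "aws_instance" "scan_target" {
  ami                    = data.aws_ami.base.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.scan.id]
  user_data              = file("${path.module}/inspectoragent-install.sh")
  tags                   = { InspectorScan = "true" }  # must match the resource group
}

resource "aws_inspector_resource_group" "scan" {
  tags = { InspectorScan = "true" }
}
resource "aws_inspector_assessment_target" "scan" {
  name               = "hardening-target"
  resource_group_arn = aws_inspector_resource_group.scan.arn
}
resource "aws_inspector_assessment_template" "hardening" {
  name               = "hardening-template"
  target_arn         = aws_inspector_assessment_target.scan.arn
  duration           = 3600   # one hour run, as recommended below
  rules_package_arns = var.rules_package_arns
}
# Pass this ARN to: aws inspector start-assessment-run --assessment-template-arn <arn>
output "assessment_template_arn" {
  value = aws_inspector_assessment_template.hardening.arn
}
```

Credentials come from the AWS CLI profile in the environment, so no keys appear in the configuration; destroy the temporary instance once the golden image has been captured.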

Run the AWS CLI command using the assessment template ARN printed in the output of terraform apply

aws inspector start-assessment-run --assessment-run-name Hardeningrun --assessment-template-arn "output ARN value from terraform apply"

Also replace the assessment run name with one of your own

See the magic in the AWS Inspector console after a successful run of 1 hour (the recommended duration)


Make a choice: do you want to go into production with so many vulnerabilities in base marketplace images?

Quickly go and run the setup for your production workloads, start hardening the operating systems, and build a repository of golden images

You can also download the report and share it with the Infosec team and the IT infra team for remediation



Mauricio Barrera

Cloud Platform Director @ AstraZeneca

1 year

This is using Inspector Classic, is there any equivalent option using Inspector v2? Apparently you can't scan a single instance with Inspector2

Vineeth Raavi

Lead DevOps Engineer | AWS Certified

4 years

This article is worth reading AAYUSH ARORA
