Testing out the new Amazon Inspector Vulnerability Management Tool
Christopher Doman
Co-Founder/CTO at Cado Security - Cloud Forensics & Incident Response
The most interesting security announcement from this week’s #awsreinvent is the new version of Amazon Inspector - a vulnerability management tool. Let’s have a play...
How is the new Amazon Inspector different from the old one? The main things to me are 1) container (ECR) support, 2) continuous scanning and 3) scans via the SSM agent that is already built in to most AMIs.
Now down to the nitty-gritty: I’ll deploy a few old boxes to get some test data. Russian Windows Server 2012? Yeah!
Ah, but note that the new Amazon Inspector appears not to directly support Windows yet (https://markn.ca/2021/first-look-at-the-brand-new-amazon-inspector/) even though SSM does run on Windows. Anyway, let’s turn Amazon Inspector on...
After a single click (yup!) the scan is starting...
It sees a few relevant systems
Ok, it took an hour to scan a few systems and found 819 “telemetry messages” and 219 findings:
Note that the first findings/Rules Packages here are classic cloud security posture management “Root user allowed”, “RDP port reachable” etc.
Here’s an example of a CVE/vulnerability finding for an install of an old version of Amazon Linux. As usual with these things it’s pretty noisy, and it’s up to you to sort through and work out what really is a “High”.
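One way to do that sorting programmatically, as an added example that is not part of the thread: the script below takes Inspector findings and orders the High-and-above ones so that those with a published package fix (or a plain network-exposure fix) come first. The sample findings are constructed with placeholder ids, and the field names (`type`, `severity`, `inspectorScore`, `packageVulnerabilityDetails`, `resources`) are assumed to match the `findings` list returned by `aws inspector2 list-findings`.

```python
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "INFORMATIONAL": 0, "UNTRIAGED": 0}

# Constructed sample (placeholder ids), shaped like the "findings" list that
# `aws inspector2 list-findings` returns; the field names are an assumption.
SAMPLE_FINDINGS = [
    {"type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "inspectorScore": 7.5,
     "title": "CVE-0000-0001 - examplepkg",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-PLACEHOLDER1"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001",
         "vulnerablePackages": [{"name": "examplepkg", "version": "1.0-1",
                                 "fixedInVersion": "1.0-2"}]}},
    {"type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "inspectorScore": 9.8,
     "title": "CVE-0000-0002 - otherpkg",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-PLACEHOLDER1"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002",
         "vulnerablePackages": [{"name": "otherpkg", "version": "2.3",
                                 "fixedInVersion": None}]}},  # no vendor fix yet
    {"type": "NETWORK_REACHABILITY", "severity": "HIGH", "inspectorScore": None,
     "title": "Port 3389 is reachable from an Internet Gateway",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-PLACEHOLDER2"}]},
    {"type": "PACKAGE_VULNERABILITY", "severity": "MEDIUM", "inspectorScore": 5.0,
     "title": "CVE-0000-0003 - examplepkg",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "ecr-image-PLACEHOLDER"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003",
         "vulnerablePackages": [{"name": "examplepkg", "version": "1.0-1",
                                 "fixedInVersion": "1.0-2"}]}},
]

def fix_available(finding):
    """Package findings are closable when a fixed version exists; reachability ones are config fixes."""
    if finding["type"] == "NETWORK_REACHABILITY":
        return True
    pkgs = finding.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", [])
    return any(p.get("fixedInVersion") for p in pkgs)

def triage(findings, min_severity="HIGH"):
    """Drop findings below min_severity, then order the rest: fix available first,
    then severity, then Inspector score. Returns (resource, title, severity, score, fixable)."""
    floor = SEVERITY_RANK[min_severity]
    kept = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]
    kept.sort(key=lambda f: (not fix_available(f),
                             -SEVERITY_RANK.get(f["severity"], 0),
                             -(f.get("inspectorScore") or 0.0)))
    return [(f["resources"][0]["id"], f["title"], f["severity"],
             f.get("inspectorScore"), fix_available(f)) for f in kept]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```

On real data, pass `response["findings"]` from the CLI/boto3 call and page through `nextToken`; the ordering puts the Critical-with-no-fix item last, which is the one that needs a compensating control rather than a patch.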
Auditors on your back? The PDF export is nice and fast. 160 pages of findings for 6 test systems - it would be a pretty big PDF doc for a realistically sized account with thousands of systems! One way to keep the auditors busy, I guess...
Overall - very impressed with how easy it was to deploy (a couple of clicks), and as you would expect it has good findings given it combines host and network data.