Vulnerability Management using Amazon Inspector
All the pictures are taken from Official AWS Website

Amazon Inspector is the vulnerability management service provided by AWS. It continuously scans your infrastructure workloads for software package vulnerabilities (known CVEs in operating system and application packages) and for unintended network reachability. Amazon Inspector scans Amazon EC2 instances, container images in Amazon Elastic Container Registry (ECR), and now AWS Lambda functions as well. The result of a scan is a set of findings.


How does Amazon Inspector work?

The current Amazon Inspector scans continuously rather than on a schedule. The older Amazon Inspector Classic, which is where the terms "agent installation", "assessment template" and "assessment run" come from, required a dedicated agent and scheduled runs; the current service does not. The scanning process is:

  1. Enable Amazon Inspector in the account (or across the organization from a delegated administrator account) and choose which resource types to cover: EC2, ECR and Lambda.
  2. Discovery and coverage: EC2 instances are discovered automatically and their package inventory is collected through the AWS Systems Manager Agent (SSM Agent), so an instance without a working SSM Agent shows up as not covered; ECR images are scanned when they are pushed and rescanned as new CVEs are published; Lambda functions are scanned when they are created or updated.
  3. Continuous vulnerability scanning: package inventories are matched against the vulnerability database, and EC2 network reachability is re-evaluated periodically.
  4. Findings and risk scoring: every vulnerability found produces a finding with a severity rating and an Inspector score.
  5. Prioritise and remediate: route Critical and High findings to your workflow, apply the fix (patch the instance, rebuild the image, update the function's dependencies), and the finding is closed automatically on the next scan once the vulnerable package is gone.

Features of Amazon Inspector-

1) Integration with other services like AWS Security Hub and Amazon EventBridge to automate the security workflow.

Inspector findings are automatically sent to AWS Security Hub (when both services are enabled in the region), which acts as a centralized hub for security-related findings and insights across your AWS environment. Security Hub provides a comprehensive view of your overall security posture. Inspector also publishes every new or updated finding as an event to Amazon EventBridge, so you can write a rule that fires only for Critical or High findings and triggers an automated response. This automation can include actions like sending notifications, generating tickets, or starting remediation processes such as patching or rebuilding an image.
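The routing described above, as an added example that is not from the original article or from AWS: an EventBridge event pattern that selects active Critical and High Inspector findings, a Lambda handler that turns a matching finding event into an alert payload, and a minimal local pattern matcher so the rule can be unit-tested before it is deployed. The sample event is constructed in the documented Inspector2 finding event shape (not captured from a real account); the CVE id, instance id and account number are placeholders, and the notification target is left to the deployment.

```python
"""Added example (not from the original article): EventBridge rule pattern and
Lambda handler for Critical/High Amazon Inspector findings."""
from __future__ import annotations

import json
from typing import Any

# Event pattern for the EventBridge rule that routes Inspector findings to the
# Lambda function. Inspector publishes findings with source "aws.inspector2" and
# detail-type "Inspector2 Finding"; we only want ACTIVE findings rated CRITICAL
# or HIGH so that low-value noise never reaches the on-call queue.
CRITICAL_HIGH_ACTIVE_PATTERN: dict[str, Any] = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["CRITICAL", "HIGH"],
        "status": ["ACTIVE"],
    },
}


def matches_pattern(event: dict[str, Any], pattern: dict[str, Any]) -> bool:
    """Minimal EventBridge-style matcher: every key in the pattern must exist in
    the event; a list means "the value must be one of these", a dict means recurse.
    Enough to test the rule locally before deploying it."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def build_alert(event: dict[str, Any]) -> dict[str, Any]:
    """Flatten an Inspector2 finding event into the fields an alert or ticket needs."""
    detail = event["detail"]
    pkg = detail.get("packageVulnerabilityDetails", {})
    resources = [
        {"type": r.get("type"), "id": r.get("id"), "region": r.get("region")}
        for r in detail.get("resources", [])
    ]
    return {
        "severity": detail["severity"],
        "inspector_score": detail.get("inspectorScore"),
        "vulnerability_id": pkg.get("vulnerabilityId"),
        "title": detail.get("title"),
        "fix_available": detail.get("fixAvailable"),
        "resources": resources,
        "reference_urls": pkg.get("referenceUrls", []),
        "finding_arn": detail.get("findingArn"),
    }


def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """Lambda entry point. Returns the alert payload (or a 'skipped' marker) so it
    can be tested without a live account. In a real deployment the payload would be
    published from here to an SNS topic or a ticketing API (hypothetical target)."""
    if not matches_pattern(event, CRITICAL_HIGH_ACTIVE_PATTERN):
        return {"skipped": True, "reason": "not an active Critical/High Inspector finding"}
    alert = build_alert(event)
    alert["message"] = (
        f"[{alert['severity']}] {alert['vulnerability_id']} on "
        f"{', '.join(r['id'] for r in alert['resources'])}"
        f" (Inspector score {alert['inspector_score']}, fix available: {alert['fix_available']})"
    )
    return alert


# Constructed sample event in the Inspector2 finding shape (not from a real account;
# the CVE id, instance id and account id are placeholders).
SAMPLE_EVENT: dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "111122223333",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["i-0123456789abcdef0"],
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/example",
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "type": "PACKAGE_VULNERABILITY",
        "title": "CVE-0000-00000 - example-package (placeholder title)",
        "inspectorScore": 9.8,
        "fixAvailable": "YES",
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-0000-00000",
            "source": "NVD",
            "referenceUrls": ["https://nvd.nist.gov/vuln/detail/CVE-0000-00000"],
        },
        "resources": [
            {"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0", "region": "us-east-1"}
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Use `CRITICAL_HIGH_ACTIVE_PATTERN` as the rule's event pattern and `lambda_handler` as the rule's Lambda target. Because the handler returns the payload instead of publishing it, swapping in an SNS publish or a ticketing client is the only change needed for production, and the matcher lets you check in a unit test that a LOW or CLOSED finding is dropped before the rule ever reaches an account.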


2) Automated Vulnerability Assessment

Software package vulnerability findings identify packages in your AWS workloads that are exposed to known Common Vulnerabilities and Exposures (CVEs). Network reachability findings (EC2 instances only) reveal that there are network paths to your Amazon EC2 instances from outside your VPC, for example from the internet. These findings bring attention to network configurations that may be excessively permissive, such as poorly managed security groups, network ACLs, or internet gateways, which could allow unauthorized access or malicious activity. A network reachability finding does not by itself mean the instance is vulnerable; it matters most when combined with a package vulnerability on the same instance, which is why the same host should be reviewed in both views.


3) All findings

The "All findings" table lists every active finding in your environment. Which finding types it contains depends on the Amazon Inspector scanning you have enabled: package vulnerability and network reachability findings for Amazon EC2 instances, and package vulnerability findings for Amazon ECR container images and Lambda functions. Suppressed and closed findings are excluded from this view unless you change the status filter.


4) Vulnerability Scores

Amazon Inspector assigns each finding an Inspector score, ranging from 0.0 to 10.0, which indicates the potential impact and risk it poses to your environment. The score starts from the CVSS base score of the CVE and is adjusted for the context in which the vulnerability was found, so the same CVE can score differently on an internet-reachable instance than on an isolated one. Findings are grouped into severity levels by score:

  • Critical: a score of 9.0-10.0 signifies a critical risk.
  • High: a score of 7.0-8.9 signifies a high risk.
  • Medium: a score of 4.0-6.9 signifies a moderate risk.
  • Low: a score of 0.1-3.9 signifies a low risk.
  • Informational: a score of 0.0 signifies an informational finding.

The Dashboard summarises these findings in several views:


By vulnerability: This view presents a list of the most critical vulnerabilities identified. You can select a vulnerability title to access additional details in a separate pane.

By account: This view is exclusive to delegated administrators and provides a list of your accounts. It showcases the Amazon Inspector scan coverage percentage for each account, as well as the total count of Critical and High severity findings in each account.

By instance: This view highlights the most vulnerable Amazon EC2 instances within your environment.

By container image: This view lists the most vulnerable Amazon ECR container images present in your environment.

By container repository: This view focuses on the repositories that have the highest number of vulnerabilities.

By Lambda function: This view displays the Lambda functions that have the most vulnerabilities.

5) Vulnerability Database search

Using this feature, we can check whether Amazon Inspector covers a particular CVE in its scans or not. For a covered CVE it shows the description from the National Vulnerability Database (NVD), the CVSS score, and the EPSS (Exploit Prediction Scoring System) score, which estimates how likely the vulnerability is to be exploited in the wild and is useful for prioritising between findings of the same severity.



6) Suppression Rules

A suppression rule is a predefined set of filter criteria; findings that match the criteria are excluded from your active findings lists. Their status is changed automatically from "Active" to "Suppressed", so they no longer trigger unnecessary alerts or clutter your Amazon Inspector findings lists. Suppression rules are particularly useful for removing low-value findings or findings that are irrelevant to your specific environment, for example a CVE in a package whose vulnerable code path your workload never calls. A suppressed finding is not a fixed one: scope each rule as narrowly as possible (to a repository, instance or tag rather than to a CVE across the whole account), record the justification in the rule's description, and review the rules periodically.
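One way to create such a rule safely, as an added example that is not from the original article or from AWS: a helper that builds the `filterCriteria` for the inspector2 `CreateFilter` API with `action=SUPPRESS`, and refuses to produce an account-wide suppression unless the rule is scoped to a repository, resource, function or tag. The CVE id, the repository name and the rule name are placeholders; the boto3 client is passed in so the builder can be tested without AWS credentials.

```python
"""Added example (not from the original article): building a narrowly scoped
Amazon Inspector suppression rule and creating it through the CreateFilter API."""
from __future__ import annotations

from typing import Any

# filterCriteria keys that tie a rule to specific resources. A rule that names
# only a CVE hides it everywhere in the account (or in the whole organization when
# created by the delegated administrator), so we require at least one of these.
RESOURCE_SCOPE_KEYS = {"resourceId", "ecrImageRepositoryName", "lambdaFunctionName", "resourceTags"}


def _eq(values: list[str]) -> list[dict[str, str]]:
    """Inspector StringFilter list: one EQUALS entry per value (entries are OR-ed)."""
    return [{"comparison": "EQUALS", "value": v} for v in values]


def build_suppression_criteria(
    vulnerability_ids: list[str],
    *,
    ecr_repositories: list[str] | None = None,
    resource_ids: list[str] | None = None,
    lambda_functions: list[str] | None = None,
    resource_tags: dict[str, str] | None = None,
) -> dict[str, Any]:
    """Return the filterCriteria for a rule that suppresses the given CVEs only on
    the named repositories / resources / functions / tagged resources. Raises if
    the rule would be unscoped, because suppressing a CVE account-wide is a policy
    decision, not a filter anyone should create by accident."""
    if not vulnerability_ids:
        raise ValueError("at least one vulnerability id is required")
    criteria: dict[str, Any] = {"vulnerabilityId": _eq(vulnerability_ids)}
    if ecr_repositories:
        criteria["ecrImageRepositoryName"] = _eq(ecr_repositories)
    if resource_ids:
        criteria["resourceId"] = _eq(resource_ids)
    if lambda_functions:
        criteria["lambdaFunctionName"] = _eq(lambda_functions)
    if resource_tags:
        # resourceTags is a MapFilter: each entry carries both key and value.
        criteria["resourceTags"] = [
            {"comparison": "EQUALS", "key": k, "value": v} for k, v in resource_tags.items()
        ]
    if not RESOURCE_SCOPE_KEYS & criteria.keys():
        raise ValueError("refusing to build an account-wide suppression rule; scope it to a resource")
    return criteria


def create_suppression_rule(client: Any, name: str, criteria: dict[str, Any], reason: str) -> str:
    """Create the rule with the inspector2 CreateFilter API (action=SUPPRESS) and
    return its ARN. `client` is a boto3 inspector2 client. The justification is
    stored as the filter description so the next reviewer can see why it was accepted."""
    response = client.create_filter(
        action="SUPPRESS", name=name, description=reason, filterCriteria=criteria
    )
    return response["arn"]


if __name__ == "__main__":
    import boto3  # only needed for the live call

    criteria = build_suppression_criteria(
        ["CVE-0000-00000"],  # placeholder id, not a real vulnerability
        ecr_repositories=["payments-api"],  # hypothetical repository name
    )
    print(create_suppression_rule(
        boto3.client("inspector2"),
        name="suppress-CVE-0000-00000-payments-api",  # hypothetical rule name
        criteria=criteria,
        reason="Vulnerable code path not reachable from this image; re-evaluate at next base image refresh",
    ))
```

The same criteria dictionary is what the console builds when you add filters before choosing "Suppress"; building it in code lets the scope check and the justification go through review like any other change.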


7) Account Management

The Account management page on the Amazon Inspector console is where you assess and interpret Amazon Inspector coverage in your AWS environment. It shows aggregate statistics and resource-level statistics (for example how many EC2 instances, ECR repositories and Lambda functions are scanned versus discovered), lets you enable or disable scan types per account, and is where the organization's delegated administrator for Amazon Inspector is set. Unscanned resources, such as EC2 instances without a running SSM Agent, are a coverage gap worth tracking here alongside the findings themselves.



In this article we looked at Vulnerability Management using Amazon Inspector. With automated discovery, continuous scanning, risk scoring, suppression rules and centralized management across accounts, Amazon Inspector provides near real-time vulnerability findings and a comprehensive view of your security posture, and its Security Hub and EventBridge integrations let those findings drive an automated response instead of sitting in a console.
