Amazon Web Services (AWS) publicly released a new security vulnerability assessment tool called Amazon Inspector. Seeing as how we at Hurricane Labs are heavy users of both AWS and assorted vulnerability assessment tools, it seems like something worth inspecting (sorry). We’re going to take a look at what Inspector is, what’s interesting about it, test just how ‘special’ it really is, and consider where it may be headed down the road.
For those of you that don’t have time to read my in-depth review, here is an executive summary: Amazon Inspector is a low-impact, low-cost vulnerability scanner that is beneficial when used in addition to comprehensive vulnerability scanners (such as Nessus or Qualys). Amazon Inspector has limited detection capabilities and a lackluster user interface, however, and should not be used as a substitute for a traditional vulnerability scanning solution.
So, what is Amazon Inspector?
At the most basic level, Amazon Inspector is an agent-based vulnerability assessment tool. What this means is that unlike traditional vulnerability assessment tools, which have centralized servers that scan multiple remote hosts, all scanning is conducted locally and requires the AWS agent to be installed on each target system. Installation is dead simple, and consists of running one executable file.
Like all agent-based scanners, Inspector is only supported on a limited set of operating systems. See the official documentation for a full list, but at the time of writing, this includes only the major Linux-based releases like Red Hat, CentOS, Ubuntu 14.04, and Amazon Linux. On the Windows side, Windows Server 2008 R2 and 2012 are also supported. This does cover a decent amount of what is commonly used in production, especially in AWS. However, operating system support is a non-issue for traditional (network-based) vulnerability scanning solutions, which need nothing installed on the target.
What’s special about this tool?
Amazon claims it “enables you to analyze the behavior of your AWS resources and helps you to identify potential security issues.” It also gathers information about “network, file system, and process activity”, which it sends back to Amazon for analysis and reporting. These are some bold claims, especially the inclusion of the word “behavior” which, at least in my opinion, implies a higher level of analysis than just basic checks.
Time to test these claims. Here we go.
Since Inspector seems to be targeted primarily at DevOps teams, I decided to design a basic Ubuntu 14.04 box with some operating system misconfigurations and a vulnerable WordPress installation. This is so that both halves of DevOps would be tested. The vulnerabilities I targeted are listed at the end of this blog, if you’re looking for specific details.
Next, I had to configure Inspector. This is a fairly simple guided process, consisting of a bit of permissions configuration, creating an Assessment Target, an Assessment Template, and then running an assessment with those previously created objects. First and foremost, Inspector will guide you through setting up an IAM role which gives Inspector limited access to your AWS account.
Then, you’ll create an “Assessment Target”. An Assessment Target is just a list of AWS instances, which is created based on tags that have been assigned to those instances — for example, name. For my testing, I just set this to the test instance I created. An Assessment Template is like a Nessus policy and determines which “Rules” Amazon will use to analyze the hosts, as well as the assessment duration. I selected all of the available rule sets for my test and the recommended duration of 1 hour. Lastly, in order to actually start the scan, just select the template you created, and click the “Run” button.
At this point, Inspector will begin gathering data from the agents on whatever targets you specified. You can expand the Assessment Run you created, and click Status, which will show you how many agents are active and how much telemetry has been obtained from those agents. As far as system resource usage goes, Inspector is extremely minimal. You won’t see any of the CPU/Network usage spikes like you would with Nessus or Qualys. Inspector makes very little noise on both the system and the network — this may be one of its best features.
After the assessment is finished, the results will automatically populate in the “Notable Findings” section of the Inspector Dashboard. If you’re used to navigating any of the AWS dashboards, the Inspector interface will feel very familiar. The interface is simple, but in my opinion it leaves quite a bit to be desired. My biggest complaint is that there is no way to see descriptions of all of the vulnerabilities returned by a particular scan in one place. It is possible to see a list of 10 findings at once, which contain CVE ID numbers. But, unless you’re in the practice of memorizing CVE numbers, that information is of very little value to you.
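One way around the “ten findings at a time, CVE IDs only” limitation of the dashboard is to pull the findings out of the API instead. The script below is an added example written for this review; it is not code from the original post, from Hurricane Labs or from AWS. It assumes the boto3 Inspector (classic) client’s list_findings and describe_findings calls, which are not shown on the page, and an assumed per-call limit of 100 finding ARNs for describe_findings. The FakeInspectorClient and the sample findings are constructed stand-ins so the script runs offline; in practice you would pass boto3.client("inspector") and a real assessment run ARN to summarize_run().

```python
"""Collect every finding of one Inspector assessment run, with descriptions, in one place.

Added example (not the blog's or AWS's code). Assumes boto3's Inspector classic
client exposes list_findings(assessmentRunArns=..., maxResults=..., nextToken=...)
and describe_findings(findingArns=...). The fake client below is a constructed
offline substitute with the same call shapes.
"""
from collections import Counter

DESCRIBE_BATCH = 100  # assumed maximum number of ARNs per describe_findings call
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def _chunks(seq, size):
    """Yield consecutive slices of seq no longer than size."""
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def list_finding_arns(client, run_arn):
    """Page through list_findings until nextToken is absent."""
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [run_arn], "maxResults": 500}
        if token:
            kwargs["nextToken"] = token
        resp = client.list_findings(**kwargs)
        arns.extend(resp.get("findingArns", []))
        token = resp.get("nextToken")
        if not token:
            return arns


def summarize_run(client, run_arn):
    """Return all findings of a run as plain dicts, most severe first."""
    rows = []
    for batch in _chunks(list_finding_arns(client, run_arn), DESCRIBE_BATCH):
        resp = client.describe_findings(findingArns=batch)
        for f in resp.get("findings", []):
            rows.append({
                "id": f.get("id", ""),
                "severity": f.get("severity", "Undefined"),
                "title": f.get("title", ""),
                "description": f.get("description", "").strip(),
                "recommendation": f.get("recommendation", "").strip(),
            })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 9), r["id"]))
    return rows


def severity_counts(rows):
    """Count findings per severity label."""
    return dict(Counter(r["severity"] for r in rows))


def render(rows):
    """One text report with ID, severity, title, description and fix for each finding."""
    lines = []
    for r in rows:
        lines.append(f"[{r['severity']}] {r['id']}: {r['title']}")
        lines.append(f"    {r['description']}")
        lines.append(f"    Fix: {r['recommendation']}")
    return "\n".join(lines)


class FakeInspectorClient:
    """Constructed offline stand-in for boto3.client('inspector')."""

    def __init__(self, findings, page_size=2):
        self._findings = {f["arn"]: f for f in findings}
        self._page_size = page_size  # small page size to exercise pagination

    def list_findings(self, assessmentRunArns, maxResults=500, nextToken=None):
        arns = list(self._findings)
        start = int(nextToken) if nextToken else 0
        page = arns[start:start + self._page_size]
        resp = {"findingArns": page}
        if start + self._page_size < len(arns):
            resp["nextToken"] = str(start + self._page_size)
        return resp

    def describe_findings(self, findingArns):
        return {"findings": [self._findings[a] for a in findingArns], "failedItems": {}}


# Constructed sample data; the CVE-style IDs are placeholders, not real CVEs.
RUN_ARN = "arn:aws:inspector:example:run/placeholder"
SAMPLE_FINDINGS = [
    {"arn": "arn:example:finding/1", "id": "CVE-0000-0001", "severity": "Medium",
     "title": "Sample package issue", "description": "Placeholder description one.",
     "recommendation": "Update the package."},
    {"arn": "arn:example:finding/2", "id": "CVE-0000-0002", "severity": "High",
     "title": "Sample kernel issue", "description": "Placeholder description two.",
     "recommendation": "Apply the vendor patch and reboot."},
    {"arn": "arn:example:finding/3", "id": "CVE-0000-0003", "severity": "Low",
     "title": "Sample config issue", "description": "Placeholder description three.",
     "recommendation": "Tighten the configuration."},
]

if __name__ == "__main__":
    print(render(summarize_run(FakeInspectorClient(SAMPLE_FINDINGS), RUN_ARN)))
```

The real client paginates the same way (a nextToken in the response means another page), and describe_findings is batched because it accepts a bounded list of ARNs per call; the constructed fake uses a two-item page so that the pagination path is actually exercised.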