How I Ran 115,000+ Security Tests in a Few Seconds

April 24, 2019

AWS Inspector took 10 minutes to set up and a few seconds to run a check of all the most common security vulnerabilities, giving peace of mind to me and my clients.

Why?

Earlier this year, French security researcher Baptiste Robert (aka Elliot Alderson) discovered that the most popular Android file manager was running a server on users’ devices, and that server listened on a port reachable from the network. Anyone connected to the same Wi-Fi network could simply grab files from that user’s Android device.

Leaving a port reachable from the internet is a common security risk, and it is one of the checks in the Network Reachability rules package that AWS Inspector runs.

“The knock-on effect of a data breach can be devastating for a company. When customers start taking their business — and their money — elsewhere, that can be a real body blow.” — Christopher Graham, UK Information Commissioner

What is AWS Inspector?

It’s an AWS service, with a free trial, that runs security tests against your AWS resources, such as EC2 instances and the VPC network configuration (route tables, security groups) around them.

It uses rules packages for these tests: sets of rules maintained by the worldwide security community and by AWS. The packages currently available are:

  • Common Vulnerabilities and Exposures
  • CIS Operating System Security Configuration Benchmarks
  • Network Reachability
  • Security Best Practices
  • Runtime Behavior Analysis

The Common Vulnerabilities and Exposures package is interesting because the CVE list it draws on currently holds 115,183 entries. Inspector does not run every one of those against every instance; it matches the software installed on your instances against the CVEs that apply to it, so the findings you get are the subset relevant to your fleet.

Common Vulnerabilities and Exposures (cve.mitre.org) banner featuring the total entries

The CIS Operating System Security Configuration Benchmarks are operating-system-specific hardening checks. Researchers from universities and corporations, including AWS, contribute to the Center for Internet Security (CIS) benchmark collection. AWS currently offers 37 of these benchmarks in Inspector at no extra charge. Some of the operating systems AWS provides CIS Benchmarks for include:

  • Amazon Linux 2014.09–2015.03, v1.1.0, Level 1 Profile
  • Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 1 Server
  • Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 1 Server
  • Microsoft Windows Server 2012 R2, v2.2.0, Level 1 Member Server Profile

CIS Benchmarks homepage (www.cisecurity.org/cis-benchmarks) screenshot featuring a benchmark download button for Amazon Linux

You don’t need to go to these websites yourself. AWS Inspector automatically runs the benchmark and vulnerability tests appropriate for each instance’s operating system.

Besides these open security standards, AWS Inspector also ships rules packages specific to AWS networking. Its Network Reachability package analyzes your network configuration rather than the instance itself, so it needs no agent on the instance. It checks:

  • Amazon EC2 instances
  • Application Load Balancers
  • Direct Connect
  • Elastic Load Balancers
  • Elastic Network Interfaces
  • Internet Gateways (IGWs)
  • Network Access Control Lists (ACLs)
  • Route Tables
  • Security Groups (SGs)
  • Subnets
  • Virtual Private Clouds (VPCs)
  • Virtual Private Gateways (VGWs)
  • VPC peering connections

How do I set it up?

Here are instructions for setting up a one-time run of Inspector on all your instances using all available rules packages. All of these steps apply to the AWS console, but this can also be done with the AWS CLI or automated using CloudFormation.

1. Give AWS Inspector permissions to access your AWS resources. Open IAM and go to Roles.
AWS Console IAM Roles at console.aws.amazon.com/iam

2. Click Create role.

3. When prompted to choose the service that will use this role, choose Inspector.

Choosing Inspector to use as this role

4. Keep clicking Next, accepting the defaults:

  • Next: Permissions
  • Next: Tags
  • Next: Review
  • Create role

5. Got an “invalid input” error? No worries. Just click Cancel. If you look at your list of roles, you’ll notice that the service-linked role for Inspector has probably been created anyway.

AWSServiceRoleForAmazonInspector showing up in the list of IAM Roles

6. Go to Services and search for Inspector. Open Inspector.

The splash screen of Amazon Inspector — a service for analyzing your AWS resources and identifying potential security issues

7. Click Get started.

8. Accept the defaults. Click Run once and then OK.

9. You’re ready to run the tests. Select Assessment runs.

10. Check the box for your Assessment-Template-Default-All-Rules and Run.

Checked box and Run button in the “Assessment runs” panel

11. That’s it. You’re done. You can refresh 🔄 this panel to see the Status update to “Analysis complete.” Or go straight to the Findings panel where you can read the report and recommendations.
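The same one-time run, driven from the AWS CLI instead of the console, as an added example (this is not code from the original post or from AWS). It assumes the CLI is configured for the account and region holding your instances, that the caller may create the Inspector service-linked role and call the Inspector API, and that the Inspector agent is installed wherever the host packages (CVE, CIS, Security Best Practices, Runtime Behavior) should run; the Network Reachability package needs no agent. The target and template names and the `gate_on_findings` CI gate are illustrative choices, not Inspector conventions.

```shell
#!/bin/sh
# Added example (not from the original post): the console steps above as a
# one-time Amazon Inspector run using every rules package in the region.
# Assumes a configured AWS CLI; names below are illustrative.
set -eu

TARGET_NAME="${TARGET_NAME:-all-instances}"
TEMPLATE_NAME="${TEMPLATE_NAME:-Assessment-Template-Default-All-Rules}"
DURATION_SECONDS="${DURATION_SECONDS:-3600}"   # the console default is 1 hour

# Steps 1-5: the service-linked role Inspector assumes. Creating it a second
# time fails, which is harmless, so the failure is only reported.
ensure_service_role() {
  aws iam create-service-linked-role --aws-service-name inspector.amazonaws.com >/dev/null 2>&1 \
    || echo "service-linked role not created (it probably exists already)" >&2
}

# Steps 6-8: a target with no resource group covers every EC2 instance in the
# region. Rules package ARNs differ per region, so look them up, don't hardcode.
create_template() {
  local target_arn packages
  target_arn=$(aws inspector create-assessment-target \
      --assessment-target-name "$TARGET_NAME" \
      --query assessmentTargetArn --output text)
  packages=$(aws inspector list-rules-packages \
      --query 'rulesPackageArns[]' --output text)
  # $packages is deliberately unquoted: one ARN per argument.
  aws inspector create-assessment-template \
      --assessment-target-arn "$target_arn" \
      --assessment-template-name "$TEMPLATE_NAME" \
      --duration-in-seconds "$DURATION_SECONDS" \
      --rules-package-arns $packages \
      --query assessmentTemplateArn --output text
}

# Steps 9-11: start the run and poll until it finishes; prints the run ARN.
run_assessment() {
  local template_arn run_arn state
  template_arn=$1
  run_arn=$(aws inspector start-assessment-run \
      --assessment-template-arn "$template_arn" \
      --query assessmentRunArn --output text)
  while :; do
    state=$(aws inspector describe-assessment-runs \
        --assessment-run-arns "$run_arn" \
        --query 'assessmentRuns[0].state' --output text)
    case "$state" in
      COMPLETED|COMPLETED_WITH_ERRORS) break ;;
      FAILED|ERROR|CANCELED) echo "run $run_arn ended in state $state" >&2; return 1 ;;
    esac
    sleep 30
  done
  echo "$run_arn"
}

# The Findings panel, as text: one severity (High/Medium/Low/Informational)
# per finding. describe-findings accepts at most 10 ARNs per call, hence -n 10.
finding_severities() {
  local finding_arns
  finding_arns=$(aws inspector list-findings --assessment-run-arns "$1" \
      --query 'findingArns[]' --output text)
  [ -n "$finding_arns" ] || return 0
  printf '%s\n' $finding_arns | xargs -n 10 aws inspector describe-findings \
      --query 'findings[].severity' --output text --finding-arns
}

# Pure helper usable as a CI gate (illustrative policy): count the severities
# and fail when any finding is High or Medium. Low and Informational findings,
# such as "no potential security issues found" notices, do not block.
gate_on_findings() {
  local severities total blocking
  severities=$1
  total=$(printf '%s\n' $severities | grep -c . || true)
  blocking=$(printf '%s\n' $severities | grep -c -E '^(High|Medium)$' || true)
  echo "findings: total=$total blocking=$blocking"
  [ "$blocking" -eq 0 ]
}

main() {
  local template_arn run_arn severities
  ensure_service_role
  template_arn=$(create_template)
  run_arn=$(run_assessment "$template_arn")
  severities=$(finding_severities "$run_arn")
  gate_on_findings "$severities"
}

# Run with `sh inspector-once.sh run`; sourcing the file only defines the functions.
case "${1:-}" in run) main ;; esac
```

The polling loop treats COMPLETED_WITH_ERRORS as finished rather than failed, because that is the state you get when some instances had no agent (their network reachability results are still valid); check the run's notifications in the console if you see it. The gate keeps the threshold deliberately simple; tighten it to Low if your environment warrants.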

When I ran Inspector on a client’s AWS resources following these steps, I got two findings. Fortunately, we were already aware of these findings and didn’t need to take any additional steps.

In under ten minutes, we ran through tens of thousands of security issues and confirmed that we were secure. The cost? Free for the first 250 instance-assessments in the first 90 days of using Amazon Inspector.

After that, it’s between 5 and 30 cents per assessment, depending on the rules package and volume. Here is a pricing example from AWS:

Consider a scenario where you have 10 Amazon EC2 instances in your assessment target with the Inspector Agent installed on each instance. During the billing period, you run one assessment that includes both host assessment rules packages (example: CVE, CIS, and security best practices) and the network reachability rules package.
In this example, you would be billed for 10 host agent-assessments and 10 network reachability instance-assessments. The Amazon Inspector charges for your account for this billing period would be:
For host assessment rules packages: 10 agent-assessments @ $0.30 per agent-assessment
For network reachability rules package: 10 instance-assessments @ $0.15 per instance-assessment
Adding them up, the Amazon Inspector bill would be $3.00 for host agent-assessments and $1.50 for network reachability instance-assessments, for a total of $4.50.

Source: aws.amazon.com/inspector/pricing

Time to start inspecting!
