
Vulnerability Related

Inspector

  • Evaluates the security posture of EC2 instances, ECR container images and Lambda functions
  • Automatically assesses instances and applications for known vulnerabilities and deviations from security best practices
  • Uses automated reasoning over network configuration (security groups, NACLs, route tables) to report which ports are reachable from outside the VPC, i.e. unintended exposure rather than actual breaches
  • The assessment target / assessment template / rule package model described below is the Amazon Inspector Classic model; the current Amazon Inspector scans EC2, ECR and Lambda continuously without templates

Information gathering

Gathering Level / Assessment Type / Description
Network / Network Assessment: network reachability, i.e. which ports are reachable from outside the VPC (and, when the agent is installed, which process is listening on each of those ports)
OS & apps / Host Assessment:
  • Monitors the file system and running processes
  • Collected via the Amazon Inspector Agent installed on the instance (Inspector itself uses a service-linked role to enumerate the EC2 instances and their network configuration)

Components

Component Description
Rule
  • Predefined security check evaluated against an EC2 instance
  • Severity levels: high, medium, low, informational
Rule Package
  • Collection of rules
  • Examples:
    • Common Vulnerabilities and Exposures (CVEs)
    • CIS Benchmarks (OS security configuration)
    • Security Best Practices (OS configuration, including remote access)
    • Runtime Behavior Analysis (protocols, ports, software configuration)
Assessment Target: the set of EC2 instances to assess (selected by tags)
Assessment Template
  • Defines which Rule Packages run against which Assessment Target
  • Can be run multiple times
Assessment Run: one execution of an Assessment Template; holds the findings produced by that run
Finding
  • Stored as JSON
  • Each contains:
    • Severity
    • Date of discovery
    • Description
    • Recommendations

Delivery of Findings

Delivery Type Description
PDF/HTML Report
  • Can be generated for each assessment run
  • The raw telemetry Inspector collects from the instances is stored as JSON files in an S3 bucket owned by Inspector
  • You cannot access those files; they are deleted automatically after a 30-day retention period
Stream
  • Define an SNS topic in the assessment template
  • The topic receives a notification whenever a finding is reported and whenever an assessment run starts, finishes, or changes state

Security Hub

  • Centralizes security alerts (findings) across accounts and provides a single UI for viewing them
  • Findings are collected per Region; to see findings from several Regions in one place you must designate an aggregation Region and enable cross-Region finding aggregation (older notes describe this as a hard limitation, which it no longer is)
  • Findings from:
    • GuardDuty
    • Config
    • Inspector
    • Macie
    • Firewall Manager
    • IAM Access Analyzer
    • third party
    • self-generated against CIS standards

Components

Component Description
Security Standard
  • A list of security controls and the definition of how each should be configured
  • Security Hub compares the current state of the environment with what the standard's controls require
    • Change-triggered checks: run when a change in the monitored resource is detected (the resource type must be supported by AWS Config, and Config must be recording it)
    • Scheduled checks: run periodically, at most 12 hours after the previous run
  • From this comparison Security Hub produces a compliance verdict for each control (PASSED, WARNING, FAILED, NOT_AVAILABLE)
Workflow
  • Describes the series of stages a finding moves through; a finding sits at exactly one stage at any time
  • Finding attributes:
    • WorkflowStatus: New, Notified, Suppressed, Resolved
    • RecordState: Active, Archived
Insights: saved filters and groupings that show affected resources in groups to speed up analysis

Delivery

  • Security Hub integrates with EventBridge at two levels
    1. Every finding Security Hub imports or updates is delivered to the default event bus (detail type "Security Hub Findings - Imported")
    2. Custom actions
      • Define a custom action with a name and a unique ID
      • When an analyst applies it to findings or insight results, Security Hub sends EventBridge an event carrying that finding or insight data, a detail type marking it as a custom action ("Security Hub Findings - Custom Action" for findings) and the custom action's ARN, which ends in its unique ID
  • A custom action can be applied to up to 20 findings, or up to 100 resource identifiers (from insights), at a time

Remediation

Approach Description
Manual: an analyst reviews the finding and fixes the resource by hand
Semi-Automatic: an analyst selects a predefined custom action on a finding; the resulting EventBridge event drives the fix
Automatic
  • Every Security Hub finding generates an event in Amazon EventBridge (formerly CloudWatch Events)
  • In the EventBridge console, create a rule with Security Hub as the service name and "Security Hub Findings - Imported" as the event type, then point it at the remediation target (e.g. a Lambda function or an SSM Automation document)
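Both delivery paths above, the automatic rule over "Security Hub Findings - Imported" events and the custom-action event that carries the action's unique ID, as an added Python example (not part of the original notes and not AWS code). It re-implements the exact-value subset of EventBridge pattern matching so a rule can be tested offline before it is deployed; the sample events are constructed by hand in the shape of Security Hub events, and the account number, Region, finding IDs and the custom action `isolate-ec2` are placeholders chosen for the example.

```python
"""Offline test of Security Hub EventBridge rules.

Added example for these notes, not AWS code. `matches` implements the
exact-value subset of EventBridge pattern matching: pattern leaves are lists
of allowed values, a field matches if its value is in the list, and an event
array matches if any element does. Account, Region, finding IDs and the
custom action name below are placeholders.
"""

# Automatic path: every new, active HIGH/CRITICAL finding.
AUTO_REMEDIATE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Workflow": {"Status": ["NEW"]},
            "RecordState": ["ACTIVE"],
        }
    },
}

# Semi-automatic path: one custom action, identified by its ARN
# (placeholder account/Region; "isolate-ec2" is the action's unique ID).
ISOLATE_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/isolate-ec2"
CUSTOM_ACTION_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [ISOLATE_ACTION_ARN],
}


def matches(pattern, event):
    """Return True if `event` satisfies `pattern` (exact-value matching only)."""
    if isinstance(event, list) and isinstance(pattern, dict):
        # An array of objects (e.g. detail.findings) matches if any element does.
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, dict):
        return isinstance(event, dict) and all(
            key in event and matches(sub, event[key]) for key, sub in pattern.items()
        )
    # Leaf: `pattern` is the list of allowed values.
    if isinstance(event, list):
        return any(item in pattern for item in event)
    return event in pattern


def finding_event(finding_id, label, workflow_status, record_state):
    """Build a constructed 'Security Hub Findings - Imported' event."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "region": "us-east-1",
        "account": "111122223333",
        "detail": {"findings": [{
            "Id": finding_id,
            "Severity": {"Label": label},
            "Workflow": {"Status": workflow_status},
            "RecordState": record_state,
        }]},
    }


SAMPLE_EVENTS = [
    finding_event("f-1", "CRITICAL", "NEW", "ACTIVE"),    # should be remediated
    finding_event("f-2", "LOW", "NEW", "ACTIVE"),         # severity too low
    finding_event("f-3", "HIGH", "RESOLVED", "ACTIVE"),   # already handled
    finding_event("f-4", "HIGH", "NEW", "ARCHIVED"),      # stale record
]

# Constructed custom-action event: the action ARN rides in `resources`,
# the finding(s) the analyst selected ride in `detail.findings`.
CUSTOM_ACTION_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "resources": [ISOLATE_ACTION_ARN],
    "detail": {
        "actionName": "Isolate EC2",
        "actionDescription": "Move the instance into a quarantine security group",
        "findings": SAMPLE_EVENTS[0]["detail"]["findings"],
    },
}


def select_for_remediation(events):
    """Return the IDs of findings the automatic rule would hand to its target."""
    selected = []
    for event in events:
        if matches(AUTO_REMEDIATE_PATTERN, event):
            selected.extend(f["Id"] for f in event["detail"]["findings"])
    return selected


def custom_action_id(event):
    """Return the custom action's unique ID (last ARN segment), or None if the
    event is not a custom-action event for the isolate action."""
    if not matches(CUSTOM_ACTION_PATTERN, event):
        return None
    return event["resources"][0].rsplit("/", 1)[-1]


if __name__ == "__main__":
    print(select_for_remediation(SAMPLE_EVENTS))   # ['f-1']
    print(custom_action_id(CUSTOM_ACTION_EVENT))    # isolate-ec2
```

Only `f-1` passes all three filters; the LOW, RESOLVED and ARCHIVED findings are dropped, which is the point of pinning `Workflow.Status` and `RecordState` in the pattern so that a remediation target does not re-run on findings already worked or archived. Real EventBridge also supports prefix, numeric and exists matchers, which this helper does not model.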

Detective

General Info
  • Continuously extracts time-stamped events (login attempts, API calls, network traffic) from GuardDuty findings, CloudTrail logs and VPC Flow Logs into a graph model that summarizes the behavior of, and the interactions between, the resources across your AWS environment
  • Correlates this activity automatically; you do not have to enable, store, or retain those logs yourself

Trusted Advisor

  • Makes recommendations on cost reduction, reliability, performance, and security
  • Monitors how close you are to reaching service limits (quotas)
  • A Business or Enterprise Support plan is needed for the full set of checks; a core subset (listed below) is available to every account
  • Operations
    • Checks resources throughout all regions
    • It is enabled or disabled at the account level
    • Exclusions
      • Can exclude resources from all checks
      • Can't suppress individual checks

Checks

Categories
  1. Cost Optimization
  2. Security
  3. Fault Tolerance
  4. Performance
  5. Service Limits

Core Checks (available on all support plans)
  1. S3 Bucket Permissions
  2. Security Groups - Specific Ports Unrestricted
  3. IAM Use
  4. MFA on Root Account
  5. EBS Public Snapshots
  6. RDS Public Snapshots
  7. Service Limits

Security Checks (full set)
  • Security group open access to specific high-risk ports
  • Security group unrestricted access
  • Open write and list access to S3 buckets
  • MFA on root account
  • Overly permissive RDS security group
  • Use of CloudTrail
  • Route 53 MX records have SPF records
  • ELB with poor or missing HTTPS configuration
  • ELB security groups missing or overly permissive
  • CloudFront certificate checks (expired, weak, misconfigured)
  • IAM access keys not rotated in the last 90 days
  • Exposed access keys (on GitHub etc.)
  • Public EBS or RDS snapshots
  • Missing or weak IAM password policy
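The two security-group checks in the list above (unrestricted access, and specific high-risk ports open to the world), re-implemented as an added Python example so the logic can be run against your own `describe-security-groups` output. This is not Trusted Advisor's code and not from the original notes; the input is constructed by hand in the shape of the EC2 API response, the group IDs are placeholders, and `HIGH_RISK_PORTS` is this example's own list rather than the one AWS publishes for the check.

```python
"""Re-implementation of two Trusted Advisor security checks over security
group data: "Security Groups - Unrestricted Access" and "Security Groups -
Specific Ports Unrestricted". Added example for these notes, not AWS code.
The input mimics `aws ec2 describe-security-groups` output and is constructed
by hand; group IDs are placeholders, and HIGH_RISK_PORTS is this example's
own choice, not the list Trusted Advisor uses.
"""
from ipaddress import ip_network

# Ports this example treats as high risk when reachable from anywhere.
HIGH_RISK_PORTS = {
    20: "FTP-data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
    110: "POP3", 135: "RPC", 143: "IMAP", 445: "SMB", 1433: "MSSQL",
    3306: "MySQL", 3389: "RDP", 4333: "mSQL", 5432: "PostgreSQL", 5500: "VNC",
}


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0, the 'anywhere' ranges."""
    return ip_network(cidr, strict=False).prefixlen == 0


def world_ranges(perm):
    """CIDRs in this permission that grant access from anywhere (v4 and v6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if is_world(r["CidrIp"])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if is_world(r["CidrIpv6"])]
    return v4 + v6


def port_range(perm):
    """(low, high) ports covered by a permission; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def check_security_groups(groups):
    """Return one 'unrestricted' finding per world-open inbound rule, plus a
    'high_risk_port' finding when that rule covers any HIGH_RISK_PORTS entry."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            open_cidrs = world_ranges(perm)
            if not open_cidrs:
                continue
            proto = perm.get("IpProtocol")
            low, high = port_range(perm)
            base = {"group": sg["GroupId"], "protocol": proto,
                    "ports": (low, high), "cidrs": open_cidrs}
            findings.append({**base, "check": "unrestricted"})
            if proto in ("icmp", "icmpv6"):
                continue  # From/ToPort hold ICMP type/code, not ports
            hits = sorted(p for p in HIGH_RISK_PORTS if low <= p <= high)
            if hits:
                findings.append({**base, "check": "high_risk_port",
                                 "services": [HIGH_RISK_PORTS[p] for p in hits]})
    return findings


# Constructed sample in describe-security-groups shape (placeholder group IDs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000aaaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},               # internal only
    ]},
    {"GroupId": "sg-0000000000000bbbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                # SSH from anywhere
    ]},
    {"GroupId": "sg-0000000000000cccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # everything open
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                # range covers MySQL and RDP
    ]},
]

if __name__ == "__main__":
    for f in check_security_groups(SAMPLE_GROUPS):
        print(f["group"], f["check"], f["protocol"], f["ports"], f.get("services", ""))
```

The `web` group is reported only as unrestricted (443 to the world is usually intended), `bastion` is flagged for SSH, and `legacy` is flagged twice: once for the all-protocols rule and once because a port range that looks harmless (3300-3400) silently covers MySQL and RDP, which is why the check walks the range rather than comparing `FromPort` alone. Protocol is not matched against the port list here, so a UDP rule on a TCP service port would also be flagged; tighten that if it produces noise.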