
AWS Inspector Findings

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14-day evaluation and check your compliance level for free!
Security

Risk level: Medium (should be achieved)

Check for AWS Inspector Findings and resolve them step by step to ensure that your systems are configured securely. Inspector is an AWS service that helps improve the security and compliance of your AWS resources. Inspector Findings are potential security issues found during the service evaluation of the selected resources (also known as Amazon Inspector assessment targets).

With Inspector Findings you can evaluate your operating system environments and applications deployed on AWS for potential security issues and common vulnerabilities in an automated way.

Note 1: As of April 2017, Amazon Inspector assessment targets can consist only of EC2 instances that run certain Linux-based and Windows-based operating systems.

Note 2: As an example, this conformity rule demonstrates how to analyze and solve a finding (security vulnerability) generated automatically by AWS Inspector after evaluating a group of EC2 instances (an AWS Inspector assessment target).

Audit

To check for Amazon Inspector Findings within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Inspector dashboard at https://console.aws.amazon.com/inspector/.

03 In the navigation panel, under the Dashboard section, choose Findings. If no potential security issues were found during your assessment runs, the Inspector Findings list will be empty; otherwise the Findings dashboard will list all the issues found, ordered by severity.

04 Select the Inspector finding that you want to examine and click the Show/Hide Details button to expand the finding details panel.

05 Analyze the selected AWS Inspector Findings entry by checking the following attributes:

  1. Finding – the name of the finding, e.g. "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack."
  2. Severity – the severity of the finding, e.g. "Medium". Possible values are High, Medium, Low, and Informational.
  3. Description – a concise summary of the finding, e.g. "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root."
  4. Recommendation – suggested steps that you can complete to fix the potential security issue described by the selected finding, e.g. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

06 Based on the information returned at the previous step you can analyze the selected finding and make a plan to implement the recommended fix (see Remediation/Resolution section).

07 Repeat steps no. 4 – 6 to analyze other Amazon Inspector Findings available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the list-findings command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all AWS Inspector Findings currently available in the selected region:

aws inspector list-findings \
	--region us-east-1

02 The command output should return the requested finding ARNs:

{
    "findingArns": [
        "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj",
        "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0/finding/0-hGDNZFIi",
        "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-LSblo0dW"
    ]
}

03 Run the describe-findings command (OSX/Linux/UNIX), using an ARN returned at the previous step as identifier, to describe the selected finding generated by Amazon Inspector in the current region:

aws inspector describe-findings \
	--region us-east-1 \
	--finding-arns arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj

04 The command output should return the metadata for the selected finding:

{
    "failedItems": {},
    "findings": [
        {
            "assetType": "ec2-instance",
            "confidence": 10,
            "numericSeverity": 6.0,
            "description": "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root.",
            "service": "Inspector",
            "title": "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack.",
            "indicatorOfCompromise": false,
            "assetAttributes": {
                "schemaVersion": 1,
                "agentId": "i-0bdaf6743a3e8bde5",
                "ipv4Addresses": []
            },
            "userAttributes": [],
            "createdAt": 1493546543.248,
            "recommendation": "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use **sudo** to escalate privileges when necessary. To disable SSH root logins, set **PermitRootLogin** to \"no\" in **/etc/ssh/sshd_config** and restart sshd.",
            "updatedAt": 1493546543.248,
            "attributes": [
                {
                    "value": "i-0bdaf6743a3e8bde5",
                    "key": "INSTANCE_ID"
                }
            ],
            "schemaVersion": 1,
            "serviceAttributes": {
                "schemaVersion": 1,
                "rulesPackageArn": "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q",
                "assessmentRunArn": "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0"
            },
            "id": "Disable root login over SSH",
            "arn": "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0/finding/0-hGDNZFIi",
            "severity": "Medium"
        }
    ]
}

05 Analyze the selected finding metadata returned at the previous step by checking the following output attributes:

  1. "title" – the name of the AWS Inspector finding, e.g. "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack."
  2. "severity" – the severity of the finding, e.g. "Medium". Possible values are High, Medium, Low, and Informational.
  3. "description" – the summary of the finding, e.g. "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root."
  4. "recommendation" – recommended steps that you can follow to solve the potential security issue described by the selected finding, e.g. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

Note: If there are no potential security issues found during your assessment runs, AWS Inspector generates a finding with the "title" attribute value set to "No potential security issues found".

06 Repeat steps no. 3 – 5 to verify other Amazon Inspector Findings available in the current region.

07 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
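As an added example (not part of the original page or of the Cloud Conformity rule), the following Python helper triages a saved describe-findings response: it discards the "No potential security issues found" sentinel described in the note above, groups the remaining findings by agentId (the evaluated EC2 instance) and orders them by severity, and surfaces any failedItems so an empty result is not mistaken for a clean run. The sample response is constructed to mirror the fields shown above; the 10-ARN batch size in `chunked` is an assumption about the describe-findings per-call limit.

```python
from collections import defaultdict

SENTINEL_TITLE = "No potential security issues found"   # Inspector emits this when a run finds nothing
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def chunked(arns, size=10):
    """Batch finding ARNs for describe-findings (assumed here to accept at most 10 ARNs per call)."""
    return [arns[i:i + size] for i in range(0, len(arns), size)]


def triage(describe_output):
    """Map agentId (evaluated EC2 instance) -> (severity, title, recommendation), highest
    severity first. The sentinel finding is dropped; ARNs the service could not describe
    (failedItems) are surfaced under "<failed>" so an empty result never looks like a clean run."""
    per_instance = defaultdict(list)
    for finding in describe_output.get("findings", []):
        if finding.get("title") == SENTINEL_TITLE:
            continue
        agent_id = finding.get("assetAttributes", {}).get("agentId", "<unknown>")
        per_instance[agent_id].append((finding.get("severity", "Informational"),
                                       finding.get("title", ""),
                                       finding.get("recommendation", "")))
    for findings in per_instance.values():
        findings.sort(key=lambda f: SEVERITY_RANK.get(f[0], -1), reverse=True)
    for arn, detail in describe_output.get("failedItems", {}).items():
        # failedItems values are assumed to carry a "failureCode" field
        per_instance["<failed>"].append(("Informational", arn, detail.get("failureCode", "")))
    return dict(per_instance)


# Constructed sample in the shape of `aws inspector describe-findings` output (not real data).
SAMPLE_OUTPUT = {
    "failedItems": {},
    "findings": [
        {"title": "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root "
                  "credentials over SSH. This increases the likelihood of a successful brute-force attack.",
         "severity": "Medium", "assetAttributes": {"agentId": "i-0bdaf6743a3e8bde5"},
         "recommendation": "Set PermitRootLogin to \"no\" in /etc/ssh/sshd_config and restart sshd."},
        {"title": "Instance i-0bdaf6743a3e8bde5 is missing a vendor security update (constructed).",
         "severity": "High", "assetAttributes": {"agentId": "i-0bdaf6743a3e8bde5"},
         "recommendation": "Install the pending update and reboot if required."},
        {"title": SENTINEL_TITLE, "severity": "Informational",
         "assetAttributes": {"agentId": "i-0123456789abcdef0"}},
    ],
}
```

Feed `triage` the parsed JSON of one describe-findings call per batch from `chunked`; the instance with no actionable findings does not appear in the result.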

Remediation / Resolution

To solve any Amazon Inspector Findings discovered for the EC2 resources provisioned within your AWS account, perform the following:

Note: As an example, this rule provides step-by-step instructions on how to configure your EC2 instances running a Linux-based OS distribution to prevent root account logins over SSH.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Inspector dashboard at https://console.aws.amazon.com/inspector/.

03 In the left navigation panel, under the Dashboard section, choose Findings.

04 Choose the AWS Inspector finding that you want to resolve (see Audit section part I to identify the right resource) and click the Show/Hide Details button to expand the finding details panel.

05 On the selected finding details panel, locate the AWS agent ID attribute and click on its value (a link). The AWS agent ID attribute shares the same ID with the selected finding's assessment target (i.e. the EC2 instance evaluated by the AWS Inspector service).

06 Select the EC2 instance identified by the AWS agent ID assigned to the selected finding then click the Connect button from the dashboard top menu to get the information required to connect to the selected EC2 instance via SSH.

07 Within Connect To Your Instance dialog box, choose whether to use a standalone SSH client like PuTTY or a Java SSH client directly from your browser to connect to the selected EC2 instance in order to solve the potential security issue found during the assessment.

08 Once you have connected to your EC2 instance operating system via SSH, follow the instructions provided by the AWS Inspector finding in the Recommendation section, i.e. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

09 Repeat steps no. 4 – 8 to solve other Amazon Inspector Findings discovered for the EC2 instances provisioned in the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the describe-findings command (OSX/Linux/UNIX) with a custom query filter, using the ARN of the finding that you want to solve as identifier (see Audit section part II to identify the right ARN), to return the AWS agent ID of the selected Amazon Inspector finding. The AWS agent ID shares the same ID with the EC2 instance evaluated by the AWS Inspector service:

aws inspector describe-findings \
	--region us-east-1 \
	--finding-arns arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj \
	--query 'findings[*].assetAttributes.agentId'

02 The command output should return the ID of the EC2 instance targeted by the selected AWS Inspector finding:

[
    "i-0bdaf6743a3e8bde5"
]

03 Run the describe-instances command (OSX/Linux/UNIX), using the EC2 resource ID returned at the previous step, to describe the configuration attributes of the EC2 instance targeted by the selected Inspector finding:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-0bdaf6743a3e8bde5

04 The command output should return the requested EC2 instance configuration details such as the instance Public/Elastic IP, SSH key name, AMI ID, etc.:

{
    "Reservations": [
        {
            "OwnerId": "123456789012",
            "ReservationId": "r-0407438b3488ce325",
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "PublicDnsName": "ec2-34-201-70-11.compute-1...",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "EbsOptimized": false,
                    "LaunchTime": "2017-04-29T05:08:56.000Z",
                    "PublicIpAddress": "34.201.70.11",
                    "PrivateIpAddress": "172.31.14.27",
                    "InstanceId": "i-0bdaf6743a3e8bde5",
                    "EnaSupport": true,
                    "ImageId": "ami-c58c1de1",
                    "PrivateDnsName": "ip-172-31-14-27.ec2.internal",

                    ...

                    "KeyName": "ssh-access-key",
                    "SecurityGroups": [
                        {
                            "GroupName": "launch-wizard-5",
                            "GroupId": "sg-315a34f5"
                        }
                    ],
                    "SubnetId": "subnet-2b394201",
                    "InstanceType": "c4.large",
                    "SourceDestCheck": true,
                    "Placement": {
                        "Tenancy": "default",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1a"
                    },
                    "Hypervisor": "xen",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

05 Use the instance configuration details (Public IP, SSH key name, etc) returned at the previous step with your favorite SSH client to connect to the selected EC2 instance in order to solve the potential security issue found during the evaluation performed by Amazon Inspector.

06 Once you have connected to your EC2 instance using SSH, follow the instructions provided by the AWS Inspector finding in the Recommendation section, i.e. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

07 Repeat steps no. 1 – 6 to solve other Amazon Inspector Findings discovered for your EC2 instances provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
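As an added example, not from the original page, this Python helper applies the recommended fix to an sshd_config file idempotently. It forces the global PermitRootLogin to "no" before any Match block (sshd honours the first value it reads for a keyword, and directives after a Match line apply only within that block) and comments out earlier global settings instead of deleting them. The sample configuration is constructed; `harden_sshd_config` is the hypothetical entry point you would run on the instance before `sshd -t` and the sshd restart.

```python
from pathlib import Path


def set_permit_root_login_no(config: str) -> str:
    """Return the config with exactly one active global 'PermitRootLogin no'.

    sshd uses the first value it reads for a keyword, and anything after a 'Match'
    line applies only inside that block, so the directive is placed before the first
    Match. Other global PermitRootLogin lines are commented out rather than deleted;
    comment lines and Match-block contents are left untouched. Idempotent.
    """
    out, placed, in_match = [], False, False
    for line in config.splitlines():
        words = line.split()                  # comment lines start with '#', never match below
        if words and words[0].lower() == "match":
            if not placed:
                out.append("PermitRootLogin no")
                placed = True
            in_match = True
        if not in_match and words and words[0].lower() == "permitrootlogin":
            if words[1:] == ["no"] and not placed:
                placed = True                 # already hardened: keep this line
            else:
                line = "# " + line.strip() + "  # disabled: root login over SSH"
        out.append(line)
    if not placed:                            # no directive and no Match block
        out.append("PermitRootLogin no")
    return "\n".join(out) + "\n"


def harden_sshd_config(path: Path) -> bool:
    """Rewrite the file in place; return True if it changed.
    Validate with `sshd -t` and restart sshd afterwards."""
    original = path.read_text()
    hardened = set_permit_root_login_no(original)
    if hardened != original:
        path.write_text(hardened)
    return hardened != original


# Constructed sshd_config fragment (not copied from a real instance).
SAMPLE_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
"""
```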

Publication date May 2, 2016