Check for Amazon Inspector Exclusions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: Inspector-003

Check for Amazon Inspector assessment exclusions and resolve them step by step to ensure that your assessment runs can be successfully executed. Exclusions are an output of Amazon Inspector assessment runs that show which of your security checks can't be completed and how to fix the issues that stopped the security checks. For example, issues can be caused by the absence of an agent on the specified target, the use of an unsupported Operating System (OS), or unexpected errors.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Amazon Inspector is an AWS service that helps you improve the security and compliance of your cloud resources. Amazon Inspector assessment exclusions can show you which security checks and resources are not evaluated in an assessment run and provide guidance on how to solve the issues associated with those exclusions. Assessment runs can fail to execute or might complete with errors for multiple reasons. Use exclusions to get guidance and pinpoint the assessment issues, solve them, and successfully execute the assessment runs.

Note: As an example, this conformity rule demonstrates how to analyze and resolve an "Agent not found" assessment exclusion, which is produced when the Amazon Inspector agent was not found on the target EC2 instance(s).


Audit

To check for Amazon Inspector post-assessment exclusions, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector console at https://console.aws.amazon.com/inspector/.

03 In the navigation panel, under Dashboard, choose Assessment runs.

04 Choose the assessment run that you want to examine and check the Exclusions column for any exclusions produced by the selected assessment run. If one or more assessment exclusions are found, click on the number of exclusions (active link) listed in the Exclusions column to view the post-assessment exclusions found.

05 On the assessment exclusions panel, analyze each entry by checking the following attributes:

  1. Title – the name of the exclusion, e.g. "Agent not found".
  2. Instance affected – the identifier (ID) of the affected Amazon EC2 instance.
  3. Rules Packages affected – the name of the Amazon Inspector rules package.
  4. Description – the description of the exclusion, e.g. "The Inspector agent was not found on this instance. You can run agentless Network Reachability assessments on this instance but cannot run any assessments that need the agent. "
  5. Recommendation – suggested steps that you can complete to fix the issue that caused the exclusion, e.g. "Install or re-install the Inspector Agent on this instance."

06 Based on the information returned at the previous step you can analyze the selected exclusion and make a plan to implement the recommended fix (see Remediation/Resolution section).

07 Repeat steps no. 4 – 6 to check other Amazon Inspector assessment runs available within the current region, for post-assessment exclusions.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-assessment-runs command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all Amazon Inspector assessment runs available in the selected AWS region:

aws inspector list-assessment-runs \
	--region us-east-1 \
	--query 'assessmentRunArns[*]'

02 The command output should return an array with the requested ARNs:

[
"arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aabbccdd",
"arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aaaabbbb"
]

03 Run list-exclusions command (OSX/Linux/UNIX) using the ARN of the assessment run that you want to examine as the identifier parameter, to list the ARN of each post-assessment exclusion (if any) produced by the selected assessment run:

aws inspector list-exclusions \
	--region us-east-1 \
	--assessment-run-arn arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aabbccdd \
	--query 'exclusionArns[*]'

04 The command output should return one or more exclusion ARNs or an empty array (i.e. []) if there are no post-assessment exclusions found:

[
"arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aabbccdd/exclusion/0-1234abcd",
"arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aabbccdd/exclusion/0-abcd1234"
]

05 Run describe-exclusions command (OSX/Linux/UNIX) using the ARN of the assessment exclusion that you want to examine (analyze) as the identifier parameter and custom query filters, to describe the selected Amazon Inspector assessment exclusion:

aws inspector describe-exclusions \
	--region us-east-1 \
	--exclusion-arns arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aabbccdd/exclusion/0-1234abcd \
	--query 'exclusions'

06 The command output should return the information available for the selected assessment exclusion:

{
    "arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aabbccdd/exclusion/0-1234abcd": {
        "scopes": [
            {
                "value": "i-0abcd1234abcd1234",
                "key": "instanceId"
            }
        ],
        "description": "The Inspector agent was not found on this instance. You can run agentless Network Reachability assessments on this instance but cannot run any assessments that need the agent.",
        "title": "Agent not found",
        "recommendation": "Install or re-install the Inspector Agent on this instance.",
        "attributes": [
            {
                "value": "i-0abcd1234abcd1234",
                "key": "INSTANCE_ID"
            }
        ],
        "arn": "arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aabbccdd/exclusion/0-1234abcd"
    }
}

07 Examine the exclusion information returned at the previous step by checking the following output attributes:

  1. "title" – the name of the exclusion, e.g. "Agent not found".
  2. "scopes" – the identifier(s) of the AWS cloud resource(s) for which the exclusion pertains, e.g. the ID of the affected Amazon EC2 instance.
  3. "description" – the summary of the exclusion, e.g. "The Inspector agent was not found on this instance. You can run agentless Network Reachability assessments on this instance but cannot run any assessments that need the agent."
  4. "recommendation" – recommended steps that you can follow to fix the issue that caused the exclusion, e.g. "Install or re-install the Inspector Agent on this instance."

08 Based on the information returned at the previous step you can analyze the selected exclusion and make a plan to implement the recommended fix (see Remediation/Resolution section).

09 Repeat steps no. 5 – 8 to verify other Amazon Inspector assessment runs available in the selected region, for post-assessment exclusions.

10 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To solve the exclusions produced by your Amazon Inspector assessment runs in order to ensure that the assessment runs can be successfully executed, perform the following operations:

Note: As an example, this section provides step-by-step instructions on how to install the Amazon Inspector agent on Linux-based EC2 instances.

Using AWS Console

01 Sign in to AWS Management Console.

02 To install the Amazon Inspector agent on targeted EC2 instances using the Systems Manager Run Command, navigate to Amazon Systems Manager console at https://console.aws.amazon.com/systems-manager/.

03 In the navigation panel, under Instances & Nodes, choose Run Command, and click on the Run command button from the console top menu to execute a new command.

04 Click on the identifier (ID) of the managed instance that you want to examine.

05 On the Run a command page, perform the following:

  1. Select the AmazonInspector-ManageAWSAgent document from the Command document list. This document contains the script for installing the Amazon Inspector agent on your Amazon EC2 instances.
  2. For Command parameters, choose Install. This represents the AWS Agent-related action to perform.
  3. For Targets, select Choose instances manually to manually select the resources that you want to register as targets. Select the targeted Amazon EC2 instance from the Instances list (see Audit section part I to identify the affected EC2 instance).
  4. (Optional) For Output options, choose whether or not to write the command output to an Amazon S3 bucket or an Amazon CloudWatch Logs log group for auditing purposes.
  5. Choose Run to execute your command. Once the command has been successfully executed on the specified instance, the SSM command status should change from In Progress to Success.

06 Repeat steps no. 2 – 5 to solve other exclusions produced by Amazon Inspector assessment runs within the current AWS region.

07 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run send-command command (OSX/Linux/UNIX) to install the Amazon Inspector agent on the targeted EC2 instance (see Audit section part II to identify the affected EC2 instance) using the Systems Manager Run Command. The following command example installs the Amazon Inspector agent on a Linux-based EC2 instance identified by the ID "i-0abcd1234abcd1234":

aws ssm send-command \
	--region us-east-1 \
	--document-name "AmazonInspector-ManageAWSAgent" \
	--document-version "12" \
	--targets '[{"Key":"InstanceIds","Values":["i-0abcd1234abcd1234"]}]' \
	--parameters '{"Operation":["Install"]}' \
	--timeout-seconds 600 \
	--max-concurrency "50" \
	--max-errors "0" \
	--cloud-watch-output-config '{"CloudWatchOutputEnabled":false}'

02 The command output should return the metadata for the executed Systems Manager command, including the SSM command ID ("CommandId"):

{
    "Command": {
        "MaxErrors": "0",
        "Parameters": {
            "Operation": [
                "Install"
            ]
        },
        "DocumentName": "AmazonInspector-ManageAWSAgent",
        "OutputS3BucketName": "",
        "OutputS3KeyPrefix": "",
        "StatusDetails": "Pending",
        "RequestedDateTime": 1603737455.596,
        "Status": "Pending",
        "TimeoutSeconds": 600,
        "TargetCount": 0,
        "NotificationConfig": {
            "NotificationArn": "",
            "NotificationEvents": [],
            "NotificationType": ""
        },
        "InstanceIds": [],
        "ErrorCount": 0,
        "MaxConcurrency": "50",
        "ServiceRole": "",
        "CloudWatchOutputConfig": {
            "CloudWatchLogGroupName": "",
            "CloudWatchOutputEnabled": false
        },
        "DocumentVersion": "12",
        "CompletedCount": 0,
        "Comment": "",
        "ExpiresAfter": 1603739688.596,
        "DeliveryTimedOutCount": 0,
        "CommandId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "Targets": [
            {
                "Values": [
                    "i-0abcd1234abcd1234"
                ],
                "Key": "InstanceIds"
            }
        ]
    }
}

03 Run ssm list-commands command (OSX/Linux/UNIX) using the ID of the Systems Manager command executed at the previous steps as the identifier parameter, to return the command status:

aws ssm list-commands \
	--region us-east-1 \
	--command-id abcdabcd-1234-abcd-1234-abcd1234abcd \
	--query 'Commands[*].Status'

04 The command output should return the requested status. If the command has been successfully executed on the specified EC2 instance, the SSM command status should be set to Success, i.e.:

[
    "Success"
]

05 Repeat steps no. 1 – 4 to solve other exclusions generated by Amazon Inspector assessment runs in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
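The audit (CLI steps 05 – 07) and remediation (CLI step 01) above are joined here in an added Python example that is not part of the Conformity rule or the AWS CLI: it parses the describe-exclusions output shape shown in Audit step 06, groups exclusions by title and instance, and builds the send-command arguments for every "Agent not found" instance in one go. The sample data, the second and third instance IDs and the "Unsupported OS" title are constructed for the example.

```python
# Constructed sample in the shape of `aws inspector describe-exclusions
# --query 'exclusions'` (Audit, CLI step 06). The last two instance IDs and
# the "Unsupported OS" title are made up for this example.
RUN = "arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd/template/0-12341234/run/0-aabbccdd"
SAMPLE = {
    RUN + "/exclusion/0-1234abcd": {
        "title": "Agent not found",
        "scopes": [{"key": "instanceId", "value": "i-0abcd1234abcd1234"}],
        "recommendation": "Install or re-install the Inspector Agent on this instance.",
    },
    RUN + "/exclusion/0-abcd1234": {
        "title": "Agent not found",
        "attributes": [{"key": "INSTANCE_ID", "value": "i-0ffff1111ffff1111"}],
        "recommendation": "Install or re-install the Inspector Agent on this instance.",
    },
    RUN + "/exclusion/0-cccc0000": {
        "title": "Unsupported OS",
        "scopes": [{"key": "instanceId", "value": "i-0aaaa2222aaaa2222"}],
        "recommendation": "Use a supported operating system.",
    },
}


def instance_ids(exclusion):
    """Instance IDs from 'scopes'; falls back to the 'attributes' INSTANCE_ID entry."""
    ids = [s["value"] for s in exclusion.get("scopes", []) if s.get("key") == "instanceId"]
    if not ids:
        ids = [a["value"] for a in exclusion.get("attributes", []) if a.get("key") == "INSTANCE_ID"]
    return ids


def triage(output):
    """Map exclusion title -> sorted instance IDs. Accepts the raw API response
    ({'exclusions': ..., 'failedItems': ...}) or the '--query exclusions' map."""
    grouped = {}
    for exc in output.get("exclusions", output).values():
        grouped.setdefault(exc["title"], set()).update(instance_ids(exc))
    return {title: sorted(ids) for title, ids in grouped.items()}


def ssm_install_request(output):
    """send-command arguments that fix 'Agent not found' (Remediation, CLI step 01).
    Returns None when no instance needs the agent, so no SSM command is sent without targets."""
    targets = triage(output).get("Agent not found", [])
    if not targets:
        return None
    return {"DocumentName": "AmazonInspector-ManageAWSAgent",
            "Targets": [{"Key": "InstanceIds", "Values": targets}],
            "Parameters": {"Operation": ["Install"]}}
```

The returned dictionary maps directly onto the --document-name, --targets and --parameters arguments of the send-command call above; exclusions with other titles stay in the triage output for manual follow-up.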

Publication date May 2, 2016
