Amazon Inspector Findings

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector dashboard at https://console.aws.amazon.com/inspector/.

03 In the navigation panel, under Dashboard section, choose Findings. If no potential security issues were found during your assessment runs, the Findings list will be empty, otherwise the Findings dashboard will list all the issues found based on their severity.

04 Select the Finding that you want to examine and click the Show/Hide Details button:

to expand the finding details panel.

05 Analyze the selected Amazon Inspector Findings entry by checking the following attributes:

1. Finding – the name of the finding, e.g. "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack."
2. Severity – the severity of the finding, e.g. "Medium". Possible values are High, Medium, Low, and Informational.
3. Description – a concise summary of the finding, e.g. "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root."
4. Recommendation – suggested steps that you can complete to fix the potential security issue described by the selected finding, e.g. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

06 Based on the information returned at the previous step you can analyze the selected finding and make a plan to implement the recommended fix (see Remediation/Resolution section).

07 Repeat steps no. 4 – 6 to analyze other Amazon Inspector Findings available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run list-findings command (OSX/Linux/UNIX) to list the Amazon Resource Names (ARNs) of all Amazon Inspector Findings currently available in the selected region:

aws inspector list-findings
	--region us-east-1

02 The command output should return a table with the requested IDs:

{
    "findingArns": [
       "arn:aws:inspector:us-east-1:123456789012:
target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj",
"arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0/finding/0-hGDNZFIi",
"arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-LSblo0dW"
    ]
}

03 Run describe-findings command (OSX/Linux/UNIX) using the ARN returned at the previous step as identifier to describe the selected finding generated by Amazon Inspector in the current region:

aws inspector describe-findings
	--region us-east-1
	--finding-arns arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj

04 The command output should return the metadata for selected finding:

{
    "failedItems": {},
    "findings": [
        {
            "assetType": "ec2-instance",
            "confidence": 10,
            "numericSeverity": 6.0,
            "description": "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root.",
            "service": "Inspector",
            "title": "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack.",
            "indicatorOfCompromise": false,
            "assetAttributes": {
                "schemaVersion": 1,
                "agentId": "i-0bdaf6743a3e8bde5",
                "ipv4Addresses": []
            },
            "userAttributes": [],
            "createdAt": 1493546543.248,
            "recommendation": "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use **sudo** to escalate privileges when necessary. To disable SSH root logins, set **PermitRootLogin** to \"no\" in **/etc/ssh/sshd_config** and restart sshd.",
            "updatedAt": 1493546543.248,
            "attributes": [
                {
                    "value": "i-0bdaf6743a3e8bde5",
                    "key": "INSTANCE_ID"
                }
            ],
            "schemaVersion": 1,
            "serviceAttributes": {
                "schemaVersion": 1,
                "rulesPackageArn": "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q",
                "assessmentRunArn": "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0"
            },
            "id": "Disable root login over SSH",
            "arn": "arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-MHrQE148/run/0-SqPRlfv0/finding/0-hGDNZFIi",
            "severity": "Medium"
        }
    ]
}

05 Analyze the selected finding metadata returned at the previous step by checking the following output attributes:

1. "title" – the name of the Amazon Inspector finding, e.g. "Instance i-0bdaf6743a3e8bde5 is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack."
2. "severity" – the severity of the finding, e.g. "Medium". Possible values are High, Medium, Low, and Informational.
3. "description" – the summary of the finding, e.g. "This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root."
4. "recommendation" – recommended steps that you can follow to solve the potential security issue described by the selected finding, e.g. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

06 Repeat steps no. 3 – 5 to verify other Amazon Inspector Findings available in the current region.

07 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Inspector dashboard at https://console.aws.amazon.com/inspector/.

03 In the left navigation panel, under Dashboard section, choose Findings.

04 Choose the Amazon Inspector finding that you want to resolve (see Audit section part I to identify the right resource) and click the Show/Hide Details button:

to expand the finding details panel.

05 On the selected finding details panel, locate the AWS agent ID attribute and click on its value (link), e.g.

The AWS agent ID attribute shares the same ID with the selected finding assessment target (i.e. the EC2 instance evaluated by the Amazon Inspector service).

06 Select the EC2 instance identified by the AWS agent ID assigned to the selected finding then click the Connect button from the dashboard top menu to get the information required to connect to the selected EC2 instance via SSH.

07 Within Connect To Your Instance dialog box, choose whether to use a standalone SSH client like PuTTY or a Java SSH client directly from your browser to connect to the selected EC2 instance in order to solve the potential security issue found during the assessment.

08 Once you have connected to your EC2 instance operating system via SSH, follow the instructions provided by the Amazon Inspector finding in the Recommendation section, i.e. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

09 Repeat steps no. 4 – 8 to solve other Amazon Inspector Findings discovered for the EC2 instances provisioned in the current region.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

01 Run describe-findings command (OSX/Linux/UNIX) using custom query filters and the ARN of the finding that you want to solve as identifier (see Audit section part II to identify the right ARN) to describe the AWS agent ID for selected Amazon Inspector finding. The finding AWS agent ID shares the same ID with the EC2 instance evaluated by the Amazon Inspector service:

aws inspector describe-findings
	--region us-east-1
	--finding-arns arn:aws:inspector:us-east-1:123456789012:target/0-6hPYTJ1n/template/0-kIyGBQXy/run/0-B50lLgrL/finding/0-BZKn1UWj
	--query 'findings[*].assetAttributes.agentId'

02 The command output should return the ID of the EC2 instance targeted by the selected Amazon Inspector finding:

[
    "i-0bdaf6743a3e8bde5"
]

03 Now run describe-instances command (OSX/Linux/UNIX) using the EC2 resource ID returned at the previous step to describe the configuration attributes of the EC2 instance targeted by the selected Inspector finding:

aws ec2 describe-instances
	--region us-east-1
	--instance-ids i-0bdaf6743a3e8bde5

04 The command output should return the requested EC2 instance configuration details such as instance Public/Elastic IP, SSH key name, AMI ID, etc:

{
    "Reservations": [
        {
            "OwnerId": "123456789012",
            "ReservationId": "r-0407438b3488ce325",
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "PublicDnsName": "ec2-34-201-70-11.compute-1...",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "EbsOptimized": false,
                    "LaunchTime": "2017-04-29T05:08:56.000Z",
                    "PublicIpAddress": "34.201.70.11",
                    "PrivateIpAddress": "172.31.14.27",
                    "InstanceId": "i-0bdaf6743a3e8bde5",
                    "EnaSupport": true,
                    "ImageId": "ami-c58c1de1",
                    "PrivateDnsName": "ip-172-31-14-27.ec2.internal",

                    ...

                    "KeyName": "ssh-access-key",
                    "SecurityGroups": [
                        {
                            "GroupName": "launch-wizard-5",
                            "GroupId": "sg-315a34f5"
                        }
                    ],
                    "SubnetId": "subnet-2b394201",
                    "InstanceType": "c4.large",
                    "SourceDestCheck": true,
                    "Placement": {
                        "Tenancy": "default",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1a"
                    },
                    "Hypervisor": "xen",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

05 Use the instance configuration details (Public IP, SSH key name, etc) returned at the previous step with your favorite SSH client to connect to the selected EC2 instance in order to solve the potential security issue found during the evaluation performed by Amazon Inspector.

06 Once you have connected to your EC2 instance using SSH, follow the instructions provided by the Amazon Inspector finding in the Recommendation section, i.e. "It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd."

07 Repeat steps no. 1 – 6 to solve other Amazon Inspector Findings discovered for your EC2 instances provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.