
Getting Started with Amazon Inspector
Chris Johnson, Solutions Architect
November 1, 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from this session

• Why did we build Amazon Inspector?
• What is Amazon Inspector?
• How much does it cost?
• What does it help protect against?
• How does it help me with remediation?
• Where do APN Technology Partners fit?
• What regions are supported?
• What’s next for Amazon Inspector?
DevOps & Cloud

• Better alignment with customer needs
• Increased ownership by developers
• Continuous feedback & bug discovery
• Configuration & infrastructure are part of the code
• More frequent code rollouts
• Automation
• Better focus on operational excellence
• Cloud provides infrastructure as code
• Improved availability
• Cost optimization
Continuous Integration / Continuous Deployment

[Diagram: the CI/CD pipeline from Source Code to Running Host]

Traditional Security Processes

[Diagram: the Asset Owner hands the asset to the Security Team, where an AppSec Engineer scans it for vulnerabilities]

• It’s not about DevOps + Security
• There are not enough security professionals on the planet to do this
• Security teams need their own automation to keep up with automated deployments!
• Security as code
• Seamless integration with CI/CD pipelines
• Ability to scan and run test suites in parallel
• Ability to automate remediation
• Consumable by APN Technology Partners as microservices
• www.devsecops.org
Amazon Inspector

• Vulnerability assessment service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-demand pricing model
• Static & dynamic rules packages
• Generates findings
The Value of Vulnerability Assessments

“[With] any large network, I will tell you that persistence and focus will get you in, we’ll achieve that exploitation without the zero days,” he says. “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.” This includes, of course, known vulnerabilities for which a patch is available but the owner hasn’t installed it.

- Rob Joyce, NSA TAO, at Enigma 2016


Installing the Agents

Linux:

#!/bin/bash
# Fetch the agent installer to an explicit path (the original chmod'ed /home/ec2-user/install
# but fetched into the working directory) and run it as root, e.g. from EC2 user-data.
set -euo pipefail
wget -O /home/ec2-user/install https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install
chmod a+x /home/ec2-user/install
/home/ec2-user/install

The installer runs with root privileges, so check the download against the signature AWS publishes for the agent installer before executing it rather than trusting the transport alone.

Windows (PowerShell):

# Fetch the Windows agent installer and run it silently, waiting for it to finish.
# WebClient.DownloadFile resolves a relative path against the process working
# directory, not PowerShell's current location, so an absolute path is used.
$url = "https://s3-us-west-2.amazonaws.com/aws-agent-updates-test/windows/product/AWSAgentInstall.exe"
$out = Join-Path $env:TEMP "AWSAgentInstall.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $out)
Start-Process -FilePath $out -ArgumentList "/quiet" -Wait

Ways to deploy the agent:
• Chef, SaltStack, Puppet, Ansible
• AWS CodeDeploy
• EC2 user-data
• EC2 Run Command
• cfn-init
• AWS OpsWorks
• cloud-init
Supported Agent Operating Systems

• Amazon Linux (2015.03 or later)
• Ubuntu (14.04 LTS)
• Red Hat Enterprise Linux (7.2)
• CentOS (7.2)
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
Assessments

Pricing

• Free trial: 250 agent-assessments during the first 90 days of using the service
• Billed per agent-assessment:
  • 1 assessment with 10 agents = 10 agent-assessments
  • 5 assessments with 2 agents = 10 agent-assessments
  • 10 assessments with 1 agent = 10 agent-assessments
  • 10 agent-assessments at the first tier = $3.00
• Tiered price per agent-assessment:
  First 250 agent-assessments: $0.30
  Next 750 agent-assessments: $0.25
  Next 4,000 agent-assessments: $0.15
  Next 45,000 agent-assessments: $0.10
  All other agent-assessments: $0.05
Common Vulnerabilities & Exposures

• A tagged list of publicly known information security issues
• Vulnerabilities
  • A mistake in software that can be used to gain unauthorized system access:
    • Execute commands as another user
    • Pose as another entity
    • Conduct a denial of service
• Exposures
  • A mistake in software that allows access to information that can lead to unauthorized system access
  • Allows an attacker to hide activities
  • Enables information-gathering activities
CIS Secure Configuration Benchmarks

Kathleen Patentreger, Senior Vice President, Center for Internet Security
Laurie Hester, Program Executive, Center for Internet Security
Who is CIS?

• Pioneer in forming global IT communities
• Developer of key best practices for immediate and effective defenses against cyber attacks
• Industry standard for security best practices

CIS delivers Confidence in the Connected World
CIS can help your organization

Our Mission:
• Create and promote best practices in
cybersecurity
• Deliver solutions to prevent and rapidly
respond to cyber incidents
• Build trust in cyberspace

Our Programs:
• MS-ISAC (SLTT support)
• CIS Critical Security Controls
• CIS Security Benchmarks
What is a “Benchmark?”

• Security configuration guide
• Consensus-based development process
• PDF versions are free via our website
• 433K+ downloads last year

What’s inside a Benchmark?

• What it applies to…
• Who helped make it…
• How to interpret…
• What to do…
• Why to do it…
• How to do it…
• How do you know you did it…
Amazon and CIS

• CIS AWS Foundations Benchmark: provides recommendations for the security of your AWS account
• Amazon Inspector: through the CIS Security Software Vendor Membership and certification program, Inspector assesses against the following CIS Benchmark: Amazon Linux 2014.09-2015.03. Additional CIS Benchmarks are scheduled.
CIS Amazon Machine Images (AMIs)

The system is configured from launch to be in conformance with the CIS Benchmark.

AMIs currently available include:
• Amazon Linux 2014.09*-2015.03
• Debian 8*
• Microsoft Windows Server 2008, 2008 R2, 2012 & 2012 R2
• Red Hat Enterprise Linux 5*, 6 & 7
• SUSE Linux Enterprise Server 11* & 12*
• CentOS Linux 6* & 7
• Ubuntu 12.04* & 14.04 LTS Server

* Access via CIS Membership only, not available in AWS Marketplace


How to access the CIS Amazon Machine Images (AMIs) in Amazon Elastic Compute Cloud (EC2)

• AWS Marketplace
• CIS Security Benchmarks Membership

Future plans:
• GovCloud - more details to come in May
• Intelligence Community (IC) Marketplace

For more information, visit https://benchmarks.cisecurity.org or contact us at members@cisecurity.org.
Amazon Inspector

• Rules packages:
  • Common Vulnerabilities & Exposures
  • CIS Operating System Security Configuration Benchmarks
  • Security Best Practices
  • Runtime Behavior Analysis
Security Best Practices

• Rule categories: Authentication, Network Security, Operating System, Application Security
• Example rules:
  • Disable root login over SSH
  • Password complexity
  • Permissions for system directories
  • Secure protocols
  • Data execution prevention enabled
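An added example (not Inspector's own rule code, and not from the presentation) of what the "Disable root login over SSH" and "Secure protocols" rules amount to when applied to an sshd_config. The slide does not show how Inspector evaluates these rules, so the keywords checked, the handling of Match blocks and the severity labels are this example's assumptions; both config excerpts are constructed.

```python
"""Audit an sshd_config for two Security Best Practices rules from the slide:
root login over SSH disabled, and the insecure SSH-1 protocol not enabled.

Added example, not Amazon Inspector's rule logic.  Keyword choices and
severity labels are assumptions of this example.
"""

# Constructed sshd_config excerpts: a weak one and its hardened counterpart.
WEAK_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
Match User backup
    PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin=no
"""


def parse_global_options(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd honours the first occurrence of each keyword, accepts either
    'Keyword value' or 'Keyword=value', and treats everything after a
    Match line as conditional, so parsing stops there (the PermitRootLogin
    inside the Match block above must not mask the global 'yes').
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts


def check_sshd_config(text):
    """Return a list of (rule, severity, evidence) tuples for weak settings."""
    opts = parse_global_options(text)
    findings = []

    # Only 'no' disables root login; 'prohibit-password' / 'without-password'
    # still allow key-based root login, and an absent keyword is flagged
    # because the compiled-in default has varied across OpenSSH releases.
    root = opts.get("permitrootlogin", "(unset)")
    if root.lower() != "no":
        findings.append(("Disable root login over SSH", "Medium",
                         "PermitRootLogin " + root))

    # Any '1' in the Protocol list enables SSH-1, whose key exchange and
    # integrity protection are broken.  OpenSSH defaults to 2 when unset.
    proto = opts.get("protocol", "2")
    if "1" in [p.strip() for p in proto.split(",")]:
        findings.append(("Secure protocols", "High", "Protocol " + proto))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, check_sshd_config(cfg))
```

Against the weak excerpt the check reports both rules; against the hardened one it reports nothing. The stop-at-Match behaviour matters in practice: a `PermitRootLogin no` buried in a Match block is a common reason an audit script wrongly passes a host that still permits root login globally.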
Runtime Behavior Analysis

• This package analyzes the machine’s behavior during an assessment:
  • Unused listening ports
  • Insecure client protocols
  • Root processes with insecure permissions
  • Insecure server protocols
• Its results affect the severity of static findings

Automating Remediation

• Findings are JSON formatted and taggable, and carry:
  • Name of the assessment target & template
  • Start time, end time, status
  • Names of the rules packages
  • Name & severity of the finding
  • Description & remediation steps
• Lambda-ify your incident response
  • Integrate with Jira-like services
  • Integrate with PagerDuty-like services
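An added example (not code from the presentation or from AWS) of the Lambda side of this: a handler that takes the SNS notification Inspector publishes when a finding is reported, reads the finding fields listed above, routes the finding by severity to paging, ticketing or logging, and builds the tag that marks it as ticketed so the next assessment run does not open a duplicate. The finding field names are those Inspector Classic returns from DescribeFindings; the `CVE_ID` attribute key and the SNS message layout (`event`, `finding`, `run`, `template`) are assumptions to confirm against your own account, and the sample finding, ARNs, instance id and CVE id are constructed placeholders. In production the `lookup` callable would wrap boto3's `describe_findings`; here it is backed by the sample so the block runs offline.

```python
"""Route Amazon Inspector findings from an SNS-triggered Lambda function.

Added example, not code from the presentation or from AWS.  Finding field
names follow Inspector Classic's DescribeFindings; the "CVE_ID" attribute
key and the SNS message layout are assumptions.  All ARNs, the instance id
and the CVE id are constructed placeholders.
"""
import json
import re

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample finding (placeholder identifiers throughout).
SAMPLE_FINDING = {
    "arn": ("arn:aws:inspector:us-west-2:111122223333:target/0-TARGET/"
            "template/0-TEMPLATE/run/0-RUN/finding/0-FINDING"),
    "serviceAttributes": {
        "rulesPackageArn": "arn:aws:inspector:us-west-2:000000000000:rulespackage/0-EXAMPLE",
        "assessmentRunArn": ("arn:aws:inspector:us-west-2:111122223333:target/0-TARGET/"
                             "template/0-TEMPLATE/run/0-RUN"),
    },
    "assetAttributes": {"agentId": "i-0123456789abcdef0"},
    "title": "Instance i-0123456789abcdef0 is vulnerable to CVE-0000-0001",
    "description": "The package openssl is affected by CVE-0000-0001 (placeholder id).",
    "recommendation": "Use your OS package manager to update openssl to the latest version.",
    "severity": "High",
    "attributes": [{"key": "CVE_ID", "value": "CVE-0000-0001"}],
    "userAttributes": [],
}


def cve_ids(finding):
    """CVE ids from the CVE_ID attribute, else a regex over title and description."""
    ids = [a["value"] for a in finding.get("attributes", []) if a.get("key") == "CVE_ID"]
    if not ids:
        ids = CVE_RE.findall(finding.get("title", "") + " " + finding.get("description", ""))
    return sorted(set(ids))


def already_ticketed(finding):
    """True if an earlier run tagged this finding with a TicketId user attribute."""
    return any(a.get("key") == "TicketId" for a in finding.get("userAttributes", []))


def route(finding, page_at="High"):
    """Decide what to do with one finding: skip, page, open a ticket, or just log."""
    if already_ticketed(finding):
        action = "skip"
    else:
        rank = SEVERITY_RANK.get(finding.get("severity"), 0)
        if rank >= SEVERITY_RANK[page_at]:
            action = "page"
        elif rank >= SEVERITY_RANK["Low"]:
            action = "ticket"
        else:
            action = "log"
    return {
        "action": action,
        "finding_arn": finding["arn"],
        "instance": finding.get("assetAttributes", {}).get("agentId"),
        "rules_package": finding.get("serviceAttributes", {}).get("rulesPackageArn"),
        "severity": finding.get("severity"),
        "cves": cve_ids(finding),
        "summary": finding.get("title", ""),
        "remediation": finding.get("recommendation", ""),
    }


def tag_request(finding_arn, ticket_id):
    """Parameters for AddAttributesToFindings: record the ticket on the finding."""
    return {"findingArns": [finding_arn],
            "attributes": [{"key": "TicketId", "value": ticket_id}]}


def handle_sns_message(message, lookup):
    """Process one Inspector notification (JSON string); `lookup` maps a finding ARN
    to its finding dict (in production: boto3 inspector.describe_findings)."""
    msg = json.loads(message)
    if msg.get("event") != "FINDING_REPORTED":   # run-level events carry no finding
        return None
    finding = lookup(msg["finding"])
    return route(finding) if finding else None


def lambda_handler(event, context=None, lookup=None):
    """Lambda entry point for an SNS subscription; returns the routing decisions."""
    lookup = lookup or {SAMPLE_FINDING["arn"]: SAMPLE_FINDING}.get
    decisions = []
    for record in event.get("Records", []):
        decision = handle_sns_message(record["Sns"]["Message"], lookup)
        if decision:
            decisions.append(decision)
    return decisions


# Constructed SNS event in the shape Lambda receives from a subscription.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "template": "arn:aws:inspector:us-west-2:111122223333:target/0-TARGET/template/0-TEMPLATE",
    "run": SAMPLE_FINDING["serviceAttributes"]["assessmentRunArn"],
    "finding": SAMPLE_FINDING["arn"],
    "event": "FINDING_REPORTED",
})}}]}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The routing decision carries everything a Jira- or PagerDuty-style integration needs (instance, rules package, CVE ids, remediation text), and the TicketId user attribute is what makes the pipeline idempotent across repeated assessment runs: the same finding reported again is skipped instead of re-paged.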
Partners
Regions Supported

• GA:
  • US West (Oregon)
  • US East (N. Virginia)
  • EU (Ireland)
  • Asia Pacific (Seoul)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Sydney)
Thank you!
