Skip to content

Identifying and Remediating Host Vulnerabilities - Host Layer Round - Assess Phase

In the previous Build Phase, you deployed a CloudFormation stack that contains some Amazon EC2 instances behind an application load balancer. You are now going to learn about AWS Inspector. AWS Inspector assesses the instances and identifies security findings that can be remediated.

To save time, the CloudFormation teamplate will run an initial Inspector assessment for you. In later phases of the workshop, you will apply patches using AWS Systems Manager and then run another Inspector assessment to see if there is any change in the number of findings.

Before you can assess the instances with Amazon Inspector, you need to identify the instances that you want to assess. In small environments, you can select the instance IDs from a list but in environments with hundreds or thousands of instance, you need an easier way to select them. For this reason, you are going to learn how to use tags to select the instances on which you will install the Amazon Inspector agent. Tags are labels that can be attached to AWS resources to make it easier to act on them collectively.

In this section you will do the following tasks:

  1. Examine the CloudFormation stack you built to learn about the tags that were applied by AWS CloudFormation.
  2. Learn about Amazon Inspector targets, templates, and rules packages.
  3. Examine Amazon Inspector findings
Workshop Architecture

Workshop Architecture

Examine the stack that you built and its tags

  1. Go to the CloudFormation console in the same AWS region where the stack was created. You should see a list of stacks similar to the figure below. Your console layout may look different depending on the preferences in your account. Locate the stack you created. In this documentation, the name of the stack is pww. If you are doing this workshop at an AWS event, the stackname may be much longer. Make sure you can see the entire stack name. Copy the stack name into a scratch file on your workstation in case you need it later.


  2. If you see a check box to the left of the stack name, click the check box to the left of the stack name and then click the Resources tab. If you don't see a check box, just click the Resources tab. You will see a list of resources that were deployed by the stack as shown in the figure below.


    The Type column lists the type of the resouces. Notice that you will not see any resources of type AWS::EC2::Instance even though there are now EC2 instances running. The reason for this is that the CloudFormation stack did not deploy any - at least not directly. The stack did, however, deploy an auto scaling group with a launch configuration that in turn launched the instances. You will now look at the auto scaling group and see how it supports tagging.

  3. Continue scrolling through the resources shown by CloudFormation and look for a resource named AutoScalingGroup as shown in the picture below.

    CloudFormation Auto Scaling Group

    Click the hyperlink next to AutoScalingGroup. This will take you to the Amazon EC2 console and display the auto scaling group. Scroll down and click on the Tags tab to see how the auto scaling group handles tags. Your console display should look similar to the picture below.

    EC2 Auto Scaling Group

    The picture above shows that there are four tags that are propogated to every EC2 instance created by the auto scaling group. The tags include a Name tag and three additional tags that are generated by CloudFormation. This tells us that every EC2instance that is launched by the auto scaling group will have a Name tag with the value of pww-node.

    In a production environment, you may have a large number of resources that spin up and spin down because of the elasticity that AWS offers. If you understand how tags are applied you can more easily manage the environment regardless of how many instances exist at any point in time. You will now learn how to look up the Amazon EC2 instances using tags.

  4. Go to the Amazon EC2 console and look for instances having a name that begins with the stack name followed by -node, pww-node in this example. If you cannot see them, type the instance name (pww-node in this case) into the search box. Select one of them by checking the box to the left of the instance and then click on the Tags tab. You should see a table like that in the figure below.


  5. Notice that the instance has tags reflecting the CloudFormation stack name and stack id. These tags are added because of settings in the auto scaling group which propogate tags to newly created instances.

    You have now learned about the tags that you can use to look up AWS resources. You will now learn how tags can be used within Amazon Inspector to select the instances that will be assessed.

Explore Amazon Inspector

Understanding Amazon Inspector targets

  1. Go to the Amazon Inspector console.

  2. Click Assessment Targets on the left menu. Assessment targets represent a group of EC2 instances that Inspector will assess. You will see a target whose name begins with InspectorTarget. Click on the arrow widget to open the target and display the details. You should see something similar to the image below.

    Amazon Inspector Targets

    In the figure above, notice that the Use Tags section contains a key/value pair with the entries aws:cloudformation:stack-name and pww respectively. This Inspector target is configured to select all instances that were started by the CloudFormation stack.

  3. Click the Preview Target button. A new window opens as shown below.

    Amazon Inspector Targets

    You now see there are three Instances that Inspector will assess based on the configuration of the target.

  4. Click the Assessment Templates on the left menu. A list of assessment templates appears as shown below.

    Amazon Inspector Targets

    You will see an assement template whose name begins with AssessmentTemplate. Assessment templates represent the selection of a target and one or more rules packages. A rules package is a collection of rules that represent security checks. This template assesses the previously mentioned target against the following two rules packages:

    Common Vulnerabilities and Exposures: The rules in this package help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures. For more information, see{target=_blank}. You typically remediate findings from this rules package by installing patches.

    Security Best Practices: The rules in this package help determine whether your systems are configured securely. For example, one rule in this package checks to see if root login has been disabled over ssh. You typically remediate the findings by adjusting configuration settings.

  5. On the Amazon Inspector menu, click Assessment runs. You should see an entry for the assesment that was started on your behalf. If the status is not, Analysis complete, then periodically refresh the screen until the status changes to Analysis complete as shown in the figure below.

    Amazon Inspector Runs

  6. On the line that represents your most recent run, make note of the number in the Findings column (177 in this diagram). After you perform the remediation later in this workshop, that number should decrease. Click on the number in the Findings column. The findings associated with the run will appear as shown below.

    Amazon Inspector Findings

    You will see one of the findings has been expanded to reveal more details. The middle section of the finding has been removed to save space.

  7. Now that you have learned about Inspector assessments, you are ready to perform some remediation. You will then run an Inspector assessment yourself to see if the number of findings has changed.

    Click here to proceed to the Remediate Phase.