Wednesday, 14 March 2018

AWS Inspector

Overview
  • Automated security assessment

Model
  • Vulnerability Scanner
  • Designed to be run during a Continuous Integration deployment pipeline
    • NOT designed for Continuous Deployment
  • Intended to be run in a TEST environment
  • Not an Intrusion Detection System (IDS)
  • Not an Intrusion Prevention System (IPS)
  • Uses an agent that includes sensors
    • Sensors report telemetry to a central service

Assessment Target
  • Assessed by Inspector
  • Set of EC2 instances that accomplish a goal
  • Must be described to Inspector

Assessment Template
  • Instructions for analyzing an application for security vulnerabilities
  • Contains 1+ Rules Packages

Rules Package
  • Set of security checks ("rules")
  • Rules are grouped in packages to address common goal
  • Example
    • PCI rules package
    • Network Security Best Practices
    • Authentication Best Practices

Assessment Run
  • Individual assessment of the target based on the template

Finding
  • Potential security threat
  • Results when telemetry gathered during the assessment matches a rule
  • Detailed description, context, etc.
  • Has attributes (metadata)
    • Can be used to create a "workflow" (Status = New, Status = Triage)
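The model above (run from a CI pipeline, one assessment run per template, findings carrying user attributes that drive a Status workflow) as an added example, not code from the original post or from AWS. It uses the method names and argument shapes of the boto3 Inspector Classic client (start_assessment_run, describe_assessment_runs, list_findings, describe_findings, add_attributes_to_findings); the ARNs, the finding data and the FakeInspector class are constructed so the script runs offline, and in a real pipeline you would pass boto3.client("inspector") instead.

```python
"""Added example (not from the original post): an Inspector Classic CI stage.

Runs an assessment template, collects the run's findings, tags each finding
with a "Status" user attribute (New / Triage) and gates the build on severity.
The boto3 method names and argument shapes match the real `inspector` client;
the ARNs, finding data and FakeInspector class are constructed for offline use.
"""
import time

# Severity strings Inspector Classic reports, ranked for threshold checks.
SEVERITY_RANK = {"Undefined": 0, "Informational": 0, "Low": 1, "Medium": 2, "High": 3}
TERMINAL_OK = ("COMPLETED", "COMPLETED_WITH_ERRORS")
TERMINAL_BAD = ("FAILED", "ERROR", "CANCELED")


def run_assessment(client, template_arn, run_name, poll_seconds=30, max_polls=120):
    """Start an assessment run from a template and wait for a terminal state."""
    run_arn = client.start_assessment_run(
        assessmentTemplateArn=template_arn, assessmentRunName=run_name
    )["assessmentRunArn"]
    for _ in range(max_polls):
        run = client.describe_assessment_runs(assessmentRunArns=[run_arn])["assessmentRuns"][0]
        if run["state"] in TERMINAL_OK:
            return run_arn
        if run["state"] in TERMINAL_BAD:
            raise RuntimeError(f"assessment run {run_arn} ended in state {run['state']}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"assessment run {run_arn} did not finish in time")


def fetch_findings(client, run_arn):
    """Page through ListFindings for the run, then hydrate with DescribeFindings."""
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [run_arn], "maxResults": 100}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 100):  # DescribeFindings takes at most 100 ARNs per call
        findings.extend(client.describe_findings(findingArns=arns[i:i + 100])["findings"])
    return findings


def triage(client, findings, escalate_at="High"):
    """Enter findings into the Status workflow: 'New' by default, 'Triage' at or
    above escalate_at. Findings already carrying a Status attribute are left
    alone so a re-run does not reset an analyst's decision."""
    buckets = {"New": [], "Triage": []}
    for f in findings:
        user_attrs = {a["key"]: a["value"] for a in f.get("userAttributes", [])}
        if "Status" in user_attrs:
            continue
        escalate = SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[escalate_at]
        buckets["Triage" if escalate else "New"].append(f["arn"])
    for status, arns in buckets.items():
        if arns:
            client.add_attributes_to_findings(
                findingArns=arns, attributes=[{"key": "Status", "value": status}]
            )
    return buckets


def gate(findings, fail_at="High"):
    """Build gate: pass only if no finding reaches the fail_at severity."""
    return all(SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[fail_at] for f in findings)


def pipeline_stage(client, template_arn, run_name, **poll):
    """One CI stage: run, collect, triage, and report whether the build may proceed."""
    run_arn = run_assessment(client, template_arn, run_name, **poll)
    findings = fetch_findings(client, run_arn)
    return {"run_arn": run_arn, "buckets": triage(client, findings), "passed": gate(findings)}


# ---- constructed offline data; use boto3.client("inspector") for a real account ----
TEMPLATE_ARN = "arn:aws:inspector:us-east-1:123456789012:target/0-EXAMPLE/template/0-EXAMPLE"


class FakeInspector:
    """Minimal stand-in mimicking the boto3 Inspector Classic response shapes."""

    def __init__(self):
        base = TEMPLATE_ARN + "/run/0-EXAMPLE/finding/0-"
        self._polls = 0
        self._attrs = {}  # finding ARN -> list of user attributes
        self._findings = {  # constructed findings, one per severity band
            base + "A": {"title": "Constructed high-severity finding", "severity": "High"},
            base + "B": {"title": "Constructed medium-severity finding", "severity": "Medium"},
            base + "C": {"title": "Constructed informational finding", "severity": "Informational"},
        }

    def start_assessment_run(self, assessmentTemplateArn, assessmentRunName):
        return {"assessmentRunArn": assessmentTemplateArn + "/run/0-EXAMPLE"}

    def describe_assessment_runs(self, assessmentRunArns):
        self._polls += 1  # still collecting on the first poll, complete afterwards
        state = "COLLECTING_DATA" if self._polls == 1 else "COMPLETED"
        return {"assessmentRuns": [{"arn": a, "state": state} for a in assessmentRunArns]}

    def list_findings(self, **kwargs):
        return {"findingArns": list(self._findings)}

    def describe_findings(self, findingArns):
        return {"findings": [dict(self._findings[a], arn=a, userAttributes=self._attrs.get(a, []))
                             for a in findingArns]}

    def add_attributes_to_findings(self, findingArns, attributes):
        for a in findingArns:
            self._attrs.setdefault(a, []).extend(attributes)
        return {"failedItems": {}}


if __name__ == "__main__":
    print(pipeline_stage(FakeInspector(), TEMPLATE_ARN, "ci-build-42", poll_seconds=0))
```

The gate is what makes the CI placement from the post work: the stage blocks the pipeline on a High finding, while the Status attribute written once and never overwritten keeps the triage state across repeated runs against the test environment.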
