Security, Identity & Compliance | Amazon Inspector Flashcards
What is Amazon Inspector?
General
Amazon Inspector | Security, Identity & Compliance
Amazon Inspector is an automated security assessment service that helps you test the security state of your applications running on Amazon EC2.
What can I do with Amazon Inspector?
General
Amazon Inspector | Security, Identity & Compliance
Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems. This allows you to make security testing a more regular occurrence as part of development and IT operations. Amazon Inspector is agent-based, API-driven, and delivered as a service to make it easy to deploy, manage, and automate.
What makes up the Amazon Inspector service?
General
Amazon Inspector | Security, Identity & Compliance
Amazon Inspector consists of an Amazon-developed agent that is installed in the operating system of your Amazon EC2 instances and a security assessment service that uses telemetry from the agent and AWS configuration to assess instances for security exposures and vulnerabilities.
What is an assessment template?
General
Amazon Inspector | Security, Identity & Compliance
An assessment template is a configuration that you create in Amazon Inspector to define your assessment run. This assessment template includes a rules package against which you want Amazon Inspector to evaluate your assessment target, the duration of the assessment run, Amazon Simple Notification Service (SNS) topics to which you want Amazon Inspector to send notifications about assessment run states and findings, and Amazon Inspector-specific attributes (key/value pairs) that you can assign to findings generated by the assessment run.
What is an assessment run?
General
Amazon Inspector | Security, Identity & Compliance
An assessment run is the process of discovering potential security issues through the analysis of your assessment target’s configuration and behavior against specified rule packages. During an assessment run, the agent monitors, collects, and analyzes behavioral data (telemetry) within the specified target, such as the use of secure channels, network traffic among running processes, and details of communication with AWS services. Next, the agent analyzes the data and compares it against a set of security rule packages specified in the assessment template used during the assessment run. A completed assessment run produces a list of findings - potential security issues of various severity.
Is there any performance impact during an Amazon Inspector assessment run?
General
Amazon Inspector | Security, Identity & Compliance
Amazon Inspector and the Amazon Inspector Agent have been designed for minimal performance impact during the assessment run process.
What is an assessment target?
General
Amazon Inspector | Security, Identity & Compliance
An assessment target represents a collection of AWS resources that work together as a unit to help you accomplish your business goal(s). Amazon Inspector evaluates the security state of the resources that constitute the assessment target. You create an assessment target by using Amazon EC2 tags, and you can then define these tagged resources as an assessment target for an assessment run defined by the assessment template.
What is a finding?
General
Amazon Inspector | Security, Identity & Compliance
A finding is a potential security issue discovered during the Amazon Inspector assessment run of the specified target. Findings are displayed in the Amazon Inspector console or retrieved through the API, and contain both a detailed description of the security issue and a recommendation on how to fix it.
What is a rules package?
General
Amazon Inspector | Security, Identity & Compliance
A rules package is a collection of security tests that can be configured as part of an assessment template and assessment run. Amazon Inspector has many rules packages including common vulnerabilities and exposures (CVE), Center for Internet Security (CIS) Operating System configuration benchmarks, and security best practices. See the Amazon Inspector documentation for a full list of rules packages available.
Can I define my own rules for assessment templates?
General
Amazon Inspector | Security, Identity & Compliance
No. Only the pre-defined rules will initially be allowed for assessment runs. However, over time we are exploring the inclusion of both premium rules sets from vendors in the AWS Marketplace and self-developed custom rules.
Which applications can Inspector analyze for vulnerabilities?
General
Amazon Inspector | Security, Identity & Compliance
Amazon Inspector finds applications by querying the package manager or software installation system on the operating system where the agent is installed. This means that software that was installed through the package manager is assessed for vulnerabilities. The version and patch level of software that is not installed through these methods is not recognized by Inspector. For example, software installed via apt, yum, or Microsoft Installer will be assessed by Inspector. Software installed through make config / make install, or binary files copied directly to the system using automation software such as Puppet or Ansible will not be assessed by Inspector.
What is an assessment report, and what does it include?
General
Amazon Inspector | Security, Identity & Compliance
An Amazon Inspector assessment report can be generated for an assessment run once it has been successfully completed. An assessment report is a document that details what is tested in the assessment run, and the results of the assessment. The results of your assessment are formatted into a standard report, which can be generated to share results within your team for remediation actions, to enrich compliance audit data, or to store for future reference.
You can select from two types of report for your assessment, a findings report or a full report. The findings report contains an executive summary of the assessment, the instances targeted, the rules packages tested, the rules that generated findings, and detailed information about each of these rules along with the list of instances that failed the check. The full report contains all the information in the findings report, and additionally provides the list of rules that were checked and passed on all instances in the assessment target.
What happens if some of my targets are unavailable when I run an assessment?
General
Amazon Inspector | Security, Identity & Compliance
Amazon Inspector will gather vulnerability data for all available targets configured for the assessment template and return any appropriate security findings for the available targets. If there are no available targets for the assessment template when the run is started, the system will report that the assessment could not be run and will return the following notification: “The assessment run could not executed at this time as there are no targeted instances available for the selected assessment template.”
How do Targets become unavailable?
General
Amazon Inspector | Security, Identity & Compliance
Targets in an assessment could be unavailable for a number of reasons, such as: the EC2 instance is down or unresponsive; the Tagged (targeted) instance does not have the Amazon Inspector Agent installed; the installed Amazon Inspector Agent is unavailable or cannot return vulnerability data.
What is the pricing for Amazon Inspector?
General
Amazon Inspector | Security, Identity & Compliance
Inspector pricing is based on the number of assessment runs and the number of agents or systems that were assessed during those runs. We call this “agent-assessments.” An on-demand billing period is one calendar month like all AWS services. For example:
1 assessment run against 1 agent = 1 agent-assessment
1 assessment run against 10 agents = 10 agents-assessments
10 assessment runs against 2 agents each = 20 agent-assessments
30 assessment runs against 10 agents each = 300 agent-assessments
If the above represented the Amazon Inspector assessment runs activity in your account for a given billing period, you would be charged for 331 total agent-assessments.
The price of each individual agent-assessment is based on a tiered pricing model. As you move up the volume of agent-assessments in a given billing period, you pay a lower price per agent-assessment. For example, the first two tiers of agent-assessment pricing are:
First 250 agent-assessments = $0.30 per agent-assessment
Next 750 agent-assessments = $0.25 per agent-assessment
So for our example above of 331 total agent-assessments in a given billing period, you would be charged $0.30 for the first 250 and $0.25 for the next 81, or $95.25 total for the billing period. See the Amazon Inspector pricing page for the full pricing table.
Is there a free trial for Amazon Inspector?
General
Amazon Inspector | Security, Identity & Compliance
Yes. Amazon Inspector offers the first 250 agent-assessments at no cost for the first 90 days of using the service. All AWS accounts new to the Amazon Inspector service are eligible.