Amazon Inspector Classic assessment templates and assessment runs - Amazon Inspector Classic

This is the user guide for Amazon Inspector Classic. For information about the new Amazon Inspector, see the Amazon Inspector User Guide. To access the Amazon Inspector Classic console, open the Amazon Inspector console at https://console.aws.amazon.com/inspector/, and then choose Amazon Inspector Classic in the navigation pane.

Amazon Inspector Classic assessment templates and assessment runs

Amazon Inspector Classic helps you discover potential security issues by using security rules to analyze your AWS resources. Amazon Inspector Classic monitors and collects behavioral data (telemetry) about your resources. The data includes information about the use of secure channels, network traffic among running processes, and details of communication with AWS services. Next, Amazon Inspector Classic analyzes and compares the data against a set of security rules packages. Finally, Amazon Inspector Classic produces a list of findings that identify potential security issues of various levels of severity.

To get started, you create an assessment target (a collection of the AWS resources that you want Amazon Inspector Classic to analyze). Next, you create an assessment template (a blueprint that you use to configure your assessment). You use the template to start an assessment run, which is the monitoring and analysis process that results in a set of findings.

Amazon Inspector Classic assessment templates

An assessment template allows you to specify a configuration for your assessment runs, including the following:

  • Rules packages that Amazon Inspector Classic uses to evaluate your assessment target

  • Duration of the assessment run – You can set the duration of an assessment run anywhere from 3 minutes to 24 hours. We recommend a duration of 1 hour.

  • Amazon SNS topics that Amazon Inspector Classic sends notifications to about your assessment run states and findings

  • Amazon Inspector Classic attributes (key-value pairs) that you can assign to findings that are generated by the assessment run that uses this assessment template

After Amazon Inspector Classic creates the assessment template, you can tag it like any other AWS resource. For more information, see Tag Editor. Tagging assessment templates enables you to organize them and get better oversight of your security strategy. For example, Amazon Inspector Classic offers a large number of rules that you can assess your assessment targets against. You might want to include various subsets of the available rules in your assessment templates to target specific areas of concern or to uncover specific security issues. Tagging assessment templates allows you to locate and run them quickly at any time in accordance with your security strategy and goals.

Important

After you create an assessment template, you can't modify it.

Amazon Inspector Classic assessment templates limits

You can create up to 500 assessment templates for each AWS account.

For more information, see Amazon Inspector Classic service limits.

Creating an assessment template

To create an assessment template
  1. Sign in to the AWS Management Console and open the Amazon Inspector Classic console at https://console.aws.amazon.com/inspector/.

  2. In the navigation pane, choose Assessment Templates, and then choose Create.

  3. For Name, enter a name for your assessment template.

  4. For Target name, choose an assessment target to analyze.

    Note

    When you create an assessment template, you can use the Preview Target button on the Assessment Templates page to review all EC2 instances included in the assessment target. For each EC2 instance, you can review the hostname, instance ID, IP address, and, if applicable, the status of the agent. The agent status can have the following values: HEALTHY, UNHEALTHY, and UNKNOWN. Amazon Inspector Classic displays an UNKNOWN status when it can't determine whether there is an agent running on the EC2 instance.

    You can also use the Preview Target button on the Assessment Templates page to review EC2 instances that make up assessment targets included in your previously created templates.

  5. For Rules packages, choose one or more rules packages to include in your assessment template.

  6. For Duration, specify the duration for your assessment template.

  7. (Optional) For SNS topics, specify an SNS topic that you want Amazon Inspector Classic to send notifications to about assessment run states and findings. Amazon Inspector Classic can send SNS notifications about the following events:

    • An assessment run has started

    • An assessment run has ended

    • An assessment run's status has changed

    • A finding was generated

    For more information about setting up an SNS topic, see Setting up an SNS topic for Amazon Inspector Classic notifications.

  8. (Optional) For Tag, enter values for Key and Value. You can add multiple tags to the assessment template.

  9. (Optional) For Attributes added to findings, enter values for Key and Value. Amazon Inspector Classic applies the attributes to all findings that are generated by the assessment template. You can add multiple attributes to the assessment template. For more information about findings and tagging findings, see Amazon Inspector Classic findings.

  10. (Optional) To set up a schedule for your assessment runs using this template, select the Set up recurring assessment runs once every <number_of_days>, starting now check box and specify the recurrence pattern (number of days) using the up and down arrows.

    Note

    When you use this check box, Amazon Inspector Classic automatically creates an Amazon CloudWatch Events rule for the assessment runs schedule that you are setting up. Amazon Inspector Classic then also automatically creates an IAM role named AWS_InspectorEvents_Invoke_Assessment_Template. This role enables CloudWatch Events to make API calls against the Amazon Inspector Classic resources. For more information, see What is Amazon CloudWatch Events? and Using Resource-Based Policies for CloudWatch Events.

    Note

    You can also set up automatic assessment runs through an AWS Lambda function. For more information, see Setting up automatic assessment runs through a Lambda function.

  11. Choose Create and run or Create.
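The same procedure through the API, as an added example that is not code from the AWS documentation. It picks a target and rules packages, validates the duration against the 3 minute to 24 hour window before the template is created (a template can't be modified afterwards), attaches a finding attribute, and subscribes an SNS topic to the four run events. The Inspector client is passed in so the code can run offline against the stub at the bottom; a real run passes boto3.client("inspector"). All ARNs in demo() are constructed placeholders, not real resources.

```python
"""Create an assessment template with the Amazon Inspector Classic API.

Added example, not code from the AWS documentation. The client is injected
so the function can be exercised offline with RecordingStub below; in
production pass boto3.client("inspector"). ARNs in demo() are placeholders.
"""

MIN_DURATION_SECONDS = 3 * 60           # 3 minutes, the documented minimum
MAX_DURATION_SECONDS = 24 * 60 * 60     # 24 hours, the documented maximum
RECOMMENDED_DURATION_SECONDS = 60 * 60  # the 1 hour AWS recommends

# Run events Amazon Inspector Classic can publish to an SNS topic.
RUN_EVENTS = (
    "ASSESSMENT_RUN_STARTED",
    "ASSESSMENT_RUN_COMPLETED",
    "ASSESSMENT_RUN_STATE_CHANGED",
    "FINDING_REPORTED",
)


def create_template(inspector, name, target_arn, rules_package_arns,
                    duration_seconds=RECOMMENDED_DURATION_SECONDS,
                    attributes=None, sns_topic_arn=None):
    """Create the template and return its ARN.

    Validates before calling the API: a template cannot be modified after
    creation, so an out-of-range duration or an empty rules package list
    should fail here rather than produce a template you have to delete.
    """
    if not MIN_DURATION_SECONDS <= duration_seconds <= MAX_DURATION_SECONDS:
        raise ValueError(f"duration must be between {MIN_DURATION_SECONDS} and "
                         f"{MAX_DURATION_SECONDS} seconds, got {duration_seconds}")
    if not rules_package_arns:
        raise ValueError("at least one rules package ARN is required")

    response = inspector.create_assessment_template(
        assessmentTargetArn=target_arn,
        assessmentTemplateName=name,
        durationInSeconds=duration_seconds,
        rulesPackageArns=list(rules_package_arns),
        # Copied onto every finding that the template's runs generate.
        userAttributesForFindings=[
            {"key": k, "value": v} for k, v in (attributes or {}).items()
        ],
    )
    template_arn = response["assessmentTemplateArn"]

    # Notifications are per-event subscriptions on the template, not a
    # template field, so they are attached after creation.
    if sns_topic_arn:
        for event in RUN_EVENTS:
            inspector.subscribe_to_event(
                resourceArn=template_arn, event=event, topicArn=sns_topic_arn)
    return template_arn


class RecordingStub:
    """Constructed stand-in for the boto3 Inspector client; records each call."""

    def __init__(self):
        self.calls = []

    def create_assessment_template(self, **params):
        self.calls.append(("create_assessment_template", params))
        return {"assessmentTemplateArn": params["assessmentTargetArn"] + "/template/0-stub"}

    def subscribe_to_event(self, **params):
        self.calls.append(("subscribe_to_event", params))
        return {}


def demo():
    """Create one template against the stub; return (template ARN, recorded calls)."""
    stub = RecordingStub()
    target = "arn:aws:inspector:us-east-1:123456789012:target/0-example"      # placeholder
    rules = ["arn:aws:inspector:us-east-1:316112463485:rulespackage/0-example"]  # placeholder
    arn = create_template(
        stub, "weekly-cve-scan", target, rules,
        attributes={"environment": "prod"},
        sns_topic_arn="arn:aws:sns:us-east-1:123456789012:inspector-notifications")
    return arn, stub.calls
```

The duration check is the part worth keeping: the console rejects out-of-range values for you, but a script that passes 60 seconds would otherwise only find out from the API error, and a mistakenly short duration that is accepted gives a template you must delete and recreate.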

Deleting an assessment template

To delete an assessment template, perform the following procedure.

To delete an assessment template
  • On the Assessment Templates page, choose the template that you want to delete, and then choose Delete. When prompted for confirmation, choose Yes.

    Important

    When you delete an assessment template, all assessment runs, findings, and versions of the reports associated with this template are also deleted.

You can also delete an assessment template by using the DeleteAssessmentTemplate API.

Assessment runs

After you create an assessment template, you can use it to start assessment runs. You can start multiple runs from the same template as long as you stay within the runs limit for each AWS account. For more information, see Amazon Inspector Classic assessment runs limits.

If you use the Amazon Inspector Classic console, you must start the first run of your new assessment template from the Assessment templates page. After you start the run, you can use the Assessment runs page to monitor the run's progress. Use the Run, Cancel, and Delete buttons to start, cancel, or delete a run. You can also view the run's details, including the ARN of the run, the rules packages selected for the run, the tags and attributes that you applied to the run, and more.

For subsequent runs of the assessment template, you can use the Run, Cancel, and Delete buttons on either the Assessment templates page or the Assessment runs page.

Deleting an assessment run

To delete an assessment run, perform the following procedure.

To delete a run
  • On the Assessment runs page, choose the run that you want to delete, and then choose Delete. When prompted for confirmation, choose Yes.

    Important

    When you delete a run, all findings and all versions of the report from that run are also deleted.

You can also delete a run by using the DeleteAssessmentRun API.

Amazon Inspector Classic assessment runs limits

You can create up to 50,000 assessment runs for each AWS account.

You can have multiple runs occurring at the same time as long as the targets used for the runs don't contain overlapping EC2 instances. If you start a run whose target includes an EC2 instance that is already participating in another run, the StartAssessmentRun call fails with AgentsAlreadyRunningAssessmentException.

For more information, see Amazon Inspector Classic service limits.

Setting up automatic assessment runs through a Lambda function

If you want to set up a recurring schedule for your assessment, you can configure your assessment template to run automatically by creating a Lambda function using the AWS Lambda console. For more information, see Lambda Functions.

To set up automatic assessment runs using the AWS Lambda console, perform the following procedure.

To set up automatic runs through a Lambda function
  1. Sign in to the AWS Management Console, and open the AWS Lambda console.

  2. In the navigation pane, choose either Dashboard or Functions, and then choose Create a Lambda Function.

  3. On the Create function page, choose Browse serverless app repository, then enter inspector in the search field.

  4. Choose the inspector-scheduled-run blueprint.

  5. On the Review, configure, and deploy page, set up a recurring schedule for automated runs by specifying a CloudWatch event that triggers your function. To do this, enter a rule name and description, and then choose a schedule expression. The schedule expression determines how often the run occurs, for example, every 15 minutes or once a day. For more information about CloudWatch events and concepts, see What is Amazon CloudWatch Events?

    If you select the Enable trigger check box, the run begins immediately after you finish creating your function. Subsequent automated runs follow the recurrence pattern that you specify in the Schedule expression field. If you don’t select the Enable trigger check box while creating the function, you can edit the function later to enable this trigger.

  6. On the Configure function page, specify the following:

    • For Name, enter a name for your function.

    • (Optional) For Description, enter a description that will help you identify your function later.

    • For Runtime, keep the default value of Node.js 8.10. AWS Lambda supports the inspector-scheduled-run blueprint only for the Node.js 8.10 runtime.

    • For Environment variables, set assessmentTemplateArn to the ARN of the assessment template that you want this function to run automatically.

    • Keep the handler set to the default value of index.handler.

    • For Role, choose the permissions for your function. For more information, see AWS Lambda Permissions Model.

      To run this function, you need an IAM role that allows AWS Lambda to start the runs and write log messages about the runs, including any errors, to Amazon CloudWatch Logs. AWS Lambda assumes this role for every recurring automated run. For example, you can attach the following sample policy to this IAM role:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "inspector:StartAssessmentRun",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      }

      Amazon Inspector Classic doesn't support resource-level permissions, so the inspector action needs "Resource": "*". You can move the logs actions into a separate statement whose Resource is the function's own log group ARN.
  7. Review your selections, and then choose Create function.
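A scheduled-run handler written in Python, as an added example: it is not the inspector-scheduled-run blueprint from the Serverless Application Repository (which is Node.js) nor any other AWS code. It does the same job (read the assessmentTemplateArn environment variable, start one run, return the run ARN), but also handles the failure mode from the runs limits section: if an EC2 instance in the target is still participating in another run, StartAssessmentRun raises AgentsAlreadyRunningAssessmentException, and the handler skips that cycle with a warning instead of failing the invocation. The client is injected so the code runs offline against the stub at the bottom; in Lambda, handler() uses boto3. The template ARN in demo() is a constructed placeholder.

```python
"""Start an Amazon Inspector Classic assessment run on a schedule.

Added example, not the AWS inspector-scheduled-run blueprint. Deploy
handler() with the function handler set to <module>.handler, the
assessmentTemplateArn environment variable set, and the IAM role policy
shown above attached. The stub below is a constructed stand-in for
boto3's Inspector client so demo() can run without AWS access.
"""
import logging
import os
import time

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

# Error code returned when the target overlaps a run that is still in progress.
ALREADY_RUNNING = "AgentsAlreadyRunningAssessmentException"


def _error_code(exc):
    """Extract the AWS error code from a botocore ClientError-like exception."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def start_run(inspector, template_arn, run_name=None):
    """Start one run; return its ARN, or None if the target is busy."""
    run_name = run_name or time.strftime("scheduled-%Y%m%dT%H%M%SZ", time.gmtime())
    try:
        resp = inspector.start_assessment_run(
            assessmentTemplateArn=template_arn, assessmentRunName=run_name)
    except Exception as exc:
        if _error_code(exc) == ALREADY_RUNNING:
            # Overlapping EC2 instances: let the current run finish and try
            # again on the next schedule tick rather than erroring out.
            logger.warning("skipping %s: instances are still in another run", template_arn)
            return None
        raise  # anything else should fail the invocation and land in CloudWatch Logs
    logger.info("started assessment run %s", resp["assessmentRunArn"])
    return resp["assessmentRunArn"]


def handler(event, context):
    """Lambda entry point; the schedule rule's event payload is not used."""
    import boto3  # imported lazily so the offline demo does not need the SDK
    template_arn = os.environ["assessmentTemplateArn"]
    return {"assessmentRunArn": start_run(boto3.client("inspector"), template_arn)}


class _BusyThenFreeStub:
    """Constructed stand-in: the first call hits the overlap error, later calls succeed."""

    def __init__(self):
        self.calls = 0

    def start_assessment_run(self, **params):
        self.calls += 1
        if self.calls == 1:
            exc = Exception("target busy")
            exc.response = {"Error": {"Code": ALREADY_RUNNING}}  # shape of botocore errors
            raise exc
        return {"assessmentRunArn": params["assessmentTemplateArn"] + "/run/0-stub"}


def demo():
    """Two schedule ticks against the stub: the first is skipped, the second starts a run."""
    stub = _BusyThenFreeStub()
    arn = "arn:aws:inspector:us-east-1:123456789012:target/0-example/template/0-example"  # placeholder
    return [start_run(stub, arn), start_run(stub, arn)]
```

Skipping on the overlap error is deliberate: with a schedule shorter than the template's duration (for example a 15 minute rule and a 1 hour template), every tick during a run would otherwise produce a failed invocation and a CloudWatch alarm for a condition that resolves on its own.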

Setting up an SNS topic for Amazon Inspector Classic notifications

Amazon Simple Notification Service (Amazon SNS) is a web service that sends messages to subscribing endpoints or clients. You can use Amazon SNS to set up notifications for Amazon Inspector Classic.

To set up an SNS topic for notifications
  1. Create an SNS topic. See Tutorial: Creating an Amazon SNS Topic. When you create the topic, expand the Access policy - optional section. Then do the following to permit the assessment to send messages to the topic:

    1. For Choose method, choose Basic.

    2. For Define who can publish messages to the topic, choose Only the specified AWS accounts, and then enter the ARN for the account in the Region that you're creating the topic in:

      • US East (Ohio) - arn:aws:iam::646659390643:root

      • US East (N. Virginia) - arn:aws:iam::316112463485:root

      • US West (N. California) - arn:aws:iam::166987590008:root

      • US West (Oregon) - arn:aws:iam::758058086616:root

      • Asia Pacific (Mumbai) - arn:aws:iam::162588757376:root

      • Asia Pacific (Seoul) - arn:aws:iam::526946625049:root

      • Asia Pacific (Sydney) - arn:aws:iam::454640832652:root

      • Asia Pacific (Tokyo) - arn:aws:iam::406045910587:root

      • Europe (Frankfurt) - arn:aws:iam::537503971621:root

      • Europe (Ireland) - arn:aws:iam::357557129151:root

      • Europe (London) - arn:aws:iam::146838936955:root

      • Europe (Stockholm) - arn:aws:iam::453420244670:root

      • AWS GovCloud (US-East) - arn:aws-us-gov:iam::206278770380:root

      • AWS GovCloud (US-West) - arn:aws-us-gov:iam::850862329162:root

    3. For Define who can subscribe to this topic, choose Only the specified AWS accounts, and then enter the ARN for the account in the Region in which you're creating the topic.

    4. To protect against Amazon Inspector Classic being used as a confused deputy, as described in Confused deputy problem in the IAM User Guide, do the following:

      1. Choose Advanced. This opens the JSON editor.

      2. In the statement that allows the Amazon Inspector Classic account to publish to the topic, add the following condition. Replace <your account Id here> with the ID of your own AWS account (the account that owns the topic). In the AWS GovCloud (US) Regions, use the aws-us-gov partition in the ARN (arn:aws-us-gov:inspector:*:*:*):

        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": "<your account Id here>",
            "aws:SourceArn": "arn:aws:inspector:*:*:*"
          }
        }
    5. (Optional) For additional information about aws:SourceAccount and aws:SourceArn, see Global condition context keys in the IAM User Guide.

    6. Update other settings for the topic as needed, and then choose Create topic.

  2. (Optional) To create an encrypted SNS topic, see Encryption at rest in the SNS Developer Guide.

  3. If the topic is encrypted, to protect against Amazon Inspector Classic being used as a confused deputy for your KMS key, follow these additional steps:

    1. Open your customer managed key in the KMS console and go to its key policy.

    2. Choose Edit.

    3. In the statement that allows the sns.amazonaws.com service principal to use the key, add the following condition (in the AWS GovCloud (US) Regions, use arn:aws-us-gov:sns:*:*:*):

      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<your account Id here>",
          "aws:SourceArn": "arn:aws:sns:*:*:*"
        }
      }
  4. Create a subscription to the topic that you created. For more information, see Tutorial: Subscribing an Endpoint to an Amazon SNS Topic.

  5. To confirm that the subscription is configured correctly, publish a message to the topic. For more information, see Tutorial: Publishing a Message to an Amazon SNS Topic.
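The policy pieces this procedure produces, and a check for them, as an added example that is not code from the AWS documentation. It renders the Publish statement (only the Amazon Inspector Classic account for the topic's Region may publish, pinned to your account with aws:SourceAccount and aws:SourceArn), the matching statement for the KMS key of an encrypted topic, and a check you can run over an existing topic policy that flags any grant to an Inspector Classic account that lacks that condition, which is what the Basic method leaves you with before step 4. The Region-to-account table is the list above; the topic ARN and account ID in demo() are constructed placeholders.

```python
"""Topic and key policy statements for Inspector Classic SNS notifications.

Added example, not code from the AWS documentation. Merge the rendered
statements into the topic access policy and the key policy; the account
and topic values in demo() are placeholders.
"""
import copy
import json

# Inspector Classic service accounts by Region (partition, account ID), from the list above.
INSPECTOR_ACCOUNTS = {
    "us-east-2": ("aws", "646659390643"),
    "us-east-1": ("aws", "316112463485"),
    "us-west-1": ("aws", "166987590008"),
    "us-west-2": ("aws", "758058086616"),
    "ap-south-1": ("aws", "162588757376"),
    "ap-northeast-2": ("aws", "526946625049"),
    "ap-southeast-2": ("aws", "454640832652"),
    "ap-northeast-1": ("aws", "406045910587"),
    "eu-central-1": ("aws", "537503971621"),
    "eu-west-1": ("aws", "357557129151"),
    "eu-west-2": ("aws", "146838936955"),
    "eu-north-1": ("aws", "453420244670"),
    "us-gov-east-1": ("aws-us-gov", "206278770380"),
    "us-gov-west-1": ("aws-us-gov", "850862329162"),
}

SOURCE_ACCOUNT = "aws:SourceAccount"
SOURCE_ARN = "aws:SourceArn"


def _pinned(account_id, partition, service):
    """Confused-deputy condition: the service must be acting for a resource in our account."""
    return {"StringEquals": {SOURCE_ACCOUNT: account_id,
                             SOURCE_ARN: f"arn:{partition}:{service}:*:*:*"}}


def inspector_publish_statement(region, topic_arn, account_id):
    """Statement to merge into the topic's access policy."""
    partition, inspector_account = INSPECTOR_ACCOUNTS[region]
    return {
        "Sid": "InspectorClassicPublish",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{partition}:iam::{inspector_account}:root"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": _pinned(account_id, partition, "inspector"),
    }


def sns_key_statement(region, account_id):
    """Statement to merge into the KMS key policy of an encrypted topic."""
    partition = INSPECTOR_ACCOUNTS[region][0]
    return {
        "Sid": "SnsUseOfKeyPinnedToThisAccount",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
        "Resource": "*",  # in a key policy, "*" means this key
        "Condition": _pinned(account_id, partition, "sns"),
    }


def unpinned_inspector_grants(policy, account_id):
    """Sids of Allow statements that grant an Inspector Classic account (or everyone)
    without both condition keys bound to account_id."""
    known = {acct for _, acct in INSPECTOR_ACCOUNTS.values()}
    flagged = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principals = st.get("Principal", {})
        principals = principals.get("AWS", []) if isinstance(principals, dict) else principals
        principals = [principals] if isinstance(principals, str) else principals
        if not any(p == "*" or any(acct in p for acct in known) for p in principals):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get(SOURCE_ACCOUNT) != account_id or SOURCE_ARN not in cond:
            flagged.append(st.get("Sid", f"Statement[{i}]"))
    return flagged


def demo():
    """Render a pinned policy, check it, then check a copy with the condition removed."""
    account = "123456789012"  # placeholder account ID
    topic = f"arn:aws:sns:us-east-1:{account}:inspector-notifications"  # placeholder
    policy = {"Version": "2012-10-17",
              "Statement": [inspector_publish_statement("us-east-1", topic, account)]}
    clean = unpinned_inspector_grants(policy, account)
    weakened = copy.deepcopy(policy)
    del weakened["Statement"][0]["Condition"]  # what the Basic method produces before step 4
    return json.dumps(policy, indent=2), clean, unpinned_inspector_grants(weakened, account)
```

To audit an existing topic, feed the JSON from the topic's Access policy tab (or the Policy attribute from GetTopicAttributes) to unpinned_inspector_grants with your account ID; an empty list means every Inspector Classic grant carries the condition.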