dev-resources.site
for different kinds of informations.
Amazon Inspector Deep-Dive : CIS Benchmark, Container image and SBOM
In the first part of our Amazon Inspector series, we covered basics Amazon Inspector and covered EC2 and Lambda scanning part.
Now, let’s explore more feature within Inspector: ECR scanning, CIS benchmarks, and SBOM generation. These features give you a more thorough view of your security posture, from container image vulnerabilities to best-practice configurations and software transparency. Whether you’re safeguarding your containerized workloads, ensuring compliance, or tracking your software components, Amazon Inspector has the tools to enhance your security strategy.
ECR Scan - Scanning Docker Images
Amazon Inspector scans container images in Amazon Elastic Container Registry (ECR) for software vulnerabilities, generating findings on package risks. When you enable Amazon Inspector as the preferred scanning service for your private registry, you have two options:
- Basic Scanning: Configure repositories to scan images on push or perform manual scans.
- Enhanced Scanning: Perform deeper scans at the registry level, detecting vulnerabilities in operating system and programming language packages.
Let's do quick demo. I assume here, you have activate ECR scan type in Amazon Inspector. If not, you can do it by going to Inspector → In the navigation pane, choose Account management → Select Scan Type and activate.
ECR Scan Demo
For this blog purpose, I have dockerise simple NodeJS app which has express dependency. I'm using outdate packages and image here.
- app.js
const express = require('express');
const app = express();
const port = 3000;
// Basic route to trigger a response
app.get('/', (req, res) => {
res.send('Hello, this is a vulnerable Node.js app!');
});
// Start the server
app.listen(port, () => {
console.log(`App listening at http://localhost:${port}`);
});
- package.json
{
"name": "vulnerable-node-app",
"version": "1.0.0",
"description": "A vulnerable Node.js app",
"main": "app.js",
"dependencies": {
"express": "3.0.0"
}
}
- Dockerfile
# Node.js vulnerable Dockerfile
# Use an outdated Node.js base image
FROM node:10
# Set working directory
WORKDIR /usr/src/app
# Copy package.json and install outdated dependencies
COPY package.json ./
RUN npm install
# Copy app source code
COPY . .
# Expose the app port
EXPOSE 3000
# Start the app
CMD ["node", "app.js"]
Build docker image and push to ECR repository. Within few minutes, Inspector will scan ECR repository and images and will generate findings.
Understanding Findings
To view findings Go to Inspector → Findings → Container Images
Findings will give us:
- CVEs which are critical to fix.
- On selection of specific CVEs, it gives which package is currently installed and which package will solve vulnerability.
- Under remediation, it will give us hint what needs to be done.
Here fix is easy, we just need update LTS of NodeJs image and express.
CIS Scan
Amazon Inspector’s CIS scans assess your EC2 instance configurations against Center for Internet Security (CIS) benchmarks to ensure they meet security standards. You can run these scans on-demand or on a schedule after enabling EC2 scanning.
To target specific instances, create a scan configuration with instance tags and a CIS Benchmark level, which can be applied across multiple accounts if you’re a delegated administrator.
Configuring CIS Scan
To grant permissions to run CIS scans, attach AmazonSSMManagedInstanceCore
and AmazonInspector2ManagedCispolicy
to EC2 instance role.
- Go to Inspector → CIS Scan → Create Scan
- Enter required details. LEVEL_1 corresponds to foundational security and LEVEL_2 is for more critical workload for data security.
- In this demo, I'm targeting EC2 instance which have tag
CISScan=True
Below screenshot is for individual account.
If you would like to configure CIS scan from delegated admin i.e. from central account , it is also possible. From central setting you should able to specify more than one account, also manage setting centrally.
Understanding Scan
Within few minutes, CIS scan should be complete.
As we can see :
- Under Resource Status you should able to see ❌ which means CIS checks failed, ➖ means resources is not evaluated and ✅ CIS checks are passed.
- If you click on specific title, it gives you details about that CIS checks e.g. in my case we see journald should be configured to write logfiles to persistent disk.
Running CIS on Private EC2 instance
When running CIS scans on private instances, you’ll need VPC endpoints for Systems Manager services. Key endpoints include:
- ssm.amazonaws.com
- ssmmessages.amazonaws.com
- ec2messages.amazonaws.com
Inspector uses OVAL (Open Vulnerability and Assessment Language) definitions for assessments, stored in Amazon S3. Allow listing these Amazon S3 buckets in VPCs ensures access to the required definitions for CIS scans:
- inspector2.amazonaws.com
- s3.amazonaws.com
- ssm.amazonaws.com
- ssmmessages.amazonaws.com
This setup allows Inspector to benchmark, assess, and secure EC2 instances according to CIS standards.
Software Bill of Materials - SBOM
A Software Bill of Materials (SBOM) lists all open-source and third-party components in your codebase. Amazon Inspector generates SBOMs for monitored resources, which can be exported in CycloneDX or SPDX formats to an Amazon S3 bucket. Note that SBOM export is not currently supported for Windows EC2 instances.
Why SBOMs are important :
- SBOM provides a detailed inventory of software components, allowing organizations to identify and address vulnerabilities in third-party and open-source components more effectively.
- SBOM ensures transparency by documenting all components within the software, which is vital for regulatory compliance and meeting industry standards.
- In the event of a security incident, an SBOM allows teams to quickly locate and assess affected components, speeding up response and mitigation efforts.
Now, let's start for quick demo.
Before starting with SBOM export, we need to have Customer Managed KMS and S3 bucket created in advance.
I have created Customer Managed KMS with below policy:
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/<rolename>"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
"kms:RotateKeyOnDemand"
],
"Resource": "*"
},
{
"Sid": "Allow Amazon Inspector to use the key",
"Effect": "Allow",
"Principal": {
"Service": "inspector2.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:inspector2:us-east-1:111122223333:report/*"
}
}
}
]
}
Also, create S3 bucket with below policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-inspector",
"Effect": "Allow",
"Principal": {
"Service": "inspector2.amazonaws.com"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::<bucketname>/*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:inspector2:us-east-1:111122223333:report/*"
}
}
},
{
"Sid": "allow-role-access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/<rolename>"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:GetObjectAcl",
"s3:PutObjectAcl",
"s3:PutBucketPolicy"
],
"Resource": [
"arn:aws:s3:::<bucketname>",
"arn:aws:s3:::<bucketname>/*"
]
}
]
}
Once we have KMS and S3 bucket in place, let's export SBOM for EC2.
- Go Inspector → In Navigation choose Export SBOM.
- On the Export SBOMs page, use the Add filter menu to select specific resources for the report. Without filters, Amazon Inspector will export reports for all active resources. For this demo purpose, I'm exporting EC2 which has specific tag.
- Select Export format. Choose anyone.
- Choose S3 bucket and KMS key we have created in above steps and Start Export.
Let's wait to finish export. Once finished, go to S3 bucket.
For now, we will just download file and try to understand it. Below I have pasted part of downloaded file.
{
"bomFormat":"CycloneDX",
"specVersion":"1.4",
"version":1,
"metadata":{
"timestamp":"2024-11-09T14:48:33Z",
"component":{
"type":"operating-system",
"name":"AMAZON_LINUX_2023"
},
"properties":[
{
"name":"amazon:inspector:ami",
"value":"ami-063d43db0594b521b"
},
{
"name":"amazon:inspector:arch",
"value":"x86_64"
},
{
"name":"amazon:inspector:account_id",
"value":"11112222333"
},
{
"name":"amazon:inspector:resource_type",
"value":"AWS_EC2_INSTANCE"
},
{
"name":"amazon:inspector:instance_id",
"value":"i-0a4358565c08e4"
},
{
"name":"amazon:inspector:resource_arn",
"value":"arn:aws:ec2:us-east-1:11112222333:instance/i-0a4358565c08e4"
}
]
},
"components":[
{
"type":"application",
"name":"libedit",
"purl":"pkg:rpm/[email protected]?arch=X86_64&epoch=0&upstream=libedit-3.1-38.20210714cvs.amzn2023.0.2.src.rpm",
"version":"3.1",
"bom-ref":"40853ebb7fa05c9370e08063b4fd6e94"
},
{
"type":"application",
"name":"python3-libcomps",
"purl":"pkg:rpm/[email protected]?arch=X86_64&epoch=0&upstream=python3-libcomps-0.1.20-1.amzn2023.src.rpm",
"version":"0.1.20",
"bom-ref":"b85e33c25b9c33135da9c73eb32c429c"
},
File contains:
- Properties for EC2 instance like AMI-ID, architecture.
- Under components, you see all packages on EC2 instance, its version.
But there is no fun just to have JSON in S3, download and checking manually, so what we can do:
- Connect it to Athena to search for specific package.
- Integrate with OpenSearch to build package search engine.
- Analyze File with Lambda as soon as SBOM export done for any specific package.
But these points are for other blogs or some other day ;)
In this second part of Inspector series, we explored how Amazon Inspector’s ECR scanning, CIS benchmarks, and SBOM exports strengthen your cloud security. These tools help you detect vulnerabilities, ensure compliance, and gain visibility into your software components. In next part, we will be checking on what services we can integrate with Amazon Inspector.
Appreciate your time and passion for reading blog !!!
Featured ones: