【Table of contents】

  1. What is Amazon Inspector?
  2. Amazon Inspector vs Amazon GuardDuty
  3. How to use Amazon Inspector?
  4. What can Amazon Inspector do in combination with other AWS-related services?
  5. Amazon Inspector Pricing
  6. Conclusion
  • 1. What is Amazon Inspector?

    Amazon Inspector is, to put it simply, "a service that automatically assesses AWS EC2 instances for vulnerabilities". (The console and API described in this article are those of the original, agent-based service, which AWS now calls Amazon Inspector Classic.)

    A vulnerability assessment determines the security posture of a specific website or public-facing server by checking it for the weaknesses commonly exploited in cyber-attacks, either by probing it the way an attacker would or by inspecting its configuration and installed software.

    Some vulnerability assessments are run regularly, for example once a month or every few days, while others are run only once, such as when a site goes live or when an audit is conducted.

    One of the benefits of a vulnerability assessment is that it lets you discover security risks without suffering real damage, because the checks are run against the actual server from an attacker's point of view but without causing harm.

    Any company that operates a critical public-facing server should already have vulnerability assessment in place, as many companies do.

    Amazon Inspector provides that vulnerability assessment for EC2 at a low cost.

    If you want to assess the security risks of your EC2 instances, Amazon Inspector is exactly what you need.

    • a) Who can use Amazon Inspector?

      Let's look at who can use Amazon Inspector, and at the supported operating systems and regions.

      First, Amazon Inspector can only be used on EC2 instances.

      Please note that it cannot assess on-premises hosts or servers in other providers' clouds.

      A wide range of operating systems is supported: for Linux, Amazon Linux, Ubuntu and RHEL among others; for Windows, Windows Server 2008 R2 through 2016.

      For details, please refer to the official AWS documentation below.
      (Linux-based operating systems supported by the Amazon Inspector agent)
      https://docs.aws.amazon.com/inspector/latest/userguide/inspector_supported_os_regions.html#inspector_supported-linux-os
      (Windows-based operating systems supported by the Amazon Inspector agent)
      https://docs.aws.amazon.com/inspector/latest/userguide/inspector_supported_os_regions.html#inspector_supported-win-os

      Amazon Inspector is supported in the following AWS Regions:

      ・US East (Ohio)
      ・US East (N. Virginia)
      ・US West (N. California)
      ・US West (Oregon)
      ・Asia Pacific (Mumbai)
      ・Asia Pacific (Seoul)
      ・Asia Pacific (Sydney)
      ・Asia Pacific (Tokyo)
      ・Europe (Frankfurt)
      ・Europe (Ireland)
      ・Europe (London)
      ・Europe (Stockholm)
      ・AWS GovCloud (US-East)
      ・AWS GovCloud (US-West)
    • b) What can you learn from Amazon Inspector?

      What Amazon Inspector does is assess whether the evaluated host, or set of hosts, has potential security risks that need to be addressed, using checks maintained by AWS.

      However, running an assessment does not by itself fix anything.

      The security risks identified by the assessment must be corrected by the EC2 administrator.
       

    • c) What is Amazon Inspector's rules package?

      A rules package is a set of test items that Amazon Inspector checks when assessing an instance for vulnerabilities.

      There are two main kinds of rules package.

      ・Network reachability
        A package of checks that assess how the instance can be reached over the network. It evaluates whether, and on which ports, the EC2 instance can be accessed from the Internet, through a VPC peering connection or over a VPN. These checks are made by analyzing the VPC configuration (security groups, network ACLs, route tables and gateways), not by sending traffic, so they do not need an agent on the instance.
         
      ・Host assessment
        Packages that assess the Amazon EC2 instance (host) itself: installed software with known vulnerabilities (CVEs), deviations from security benchmarks and other problematic host settings. These checks use data collected by the Inspector agent running on the instance.
         
    • d) What do you do when you find a vulnerability in Amazon Inspector?

      Running Amazon Inspector produces a list of findings whose severity and urgency vary, and which matter to different degrees depending on your security goals and approach.

      As mentioned earlier, when Amazon Inspector discovers a vulnerability, it does not repair it automatically.

      Once Amazon Inspector reports a vulnerability on the target EC2 instance, you have to decide how to fix it yourself, for example by changing settings or applying patches.

      If a finding is urgent, it is best to follow the recommended steps given in the finding and resolve it immediately.

      However, depending on compatibility with other systems, it may be better to wait until the next service update or maintenance window, or to look for an alternative mitigation.
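      As an added example (not code from the original article or from AWS), the following Python script applies the triage just described to a handful of findings constructed by hand in the shape returned by the Inspector Classic DescribeFindings API. The instance IDs, hostnames, port, titles and the attribute keys used for network-reachability findings (PORT, PROTOCOL, REACHABILITY_TYPE) are assumptions, as is the triage policy itself: High-severity findings and anything reachable from the internet go on the fix-now list, everything else waits for the next maintenance window.

```python
"""Triage Amazon Inspector (Classic) findings: what to fix now, what can wait.

Added example, not code from the original article or from AWS. SAMPLE_FINDINGS
is constructed by hand in the DescribeFindings response shape (severity,
numericSeverity, assetAttributes, attributes); instance IDs, hostnames, port,
titles and the attribute keys are placeholders/assumptions.
"""
from collections import defaultdict

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0, "Undefined": 0}


def attribute(finding, key, default=None):
    """Inspector stores package/port details as a list of {key, value} pairs."""
    for item in finding.get("attributes", []):
        if item["key"] == key:
            return item["value"]
    return default


def internet_reachable(finding):
    """True for Network Reachability findings that report a path from the internet."""
    return attribute(finding, "REACHABILITY_TYPE", "").lower() == "internet"


def triage(findings):
    """Group findings per instance into 'fix_now' and 'next_window'.

    Policy (assumption): High severity, or anything reachable from the internet,
    is fixed immediately; the rest waits for the next maintenance window.
    Within each bucket, findings are ordered by numericSeverity, highest first.
    """
    plan = defaultdict(lambda: {"fix_now": [], "next_window": []})
    ordered = sorted(findings, key=lambda f: f.get("numericSeverity", 0), reverse=True)
    for f in ordered:
        instance = f["assetAttributes"]["agentId"]
        urgent = SEVERITY_RANK.get(f["severity"], 0) >= 3 or internet_reachable(f)
        bucket = "fix_now" if urgent else "next_window"
        plan[instance][bucket].append({
            "title": f["title"], "severity": f["severity"],
            "recommendation": f.get("recommendation", ""),
        })
    return dict(plan)


SAMPLE_FINDINGS = [  # constructed sample data, not real findings
    {
        "severity": "High", "numericSeverity": 9.0,
        "title": "Instance is missing operating system security patches",
        "recommendation": "Install the vendor's security updates and reboot if required.",
        "assetAttributes": {"agentId": "i-0123456789abcdef0", "hostname": "web-1"},
        "attributes": [{"key": "package_name", "value": "openssl"}],
    },
    {
        "severity": "Medium", "numericSeverity": 6.0,
        "title": "On instance i-0123456789abcdef0, TCP port 22 is reachable from the internet",
        "recommendation": "Restrict inbound access to port 22 in the security group.",
        "assetAttributes": {"agentId": "i-0123456789abcdef0", "hostname": "web-1"},
        "attributes": [{"key": "PORT", "value": "22"}, {"key": "PROTOCOL", "value": "TCP"},
                       {"key": "REACHABILITY_TYPE", "value": "Internet"}],
    },
    {
        "severity": "Low", "numericSeverity": 3.0,
        "title": "Password complexity policy is not enforced",
        "recommendation": "Configure pam_pwquality according to the CIS benchmark.",
        "assetAttributes": {"agentId": "i-0fedcba9876543210", "hostname": "batch-1"},
        "attributes": [],
    },
]

if __name__ == "__main__":
    for instance, buckets in triage(SAMPLE_FINDINGS).items():
        print(instance)
        for bucket, items in buckets.items():
            for item in items:
                print(f"  [{bucket}] {item['severity']}: {item['title']}")
```

      In practice you would feed triage() the "findings" list returned by DescribeFindings for a completed run (ListFindings gives the ARNs, DescribeFindings the details) and turn the fix-now bucket into tickets; the next-window bucket is what you carry to the next maintenance slot as the text above suggests.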
       

  • 2. Amazon Inspector vs Amazon GuardDuty

    The difference between Amazon Inspector and Amazon GuardDuty is that the former "checks, before an attack happens, whether your instances would hold up against it" and the latter "analyzes actual activity logs to check whether a threat is present".

    The purpose of Amazon Inspector is to test whether common security risks are being addressed on the AWS resources you point it at.

    In other words, it answers the question "Are this running EC2 instance's settings and software such that attack A would not succeed?"

    Amazon GuardDuty, in contrast, analyzes events that have actually occurred in your AWS account (its sources include AWS CloudTrail, VPC Flow Logs and DNS logs).

    So while GuardDuty can surface security threats that show up in those events, it generally cannot tell you whether you are prepared for the major security risks and cyber-attacks in the first place.
     

  • 3. How to use Amazon Inspector?

    There are two ways to run Amazon Inspector: with the Inspector agent installed on the EC2 instances, or without it.

    An assessment that uses only the network reachability rules package can be run without an agent on the Amazon EC2 instance, but the host assessment rules packages require the agent.

    With the agent installed, the results are more detailed, but the assessment takes longer.

    The effort needed to set up an assessment is about the same either way.
     

    • a) Using without an agent (agentless)

      To use Amazon Inspector, first define the EC2 instance, or group of instances, to be assessed. This is called an assessment target and is created as follows.

      ① Sign in to the AWS console (https://console.aws.amazon.com/inspector/).
      ② In the navigation pane, click "Assessment targets", then "Create".
      ③ Enter a name for the target in the "Name" field (any name you like).
      ④ To choose the EC2 instances to assess, do one of the following:
          ・check "All instances", or
          ・enter a tag key and value under "Use Tags"; only instances carrying that tag are assessed.
      ⑤ Save.

      Once the assessment target exists, create an assessment template that defines what you want to assess.

      ① Sign in to the AWS console (https://console.aws.amazon.com/inspector/).
      ② In the navigation pane, click "Assessment templates", then "Create".
      ③ Enter a name for the template in the "Name" field (any name you like).
      ④ Under "Target name", select the assessment target to analyze.
      ⑤ Under "Rules packages", select one or more rules packages to assess against.
      ⑥ Under "Duration", specify how long the assessment run may take (1 hour is the recommended default).
      ⑦ Under "SNS topic", specify the SNS topic to which run status and finding notifications are sent.
      ⑧ Click "Create and run" to create the template and start a run immediately, or "Create" to only create it.

      Inspector then runs the automated security checks for you.

      You can see the results on the Findings page of the Amazon Inspector console.
       

    • b) Installing an agent

      To have the agent installed for you, check the "Install Agents" checkbox while creating the assessment target in the procedure above. Inspector then pushes the agent to the instances with AWS Systems Manager Run Command.

      This assumes that the SSM agent is already running on each EC2 instance and that the instance profile (IAM role) attached to it allows Run Command. The agent must also be able to reach the Amazon Inspector service endpoint over HTTPS (directly or through a VPC endpoint), so check your egress rules if the instances have no outbound internet access.
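      Everything the two console procedures above do (a target built from a tag, a template with rules packages, duration and SNS topic, then a run) can be scripted. The following Python is an added example, not the article's or AWS's own code. It calls the Inspector Classic API through boto3 (create_resource_group, create_assessment_target, list_rules_packages, describe_rules_packages, create_assessment_template, subscribe_to_event, start_assessment_run, all real operations), while the tag Inspector=enabled, the names, the one-hour duration and the SNS topic ARN are assumptions. FakeInspector is a constructed offline stand-in with the same response shapes so the flow can be run without an account; pass --live to use the real client.

```python
"""Create an Inspector Classic assessment target and template, then start a run.

Added example, not code from the original article or from AWS. The boto3 calls
are the real Inspector Classic operations; tag, names, duration and SNS topic
ARN are assumptions. FakeInspector is a constructed offline stand-in.
"""
import sys

MIN_DURATION, MAX_DURATION = 180, 86_400  # Inspector Classic limits: 3 minutes to 1 day


def select_rules_packages(client, wanted_names):
    """Resolve console package names (e.g. "Network Reachability") to region-specific ARNs."""
    arns = client.list_rules_packages()["rulesPackageArns"]  # only a handful exist, no paging needed
    described = client.describe_rules_packages(rulesPackageArns=arns)["rulesPackages"]
    by_name = {pkg["name"]: pkg["arn"] for pkg in described}
    missing = [name for name in wanted_names if name not in by_name]
    if missing:
        raise ValueError(f"unknown rules package(s) in this region: {missing}")
    return [by_name[name] for name in wanted_names]


def run_assessment(client, tag_key, tag_value, target_name, template_name,
                   package_names, duration_seconds, sns_topic_arn=None):
    """Target = instances carrying tag_key=tag_value; template = what to test and for how long."""
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError("durationInSeconds must be between 180 and 86400")
    group_arn = client.create_resource_group(
        resourceGroupTags=[{"key": tag_key, "value": tag_value}])["resourceGroupArn"]
    target_arn = client.create_assessment_target(
        assessmentTargetName=target_name, resourceGroupArn=group_arn)["assessmentTargetArn"]
    template_arn = client.create_assessment_template(
        assessmentTargetArn=target_arn, assessmentTemplateName=template_name,
        durationInSeconds=duration_seconds,
        rulesPackageArns=select_rules_packages(client, package_names),
        userAttributesForFindings=[])["assessmentTemplateArn"]
    if sns_topic_arn:  # notify when the run finishes and as each finding is reported
        for event in ("ASSESSMENT_RUN_COMPLETED", "FINDING_REPORTED"):
            client.subscribe_to_event(resourceArn=template_arn, event=event, topicArn=sns_topic_arn)
    run_arn = client.start_assessment_run(
        assessmentTemplateArn=template_arn, assessmentRunName=f"{template_name}-run")["assessmentRunArn"]
    return {"target": target_arn, "template": template_arn, "run": run_arn}


class FakeInspector:
    """Constructed offline stand-in: records calls and returns placeholder ARNs."""
    PACKAGES = {  # placeholder ARNs; the real ones differ per region
        "arn:aws:inspector:REGION:ACCOUNT:rulespackage/0-net": "Network Reachability",
        "arn:aws:inspector:REGION:ACCOUNT:rulespackage/0-cve": "Common Vulnerabilities and Exposures",
        "arn:aws:inspector:REGION:ACCOUNT:rulespackage/0-cis": "CIS Operating System Security Configuration Benchmarks",
    }

    def __init__(self):
        self.calls = []  # (operation name, kwargs) in call order

    def _record(self, name, **kwargs):
        self.calls.append((name, kwargs))

    def list_rules_packages(self, **kwargs):
        return {"rulesPackageArns": list(self.PACKAGES)}

    def describe_rules_packages(self, rulesPackageArns):
        return {"rulesPackages": [{"arn": a, "name": self.PACKAGES[a]} for a in rulesPackageArns]}

    def create_resource_group(self, **kwargs):
        self._record("create_resource_group", **kwargs)
        return {"resourceGroupArn": "arn:aws:inspector:REGION:ACCOUNT:resourcegroup/0-rg"}

    def create_assessment_target(self, **kwargs):
        self._record("create_assessment_target", **kwargs)
        return {"assessmentTargetArn": "arn:aws:inspector:REGION:ACCOUNT:target/0-tgt"}

    def create_assessment_template(self, **kwargs):
        self._record("create_assessment_template", **kwargs)
        return {"assessmentTemplateArn": "arn:aws:inspector:REGION:ACCOUNT:target/0-tgt/template/0-tpl"}

    def subscribe_to_event(self, **kwargs):
        self._record("subscribe_to_event", **kwargs)
        return {}

    def start_assessment_run(self, **kwargs):
        self._record("start_assessment_run", **kwargs)
        return {"assessmentRunArn": kwargs["assessmentTemplateArn"] + "/run/0-run"}


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # real client: needs AWS credentials with inspector:* permissions
        client = boto3.client("inspector")
    else:
        client = FakeInspector()
    print(run_assessment(client, "Inspector", "enabled", "web-servers", "weekly-net-cve",
                         ["Network Reachability", "Common Vulnerabilities and Exposures"],
                         3600, "arn:aws:sns:REGION:ACCOUNT:inspector-notify"))
```

      Two things to check before running this against a real account: the SNS topic's access policy must allow the Inspector service principal (inspector.amazonaws.com) to publish, or the subscription is created but nothing arrives; and the host packages only produce findings on instances where the agent is installed and healthy, which you can confirm with PreviewAgents on the target ARN.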
       

  • 4. What can Amazon Inspector do in combination with other AWS-related services?

    Amazon Inspector can also be combined with other AWS services for added convenience.

    ・AWS CloudTrail
        Records Amazon Inspector API calls, so you can see who created, ran, changed or deleted assessment targets, templates and runs, and when.
       
    ・Amazon CloudWatch
        Collects raw monitoring data from Amazon Inspector (for example counts of healthy agents, assessment runs and findings) and turns it into near-real-time readable metrics.
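    As an added example of putting those CloudTrail logs to use (not code from the original article or from AWS), the Python below scans CloudTrail records for Inspector API calls that reduce assessment coverage, such as deleting a template or unsubscribing from notifications, and for Inspector calls made by a principal other than the one expected to run assessments. The records are constructed by hand in the CloudTrail log-record shape (eventSource, eventName, userIdentity, requestParameters); the account ID, principal ARNs and the set of event names treated as coverage-reducing are assumptions.

```python
"""Flag CloudTrail events that weaken Amazon Inspector assessment coverage.

Added example, not code from the original article or from AWS. SAMPLE_TRAIL is
constructed by hand in the CloudTrail log-record shape; account ID, ARNs and
the COVERAGE_REDUCING set are assumptions to adapt to your own environment.
"""
import json

INSPECTOR_SOURCE = "inspector.amazonaws.com"
# Inspector Classic API actions that delete, stop or silence assessments (assumption: tune as needed)
COVERAGE_REDUCING = {
    "DeleteAssessmentTarget", "DeleteAssessmentTemplate", "DeleteAssessmentRun",
    "StopAssessmentRun", "UnsubscribeFromEvent",
}


def parse_records(raw_json):
    """CloudTrail log files are JSON objects with a top-level "Records" array."""
    return json.loads(raw_json)["Records"]


def suspicious_events(records, expected_principals=()):
    """Return Inspector calls that reduce coverage, plus any Inspector call by an unexpected principal.

    Each hit carries the reasons it was flagged so an analyst can see both at once.
    Non-Inspector events are ignored; with no expected_principals, only the action is checked.
    """
    hits = []
    for rec in records:
        if rec.get("eventSource") != INSPECTOR_SOURCE:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        reasons = []
        if rec["eventName"] in COVERAGE_REDUCING:
            reasons.append("coverage-reducing action")
        if expected_principals and actor not in expected_principals:
            reasons.append("unexpected principal")
        if reasons:
            hits.append({"time": rec["eventTime"], "actor": actor, "event": rec["eventName"],
                         "params": rec.get("requestParameters") or {}, "reasons": reasons})
    return hits


SAMPLE_TRAIL = json.dumps({"Records": [  # constructed sample records, not real log data
    {"eventTime": "2019-12-02T01:00:00Z", "eventSource": "inspector.amazonaws.com",
     "eventName": "StartAssessmentRun",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/InspectorScheduler"},
     "requestParameters": {"assessmentTemplateArn":
                           "arn:aws:inspector:REGION:111122223333:target/0-tgt/template/0-tpl"}},
    {"eventTime": "2019-12-02T01:05:00Z", "eventSource": "inspector.amazonaws.com",
     "eventName": "DeleteAssessmentTemplate",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"assessmentTemplateArn":
                           "arn:aws:inspector:REGION:111122223333:target/0-tgt/template/0-tpl"}},
    {"eventTime": "2019-12-02T01:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {}},
]})

if __name__ == "__main__":
    scheduler = "arn:aws:iam::111122223333:role/InspectorScheduler"
    for hit in suspicious_events(parse_records(SAMPLE_TRAIL), expected_principals=(scheduler,)):
        print(hit["time"], hit["actor"], hit["event"], "|", ", ".join(hit["reasons"]))
```

    The same filter expressed as a CloudWatch Logs metric filter on a trail delivered to CloudWatch Logs would give you an alarm instead of a script; the event names and the eventSource value are the fields to match on.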
       
  • 5. Amazon Inspector Pricing

    Here are the Amazon Inspector fees you are likely to care about.
     

                        Number of instance assessments             Cost per instance assessment
    Network assessment  First 250 (during the 90-day free trial)   Free
                        Up to 250 (after the free trial)           0.15 USD
                        251 to 750                                 0.13 USD
                        751 to 4,000                               0.10 USD
                        4,001 to 45,000                            0.07 USD
                        More than 45,000                           0.04 USD
    Host assessment     First 250 (during the 90-day free trial)   Free
                        Up to 250 (after the free trial)           0.30 USD
                        251 to 750                                 0.25 USD
                        751 to 4,000                               0.15 USD
                        4,001 to 45,000                            0.10 USD
                        More than 45,000                           0.05 USD

    ※Information as of December 2019.
     
    Amazon Inspector is priced by the number of instance assessments.

    "Number of instance assessments" counts each instance separately: a single assessment run over 10 EC2 instances counts as 10 instance assessments. The tiers are cumulative, so the first 250 assessments are billed at the first rate, the next 500 at the second, and so on.
     

  • 6. Conclusion

    With the growing variety of threats in cyberspace, assessing your systems for vulnerabilities has become indispensable.

    In addition, as more and more websites and public servers are run in the cloud, the points to watch have changed compared with on-premises operation.

    That is where Amazon Inspector comes in handy for measuring the security risk of your AWS environment.

    It is easy to set up and inexpensive, so the barrier to adoption is low.