Team we45
June 20, 2018

How to Configure AWS Inspector with Terraform

Introduction

This blog walks you step by step through a scenario in which Terraform is used to provision and configure an Amazon EC2 server (Ubuntu, in this case) and to configure Amazon Inspector to scan that server for security vulnerabilities once it has been provisioned.

I have been playing around with Terraform for some time now, and I really enjoy working with it. The entire approach to Infrastructure as Code, especially its modularity, is not only powerful but also intuitive and easy to use once you get used to HCL (HashiCorp Configuration Language).

AWS Inspector Overview

Amazon Inspector is a service that AWS provides to its customers. It lets you configure a vulnerability scanner that identifies and flags vulnerabilities in your server environment.

In short, Amazon Inspector is a vulnerability scanner (similar to Nessus, Qualys, etc.) that scans the target server for security vulnerabilities and captures them in a set of reports that the DevOps team can use to patch and remediate as required.

Amazon Inspector is an agent-based service: the agent must be deployed on every server that needs to be assessed for vulnerabilities. Unlike many vulnerability scanners, Amazon Inspector cannot be run remotely against a target to identify flaws.

Amazon Inspector uses "Rules Packages" to identify vulnerabilities on the target. Each package contains the signatures, rules and checks used to find security weaknesses on the target system. They are:

  • Common Vulnerabilities and Exposures (CVE): checks the installed software against the public CVE database of known vulnerabilities in commonly used components
  • Center for Internet Security (CIS) Benchmarks: hardening checks for commonly used operating systems
  • Security Best Practices: a specific list of good security practices one should follow when running servers (for example, disabling root login over SSH)
  • Runtime Behavior Analysis: analysis based on the services actually running on the target EC2 instance, typically covering insecure ports and services, unused TCP ports and insecure client protocols, among others

Details of these rule packages can be found here.

Amazon Inspector can be run only against specific Linux and Windows operating system versions and distributions. You can find that list here. In addition, Amazon Inspector is available only in specific AWS regions.

What is Terraform ?

Terraform is a tool for building, changing and versioning infrastructure as code; it offers plan execution, a resource graph and change automation. It is controlled via a command-line interface and can manage existing, popular service providers as well as custom solutions.

Terraform is open-source infrastructure-as-code software that provides a consistent CLI workflow for managing services across cloud providers such as AWS, Azure and Google Cloud Platform, as well as Terraform Cloud. It supports Windows, macOS and Linux; install it by downloading the binary or through a package manager.

Configuring Terraform with AWS Inspector

Because Amazon Inspector is agent-based, you need to install the agent on every EC2 server you want to run security assessments against. With a small set of servers, installing the agent manually is not very complex, but when you run deployments at (massive) scale you need automated orchestration to handle it for you, and that is where Terraform comes in.

In this example, I will use Terraform to provision an Ubuntu 16.x server on Amazon EC2. To use Amazon Inspector, this server needs to be part of a "Resource Group" (a set of tags), which Amazon Inspector uses to identify the specific targets it should run against. Subsequently, I will generate the Inspector-specific configuration that defines an "Assessment Template", which is Amazon speak for "a set of rules packages to be run against the target(s) for a given duration". Finally, after all of this has been provisioned, you can actually "run" the assessment.

Code Snippet:

resource "aws_key_pair" "inspectkey" {
  public_key = "${file(var.PATH_TO_PUB_KEY)}"
}

resource "aws_instance" "inspector-instance" {
  ami             = "${lookup(var.AMIS, var.AWS_REGION)}"  # Ubuntu 16.x AMI ID for the chosen region
  instance_type   = "m1.small"
  key_name        = "${aws_key_pair.inspectkey.key_name}"
  security_groups = ["inspect"]

  tags {
    Name = "InspectInstances"  # the Inspector Resource Group selects targets by this tag
  }

  provisioner "remote-exec" {
    connection {
      type        = "ssh"
      user        = "ubuntu"
      private_key = "${file(var.PATH_TO_PRIVATE_KEY)}"
      host        = "${self.public_ip}"  # 'self': referencing aws_instance.inspector-instance here is a self-reference error
    }

    inline = [
      "wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install -P /tmp/",  # AWS-published agent installer; verify its signature before trusting it
      "sudo bash /tmp/install",
    ]
  }
}

Explanation:

  • In the above code snippet, I provision an Ubuntu EC2 instance and use a generated key pair to inject the SSH public key into the newly provisioned instance
  • In line 12 I tag this EC2 server with Name = "InspectInstances"; the Inspector Resource Group defined later selects its assessment targets by this tag
  • In lines 15–26 I download and install the Amazon Inspector agent from the AWS-published location and run it as root. Consider verifying the installer's checksum or GPG signature before piping it into sudo bash

Code Snippet:

resource "aws_inspector_resource_group" "bar" {
  tags {
    Name = "${aws_instance.inspector-instance.tags.Name}"
  }
}

resource "aws_inspector_assessment_target" "myinspect" {
  name               = "inspector-instance-assessment"
  resource_group_arn = "${aws_inspector_resource_group.bar.arn}"
}

resource "aws_inspector_assessment_template" "foo" {
  name       = "bar template"
  target_arn = "${aws_inspector_assessment_target.myinspect.arn}"
  duration   = 3600  # seconds; Inspector collects data for this long before evaluating rules

  rules_package_arns = [  # us-east-1 ARNs; every region has its own set
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7",  # Common Vulnerabilities and Exposures
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8",  # CIS Benchmarks
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q",  # Security Best Practices
    "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gBONHN9h",  # Runtime Behavior Analysis
  ]
}

Explanation:

  • In this segment of the instance.tf file (lines 1–5), I initialise a Resource Group that Amazon Inspector uses to select the instances it will scan: every instance whose tags match is a target
  • Subsequently (lines 7–10), I make all servers in that Resource Group targets of my security assessment. Please note that this only works against servers that have the agent installed
  • In lines 12–23 I define an Assessment Template. My server is hosted in the us-east-1 region, so the rules package ARNs for CVE, CIS, etc. are the us-east-1 ones; these ARNs are region-specific. You can find the list of Amazon Resource Names (ARNs) here and here

Please note that this code is for demonstration purposes only. I have not added several other security features to the EC2 deployment, such as a dedicated VPC and more restrictive security groups. That is beyond the scope of this article.

Now, once I run "terraform apply", the EC2 server (Ubuntu 16) gets provisioned and the Inspector agent gets installed on it.

Subsequently, an Amazon Inspector Assessment also gets provisioned, based on the Resource Group, Assessment Rules and Targets.


Image 1 - Assessment Targets were specified with Tag Name inside the AWS Inspector


Image 2 - Assessment Template provisioned by Terraform for specific target “bar template”

All that remains now is to actually "run" the assessment. Unfortunately, I didn't find any Terraform modules that run the assessment for you (I may be wrong). However, since AWS can be controlled entirely through its SDK, you can use boto3 (or an equivalent SDK) to call the StartAssessmentRun API (start_assessment_run() in boto3) against the template's ARN.
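The SDK route described above, as an added example that is not part of the original post: a small Python 3 script (hypothetically named run_inspector.py) that starts an assessment run for the Terraform-provisioned template, polls it to completion, pulls the findings and exits non-zero when anything of High severity is present, so it can gate a CI pipeline. It assumes boto3 is installed, that the credentials in use carry inspector:StartAssessmentRun, DescribeAssessmentRuns, ListFindings and DescribeFindings, and that you pass in the template ARN Terraform created (for example from a terraform output). The severity names and run states are Inspector Classic's.

```python
"""Start an Amazon Inspector (Classic) assessment run, wait for it, summarise findings.

Added example, not from the original post. Assumes boto3 plus credentials that
allow the four Inspector API calls used below; the template ARN is the one
Terraform provisioned (aws_inspector_assessment_template.foo.arn).
"""
import sys
import time
from collections import Counter

# Severity values Inspector Classic assigns to findings, lowest to highest.
SEVERITY_ORDER = ["Undefined", "Informational", "Low", "Medium", "High"]

# Terminal run states; any other state means the run is still in progress.
TERMINAL_OK = {"COMPLETED"}
TERMINAL_BAD = {"FAILED", "ERROR", "CANCELED", "COMPLETED_WITH_ERRORS"}


def summarize_findings(findings):
    """Count findings per severity. `findings` is the `findings` list returned by
    DescribeFindings; only the `severity` key of each finding is used."""
    counts = Counter(f.get("severity", "Undefined") for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def exceeds_threshold(summary, threshold="High"):
    """True if the run produced any finding at or above `threshold`, so a CI job
    can fail the build instead of silently archiving the report."""
    at_or_above = SEVERITY_ORDER[SEVERITY_ORDER.index(threshold):]
    return any(summary.get(sev, 0) > 0 for sev in at_or_above)


def start_run(inspector, template_arn, run_name):
    """Invoke StartAssessmentRun for the template; returns the new run's ARN."""
    resp = inspector.start_assessment_run(
        assessmentTemplateArn=template_arn, assessmentRunName=run_name
    )
    return resp["assessmentRunArn"]


def wait_for_run(inspector, run_arn, poll_seconds=30, timeout_seconds=2 * 3600):
    """Poll DescribeAssessmentRuns until the run reaches a terminal state.
    A run lasts at least the template's `duration` (3600 s above), so be patient."""
    deadline = time.time() + timeout_seconds
    while time.time() < deadline:
        run = inspector.describe_assessment_runs(assessmentRunArns=[run_arn])["assessmentRuns"][0]
        state = run["state"]
        if state in TERMINAL_OK:
            return run
        if state in TERMINAL_BAD:
            raise RuntimeError("assessment run %s ended in state %s" % (run_arn, state))
        time.sleep(poll_seconds)
    raise TimeoutError("assessment run %s did not finish within %d s" % (run_arn, timeout_seconds))


def fetch_findings(inspector, run_arn):
    """Collect every finding ARN for the run (ListFindings pages via nextToken),
    then describe them in batches of 10, the maximum DescribeFindings accepts."""
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [run_arn], "maxResults": 500}
        if token:
            kwargs["nextToken"] = token
        page = inspector.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 10):
        findings.extend(inspector.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return findings


def main(template_arn, region="us-east-1"):
    import boto3  # imported here so the pure helpers above stay importable without boto3
    inspector = boto3.client("inspector", region_name=region)
    run_arn = start_run(inspector, template_arn, "terraform-run-%d" % int(time.time()))
    wait_for_run(inspector, run_arn)
    summary = summarize_findings(fetch_findings(inspector, run_arn))
    for sev in reversed(SEVERITY_ORDER):
        print("%-13s %d" % (sev, summary[sev]))
    return 1 if exceeds_threshold(summary, "High") else 0


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: run_inspector.py <assessment-template-arn> [region]")
    sys.exit(main(*sys.argv[1:3]))
```

The API calls are kept in thin wrappers that take the client as a parameter, so the summarising and threshold logic can be exercised with constructed findings (or a stubbed client) without touching AWS; in a pipeline you would typically lower the threshold to Medium once the High findings have been worked off.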

For this example, I manually invoked "Run Assessment" from the console, and these are some example results.


Image 3 - The assessment was run for the template; it identified a few issues and the report was generated inside Inspector


Image 4 - Amazon Inspector ran the assessment against the specified target and found a few High-severity issues

Conclusion

  • Amazon Inspector is a vulnerability scanning service from AWS that works in an "agent-based" mode against specific operating systems on EC2
  • Terraform's AWS provider has resources that let you not only provision and set up infrastructure in cloud environments, but also drive ancillary services such as Amazon Inspector through their APIs

Are you interested in reading more such How-Tos or DIYs? Read the articles on automating Burp with Jenkins CI and ZAP with Jenkins CI at these links.