How to Configure AWS Inspector with Terraform

Team we45
June 20, 2018
How to Configure AWS Inspector with Terraform

Introduction

This blog will take you through the step by step process of scenario where Terraform is used as a way to provision and configure an Amazon EC2 Server (In this scenario, we will be using Ubuntu) and configure Amazon Inspector to scan the server for finding the security vulnerabilities, once provisioned.

I have been playing around with Terraform for sometime now, and I really enjoy working on it. The entire approach to Infrastructure as Code, especially the modular parts, are not only powerful, but extremely intuitive and easy-to-use, once you get used to the HCL (Hashicorp Configuration Language).

AWS Inspector Overview

Amazon (AWS) Inspector is a service that Amazon provides for its customers on AWS. This service allows you to configure a vulnerability scanner to identify and flag vulnerabilities in your server environment.

In short, Amazon Inspector is a Vulnerability Scanner (similar to Nessus/Qualys/etc) that scans the target server for security vulnerabilities to captures these vulnerabilities in a set of reports that can be used by the DevOps team to patch and remediate as required.

AWS inspector is an agent-based service, which needs to be deployed on the servers that needs to assess for vulnerabilities. Unlike several vulnerability scanners, Amazon Inspector cannot be run remotely against a target to identify flaws.

Amazon inspector uses “Rules Packages” to identify vulnerabilities against the target packages. These Packages contain different signatures, rules and payloads that would be used to identify security vulnerabilities on the target system. They are:

Details of these rule packages can be found here.

Amazon Inspector can be run against specific Linux and Windows Operating System versions and Distros. You can find that list here. In addition, AWS Inspector works only for deployments in specific AWS regions.

What is Terraform ?

Terraform is a tool for build, changing and versioning Infrastructure as code, plan execution, resource graph and change automation.It is controlled via Command Line Interface which can manage existing and popular service providers as well as custom solutions.

Terraform is an open source as code software that provides a consistent CLI workflow to manage different cloud services for AWS, Azure, Google Cloud platform and Terraform cloud. It will support Windows,Mac and Linux OS by downloading the binary or by using package manager.

Configuring Terraform with AWS Inspector

As AWS Inspector is an agent-based service. You would need to download the agent to the EC2 server(s) that you want to run security assessments against to target for identifying the vulnerabilities. Obviously, when you have a small set of servers, manually installing the agent is not very complex, but when you are running deployments at (massive) scale, you would need automated orchestration to handle this for you, and that’s where Terraform comes in.

In this example, I will be using Terraform to provision an Ubuntu 16.X server on Amazon EC2. To use AWS Inspector, this server needs to be part of a “Resource Group”, that is used by Terraform to identify the specific targets that it would need to be run against. Subsequently, I will generate Amazon Inspector-specific configurations to specify an “Assessment Template” which is Amazon speak for “configure a set of rules to be run against the target(s)”. Finally, after this has been provisioned, you can actually “run” the assessment.

Code Snippet:

resource "aws_key_pair" "inspectkey" { public_key = "${file(var.PATH_TO_PUB_KEY)}" } resource "aws_instance" "inspector-instance" { ami = "${lookup(var.AMIS, var.AWS_REGION)}" instance_type = "m1.small" key_name = "${aws_key_pair.inspectkey.key_name}" security_groups = ["inspect"] tags { Name = "InspectInstances" } provisioner "remote-exec" { connection { type = "ssh" user = "ubuntu" private_key = "${file("${var.PATH_TO_PRIVATE_KEY}")}" host = "${aws_instance.inspector-instance.public_ip}" } inline = [ "wget https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install -P /tmp/", "sudo bash /tmp/install" ] } }

Explanation:

Code Snippet:

resource "aws_inspector_resource_group" "bar" { tags { Name = "${aws_instance.inspector-instance.tags.Name}" } } resource "aws_inspector_assessment_target" "myinspect" { name = "inspector-instance-assessment" resource_group_arn = "${aws_inspector_resource_group.bar.arn}" } resource "Image1- Assessment Targets were specified with Tag Name inside the AWS Inspector" "foo" { name = "bar template" target_arn = "${aws_inspector_assessment_target.myinspect.arn}" duration = 3600 rules_package_arns = [ "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7", "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8", "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q", "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gBONHN9h", ] }

Explanation:

Please note that this code is only for demonstration purposes. I have not added several other security features to the EC2 deployment like VPCs, and more restrictive security groups. That’s beyond the scope of this article.

Now, once I run “terraform apply”, I would find that the EC2 server (ubuntu 16) gets provisioned and the inspector agent gets installed in the server.

Subsequently, an Amazon Inspector Assessment also gets provisioned, based on the Resource Group, Assessment Rules and Targets.

Blog1

Image 1 - Assessment Targets were specified with Tag Name inside the AWS Inspector

Blog2

Image 2 - Assessment Template provisioned by Terraform for specific target “bar template”

All that remains now is to actually “run” the assessment. Unfortunately, I didnt find any terraform modules that run the assessment for you (I may be wrong). However, since AWS can be completely controlled with its SDK, you can use boto (or equivalent) to invoke the “run_assessment()” function.

For this example, I manually invoked the “Run Assessment” and these are the example of some of the results.

Blog3

Image 3 - Assessment was run for template which was identified few issues and report gets generated inside the Inspector

Blog4

Image 4 - AWS  Inspector runs on assessment against specified target and found few issues with High severity

Conclusion

Are you interested in reading more such How To's or DIYs? Read the articles on automating BURP with Jenkins CI and ZAP with Jenkins CI at these links.