Amazon Inspector is a service that helps secure applications running on AWS by assessing them for security vulnerabilities without changing the shared responsibility model. It is designed to run during continuous integration deployments against test environments. An assessment involves running an agent on EC2 instances tagged with an application identifier and checking for potential issues based on selected rules packages. Findings generated during an assessment include detailed descriptions and remediation steps. The Inspector preview is available in one region and provides assessments for free. General availability later in 2016 will include more regions, operating systems, rules packages, and capabilities like reporting and auditing.
3. Inspector concepts
Application
• Something of yours that you want Inspector to assess
• A set of EC2 instances, defined by tags, that accomplishes a business goal
Assessment
• An instruction to analyze an application for security vulnerabilities
Rules Package
• A set of security checks (“rules”)
• Rules are grouped into packages to address common security goals
Finding
• A potential security issue in your application
• Results when telemetry gathered during an assessment matches a rule
• Contains a detailed description, context, and remediation steps
4. What is Inspector?
Inspector is a service to help secure the applications that you run on top of AWS.
• Inspector does NOT change the shared responsibility model; it helps you reduce your effort.
Inspector is designed to run during a continuous integration (CI) deployment pipeline.
• Inspector is NOT designed to run continuously.
We intended Inspector to be used against test environments.
Inspector uses sensors that are in an on-host agent.
5. Is Inspector point-in-time or continuous?
Inspector is a hybrid of these models
• At the beginning of an assessment it collects configuration-type telemetry
• For the rest of the duration of the assessment it collects behavioral telemetry
You get the most security value from Inspector when you assess an application that is being exercised, for example during an integration test.
6. How do I get started?
Try it yourself:
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_quickstart.html
1. Launch or locate some EC2 instances (in Oregon)
• Preferably ones that are doing something
• Tag the instances so that you can target Inspector at them, e.g.:
• Key=“Application”, Value=“InspectorApp” (you can use whatever you want for either)
• Install the Inspector agent on the instances
• wget https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install
• sudo bash install
7. How do I get started (continued)
Next, in the Inspector console:
2. Create an application
• Use the tag key and value that you used to tag the instances in the last step
3. Create an assessment
• Pick an application and some rules packages
4. Run the assessment
5. Review your findings
8. Workflow
Findings in Inspector have attributes
• Attributes are like tags
• You can set the initial value of an attribute from the assessment
• Ex: Key=“AssignedTo”, Value=“Triage”
• Ex: Key=“Status”, Value=“New”
• You can add/change/remove attributes on findings after they’re generated
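As an added illustration (not Inspector's own code, and not its real rules), the following Python models the concepts from the slides above: an assessment collects configuration telemetry at its start and behavioral telemetry while the application is exercised, rules grouped into a package are matched against that telemetry, and every match becomes a finding carrying a description, remediation steps, and tag-like attributes that the assessment sets initially and that can be changed afterwards. The telemetry records, instance IDs and the two rules are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable
# Constructed telemetry in the shape an on-host agent might report: "config" records
# are gathered at the start of an assessment, "behavior" records while it is exercised.
TELEMETRY = [
    {"kind": "config", "instance": "i-0001", "key": "sshd.PasswordAuthentication", "value": "yes"},
    {"kind": "config", "instance": "i-0002", "key": "sshd.PasswordAuthentication", "value": "no"},
    {"kind": "behavior", "instance": "i-0002", "key": "listen", "value": "0.0.0.0:23"},
]

@dataclass
class Rule:
    rule_id: str
    description: str
    remediation: str
    matches: Callable[[dict], bool]  # predicate over one telemetry record

@dataclass
class Finding:
    rule_id: str
    instance: str
    description: str
    remediation: str
    attributes: dict = field(default_factory=dict)  # key/value pairs, like tags

# A rules package groups rules addressing one security goal (constructed, not real Inspector rules).
REMOTE_ACCESS_PACKAGE = [
    Rule("RA-1", "SSH password authentication is enabled",
         "Set 'PasswordAuthentication no' in sshd_config and use key-based logins",
         lambda t: t["kind"] == "config" and t["key"] == "sshd.PasswordAuthentication" and t["value"] == "yes"),
    Rule("RA-2", "Cleartext telnet listener observed while the application ran",
         "Disable the telnet service and use SSH instead",
         lambda t: t["kind"] == "behavior" and t["key"] == "listen" and t["value"].endswith(":23")),
]

def run_assessment(telemetry, rules_packages, initial_attributes):
    """A finding results whenever a telemetry record matches a rule; each finding gets
    its own copy of the assessment's initial attributes (e.g. AssignedTo=Triage, Status=New)."""
    findings = []
    for package in rules_packages:
        for rule in package:
            for record in telemetry:
                if rule.matches(record):
                    findings.append(Finding(rule.rule_id, record["instance"], rule.description,
                                            rule.remediation, dict(initial_attributes)))
    return findings

def set_attribute(finding, key, value):
    """Attributes can be added or changed after a finding is generated, e.g. during triage."""
    finding.attributes[key] = value
    return finding
```

Calling `run_assessment(TELEMETRY, [REMOTE_ACCESS_PACKAGE], {"AssignedTo": "Triage", "Status": "New"})` yields one RA-1 finding for i-0001 (from configuration telemetry) and one RA-2 finding for i-0002 (from behavioral telemetry), both stamped AssignedTo=Triage, Status=New.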
10. Resources
Documentation
https://aws.amazon.com/documentation/inspector
Programming Inspector
Everything in the Inspector console can be accomplished via our API
• Included in latest SDK: https://aws.amazon.com/tools
• Java:
https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/inspector/AmazonInspector.html
• Python: https://boto3.readthedocs.org/en/latest/reference/services/inspector.html
• CLI: https://docs.aws.amazon.com/cli/latest/reference/inspector/index.html
• API documentation:
https://docs.aws.amazon.com/inspector/latest/APIReference/Welcome.html
11. Talk to us
Support
• Forum:
https://forums.aws.amazon.com/forum.jspa?forumID=205
• AWS Premier support
• Support FAQ: During the preview, agent support for new Linux kernels is slow
Feedback
• mailto:inspector-feedback@amazon.com (not for support)
12. Questions
FAQ - these are all subject to change
When is general availability (GA/launch)? Early Q2 CY2016
Regions for Preview? US-West-2 (Oregon) only
Regions for GA? United States, Europe, Asia-Pacific – more detail later
Can I point an agent in one region against the service in another? No.
Pricing? Preview is free. GA prices are not determined yet.
In general, pay-as-you-go, usage-based, price related to value of rules package(s)
Windows agent support? Yes, at GA
Linux support? Amazon Linux & Ubuntu LTS (now); RedHat & CentOS (GA)
13. More Questions
FAQ - these are all subject to change
Does running Inspector make me PCI compliant? No.
Are you a PCI ASV? Not at the current time.
Can I write my own rules packages? Not for GA; we’re investigating.
Can I view the collected telemetry? Not for GA.
How can I sign up for the preview? Next slide
14. How do I get access to the preview?
Fill out the form here: https://aws.amazon.com/inspector/preview
• Make sure to enter your AWS account number accurately - this is what gets access
• 12 decimal digits with no punctuation
• Make sure to enter your email address correctly
Access usually takes 1 business day
• We grant access once per day
• No access grants around the holidays
If you fill out the request form before midnight, the specific account ID(s) that you requested usually get access by 1pm US EST the next business day.
15. What’s coming for GA?
Note: everything is subject to change
More regions
Windows support
RedHat & CentOS support
More comprehensive rules packages
Reporting
Auditing (CloudTrail)
Multiple runs per assessment
SNS support (which brings SQS & Lambda support)
16. Thank you!
The Inspector team really appreciates the time you took to hear about our service.
Please try out the preview and let us know if you have any feedback (problems, suggestions, or requests).