Configure Amazon Inspector using Cloudformation

What is Amazon Inspector?

Amazon Inspector is an AWS service which analyzes EC2 instances for known vulnerabilities and other issues.

There are 4 predefined rule packages, my template opts to use all of them:

• Common Vulnerabilities and Exposures
• Center for Internet Security Benchmarks
• Network Reachability
• Security Best Practices

To take full advantage of Amazon Inspector you will also want to be sure to install Amazon Inspector agents, this post does not cover that.

How can I use Cloudformation to deploy and configure Amazon Inspector?

If you dont care about whats going on inside, no need to read any further simply deploy this template out of my s3 bucket: https://beverts-templates.s3-us-west-2.amazonaws.com/inspector.yml. It will configure inspector to run once a day against the configured targets using all 4 rule packages. It takes 4 parameters:

• TagKey - tag key to match ec2 instances on
• TagValue - tag value to match ec2 instances on
• ResourceNamePrefix - used in naming of created resources
• SubscriptionEmailAddress - email address to send scan findings to

It is very straightforward to write a template that deploys the all the Inspector and SNS components that will be used to define the scan parameters and sns topic/subscription. The problem is that (at time of writing) AWS::Inspector::AssessmentTemplate does not have parameters for configuring the run schedule or the notification topic (although these is easily achieved in the UI).

In order to resolve this we will make 2 lambdas:

• InspectorConfigureFunction - This uses the inspector api to configure notifications to an SNS topic created by the template. This lambda will be invoked by this custom function when the template is deployed in order to configure the subscription
• InspectorRunFunction - This uses the inspector api to kick off a scan, it will be invoked once daily by this event rule

These are the inspector resources which get deployed:

• InspectorTarget - holds the group
• InspectorGroup - this is what is used to group the ec2 instances. All instances that have the tag key/value specified in the parameters will be added to the group
• InspectorTemplate - this is the main inspector resource that gets created, it ties together the group and the rule packages.

These are the SNS resources which get deployed:

• InspectorTopic - SNS topic for scan findings to be posted to
• InspectorSubscription - Subscribes to the topic, the email address passed in as a parameter will automatically be subscribed to the topic

My tagging strategy is complex, this template wont satisfy my needs

No problem! This template can be easily extended to support a specific tag combination. First create another parameter like TagKey and another parameter like TagValue. You could name them TagKey2 and TagValue2

Then add references to your new parameters in the ResourceGroupTags array just like the entry that is already there.

Upload the new template to your bucket and you should be good to go!

I want to make this part of my deploy

Nested stacks are a great strategy for keeping your templates modular and this template can be easily be included (one or more times) as a nested stack. Nested stacks can be achieved by using the AWS::CloudFormation::Stack resource type.

• ←Previous
Next→