Amazon Inspector (Classic)

Check EC2 instances and their operating system, as well as container images in Amazon Elastic Container Registry, and AWS Lambda functions against vulnerabilities and deviations against best practices and unintended network exposure.

After the checks run Inspector generates Findings, each type with its Severity.

Inspector Network Assessment is agentless but if you want to go more in depth and you want to scan the host as well, then you need the agent.

Rules Packages

Network assessments

An Amazon Inspector Classic agent is not required to assess your EC2 instances with this rules package. However, an installed agent can provide information about the presence of any processes listening on the ports. Do not install an agent on an operating system that Amazon Inspector Classic does not support.

Network Reachability: automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured.

Supported entities:

  • Amazon EC2 instances

  • Application Load Balancers

  • Direct Connect

  • Elastic Load Balancers

  • Elastic Network Interfaces

  • Internet Gateways (IGWs)

  • Network Access Control Lists (ACLs)

  • Route Tables

  • Security Groups (SGs)

  • Subnets

  • Virtual Private Clouds (VPCs)

  • Virtual Private Gateways (VGWs)

  • VPC peering connections

Supported Routes:

  • Internet - Internet gateways (including Application Load Balancers and Classic Load Balancers)

  • PeeredVPC - VPC peering connections

  • VGW - Virtual private gateways

Findings

UnrecogizedPortWithListener [Low severity]: An unrecognized port is reachable and has an active listening process on it, but without an agent no information about the process can be provided.

RecognizedPort [severity dipends on the well-known service]:

  • RecognizedPortWithListener: A recognized port is externally reachable from the public internet through a specific networking component, and a process is listening on the port.

  • RecognizedPortNoListener: A port is externally reachable from the public internet through a specific networking component, and there are no processes listening on the port.

  • RecognizedPortNoAgent: A port is externally reachable from the public internet, but the presence of a process listening on the port can’t be determined without installing an agent on the target instance.

NetworkExposure [Informational]: aggregate information on the ports that are reachable.

Host assessments

  • Common vulnerabilities and exposures (CVE)https://cve.mitre.org/

  • Center for Internet Security (CIS) Benchmarks: The CIS Security Benchmarks program provides well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their security.

  • Security best practices for Amazon Inspector Classic (available for Windows but only generate findings for Linux):

    • Disable root login over SSH

    • Support SSH version 2 only

    • Disable password authentication Over SSH

    • Configure password maximum age

    • Configure password minimum length

    • Configure password complexity

    • Enable Address Space Layout Randomization (ASLR): /proc/sys/kernel/randomize_va_space must be set to 2.

    • Enable Data Execution Prevention (DEP) (No ARM)

    • Configure permissions for system directories