Getting Started with Amazon Inspector

Post on 15-Apr-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tom Stickle

April 19, 2016

Getting Started with Amazon Inspector

What to expect from this session

• Why did we build Amazon Inspector?

• What is Amazon Inspector?

• How much does it cost?

• What does it help protect against?

• How does it help me with remediation?

• Where do APN Technology Partners fit?

• What regions are supported?

• What’s next for Amazon Inspector?

DevOps & Cloud

• Like Pretzels & Beer

• Better alignment with customer needs

• Increased ownership by developers

• Continuous feedback & bug discovery

• Configuration & Infrastructure is part of the code

• More frequent code rollouts

• Automation

• Better focus on operational excellence

• Cloud provides infrastructure as code

• Improved availability

• Cost optimization

Continuous Integration / Continuous Deployment

[Diagram: CI/CD pipeline from source code to running host]

Traditional Security Processes

[Diagram: asset owner, security team, AppSec engineer and asset; the security team scans the asset for vulnerabilities]

• It’s not about DevOps + Security

• Not enough security professionals on the planet to do this

• Security teams need their own automation to keep up with automated deployments!

• Security as code

• Seamless integration with CI/CD pipelines

• Ability to scan and run test suites in parallel

• Ability to automate remediation

• Consumable by APN technology partners as microservices

• www.devsecops.org

Amazon Inspector

• Vulnerability Assessment Service

• Built from the ground up to support DevSecOps

• Automatable via APIs

• Integrates with CI/CD tools

• On-Demand Pricing model

• Static & Dynamic Rules Packages

• Generates Findings

The Value of Vulnerability Assessments

“[With] any large network, I will tell you that persistence and focus will get you in, we’ll achieve that exploitation without the zero days,” he says. “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.” This includes, of course, known vulnerabilities for which a patch is available but the owner hasn’t installed it.

- Rob Joyce, NSA TAO, @ Enigma 2016

Installing the Agents

• Chef, SaltStack, Puppet, Ansible

• AWS CodeDeploy

• EC2 user-data

• EC2 RunCommand

• cfn-init

• AWS OpsWorks

• CloudInit

#!/bin/bash
# Linux agent install. EC2 user-data runs with an unpredictable working
# directory, so download to an explicit path rather than relying on ./install.
wget -O /home/ec2-user/install https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install
chmod a+x /home/ec2-user/install
/home/ec2-user/install

# Windows agent install (PowerShell). WebClient.DownloadFile resolves a relative
# path against the process working directory, not $PWD, so use a full path.
$url = "https://s3-us-west-2.amazonaws.com/aws-agent-updates-test/windows/product/AWSAgentInstall.exe"
$dest = Join-Path $env:TEMP "AWSInstall.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $dest)
& $dest /quiet

Supported Agent Operating Systems

• Red Hat Enterprise Linux (7.2 or later)

• CentOS (7.2 or later)

• Ubuntu (14.04 LTS or later)

• Amazon Linux (2015.03 or later)

• Microsoft Windows (2012, 2008 R2) - Preview

Assessments

Pricing

• Free Trial

• 250 agent-assessments for the first 90 days of using the service

• Based on agent-assessments

• 1 assessment with 10 agents = 10 agent-assessments

• 5 assessments with 2 agents = 10 agent-assessments

• 10 assessments with 1 agent = 10 agent-assessments

• 10 agent-assessments = $3.00

Price per agent-assessment:

First 250 agent-assessments:     $0.30
Next 750 agent-assessments:      $0.25
Next 4,000 agent-assessments:    $0.15
Next 45,000 agent-assessments:   $0.10
All other agent-assessments:     $0.05

Anatomy of an attack

[Diagram: service components in the request path: SOAP encode/decode, XML parser, application, database]

Example Exploit

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "c:/boot.ini">
]>
<foo>&xxe;</foo>

Web Scale

[Diagram: many identical service stacks behind a network load balancer (NLB)]

Example Vulnerability

<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://1.2.3.4/">
<foo/>
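The defensive counterpart to the two XML documents above, as an added example that is not part of the talk: a parser front-end that refuses any document carrying a DOCTYPE or an external entity reference before the real parse runs. It uses only the Python standard library (expat and ElementTree); the benign order document is constructed, and the two rejected inputs are the slides' own examples.

```python
"""Refuse DTDs before parsing XML from an untrusted client (added example)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an external entity reference."""


def reject_dtd(data: bytes) -> None:
    """Bare expat pass whose only job is to refuse DOCTYPE / external entity refs.

    expat invokes StartDoctypeDeclHandler as soon as it reads <!DOCTYPE ...>,
    before any entity declared in it is resolved, so raising here means a
    SYSTEM identifier (local file or remote URL) is never fetched.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (root={name!r}, system id={system_id!r})")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference to {system_id!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse a client-supplied document, failing closed on any DTD."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True if the document has no DTD and is well-formed."""
    try:
        reject_dtd(data)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


# The two documents shown on the slides, as the parser would receive them.
SLIDE_XXE_FILE_READ = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "c:/boot.ini">
]>
<foo>&xxe;</foo>"""

SLIDE_XXE_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://1.2.3.4/">
<foo/>"""

# A constructed, benign request body of the kind the service expects.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<order><item sku="A-100" qty="2"/></order>"""


if __name__ == "__main__":
    for label, doc in [("file-read XXE", SLIDE_XXE_FILE_READ),
                       ("external DTD", SLIDE_XXE_EXTERNAL_DTD),
                       ("benign order", BENIGN_REQUEST)]:
        print(f"{label}: {'accepted' if is_safe_xml(doc) else 'rejected'}")
```

Rejecting the DOCTYPE outright, rather than trying to filter individual entities, is deliberate: it closes both the file-read and the out-of-band variants shown above and also internal-entity expansion, and a service that speaks a fixed schema has no business accepting a client-supplied DTD anyway.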

Common Vulnerabilities & Exposures

• Tagged list of publicly known info security issues

• Vulnerabilities

• A mistake in software that can be used to gain unauthorized system access

• Execute commands as another user

• Pose as another entity

• Conduct a denial of service

• Exposures

• A mistake in software that allows access to information that can lead to unauthorized system access

• Allows an attacker to hide activities

• Enables information-gathering activities

CIS Secure Configuration Benchmarks

Kathleen Patentreger, Senior Vice President, Center for Internet Security

Laurie Hester, Program Executive, Center for Internet Security

Who is CIS?

• Pioneer in forming global IT communities

• Developer of key best practices for immediate and effective defenses against cyber attacks

• Industry standard for security best practices

Confidence in the Connected World

CIS delivers

CIS can help your organization

Our Mission:

• Create and promote best practices in cybersecurity

• Deliver solutions to prevent and rapidly respond to cyber incidents

• Build trust in cyberspace

Our Programs:

• MS-ISAC (SLTT support)

• CIS Critical Security Controls

• CIS Security Benchmarks

What is a “Benchmark?”

• Security configuration guide

• Consensus-based development process

• PDF versions are free via our website

• 433K+ downloads last year

What’s inside a Benchmark?

What it applies to…

Who helped make it…

How to interpret…

What to do…

Why to do it…

How to do it…

How do you know you did it…


Amazon and CIS

• CIS AWS Foundations Benchmark:

• Provides recommendations for the security of your AWS account

Amazon Inspector:

• CIS Security Software Vendor Membership and certification service assesses against the following CIS Benchmark: Amazon Linux 2014.09-2015.03

Add’l CIS Benchmarks scheduled

CIS Amazon Machine Images (AMIs)

System is configured from launch to be in

conformance with the CIS Benchmark

AMIs currently available include:

• Amazon Linux 2014.09* - 2015.03

• Debian 8*

• Microsoft Windows Server 2008, 2008 R2,

2012 & 2012 R2

• Red Hat Enterprise Linux 5*, 6 & 7

• SUSE Linux Enterprise Server 11* & 12*

• CentOS Linux 6* & 7

• Ubuntu 12.04* & 14.04 LTS Server

*Access via CIS Membership only, not available in AWS Marketplace

How to access the CIS Amazon Machine Images (AMIs) in Amazon Elastic Compute Cloud (EC2)

• AWS Marketplace

• CIS Security Benchmarks Membership

Future plans:

• GovCloud - More details to come in May

• Intelligence Community (IC) Marketplace

For more information, visit https://benchmarks.cisecurity.org or contact us at members@cisecurity.org.

Amazon Inspector

• Rules Packages

• Common Vulnerabilities & Exposures

• CIS Operating System Security Configuration Benchmarks

• Security Best Practices

• Runtime Behavior Analysis

Security Best Practices

• Authentication

• Network Security

• Operating System

• Application Security

• Disable root login over SSH

• Password complexity

• Permissions for system directories

• Secure protocols

• Data execution prevention enabled
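What a rule from this list checks in practice, as an added example that is not Amazon Inspector's rule code: a small auditor for sshd_config covering "Disable root login over SSH" and "Secure protocols" (SSH protocol 1). The finding shape (title, severity, evidence, recommendation) loosely mirrors what the slides say a finding carries, and both sample configs are constructed. The first-value-wins behaviour of sshd is the edge case worth knowing: appending a hardening line to the end of the file does nothing if the option was already set above.

```python
"""Audit an sshd_config for two best-practice rules (added example)."""
import re

SEVERITY_ORDER = {"Low": 1, "Medium": 2, "High": 3}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global options with lower-cased keys.

    sshd keeps the FIRST value it sees for an option, so a later line does
    not override an earlier one. Options after the first Match block are
    conditional and are ignored by this global check.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def audit_sshd_config(text: str) -> list:
    """Return finding dicts for the config text, most severe first."""
    opts = parse_sshd_config(text)
    findings = []

    root_login = opts.get("permitrootlogin")
    if root_login is None or root_login.lower() != "no":
        findings.append({
            "title": "Root login over SSH is not disabled",
            "severity": "High" if (root_login or "").lower() == "yes" else "Medium",
            "evidence": f"PermitRootLogin {root_login or '<unset>'}",
            "recommendation": "Set 'PermitRootLogin no' in sshd_config and restart sshd.",
        })

    # An absent Protocol line is fine: modern OpenSSH servers only speak protocol 2.
    protocol = opts.get("protocol", "2")
    if "1" in protocol.replace(" ", "").split(","):
        findings.append({
            "title": "Insecure SSH protocol version 1 enabled",
            "severity": "High",
            "evidence": f"Protocol {protocol}",
            "recommendation": "Set 'Protocol 2' (or drop the line on an OpenSSH that no longer implements protocol 1).",
        })

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]], reverse=True)


# Constructed sample: a hardening line was appended, but the earlier
# 'PermitRootLogin yes' still wins, and protocol 1 is still offered.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no   # too late: sshd already took 'yes'
"""

# Constructed sample that passes both rules.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for f in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"[{f['severity']}] {f['title']} ({f['evidence']})")
```

Point it at /etc/ssh/sshd_config on a host to run it for real; an unset PermitRootLogin is reported at Medium rather than High because the default varies between OpenSSH versions, and the fix is the same either way: set it explicitly.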

Runtime Behavior Analysis

• Package analyzes machine behavior during an assessment

• Unused listening ports

• Insecure client protocols

• Root processes with insecure permissions

• Insecure server protocols

• Impacts the severity of static findings

Automating Remediation

• Findings are JSON formatted and taggable

• Name of assessment target & template

• Start time, end time, status

• Name of rule packages

• Name & severity of the finding

• Description & remediation steps

• Lambda-ify your incident response

• Integrate with Jira-like services

• Integrate with Pagerduty-like services
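One way to "Lambda-ify" this, as an added example that is not AWS code: an SNS-triggered Lambda that pulls the finding fields the slide lists (name, severity, description, remediation steps) into a ticket payload for a Jira-like tracker and decides whether to page. Assumptions, labelled: the SNS message keys ("event", "finding") and the finding fields (title, severity, description, recommendation, assetAttributes, attributes) follow the Inspector v1 FINDING_REPORTED notification and DescribeFindings response as I know them and should be checked against the current API reference; the ARNs, CVE id and host names in the sample data are constructed placeholders; the boto3 call only runs inside AWS.

```python
"""Inspector finding -> ticket + page/no-page decision (added example)."""
import hashlib
import json

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "Undefined": 2, "High": 3}
PRIORITY = {"High": "P1", "Medium": "P2", "Undefined": "P2", "Low": "P3", "Informational": "P4"}


def dedup_key(finding: dict) -> str:
    """Stable key for 'same finding on the same host'.

    The finding ARN changes on every assessment run, so keying a ticket on
    it would reopen the ticket each run. Title + agent id does not change.
    """
    agent = finding.get("assetAttributes", {}).get("agentId", "")
    return hashlib.sha256(f"{finding['title']}|{agent}".encode()).hexdigest()[:16]


def triage_finding(finding: dict, page_at: str = "High") -> tuple:
    """Return (ticket payload for a Jira-like tracker, whether to page on-call)."""
    sev = finding.get("severity", "Undefined")
    asset = finding.get("assetAttributes", {})
    host = asset.get("hostname") or asset.get("agentId") or "unknown-host"
    ticket = {
        "dedup_key": dedup_key(finding),
        "title": f"[Inspector][{sev}] {finding['title']} on {host}",
        "priority": PRIORITY.get(sev, "P2"),
        "description": finding.get("description", ""),
        "remediation": finding.get("recommendation", ""),
        # Inspector's key/value attributes (e.g. a CVE id) become ticket fields.
        "attributes": {a["key"]: a["value"] for a in finding.get("attributes", [])},
        "finding_arn": finding["arn"],
    }
    page = SEVERITY_RANK.get(sev, 2) >= SEVERITY_RANK[page_at]
    return ticket, page


def finding_arns_from_sns(event: dict) -> list:
    """Pull finding ARNs out of an SNS-triggered Lambda event; ignore other run events."""
    arns = []
    for record in event.get("Records", []):
        message = json.loads(record["Sns"]["Message"])
        if message.get("event") == "FINDING_REPORTED" and "finding" in message:
            arns.append(message["finding"])
    return arns


def lambda_handler(event, context):
    """Lambda entry point (runs only inside AWS; boto3 is imported lazily)."""
    import boto3
    inspector = boto3.client("inspector")
    out = []
    for arn in finding_arns_from_sns(event):
        finding = inspector.describe_findings(findingArns=[arn])["findings"][0]
        ticket, page = triage_finding(finding)
        # POST `ticket` to the tracker here and, if `page`, to the pager service.
        out.append({"dedup_key": ticket["dedup_key"], "paged": page})
    return out


# Constructed sample finding; ARNs, host names and the CVE id are placeholders.
SAMPLE_FINDING = {
    "arn": "arn:aws:inspector:us-west-2:111122223333:target/0-EXAMPLE/template/0-EXAMPLE/run/0-RUN1/finding/0-F1",
    "title": "Instance i-0example is vulnerable to CVE-YYYY-NNNNN",
    "severity": "High",
    "description": "A package on the instance has a known vulnerability (placeholder text).",
    "recommendation": "Update the affected package and reboot if required.",
    "assetAttributes": {"agentId": "i-0example", "hostname": "web-01.example.internal"},
    "attributes": [{"key": "CVE_ID", "value": "CVE-YYYY-NNNNN"}],
}

# Constructed SNS event with one finding and one unrelated run-state message.
SAMPLE_SNS_EVENT = {"Records": [
    {"Sns": {"Message": json.dumps({"event": "FINDING_REPORTED", "finding": SAMPLE_FINDING["arn"]})}},
    {"Sns": {"Message": json.dumps({"event": "ASSESSMENT_RUN_COMPLETED", "run": "arn:placeholder"})}},
]}

if __name__ == "__main__":
    ticket, page = triage_finding(SAMPLE_FINDING)
    print(json.dumps(ticket, indent=2), "\npage on-call:", page)
```

The dedup key is the part that matters operationally: Inspector reports a still-unfixed finding again on every run, so the tracker integration should update the existing ticket keyed on title and host rather than opening a new one per run.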

Launch Partners

AWS Partner Network (APN)

• Technology Partner Program

• AWS Marketplace

• AWS Channel Reseller Program

• AWS Managed Service Partners

• AWS Partner Test Drives

Regions Supported

• GA

• US West (Oregon)

• EU (Ireland)

• US East (Virginia)

• Asia Pacific (Tokyo)

• GA + 1 Month

• Asia Pacific (Sydney)

• Asia Pacific (Seoul)

What’s Next for Amazon Inspector?

• Reporting

• AWS API Interception

• Threat Modeling

• Industry Specific Rules Packages

Remember to complete your evaluations!