Original article by 金恩 of 新钛云服 (cloud and security managed services)
Amazon Inspector is a vulnerability management service that continuously scans AWS workloads for vulnerabilities. It automatically discovers and scans Amazon EC2 instances and container images stored in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.
This article walks through scanning EC2 instances with Inspector and pushing the security assessment report automatically: Inspector is integrated with a KMS key for report encryption, and a Lambda script triggered by a CloudWatch scheduled rule exports the report to an S3 bucket.
I. Roles and permissions
1. EC2 IAM role policy configuration
Create a role named AmazonSSMRoleForInstancesQuickSetup and attach the following policies: iam_eni_policy.json, CloudWatchAgentServerPolicy, AmazonSSMManagedInstanceCore and AmazonSSMPatchAssociation:
The iam_eni_policy.json policy (note that this inline policy grants iam:* and ec2:* on all resources, which is far broader than SSM-based Inspector scanning requires; in production, restrict it to the actions the instance actually needs)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:*",
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}
2. Granting the IAM role to the EC2 instance
In the instance's Security section, assign the IAM role AmazonSSMRoleForInstancesQuickSetup to the EC2 host:
II. Inspector configuration and debugging
1. Enabling EC2 scanning in the Inspector service
Enable the Inspector service with the scan type limited to EC2:
View the findings by vulnerability or by instance, and analyse and summarise the scan results:
Under All findings, filter by resource type: AWS EC2 Instance:
In the report view, click Export Findings to start the export:
Filter on resource type EC2 Instance, choose CSV as the export format, and specify the S3 bucket location and the KMS key:
2. KMS key configuration
· Alias name: S3-ECR
· Alias ARN: arn:aws:kms:ap-southeast-1:xxx2492xxxxx:alias/S3-ECR
· Key user: xx.xxx
· Account ID: xxx2492xxxxx
· "aws:SourceArn": "arn:aws:inspector2:ap-southeast-1:xxx2492xxxxx:report/*"
· KMS key policy configuration
Note: replace the account ID (账户id) and key user (密钥使用用户) placeholders in the policy below with your own values
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::账户id:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::账户id:user/密钥使用用户"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::账户id:user/密钥使用用户"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::账户id:user/密钥使用用户"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "Allow inspector to perform kms actions",
      "Effect": "Allow",
      "Principal": {
        "Service": "inspector2.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "账户id"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:inspector2:ap-southeast-1:账户id:report/*"
        }
      }
    }
  ]
}
Key type: symmetric
Key usage: encrypt and decrypt
3. S3 bucket configuration
Block public access: off (this is not required for Inspector to write to the bucket, since the bucket policy below grants the inspector2.amazonaws.com service principal access directly; leaving Block Public Access enabled is the safer choice)
Bucket policy configuration
Note: replace 存储bucket名称 with the name of the newly created bucket and 账户id with your actual account ID
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow inspector to perform Put and Delete actions on s3",
      "Effect": "Allow",
      "Principal": {
        "Service": "inspector2.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::存储bucket名称/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "账户id"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:inspector2:ap-southeast-1:账户id:report/*"
        }
      }
    }
  ]
}
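Both the KMS key policy and the S3 bucket policy above grant the inspector2.amazonaws.com service principal access only when aws:SourceAccount and aws:SourceArn match, which is what prevents a confused-deputy scenario where Inspector in another account writes into your bucket or uses your key. The following check, added here as an example and not part of the original article or of AWS tooling, verifies that every such grant in a policy document carries those conditions; the account ID, region and bucket name in the sample policies are constructed.

```python
# Added check (not from the original article): every Allow statement whose
# principal is the Amazon Inspector service must be scoped with the confused-deputy
# conditions aws:SourceAccount and aws:SourceArn. Sample policies are constructed.

INSPECTOR_PRINCIPAL = "inspector2.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_inspector_statements(policy, account_id, region):
    """Return a list of problems; an empty list means every Inspector grant is scoped."""
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if INSPECTOR_PRINCIPAL not in _as_list(principal.get("Service", [])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            problems.append(f"{sid}: aws:SourceAccount missing or not {account_id}")
        # Accept aws:SourceArn under any operator commonly used for ARN matching.
        src_arn = next((cond[op]["aws:SourceArn"]
                        for op in ("ArnLike", "ArnEquals", "StringLike", "StringEquals")
                        if "aws:SourceArn" in cond.get(op, {})), None)
        expected = f"arn:aws:inspector2:{region}:{account_id}:report/"
        if not (isinstance(src_arn, str) and src_arn.startswith(expected)):
            problems.append(f"{sid}: aws:SourceArn missing or not under {expected}*")
    return problems


# Constructed sample: the bucket policy from the article with placeholders filled in.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow inspector to perform Put and Delete actions on s3",
    "Effect": "Allow",
    "Principal": {"Service": INSPECTOR_PRINCIPAL},
    "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"],
    "Resource": "arn:aws:s3:::example-inspector-reports/*",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": "111122223333"},
        "ArnLike": {"aws:SourceArn": "arn:aws:inspector2:ap-southeast-1:111122223333:report/*"},
    },
}]}

# Constructed sample: the same grant with the Condition block removed (confused-deputy risk).
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in GOOD_POLICY["Statement"][0].items() if k != "Condition"}]}
```

Run it against the JSON of your own key policy and bucket policy (after substituting the placeholders); any non-empty result names the statement that needs its conditions restored.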
Cross-origin resource sharing (CORS):
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "GET",
      "HEAD",
      "PUT",
      "POST",
      "DELETE"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": [
      "ETag"
    ],
    "MaxAgeSeconds": 3000
  }
]
III. Using a Lambda function to call Inspector and export reports automatically
1. The Lambda function is named Inspector-Findings and runs on Python 3.9
Permission configuration: execution role Inspector-Findings-role-qlz0f062 (replace 账户id with your actual account ID)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:ap-southeast-1:账户id:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:ap-southeast-1:账户id:log-group:/aws/lambda/Inspector-Findings:*"
      ]
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "inspector2:CreateFindingsReport",
      "Resource": "*"
    }
  ]
}
Python 3.9 code
Note: install the required Python modules, package them together with the code as a zip file and upload it to the Inspector-Findings Lambda; change the bucket name and account ID placeholders first:
import json
import boto3


def lambda_handler(event, context):
    # Inspector v2 client in the region whose findings are being exported
    client = boto3.client('inspector2', region_name='ap-southeast-1')
    # Request a CSV export of all ACTIVE findings on EC2 instances, written to
    # the S3 bucket and encrypted with the KMS key configured in the previous sections
    response = client.create_findings_report(
        filterCriteria={
            'resourceType': [
                {
                    'comparison': 'EQUALS',
                    'value': 'AWS_EC2_INSTANCE'
                }
            ],
            'findingStatus': [
                {
                    'comparison': 'EQUALS',
                    'value': 'ACTIVE'
                }
            ]
        },
        reportFormat='CSV',
        s3Destination={
            'bucketName': 's3存储bucket',  # replace with the export bucket name
            # replace 账户id with the actual account ID of the KMS key
            'kmsKeyArn': 'arn:aws:kms:ap-southeast-1:账户id:key/a3ecc003-b96e-4865-902b-d69804f32fc0'
        }
    )
    # The response carries the reportId; the export itself completes asynchronously
    print(response)
    return {
        'statusCode': 200,
        'body': json.dumps(response)
    }
Upload the Python zip package to the function's code source:
2. Configuring CloudWatch to trigger report generation on a schedule
Create a new CloudWatch rule as the trigger:
Schedule it with the cron expression 5 8 ? * FRI * (08:05 UTC every Friday); see the screenshot for the expression format:
Add the trigger with the CloudWatch scheduled task settings so that the security assessment report is generated at the specified time.
3. Inspector report generated in CSV format to S3
Generating the Inspector security assessment report on a schedule keeps you informed of server vulnerability compliance for analysis and summary:
4. Script task orchestration
Script task orchestration helps automate tasks and handle vulnerability remediation:
Run Command: command document AWS-RunShellScript, with command parameters in shell format (uname -a was entered as a test)
Targets can be grouped by specific EC2 instances or by resource group instance tags
Check the detailed uname -a result under Output
Security is of paramount importance: real-time alerting and stronger controls, effective protection and regular security checks.