Automate security scans for cross-account workloads using Amazon Inspector and AWS Security Hub - AWS Prescriptive Guidance

Automate security scans for cross-account workloads using Amazon Inspector and AWS Security Hub

Created by Ramya Pulipaka (AWS) and Mikesh Khanal (AWS)

Environment: Production

Technologies: Security, identity, compliance; Management & governance

AWS services: Amazon Inspector; Amazon SNS; AWS Lambda; AWS Security Hub; Amazon CloudWatch

Summary

This pattern describes how to automatically scan for vulnerabilities in cross-account workloads on the Amazon Web Services (AWS) Cloud.

The pattern helps create a schedule for host-based scans of Amazon Elastic Compute Cloud (Amazon EC2) instances that are grouped by tags or for network-based Amazon Inspector scans. An AWS CloudFormation stack deploys all the required AWS resources and services to your AWS accounts.

The Amazon Inspector findings are exported to AWS Security Hub and provide insights into vulnerabilities across your accounts, AWS Regions, virtual private clouds (VPCs), and EC2 instances. You can receive these findings by email or you can create an Amazon Simple Notification Service (Amazon SNS) topic that uses an HTTP endpoint to send the findings to ticketing tools, security information and event management (SIEM) software, or other third-party security solutions.

Prerequisites and limitations

Prerequisites 

  • An existing email address to receive email notifications from Amazon SNS. 

  • An existing HTTP endpoint used by ticketing tools, SIEM software, or other third-party security solutions.

  • Active AWS accounts that host cross-account workloads, including a central audit account. 

  • Security Hub, enabled and configured. You can use this pattern without Security Hub, but we recommend using Security Hub because of the insights it generates. For more information, see Setting up Security Hub in the AWS Security Hub documentation.

  • An Amazon Inspector agent must be installed on each EC2 instance that you want to scan. You can install the Amazon Inspector agent on multiple EC2 instances by using AWS Systems Manager Run Command

Skills 

  • Experience using self-managed and service-managed permissions for stack sets in AWS CloudFormation. If you want to use self-managed permissions to deploy stack instances to specific accounts in specific Regions, you must create the required AWS Identity and Access Management (IAM) roles. If you want to use service-managed permissions to deploy stack instances to accounts managed by AWS Organizations in specific Regions, you don’t need to create the required IAM roles. For more information, see Create a stack set in the AWS CloudFormation documentation. 

Limitations 

  • If no tags are applied to EC2 instances in an account, then Amazon Inspector scans all the EC2 instances in that account.

  • The AWS CloudFormation stack sets and the onboard-audit-account.yaml file (attached) must be deployed in the same Region.

  • By default, Amazon Inspector Classic doesn't support aggregated findings. Security Hub is the recommended solution to viewing assessments for multiple accounts or AWS Regions.

  • This pattern’s approach can scale under the publish quota of 30,000 transactions per second (TPS) for an SNS topic in the US East (N. Virginia) Region (us-east-1), although limits vary by Region. To scale more effectively and avoid data loss, we recommend using Amazon Simple Queue Service (Amazon SQS) in front of the SNS topic.

Architecture

The following diagram illustrates the workflow for automatically scanning EC2 instances.

An AWS account for running scans, and a separate audit account for sending notifications.

The workflow consists of the following steps:

1. An Amazon EventBridge rule uses a cron expression to self-initiate on a specific schedule and initiates Amazon Inspector.   

2. Amazon Inspector scans the tagged EC2 instances in the account. 

3. Amazon Inspector sends the findings to Security Hub, which generates insights for workflow, prioritization, and remediation.

4. Amazon Inspector also sends the assessment’s status to an SNS topic in the audit account. An AWS Lambda function is invoked if a findings reported event is published to the SNS topic. 

5. The Lambda function fetches, formats, and sends the findings to another SNS topic in the audit account.

6. Findings are sent to the email addresses that are subscribed to the SNS topic. The full details and recommendations are sent in JSON format to the subscribed HTTP endpoint.

Technology stack  

  • AWS Control Tower

  • EventBridge 

  • IAM

  • Amazon Inspector

  • Lambda

  • Security Hub

  • Amazon SNS

Tools

  • AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications.

  • AWS CloudFormation StackSets – AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and Regions with a single operation.

  • AWS Control Tower – AWS Control Tower creates an abstraction or orchestration layer that combines and integrates the capabilities of several other AWS services, including AWS Organizations.

  • Amazon EventBridge – EventBridge is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources.

  • AWS Lambda – Lambda is a compute service that helps you run code without provisioning or managing servers.

  • AWS Security Hub – Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices.

  • Amazon SNS – Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers.

Epics

TaskDescriptionSkills required

Deploy the AWS CloudFormation template in the audit account.

Download and save the onboard-audit-account.yaml file (attached) to a local path on your computer. 

Sign in to the AWS Management Console for your audit account, open the AWS CloudFormation console, and then choose Create stack

Choose Prepare template in the Prerequisites section, and then choose Template is ready. Choose Template source in the Specify template section, and then choose Template is ready. Upload the onboard-audit-account.yaml file and then configure the remaining options according to your requirements.  

Important: Make sure that you configure the following input parameters:

  • DestinationEmailAddress – Enter an email address to receive findings.

  • HTTPEndpoint – Provide an HTTP endpoint for your ticketing or SIEM tools.

You can also deploy the AWS CloudFormation template by using AWS Command Line Interface (AWS CLI). For more information about this, see Creating a stack in the AWS CloudFormation documentation.

Developer, Security engineer

Confirm the Amazon SNS subscription.

Open your email inbox and choose Confirm subscription in the email that you receive from Amazon SNS. This opens a web browser window and displays the subscription confirmation.

Developer, Security engineer
TaskDescriptionSkills required

Create stack sets in the audit account.

Download the vulnerability-management-program.yaml file (attached) to a local path on your computer.

On the AWS CloudFormation console, choose View stacksets and then choose Create StackSet. Choose Template is ready, choose Upload a template file, and then upload the vulnerability-management-program.yaml file. 

If you want to use self-managed permissions, follow the instructions from Create a stack set with self-managed permissions in the AWS CloudFormation documentation. This creates stack sets in individual accounts. 

If you want to use service-managed permissions, follow the instructions from Create a stack set with service-managed permissions in the AWS CloudFormation documentation. This creates stack sets in your entire organization or specified organizational units (OUs).

Important: Make sure that the following input parameters are configured for your stack sets:

  • AssessmentSchedule – The schedule for EventBridge using cron expressions. 

  • Duration – The duration of the Amazon Inspector assessment run in seconds.

  • CentralSNSTopicArn – The Amazon Resource Name (ARN) for the central SNS topic.

  • Tagkey – The tag key that is associated with the resource group. 

  • Tagvalue – The tag value that is associated with the resource group. 

If you want to scan EC2 instances in the audit account, you must run the vulnerability-management-program.yaml file as an AWS CloudFormation stack in the audit account.

Developer, Security engineer

Validate the solution.

Check that you receive findings by email or HTTP endpoint on the schedule that you specified for Amazon Inspector.

Developer, Security engineer

Related resources

Attachments

To access additional content that is associated with this document, unzip the following file: attachment.zip