Amazon Inspector Classic
Amazon Inspector Classic is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector Classic automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector Classic produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
Note
ThreatLockDown does not yet support the new Amazon Inspector module, but it has support for the Amazon Inspector Classic service.
Amazon configuration
To start using Amazon Inspector Classic, open the Amazon Web Services management console, search for the Inspector service, and open the left-side menu.
Click on Switch to Inspector Classic.
Click on Get started.
Click on Advanced setup.
Configure the assessment target:
Choose a name for the assessment target.
Choose whether to include all EC2 instances in the scans or to filter them by tag, by enabling or disabling the Include all EC2 instances in this AWS account and region checkbox.
If you prefer to install the agents by hand, disable the Install the Amazon Inspector Agent on all EC2 instances in this assessment target checkbox.
Click on Next.
Note
If you prefer to install the Inspector Classic agents by hand follow the instructions on the AWS documentation's agent installation section.
Configure the assessment template. Choose the name, duration, and periodicity of the analysis and click on Next.
Finally, review the details of the configured target and template and click on Next.
Policy configuration
To create a policy using the Amazon Web Services console, follow the AWS documentation.
Note that the policy below follows the principle of least privilege: it grants the ThreatLockDown user only the two read-only actions the module calls (listing findings and describing them) and nothing else.
To allow an AWS user to use the module with read-only permissions, attach a policy like the following to it:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "inspector:ListFindings",
                "inspector:DescribeFindings"
            ],
            "Resource": "*"
        }
    ]
}
Once the policy has been created, there are different ways to attach it to a user, such as attaching it directly or attaching it to a group to which the user belongs. See the AWS documentation for how to perform those tasks.
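A quick way to confirm that the policy you are about to attach really is least privilege is to lint it before attaching it. The following script is an added example and is not part of ThreatLockDown or of any AWS tooling: it parses an IAM policy document and reports any Allow statement that grants more than the two read-only actions the module needs, flagging wildcard actions (such as inspector:*) and NotAction statements, and also reports when one of the two required actions is missing. The sample policies at the bottom are constructed for the example; the first one is the policy shown above.

```python
import fnmatch
import json

# The only actions the Inspector Classic module calls (see the policy above).
# IAM action names are case-insensitive, so everything is compared in lower case.
NEEDED_ACTIONS = {"inspector:listfindings", "inspector:describefindings"}


def _as_list(value):
    """Action/NotAction fields may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_policy(policy_json):
    """Return a list of problems found in the policy document.

    An empty list means the policy grants exactly the two read-only
    actions the module needs and nothing more."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]

    problems = []
    granted = set()
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow what is allowed
        if "NotAction" in stmt:
            # NotAction allows every action except the ones listed: the
            # opposite of least privilege, however short the list is.
            problems.append(f"statement {i}: NotAction grants every action not listed")
            continue
        for pattern in _as_list(stmt.get("Action")):
            pat = pattern.lower()
            # IAM wildcards (* and ?) match the same way as shell globs.
            matched = {a for a in NEEDED_ACTIONS if fnmatch.fnmatchcase(a, pat)}
            granted |= matched
            if "*" in pat or "?" in pat:
                problems.append(f"statement {i}: wildcard action {pattern!r} grants more than the module needs")
            elif not matched:
                problems.append(f"statement {i}: action {pattern!r} is not needed by the module")
    for action in sorted(NEEDED_ACTIONS - granted):
        problems.append(f"required action {action} is not granted")
    return problems


# Constructed sample: the policy shown on this page.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["inspector:ListFindings", "inspector:DescribeFindings"],
        "Resource": "*",
    }],
})

# Constructed sample: an over-broad policy of the kind a console wizard can produce.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "inspector:*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})

# Constructed sample: a policy that is too narrow for the module to work.
INCOMPLETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "inspector:ListFindings", "Resource": "*"}],
})

if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("broad", BROAD_POLICY), ("incomplete", INCOMPLETE_POLICY)):
        print(f"{name}: {check_policy(policy) or 'least privilege OK'}")
```

Run it against the JSON you exported from the console (for example with the aws iam get-policy-version command) before attaching the policy; any line of output is a reason to edit the policy first.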
ThreatLockDown configuration
Open the ThreatLockDown configuration file (/var/ossec/etc/ossec.conf) and add the following configuration block to enable the integration with Inspector Classic:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>no</run_on_start>
  <skip_on_error>no</skip_on_error>
  <service type="inspector">
    <aws_profile>default</aws_profile>
    <!-- Required: the region(s) to query; us-east-1 is only an example value -->
    <regions>us-east-1</regions>
  </service>
</wodle>
At least one region must be specified in the regions setting of the inspector service. Multiple regions can be listed separated by commas.
Note
Check the AWS S3 module reference manual to learn more about each setting.
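Because the module silently depends on the regions setting, it is worth checking the wodle block before restarting the manager. The following script is an added example, not ThreatLockDown code: it parses one or more aws-s3 wodle blocks from ossec.conf with the standard library XML parser and reports a missing or empty regions list, region names that do not look like AWS regions, and malformed interval or yes/no settings. The sample blocks are constructed for the example; the first one is the configuration shown above with two regions.

```python
import re
import xml.etree.ElementTree as ET

YES_NO = {"yes", "no"}
INTERVAL_RE = re.compile(r"\d+[smhd]?")                 # 10m, 3600s, 1d, or bare seconds
REGION_RE = re.compile(r"[a-z]{2}(-gov)?-[a-z]+-\d+")   # us-east-1, eu-west-2, us-gov-west-1


def check_inspector_wodle(snippet):
    """Return a list of problems with the aws-s3 wodle block(s) in `snippet`.

    An empty list means at least one inspector service is configured and its
    settings are well-formed."""
    # ossec.conf holds several top-level blocks, so wrap them in a dummy root
    # to get a single well-formed document for the parser.
    root = ET.fromstring("<root>" + snippet + "</root>")
    problems = []
    services = 0
    for wodle in root.iterfind("wodle[@name='aws-s3']"):
        for tag in ("disabled", "run_on_start", "skip_on_error"):
            value = (wodle.findtext(tag) or "").strip()
            if value and value not in YES_NO:
                problems.append(f"<{tag}> must be yes or no, got {value!r}")
        interval = (wodle.findtext("interval") or "").strip()
        if interval and not INTERVAL_RE.fullmatch(interval):
            problems.append(f"<interval> {interval!r} is not a number with an s/m/h/d suffix")
        for service in wodle.iterfind("service[@type='inspector']"):
            services += 1
            # regions is comma-separated; ignore stray whitespace and empty items.
            regions = [r.strip() for r in (service.findtext("regions") or "").split(",") if r.strip()]
            if not regions:
                problems.append("inspector service: <regions> is required (comma-separated list)")
            for region in regions:
                if not REGION_RE.fullmatch(region):
                    problems.append(f"inspector service: {region!r} does not look like an AWS region")
    if services == 0:
        problems.append('no <service type="inspector"> found inside a <wodle name="aws-s3"> block')
    return problems


# Constructed sample: the block from this page, with two regions.
GOOD_CONFIG = """
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>no</run_on_start>
  <skip_on_error>no</skip_on_error>
  <service type="inspector">
    <aws_profile>default</aws_profile>
    <regions>us-east-1, eu-west-1</regions>
  </service>
</wodle>
"""

# Constructed samples of the two mistakes this check is meant to catch.
MISSING_REGIONS = GOOD_CONFIG.replace("<regions>us-east-1, eu-west-1</regions>", "")
BAD_INTERVAL = GOOD_CONFIG.replace("<interval>10m</interval>", "<interval>ten</interval>")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("missing regions", MISSING_REGIONS), ("bad interval", BAD_INTERVAL)):
        print(f"{name}: {check_inspector_wodle(cfg) or 'OK'}")
```

To check a real file, read the wodle block out of /var/ossec/etc/ossec.conf and pass it to check_inspector_wodle; the dummy root element means the function also accepts several consecutive wodle blocks at once.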
Restart ThreatLockDown to apply the changes, using the command that matches your init system (systemctl for systemd, service for SysV init):
If you're configuring a ThreatLockDown manager:
# systemctl restart wazuh-manager
# service wazuh-manager restart
If you're configuring a ThreatLockDown agent:
# systemctl restart wazuh-agent
# service wazuh-agent restart