Amazon Elastic Compute Cloud (EC2) is a popular cloud computing service offered by Amazon Web Services (AWS) that allows users to rent virtual machines (VMs) in the cloud.
Managing inventory for Amazon EC2 involves tracking the various components that make up EC2 instances, including the VMs themselves, the storage volumes, and the networking components.
This demo covers EC2 instance management with AWS services. It will be helpful for DevSecOps and security engineers who want to check OS-level system metrics, CCE findings, and CVE findings automatically.
This demo is based on ap-northeast-2 (Seoul region).
CCE (Common Configuration Enumeration): vulnerabilities in system settings that allow operations beyond a user's permitted privileges, or that allow information to be viewed, falsified, or leaked beyond its intended scope.
CVE (Common Vulnerabilities and Exposures): publicly known information security vulnerabilities and exposures.
Inventory management
- Amazon EC2
- AWS Resource Groups & Tag Editor
Inspect and track EC2 vulnerability
- AWS Systems Manager
- Amazon Inspector
Monitoring Services and Notification
- Amazon SecurityHub
- Amazon SNS
- Amazon SES (Simple Email Services)
- AWS Account - Create AWS Account
- AWS CDK (python) - CDK Install Guide
- AWS CLI - AWS CLI Install Guide
- Email for Notification
Check your account role or user
aws sts get-caller-identity
git clone https://github.com/aws-samples/inventory-management-for-amazon-ec2.git
cd inventory-management-for-amazon-ec2
cdk bootstrap
cdk deploy DemoVPCStack
cdk deploy InventoryManagementStack --parameters TargetEmail=YOUR_EMAIL@DOMAIN.COM
aws inspector2 enable --resource-types EC2
cdk deploy DailyEmailReportStack --parameters TargetEmail=YOUR_EMAIL@DOMAIN.COM
In Tag Editor, you can search your AWS resources by tag and export the result as CSV.
Go to AWS Tag Editor
To collect more detailed system-level metrics (system performance, CPU, memory, access sessions), KMS encryption is required for Session Manager.
- After deploying DemoVPCStack, a KMS key with the alias ssm-session-key is created. Enable KMS encryption in Session Manager preferences using that key (alias: ssm-session-key).
Go to Session Manager Preferences
Monitor EC2 instance OS-level metrics and system inventory
Go to Systems Manager Inventory
After associating your managed instances with Systems Manager, inventory data is collected by the SSM Agent.
Go to Systems Manager Fleet Manager
- Go to Resource Groups Console
- Select Resource Type: AWS::EC2::Instance
- Select Tags: Env: Dev, InventoryCategory: WAS
- Group Name: DevWASInstances
Run the CCE checks against the resource group:
bash scripts/check_cce_param_by_resource_group.sh DevWASInstances
Outputs
{
"Command": {
"CommandId": "a48b66f4-ecab-4074-ad1c-5e9236afcb09",
"DocumentName": "AWS-RunShellScript",
"DocumentVersion": "1",
"Comment": "",
"ExpiresAfter": "2023-03-20T15:41:19.972000+09:00",
"Parameters": {
"commands": [
"#!/bin/bash",
"echo \"U-04. Check Password Max Days\"",
"cat /etc/login.defs | grep PASS_MAX_DAYS",
"echo \n\"U-06 (High): Check Home Env Path setting\"",
"echo $PATH",
"echo \n\"U-08 (High): Check /etc/passwd file owner and permission\"",
"ls -l /etc/passwd",
"echo \n\"U-09 (High): Check /etc/shadow file owner and permission\"",
"ls -l /etc/passwd",
"echo \n\"U-10 (High): Check /etc/hosts file owner and permission\"",
"ls -l /etc/hosts",
"echo \n\"U-15 (High): Check User, system init and env owner and permission\"",
"cat /etc/passwd | grep /home"
],
"executionTimeout": [
"3600"
],
"workingDirectory": [
""
]
},
"InstanceIds": [],
"Targets": [
{
"Key": "resource-groups:Name",
"Values": [
"DevWASInstances"
]
}
],
"RequestedDateTime": "2023-03-20T14:31:19.972000+09:00",
"Status": "Pending",
"StatusDetails": "Pending",
...
How it works
- After running the CCE check commands, you can see the detailed result in Systems Manager Run Command.
- The result is delivered to AWS Security Hub as findings via AWS CloudWatch and AWS Lambda.
- Events for registered custom findings in AWS Security Hub trigger the NotifyCCEFindings Lambda function.
- The NotifyCCEFindings Lambda function sends the CCE check results via Amazon SNS (Simple Notification Service).
Go to Security Hub Console
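The two steps above (a Run Command request targeted at the resource group, then Run Command output turned into Security Hub findings) as an added Python example; this is not code from the sample repository or from its Lambda functions. The function names, the GeneratorId, the KISA-style thresholds (password max age of 90 days, allowed file owners and modes), and the sample stdout are all assumptions constructed for this example; the ASFF field names and the `resource-groups:Name` target key are the real Systems Manager / Security Hub ones.

```python
"""Hypothetical Lambda-side helpers: build the Run Command request for a
resource group and turn the CCE check stdout into Security Hub (ASFF) findings."""
import re
from datetime import datetime, timezone

# Thresholds assumed for this example (KISA-style guidance, not from the page).
PASS_MAX_DAYS_LIMIT = 90
# File -> (required owner, most permissive mode allowed); assumed values.
FILE_POLICY = {
    "/etc/passwd": ("root", 0o644),
    "/etc/shadow": ("root", 0o400),
    "/etc/hosts": ("root", 0o600),
}
CHECK_FILE = {"U-08": "/etc/passwd", "U-09": "/etc/shadow", "U-10": "/etc/hosts"}


def build_run_command_request(group_name, commands, timeout_seconds=3600):
    """Keyword arguments for ssm.send_command(); the target key is the same
    one the page's output shows ("resource-groups:Name")."""
    return {
        "DocumentName": "AWS-RunShellScript",
        "Targets": [{"Key": "resource-groups:Name", "Values": [group_name]}],
        "Parameters": {"commands": commands,
                       "executionTimeout": [str(timeout_seconds)]},
    }


HEADING = re.compile(r"^(U-\d{2})\b")  # e.g. "U-04. ..." or "U-06 (High): ..."


def parse_cce_output(stdout):
    """Split Run Command stdout into {check_id: [evidence lines]}."""
    sections, current = {}, None
    for line in stdout.splitlines():
        m = HEADING.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections


def mode_from_ls(perm):
    """Convert the 'rw-r--r--' part of an ls -l permission string to an int."""
    bits = 0
    for ch in perm[1:10]:
        bits = (bits << 1) | (ch != "-")
    return bits


def evaluate(check_id, lines):
    """Return PASSED / FAILED for the checks this example understands."""
    text = "\n".join(lines)
    if check_id == "U-04":
        m = re.search(r"^PASS_MAX_DAYS\s+(\d+)", text, re.M)  # ignores commented lines
        return "PASSED" if m and int(m.group(1)) <= PASS_MAX_DAYS_LIMIT else "FAILED"
    if check_id == "U-06":
        # A "." or empty entry in PATH lets a planted binary shadow system tools.
        parts = text.split(":")
        return "FAILED" if "." in parts or "" in parts else "PASSED"
    if check_id in CHECK_FILE:
        path = CHECK_FILE[check_id]
        owner, max_mode = FILE_POLICY[path]
        # ls -l: "-rw-r--r-- 1 root root 1372 Mar 20 14:31 /etc/passwd"
        m = re.search(r"^(\S{10,11})\s+\d+\s+(\S+)\s+\S+.*\s" + re.escape(path) + r"$",
                      text, re.M)
        if not m:
            return "FAILED"
        mode_ok = mode_from_ls(m.group(1)) & ~max_mode == 0
        return "PASSED" if m.group(2) == owner and mode_ok else "FAILED"
    return "NOT_AVAILABLE"


def to_asff(check_id, status, instance_id, account_id, region, now=None):
    """One ASFF finding for Security Hub's BatchImportFindings API."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{instance_id}/cce/{check_id}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "cce-check-by-resource-group",  # hypothetical generator name
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities/CCE"],
        "CreatedAt": stamp, "UpdatedAt": stamp,
        "Severity": {"Label": "HIGH" if status == "FAILED" else "INFORMATIONAL"},
        "Title": f"CCE {check_id} {status}",
        "Description": f"CCE check {check_id} returned {status} on {instance_id}",
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"}],
        "Compliance": {"Status": status},
    }


def findings_from_stdout(stdout, instance_id, account_id, region):
    """Run Command stdout -> list of ASFF findings ready for batch_import_findings."""
    return [to_asff(cid, evaluate(cid, lines), instance_id, account_id, region)
            for cid, lines in parse_cce_output(stdout).items()]


# Constructed sample stdout; not captured from a real instance.
SAMPLE_STDOUT = """U-04. Check Password Max Days
PASS_MAX_DAYS\t99999
U-06 (High): Check Home Env Path setting
/usr/local/bin:/usr/bin:/bin
U-08 (High): Check /etc/passwd file owner and permission
-rw-r--r-- 1 root root 1372 Mar 20 14:31 /etc/passwd
U-09 (High): Check /etc/shadow file owner and permission
-rw-r----- 1 root shadow 812 Mar 20 14:31 /etc/shadow
"""

if __name__ == "__main__":
    for f in findings_from_stdout(SAMPLE_STDOUT, "i-0123456789abcdef0",
                                  "111122223333", "ap-northeast-2"):
        print(f["Title"])
```

Passing `build_run_command_request(...)` to `boto3.client("ssm").send_command(**request)` and the list from `findings_from_stdout(...)` to `boto3.client("securityhub").batch_import_findings(Findings=...)` completes the round trip; the `Id` is deterministic per instance and check so repeated runs update the same finding instead of creating duplicates.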
After verifying your email address for SES, you receive a daily security report for the previous day at the scheduled time.
If you want today's daily security report right now, run the script below; it invokes the Lambda function with a payload, and the report arrives within a few minutes.
bash scripts/send_today_report.sh
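The daily report described above as an added Python example; this is not the sample repository's DailyEmailReportStack code. It assumes a hypothetical report-builder function set, minimal ASFF-shaped findings constructed inline, and a UTC "previous day" window (the `days_back=0` case corresponds to the "report for today" script); sending the rendered text through SES is left to the caller.

```python
"""Hypothetical daily-report builder: filter Security Hub findings to one UTC
day and render the plain-text body a scheduled SES e-mail would carry."""
from collections import Counter
from datetime import datetime, timedelta, timezone

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]


def parse_ts(stamp):
    """ASFF timestamps are ISO-8601 in UTC, e.g. 2023-03-19T14:35:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def report_window(now=None, days_back=1):
    """[start, end) for the UTC day `days_back` days before `now`;
    days_back=0 is the 'send today's report now' case."""
    now = now or datetime.now(timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    start = midnight - timedelta(days=days_back)
    return start, start + timedelta(days=1)


def select_findings(findings, start, end):
    """Keep findings updated inside the window that are not PASSED compliance
    checks; Inspector CVE findings carry no Compliance block and are kept."""
    return [f for f in findings
            if start <= parse_ts(f["UpdatedAt"]) < end
            and f.get("Compliance", {}).get("Status") != "PASSED"]


def summarize(findings):
    """Counts by severity label and by instance id (last ARN path segment)."""
    by_sev = Counter(f["Severity"]["Label"] for f in findings)
    by_inst = Counter(r["Id"].rsplit("/", 1)[-1]
                      for f in findings for r in f["Resources"])
    return by_sev, by_inst


def render_report(findings, start):
    """Plain-text e-mail body, most severe findings first."""
    by_sev, by_inst = summarize(findings)
    lines = [f"Daily security report for {start:%Y-%m-%d} (UTC)",
             f"Open findings: {len(findings)}", "", "By severity:"]
    lines += [f"  {sev:<14}{by_sev.get(sev, 0)}" for sev in SEVERITY_ORDER]
    lines += ["", "By instance:"]
    lines += [f"  {inst:<22}{n}" for inst, n in by_inst.most_common()]
    lines += ["", "Findings (most severe first):"]
    ranked = sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["Severity"]["Label"]))
    lines += [f"  [{f['Severity']['Label']}] {f['Title']}" for f in ranked]
    return "\n".join(lines)


def daily_report(findings, now=None, days_back=1):
    """Full pipeline: window -> filter -> render."""
    start, end = report_window(now, days_back)
    return render_report(select_findings(findings, start, end), start)


def _finding(title, updated, label, instance, status=None):
    """Minimal ASFF-shaped finding for the constructed sample below."""
    f = {"Title": title, "UpdatedAt": updated, "Severity": {"Label": label},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": f"arn:aws:ec2:ap-northeast-2:111122223333:instance/{instance}"}]}
    if status:
        f["Compliance"] = {"Status": status}
    return f


# Constructed sample findings; not data from a real account.
SAMPLE_FINDINGS = [
    _finding("CCE U-09 FAILED", "2023-03-19T14:35:00Z", "HIGH", "i-0aaa", "FAILED"),
    _finding("CCE U-04 PASSED", "2023-03-19T14:35:00Z", "INFORMATIONAL", "i-0aaa", "PASSED"),
    _finding("CCE U-08 FAILED", "2023-03-19T02:10:00Z", "HIGH", "i-0bbb", "FAILED"),
    _finding("Inspector package vulnerability (constructed)", "2023-03-19T23:59:59Z",
             "MEDIUM", "i-0bbb"),
    _finding("CCE U-10 FAILED", "2023-03-18T23:59:59Z", "CRITICAL", "i-0ccc", "FAILED"),
]

if __name__ == "__main__":
    print(daily_report(SAMPLE_FINDINGS, parse_ts("2023-03-20T09:00:00Z")))
```

The window is half-open and computed from UTC midnight, so a finding updated at 23:59:59 on the report day is included and one updated a second later is not; using the same boundaries for the scheduled run and the on-demand "today" run keeps the two reports from double-counting.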
cdk destroy DemoVPCStack
cdk destroy InventoryManagementStack
aws inspector2 disable --resource-types EC2
cdk destroy DailyEmailReportStack
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.