aws-samples/inventory-management-for-amazon-ec2

What is Inventory Management for EC2?

Amazon Elastic Compute Cloud (EC2) is a popular cloud computing service offered by Amazon Web Services (AWS) that allows users to rent virtual machines (VMs) in the cloud.

Managing inventory for Amazon EC2 involves tracking the various components that make up EC2 instances, including the VMs themselves, the storage volumes, and the networking components.

Introduction

This demo covers EC2 instance management with AWS services. It is aimed at DevSecOps and security engineers who want to check OS-level system metrics, CCEs, and CVEs automatically.

This demo is built for ap-northeast-2 (Seoul region).

CCE (Common Configuration Enumeration): identifiers for weaknesses in system configuration, i.e. settings that let a user act beyond their permitted privileges, or view, tamper with, or leak information outside their authorized scope.

CVE (Common Vulnerabilities and Exposures): identifiers for publicly known information security vulnerabilities and exposures.

Demo Architecture Overview

inventory-demo-architecture

AWS Services

Inventory management

  • Amazon EC2
  • AWS Resource Groups & Tag Editor

Inspect and track EC2 vulnerability

  • AWS Systems Manager
  • Amazon Inspector

Monitoring Services and Notification

  • AWS Security Hub
  • Amazon SNS
  • Amazon SES (Simple Email Service)

Quick Start

0. Requirements

1. Setup CDK

Check Your Account Role or User

aws sts get-caller-identity
git clone https://github.com/aws-samples/inventory-management-for-amazon-ec2.git
cd inventory-management-for-amazon-ec2
cdk bootstrap

2. DemoVPCStack

demoVPC

2-a. Deploy DemoVPCStack

cdk deploy DemoVPCStack

3. InventoryManagementStack

InventoryManagementWithInspector

3-a. Deploy InventoryManagementStack

cdk deploy InventoryManagementStack --parameters TargetEmail=YOUR_EMAIL@DOMAIN.COM

3-b. Verify Email for Amazon SES

ses-email-verification

3-c. Enable Inspector

aws inspector2 enable --resource-types EC2

4. DailyEmailReportStack

4-a. Deploy DailyEmailReportStack

cdk deploy DailyEmailReportStack --parameters TargetEmail=YOUR_EMAIL@DOMAIN.COM

FullInventoryManagement

4-b. Confirm the SNS Subscription for Notifications

sns-subscription

Hands On Lab: Inventory Management

1. Manage Inventory

1-a. Explore Resource with tags

In the Tag Editor, you can search your AWS resources by tag and export the results as CSV.

Go to AWS Tag Editor

img.png

1-b. Systems Manager > Session Manager > Preferences

To collect more detailed OS-level data in Fleet Manager (system performance, CPU, memory, and session access), Session Manager must be configured with KMS encryption.

  1. Deploying DemoVPCStack creates the KMS key ssm-session-key.
  2. In Session Manager preferences, enable KMS encryption with that key (alias: ssm-session-key).
  3. Monitor EC2 instance OS-level metrics and system state.

Go to Session Manager Preferences

ssm-enable-kms-for-session

1-c. Systems Manager > Inventory Manager > Setup Inventory

Go to Systems Manager Inventory

inventory-association

Once your managed instances are associated with Systems Manager Inventory, the SSM Agent collects the inventory data on the configured schedule.

ssm-inventory-dashboard

1-d. Systems Manager > Fleet Manager

Go to Systems Manager Fleet Manager

ssm-instances-file-system

ssm-instances-performance

ssm-instances-processes

ssm-instances-user-groups

2. Check CCE for EC2 Instances

2-a. Create Resource Groups

  1. Go to Resource Groups Console
    1. Select Resource Type: AWS::EC2::Instance
    2. Select Tags: Env: Dev, InventoryCategory: WAS
    3. Group Name: DevWASInstances (the name the check script and its output below use)

resource-group

2-b. Run CCE Check commands via Systems Manager without SSH

bash scripts/check_cce_param_by_resource_group.sh DevWASInstances

Outputs

{
    "Command": {
        "CommandId": "a48b66f4-ecab-4074-ad1c-5e9236afcb09",
        "DocumentName": "AWS-RunShellScript",
        "DocumentVersion": "1",
        "Comment": "",
        "ExpiresAfter": "2023-03-20T15:41:19.972000+09:00",
        "Parameters": {
            "commands": [
                "#!/bin/bash",
                "echo \"U-04. Check Password Max Days\"",
                "cat /etc/login.defs | grep PASS_MAX_DAYS",
                "echo \n\"U-06 (High): Check Home Env Path setting\"",
                "echo $PATH",
                "echo \n\"U-08 (High): Check /etc/passwd file owner and permission\"",
                "ls -l /etc/passwd",
                "echo \n\"U-09 (High): Check /etc/shadow file owner and permission\"",
                "ls -l /etc/shadow",
                "echo \n\"U-10 (High): Check /etc/hosts file owner and permission\"",
                "ls -l /etc/hosts",
                "echo \n\"U-15 (High): Check User, system init and env owner and permission\"",
                "cat /etc/passwd | grep /home"
            ],
            "executionTimeout": [
                "3600"
            ],
            "workingDirectory": [
                ""
            ]
        },
        "InstanceIds": [],
        "Targets": [
            {
                "Key": "resource-groups:Name",
                "Values": [
                    "DevWASInstances"
                ]
            }
        ],
        "RequestedDateTime": "2023-03-20T14:31:19.972000+09:00",
        "Status": "Pending",
        "StatusDetails": "Pending",
...

sns-cce-check-result

How it works

  1. After the CCE check commands run, the detailed result is available in Systems Manager Run Command.
  2. The result is delivered to AWS Security Hub as findings via Amazon CloudWatch and AWS Lambda.
  3. Events for the registered custom findings in AWS Security Hub trigger the NotifyCCEFindings Lambda function.
  4. NotifyCCEFindings sends the CCE check results via Amazon SNS (Simple Notification Service).
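The check script from 2-b and steps 1 to 4 above, as one added example in Python (this is not the project's scripts or Lambda code): the module builds a stricter version of the Run Command check list (each check prints one `ID|PASS|detail` or `ID|FAIL|detail` line and U-09 really inspects /etc/shadow), sends it to every instance in a resource group the same way the page's script targets `resource-groups:Name`, and, as the EventBridge-triggered Lambda, parses the invocation output and imports one ASFF finding per check into Security Hub with BatchImportFindings. The U-xx ids reuse the page's numbering; the thresholds, the generator name, the finding type string and the event field names are this example's assumptions.

```python
"""CCE checks via SSM Run Command -> ASFF findings in Security Hub.
Added example; not the project's own scripts or Lambda code."""
from datetime import datetime, timezone


def _perm_check(cid, title, path, forbidden_other_bits):
    """Bash snippet: PASS when PATH is owned by root and none of the 'other'
    permission bits in FORBIDDEN_OTHER_BITS (an octal digit) are set."""
    snippet = (
        f"o=$(stat -c %U {path}); m=$(stat -c %a {path}); "
        f"if [ \"$o\" = root ] && [ $((8#$m & {forbidden_other_bits})) -eq 0 ]; "
        "then s=PASS; else s=FAIL; fi; "
        f"echo \"{cid}|$s|{path} owner=$o mode=$m\""
    )
    return title, snippet


# Check id -> (title, bash snippet). Thresholds (90 days, permission bits) are
# this example's assumptions, not values taken from the project.
CCE_CHECKS = {
    "U-04": ("Password max age (PASS_MAX_DAYS) is 90 days or less",
             "d=$(awk '$1==\"PASS_MAX_DAYS\"{print $2}' /etc/login.defs); "
             "if [ -n \"$d\" ] && [ \"$d\" -le 90 ]; then s=PASS; else s=FAIL; fi; "
             "echo \"U-04|$s|PASS_MAX_DAYS=${d:-unset}\""),
    "U-08": _perm_check("U-08", "/etc/passwd owned by root, not world-writable", "/etc/passwd", 2),
    "U-09": _perm_check("U-09", "/etc/shadow owned by root, no access for others", "/etc/shadow", 7),
    "U-10": _perm_check("U-10", "/etc/hosts owned by root, not world-writable", "/etc/hosts", 2),
}


def build_commands():
    """'commands' parameter for AWS-RunShellScript. The shebang matters: the
    snippets use bash arithmetic (8#mode) that /bin/sh on Debian does not have."""
    return ["#!/bin/bash"] + [snippet for _, snippet in CCE_CHECKS.values()]


def send_cce_check(resource_group, region):
    """Target every instance in RESOURCE_GROUP, like the page's script does."""
    import boto3  # imported here so parsing/ASFF code runs without AWS credentials
    resp = boto3.client("ssm", region_name=region).send_command(
        DocumentName="AWS-RunShellScript",
        Targets=[{"Key": "resource-groups:Name", "Values": [resource_group]}],
        Parameters={"commands": build_commands(), "executionTimeout": ["3600"]})
    return resp["Command"]["CommandId"]


def parse_cce_output(stdout):
    """stdout of one instance -> {check_id: (status, detail)}; any line not in
    the ID|STATUS|detail shape (banners, stat errors) is ignored."""
    results = {}
    for line in stdout.splitlines():
        parts = line.strip().split("|", 2)
        if len(parts) == 3 and parts[0] in CCE_CHECKS and parts[1] in ("PASS", "FAIL"):
            results[parts[0]] = (parts[1], parts[2])
    return results


def to_asff(results, account_id, region, instance_id, command_id, now=None):
    """ASFF findings for BatchImportFindings. Id is stable per instance+check so
    a re-run updates the finding (and its Compliance.Status) instead of duplicating."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    product_arn = f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"
    findings = []
    for cid, (status, detail) in sorted(results.items()):
        findings.append({
            "SchemaVersion": "2018-10-08",
            "Id": f"cce/{instance_id}/{cid}",
            "ProductArn": product_arn,
            "GeneratorId": "cce-runcommand-check",  # assumed name
            "AwsAccountId": account_id,
            "Types": ["Software and Configuration Checks/Vulnerabilities/CCE"],  # assumed classifier
            "CreatedAt": stamp, "UpdatedAt": stamp,
            "Severity": {"Label": "HIGH" if status == "FAIL" else "INFORMATIONAL"},
            "Title": f"{cid}: {CCE_CHECKS[cid][0]}",
            "Description": f"{detail} (Run Command {command_id})",
            "Compliance": {"Status": "PASSED" if status == "PASS" else "FAILED"},
            "Resources": [{"Type": "AwsEc2Instance", "Region": region,
                           "Id": f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"}],
        })
    return findings


def lambda_handler(event, context):
    """EventBridge target for 'EC2 Command Invocation Status-change Notification'
    (one event per instance). Detail field names are assumed from that event."""
    import boto3
    detail = event["detail"]
    if detail.get("status") != "Success":
        return {"imported": 0}
    inv = boto3.client("ssm").get_command_invocation(
        CommandId=detail["command-id"], InstanceId=detail["instance-id"])
    # StandardOutputContent is truncated (first 24,000 chars); route long output to S3.
    results = parse_cce_output(inv["StandardOutputContent"])
    findings = to_asff(results, event["account"], event["region"],
                       detail["instance-id"], detail["command-id"])
    if not findings:
        return {"imported": 0}
    resp = boto3.client("securityhub").batch_import_findings(Findings=findings)
    return {"imported": resp["SuccessCount"], "failed": resp["FailedCount"]}


# Constructed sample of one instance's stdout (not captured from a real host).
SAMPLE_STDOUT = """U-04|PASS|PASS_MAX_DAYS=90
U-08|PASS|/etc/passwd owner=root mode=644
U-09|FAIL|/etc/shadow owner=root mode=644
U-10|PASS|/etc/hosts owner=root mode=644
"""

if __name__ == "__main__":
    for f in to_asff(parse_cce_output(SAMPLE_STDOUT), "123456789012",
                     "ap-northeast-2", "i-0123456789abcdef0", "example"):
        print(f["Compliance"]["Status"], f["Title"])
```

Because each finding `Id` is fixed per instance and check, the daily re-run flips `Compliance.Status` on the existing finding rather than piling up duplicates, and Security Hub keeps ownership of `WorkflowStatus` and `RecordState`. The PASS/FAIL decision is made on the instance, so the Lambda only has to parse a fixed shape; free-form `ls -l` output, as in the page's script, would need a regex per check and silently mis-parse on a locale or distribution change.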

3. Monitoring and Notification

3-a. Security Hub Dashboard

Go to Security Hub Console

securityhub-console

3-c. Daily Security Report

After verifying your email address for SES, you receive a daily security report covering the previous day at the scheduled time.

If you want today's report right away, run the script below; it invokes the report Lambda function with a payload, and the report arrives within a few minutes.

bash scripts/send_today_report.sh

daily-security-report
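A report Lambda matching this step, as an added example in Python (not the DailyEmailReportStack code): it computes the previous UTC day, queries Security Hub for active findings updated in that window (paginated, since get_findings returns at most 100 per call), summarises them by severity and resource, and mails the text through SES. A payload of `{"today": true}` switches the window to the current day so far, which is what a script like `send_today_report.sh` would pass. The filter choices, the report layout, the environment variable names and the sample findings are assumptions.

```python
"""Daily Security Hub report over the previous day's findings, sent with SES.
Added example; not the project's DailyEmailReportStack code."""
from collections import Counter
from datetime import datetime, timedelta, timezone

TS = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 UTC, the form Security Hub date filters accept


def previous_day_window(now):
    """Return [start, end) of the UTC calendar day before NOW (NOW may be in any tz)."""
    today = now.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return today - timedelta(days=1), today


def findings_filter(start, end):
    """get_findings Filters: active findings still needing attention, updated in [start, end)."""
    return {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"},
                           {"Value": "NOTIFIED", "Comparison": "EQUALS"}],
        "UpdatedAt": [{"Start": start.strftime(TS), "End": end.strftime(TS)}],
    }


def fetch_findings(filters, region):
    """Pull every page; a single get_findings call returns at most 100 findings."""
    import boto3  # imported here so the pure functions run without AWS credentials
    paginator = boto3.client("securityhub", region_name=region).get_paginator("get_findings")
    return [f for page in paginator.paginate(Filters=filters) for f in page["Findings"]]


def summarize(findings):
    """Counts per severity label and per resource, plus titles of failed compliance checks."""
    by_sev = Counter(f.get("Severity", {}).get("Label", "INFORMATIONAL") for f in findings)
    by_res = Counter(r["Id"] for f in findings for r in f.get("Resources", []))
    failed = sorted({f["Title"] for f in findings
                     if f.get("Compliance", {}).get("Status") == "FAILED"})
    return {"total": len(findings), "by_severity": dict(by_sev),
            "by_resource": dict(by_res), "failed_titles": failed}


def render_report(summary, start):
    """Plain-text body; the first line doubles as the mail subject."""
    order = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]
    lines = [f"Security report for {start:%Y-%m-%d} (UTC)", f"Findings: {summary['total']}", ""]
    lines += [f"  {sev:<14}{summary['by_severity'].get(sev, 0)}" for sev in order]
    top = sorted(summary["by_resource"].items(), key=lambda kv: (-kv[1], kv[0]))[:10]
    lines += ["", "Resources with most findings:"] + [f"  {rid}: {n}" for rid, n in top]
    lines += ["", "Failed checks:"] + [f"  - {t}" for t in summary["failed_titles"]]
    return "\n".join(lines)


def send_report(body, sender, recipient, region):
    """SES rejects unverified identities: SENDER always, RECIPIENT too while in the sandbox."""
    import boto3
    resp = boto3.client("ses", region_name=region).send_email(
        Source=sender, Destination={"ToAddresses": [recipient]},
        Message={"Subject": {"Data": body.splitlines()[0]},
                 "Body": {"Text": {"Data": body}}})
    return resp["MessageId"]


def lambda_handler(event, context):
    """Scheduled daily. Invoke with payload {"today": true} for the current day so far.
    SENDER_EMAIL / TARGET_EMAIL are assumed environment variable names."""
    import os
    now = datetime.now(timezone.utc)
    start, end = previous_day_window(now)
    if event.get("today"):
        start, end = end, now  # from today's UTC midnight up to now
    region = os.environ.get("AWS_REGION", "ap-northeast-2")
    findings = fetch_findings(findings_filter(start, end), region)
    body = render_report(summarize(findings), start)
    return send_report(body, os.environ["SENDER_EMAIL"], os.environ["TARGET_EMAIL"], region)


# Constructed sample "now" in KST (UTC+9), like the timestamps in the page's Run Command output.
SAMPLE_NOW = datetime(2023, 3, 20, 14, 31, tzinfo=timezone(timedelta(hours=9)))

# Constructed sample findings (minimal ASFF subset), not data from a real account.
SAMPLE_FINDINGS = [
    {"Title": "U-09: /etc/shadow owned by root, no access for others",
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"},
     "Resources": [{"Id": "arn:aws:ec2:ap-northeast-2:123456789012:instance/i-0a"}]},
    {"Title": "Inspector package vulnerability (constructed sample)", "Severity": {"Label": "HIGH"},
     "Resources": [{"Id": "arn:aws:ec2:ap-northeast-2:123456789012:instance/i-0a"}]},
    {"Title": "U-04: Password max age (PASS_MAX_DAYS) is 90 days or less",
     "Severity": {"Label": "INFORMATIONAL"}, "Compliance": {"Status": "PASSED"},
     "Resources": [{"Id": "arn:aws:ec2:ap-northeast-2:123456789012:instance/i-0b"}]},
]

if __name__ == "__main__":
    start, _ = previous_day_window(SAMPLE_NOW)
    print(render_report(summarize(SAMPLE_FINDINGS), start))
```

The window is computed in UTC and printed as such in the subject, because Security Hub stores `UpdatedAt` in UTC; a schedule expressed in KST would otherwise shift which findings land in which day's report. Filtering on `WorkflowStatus` NEW/NOTIFIED keeps suppressed and resolved findings out of the mail without changing anything in Security Hub itself.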

Clean Up Resources

Clean Up DemoVPC Stack

cdk destroy DemoVPCStack

Clean Up InventoryManagementStack

cdk destroy InventoryManagementStack

Disable Amazon Inspector2

aws inspector2 disable --resource-types EC2

Clean Up Email Notification Stack

cdk destroy DailyEmailReportStack

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

About

Inventory Management for amazon EC2 Demo CDK
