28 September 22

How to Use Amazon Inspector

Posted by INE

In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Purpose:

When we push a Docker image to ECR, it is quite possible that the image contains vulnerabilities that an attacker could exploit, so having a service that can detect such vulnerabilities becomes vital. In this article, we will learn how to install a vulnerable component on an EC2 instance, pack it into a Docker image, push it to ECR, and detect the vulnerability using the Amazon Inspector service.

Technical difficulty:

|   Novice   |   Beginner   |   Competent   |   Proficient   |   Expert


What is Amazon Elastic Container Registry?

Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using AWS IAM, so that specified users or Amazon EC2 instances can access your container repositories and images. You can use your preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.


What is the Amazon Inspector service?

Amazon Inspector is a vulnerability management service that scans your AWS workloads for vulnerabilities on a continuous basis. Amazon Inspector detects and scans Amazon EC2 instances and container images in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.


Amazon Inspector generates a finding when a software vulnerability or network issue is discovered. A finding describes the vulnerability, identifies the affected resource, rates the severity of the vulnerability, and offers remediation advice. Details of an account finding can be analyzed in a variety of ways using the Amazon Inspector console, or you can view and process your findings using other AWS services.

Finding types in Amazon Inspector

Amazon Inspector generates findings for the following AWS resources: Amazon EC2 instances and container images residing in Amazon ECR repositories.

Following are the finding types identified by Amazon Inspector:

  • Package vulnerability
  • Network reachability

Package vulnerability findings identify software packages in your environment that are exposed to common vulnerabilities and exposures (CVEs). Attackers can use unpatched vulnerabilities to compromise data confidentiality, integrity, or availability, as well as gain access to other systems. The CVE system is a reference method for publicly known information security vulnerabilities and exposures. Package vulnerability findings are generated for both Amazon EC2 instances and ECR container images.

Network reachability findings indicate that there are allowed network paths to Amazon EC2 instances in your environment. These findings appear when your TCP and UDP ports are reachable from the VPC edges such as an internet gateway, a VPC peering connection, or a VPN through a virtual gateway. These findings highlight network configurations that may be overly permissive, such as mismanaged security groups, ACLs, or IGWs, or that may allow for potentially malicious access. Network reachability findings are generated only for Amazon EC2 resources.

Now that we have covered all the key terms for the lab, let's carry out the experiment.

Lab Scenario

We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab Link: Amazon Inspector

Objective

Install a vulnerable component on an Amazon EC2 instance, pack the same vulnerable component into a container image residing in ECR, and detect the vulnerability using Amazon Inspector.

Solution

Step 1: Click the lab link button to get access credentials. Log in to the AWS account with these credentials.


Step 2: Search for inspector in the search bar and navigate to the Inspector dashboard.



Step 4: Enable Inspector by clicking the “Enable Inspector” button.



The Amazon Inspector dashboard provides a snapshot of aggregated statistics for your Amazon resources. These statistics include key metrics for resource coverage and active vulnerabilities. The dashboard also displays groups of aggregated findings data for your account, such as the EC2 instances with the most critical findings.

The Environment coverage section provides statistics about the resources scanned by Amazon Inspector. In this section, you can see the count and percentage of Amazon EC2 instances and Amazon ECR images scanned by Amazon Inspector.



Now create an EC2 instance and install a vulnerable package.

Step 5: Search for EC2 in the search bar and navigate to the EC2 dashboard.


Step 6: Click on the “Launch instance” option.


Step 7: Set name as “lab-instance” and choose “Amazon Linux” from Quick Start.


Step 8: In the key pair section, choose the option to proceed without a key pair.



Step 9: Now choose “Create security group” and allow SSH traffic.



Step 10: Click on the “Launch instance” button.



In order for Amazon Inspector to detect software vulnerabilities for an EC2 instance, the instance must be a managed instance in Amazon EC2 Systems Manager (SSM). An SSM managed instance has the SSM Agent installed and running, and has an attached IAM instance profile that allows SSM to manage the instance.

Step 11: Click the instance ID after the state turns “Running”.


Step 12: Select “Modify IAM role” from Security under the actions drop-down.



Step 13: Click on “Create new IAM role”.



Step 14: Click on “Create role”.



Step 15: Choose trusted entity type as “AWS service” and use case as “EC2”.



Step 16: Search for “ssmfull” in the policies search bar, select “AmazonSSMFullAccess”, and click the “Next” button.

AmazonSSMFullAccess is an AWS managed policy that grants full access to the Systems Manager API and documents.



Step 17: Set role name as “SSM_Full_Access”.



Step 18: Click on “Create role”.



Step 19: Navigate back to the EC2 instance and attach the role to the instance. Click the refresh button.



Step 20: Select “SSM_Full_Access” and click on the “Update IAM role” button.


The IAM role is now attached to the instance.
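The role built in Steps 12 to 20 only has to satisfy Inspector's prerequisite: EC2 must be able to assume it, and it must let the SSM Agent register the instance. The following is an added example, not part of the INE lab or of any AWS tooling, that checks a role definition for exactly those two things offline. The two policy ARNs are real AWS managed policies; the check functions and the least-privilege note (AmazonSSMManagedInstanceCore is all the agent needs, AmazonSSMFullAccess as used in the lab is far broader) are the example's own.

```python
"""Review an EC2 instance role against Amazon Inspector's SSM prerequisite.

Added example; it does not call AWS. It checks the trust policy and the
attached managed policies of a role as they would appear in IAM.
"""
import json

# Real AWS managed policy ARNs. Core is the least-privilege choice for the
# SSM Agent; Full is what the lab attaches.
SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
SSM_FULL_POLICY = "arn:aws:iam::aws:policy/AmazonSSMFullAccess"


def build_ec2_trust_policy() -> dict:
    """Trust policy the console's 'AWS service / EC2' use case produces (Step 15)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def trusts_ec2(trust_policy: dict) -> bool:
    """True if some Allow statement lets the EC2 service call sts:AssumeRole."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        if "sts:AssumeRole" in actions and "ec2.amazonaws.com" in services:
            return True
    return False


def review_instance_role(trust_policy: dict, attached_policy_arns: list) -> list:
    """Return a list of issues; an empty list means the role is fine for Inspector."""
    issues = []
    if not trusts_ec2(trust_policy):
        issues.append("trust policy does not allow ec2.amazonaws.com to call sts:AssumeRole")
    attached = set(attached_policy_arns)
    if SSM_CORE_POLICY not in attached and SSM_FULL_POLICY not in attached:
        issues.append("no SSM policy attached; the SSM Agent cannot register the instance")
    if SSM_FULL_POLICY in attached:
        issues.append("AmazonSSMFullAccess is broader than needed; "
                      "AmazonSSMManagedInstanceCore is sufficient for agent registration")
    return issues


if __name__ == "__main__":
    policy = build_ec2_trust_policy()
    print(json.dumps(policy, indent=2))
    # Role as created in the lab: works, but over-privileged.
    print(review_instance_role(policy, [SSM_FULL_POLICY]))
    # Least-privilege alternative: no issues.
    print(review_instance_role(policy, [SSM_CORE_POLICY]))
```

The lab's role passes the functional check but trips the over-privilege warning; swapping the attached policy for AmazonSSMManagedInstanceCore keeps Inspector working with the minimum the agent needs.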


Step 21: Now stop and start the instance for the configuration to take effect. Click on “Stop” under “Instance state”.


Click on “Stop” and confirm.


Successfully “Stopped” the instance.


Step 22: Click on “Start instance” under “Instance state”.



Successfully started the instance.



Step 23: Now, click on “Connect”.



Step 24: Select “Session Manager” and click on the “Connect” button.

Note: If it shows any configuration issue, start and stop the instance again.


Step 25: Select the bash shell, switch to the root user, and execute the following commands in the shell to install a vulnerable httpd package.

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on the client-side connection header hop-by-hop mechanism. An unauthenticated attacker with network access to the data plane may exploit this vulnerability to bypass IP-based authentication on the origin server or application (CVE-2022-31813).

Commands:

bash

sudo su

yum -y update && yum -y install httpd-2.4.53


Successfully installed the httpd package, version 2.4.53.


Now create an image repository and push a docker image.

Step 26: Search for “Elastic container registry” in the search bar and navigate to the ECR dashboard.


Step 27: Click on “Get Started”.



Step 28: Set visibility as “Private” and repository name as “web-server”.



Step 29: Click on the “Create repository” button.



Step 30: The private repository has been created. Click on “web-server”.


There are no images available in the repository.



Step 31: Click on “View push commands”.


Follow these steps on the local machine to push the image to the created repository.


Step 32: Switch to root user.

Command: sudo su


Step 33: Configure AWS CLI using the provided credentials.

Command: aws configure



Step 34: Retrieve an authentication token and authenticate your Docker client to your registry.

Command: aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 843926034173.dkr.ecr.us-west-2.amazonaws.com


Step 35: Create a new directory to set up a Dockerfile.

Command: mkdir ecr


Step 36: Navigate to the “ecr” directory.

Command: cd ecr


Step 37: Use nano to create a Dockerfile with the following code.

Command: nano Dockerfile


Paste the following code into the file. When built, it packs the vulnerable httpd package into the image.

Dockerfile:

FROM amazonlinux:latest

USER root

RUN yum -y update && yum -y install httpd-2.4.53



Step 38: Build your Docker image using the following command.

Command: docker build -t web-server .



Step 39: Tag the image to push the image to the created repository.

Command: docker tag web-server:latest 843926034173.dkr.ecr.us-west-2.amazonaws.com/web-server:latest



Step 40: Execute the following command to push this image to your newly created AWS repository.

Command: docker push 843926034173.dkr.ecr.us-west-2.amazonaws.com/web-server:latest


Successfully pushed the created image.
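Two things go wrong in practice with Steps 34 to 40: the reference given to docker tag points at a different registry than the one docker login authenticated to (the push is rejected, or lands in the wrong account), and the image is pushed under a mutable tag such as latest, so a later Inspector finding cannot be tied to one specific build. The following added example, which is not part of the INE lab, parses an ECR image reference and flags both problems before the push. The account ID and region are the lab's; the parsing rules and warning texts are the example's own.

```python
"""Parse and sanity-check an ECR image reference before `docker tag` / `docker push`.

Added example; no AWS or Docker calls are made.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Private ECR registry host: <12-digit account id>.dkr.ecr.<region>.amazonaws.com
_ECR_HOST = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)
# Docker tag grammar: up to 128 chars of [A-Za-z0-9_.-], not starting with '.' or '-'
_TAG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
# Tag names that get overwritten by every push and so identify no single build.
MUTABLE_TAGS = {"latest", "stable", "main", "master"}


@dataclass(frozen=True)
class EcrImageRef:
    account: str
    region: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def registry(self) -> str:
        return f"{self.account}.dkr.ecr.{self.region}.amazonaws.com"


def parse_ecr_ref(ref: str) -> EcrImageRef:
    """Split `<registry>/<repo>[:tag][@sha256:digest]` into parts, or raise ValueError."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
            raise ValueError(f"malformed digest: {digest}")
    host, sep, path = ref.partition("/")
    if not sep:
        # "web-server:latest" alone is a Docker Hub reference, not an ECR one.
        raise ValueError("reference has no registry host; docker would push to Docker Hub")
    m = _ECR_HOST.match(host)
    if not m:
        raise ValueError(f"not a private ECR registry host: {host}")
    repo, _, tag = path.partition(":")
    if not repo or not re.fullmatch(r"[a-z0-9]+(?:[._/-][a-z0-9]+)*", repo):
        raise ValueError(f"invalid repository name: {repo!r}")
    if tag and not _TAG.match(tag):
        raise ValueError(f"invalid tag: {tag!r}")
    return EcrImageRef(m["account"], m["region"], repo, tag or None, digest)


def check_push_target(ref: str, logged_in_registry: str) -> List[str]:
    """Return warnings for a reference that would push somewhere other than intended."""
    warnings = []
    image = parse_ecr_ref(ref)
    if image.registry != logged_in_registry:
        warnings.append(f"registry {image.registry} differs from login target {logged_in_registry}")
    if image.tag is None and image.digest is None:
        warnings.append("no tag given; docker will push as :latest")
    if image.tag in MUTABLE_TAGS:
        warnings.append(f"tag {image.tag!r} is mutable; prefer an immutable tag or a digest "
                        "so findings can be traced to one build")
    return warnings


if __name__ == "__main__":
    registry = "843926034173.dkr.ecr.us-west-2.amazonaws.com"   # from Step 34
    for candidate in (f"{registry}/web-server:latest", f"{registry}/web-server:build-0042"):
        print(candidate, "->", check_push_target(candidate, registry) or "ok")
```

The reference used in Step 39 parses cleanly but draws the mutable-tag warning; the same image tagged with a build number passes. Enabling tag immutability on the repository makes ECR enforce the same rule server-side.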


Step 41: Navigate back to the Inspector dashboard and check out the environment coverage.

Now we have one instance and one repository with 100% coverage.


Step 42: Click on “By vulnerability” under findings in the navigation pane.


Notice the vulnerabilities detected by Inspector. The following findings relate to the httpd package that we installed on the instance and in the repository image.


Step 43: Click on “CVE-2022-31813” to get more information about the detected vulnerability.


Click on the title and check the finding details.



Click on “By instance” to get the vulnerability details from the instance.



Click on “By container image” to get the vulnerability details from the image.


Click on “All findings” to get all the vulnerability details.



Successfully enabled Amazon Inspector and detected the vulnerabilities from the instance and container image.
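The two finding types described under "Finding types in Amazon Inspector" and the "By vulnerability", "By instance" and "By container image" views used in the last steps are easiest to understand as data: each view is a different grouping of the same finding records. The following added example, which is not part of the INE lab, does that grouping and derives one remediation line per finding. The three records are constructed to follow the field names of Inspector's ListFindings response (type, severity, resources, packageVulnerabilityDetails, networkReachabilityDetails); the CVE, package version and account ID come from the lab, while the finding ARNs, instance ID, image digest and the open port are made up, and the fixed version is the upstream httpd release that addresses the CVE rather than a distro package version.

```python
"""Group and triage Amazon Inspector findings the way the console views do.

Added example; the records are constructed, not exported from an account.
"""
from collections import defaultdict

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"]

# Constructed sample records in the shape of the inspector2 ListFindings output.
SAMPLE_FINDINGS = [
    {   # package vulnerability on the lab's EC2 instance
        "findingArn": "arn:aws:inspector2:us-west-2:843926034173:finding/constructed-0001",
        "type": "PACKAGE_VULNERABILITY",
        "severity": "HIGH",
        "title": "CVE-2022-31813 - httpd",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0constructed0000001"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-2022-31813",
            # 2.4.54 is the upstream fix; a real finding carries the distro package version
            "vulnerablePackages": [{"name": "httpd", "version": "2.4.53", "fixedInVersion": "2.4.54"}],
        },
    },
    {   # the same CVE found in the web-server image pushed to ECR
        "findingArn": "arn:aws:inspector2:us-west-2:843926034173:finding/constructed-0002",
        "type": "PACKAGE_VULNERABILITY",
        "severity": "HIGH",
        "title": "CVE-2022-31813 - httpd",
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE",
                       "id": "arn:aws:ecr:us-west-2:843926034173:repository/web-server/sha256:constructed"}],
        "packageVulnerabilityDetails": {
            "vulnerabilityId": "CVE-2022-31813",
            "vulnerablePackages": [{"name": "httpd", "version": "2.4.53", "fixedInVersion": "2.4.54"}],
        },
    },
    {   # network reachability: the lab's security group allows SSH from anywhere (constructed)
        "findingArn": "arn:aws:inspector2:us-west-2:843926034173:finding/constructed-0003",
        "type": "NETWORK_REACHABILITY",
        "severity": "MEDIUM",
        "title": "Port 22 is reachable from an Internet Gateway",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0constructed0000001"}],
        "networkReachabilityDetails": {"protocol": "TCP", "openPortRange": {"begin": 22, "end": 22}},
    },
]


def by_vulnerability(findings):
    """Console 'By vulnerability': CVE id -> set of affected resource ids."""
    out = defaultdict(set)
    for f in findings:
        if f["type"] != "PACKAGE_VULNERABILITY":
            continue
        cve = f["packageVulnerabilityDetails"]["vulnerabilityId"]
        for r in f["resources"]:
            out[cve].add(r["id"])
    return dict(out)


def by_resource(findings, resource_type):
    """Console 'By instance' / 'By container image': resource id -> findings, worst first."""
    out = defaultdict(list)
    for f in findings:
        for r in f["resources"]:
            if r["type"] == resource_type:
                out[r["id"]].append(f)
    for lst in out.values():
        lst.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return dict(out)


def fix_available(finding):
    """True if Inspector reports a fixed version for at least one vulnerable package."""
    pkgs = finding.get("packageVulnerabilityDetails", {}).get("vulnerablePackages", [])
    return any(p.get("fixedInVersion") for p in pkgs)


def remediation_lines(findings):
    """One actionable line per finding: a package to update, or a port to restrict."""
    lines = []
    for f in findings:
        rid = ", ".join(r["id"] for r in f["resources"])
        if f["type"] == "PACKAGE_VULNERABILITY":
            for p in f["packageVulnerabilityDetails"]["vulnerablePackages"]:
                fix = p.get("fixedInVersion")
                action = (f"update {p['name']} {p['version']} to {fix}" if fix
                          else f"no fix published for {p['name']}; mitigate or isolate")
                lines.append(f"[{f['severity']}] {rid}: {action}")
        else:
            net = f["networkReachabilityDetails"]
            rng = net["openPortRange"]
            lines.append(f"[{f['severity']}] {rid}: restrict {net['protocol']} "
                         f"{rng['begin']}-{rng['end']} in the security group")
    return lines


if __name__ == "__main__":
    print(by_vulnerability(SAMPLE_FINDINGS))
    print({k: [f["title"] for f in v] for k, v in by_resource(SAMPLE_FINDINGS, "AWS_EC2_INSTANCE").items()})
    print({k: [f["title"] for f in v] for k, v in by_resource(SAMPLE_FINDINGS, "AWS_ECR_CONTAINER_IMAGE").items()})
    print("\n".join(remediation_lines(SAMPLE_FINDINGS)))
```

With the sample data the "By vulnerability" view shows one CVE affecting two resources, the instance view lists the package finding above the network finding, and the image view contains only the package finding, which is what the lab's screens show for the real account.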


Conclusion

Congratulations! We successfully installed a vulnerable component on an Amazon EC2 instance, packed the same component into a container image residing in ECR, and detected the vulnerability using Amazon Inspector.

Try out Amazon Inspector hands-on in our lab! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

© 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.