How to Use Amazon Inspector
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
Purpose:
When we push a Docker image to ECR, it is quite possible that the image carries vulnerabilities an attacker could exploit. Having a service that detects such vulnerabilities therefore becomes vital. In this article, we will learn how to install a vulnerable package on an EC2 instance, pack the same package into a Docker image, push that image to ECR, and detect the vulnerability in both places using the Amazon Inspector service.
Technical difficulty:
| Novice | Beginner | Competent | Proficient | Expert
What is Amazon Elastic Container Registry?
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using AWS IAM, so that only specified users or Amazon EC2 instances can access your container repositories and images. You can use your preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.
What is Amazon Inspector service?
Amazon Inspector is a vulnerability management service that scans your AWS workloads for vulnerabilities on a continuous basis. Amazon Inspector detects and scans Amazon EC2 instances and container images in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.
Amazon Inspector generates a finding when a software vulnerability or network issue is discovered. A finding describes the vulnerability, identifies the affected resource, rates the severity of the vulnerability, and offers remediation advice. Details of an account finding can be analyzed in a variety of ways using the Amazon Inspector console, or you can view and process your findings using other AWS services.
Finding types in Amazon Inspector
Amazon Inspector generates findings for the following AWS resources: Amazon EC2 instances, and container images residing in Amazon ECR repositories.
Following are the finding types identified by Amazon Inspector:
- Package vulnerability
- Network reachability
Package vulnerability findings identify software packages in your environment that are exposed to common vulnerabilities and exposures (CVEs). Attackers can use unpatched vulnerabilities to compromise data confidentiality, integrity, or availability, as well as gain access to other systems. The CVE system is a reference method for publicly known information security vulnerabilities and exposures. Package vulnerability findings are generated for both Amazon EC2 instances and ECR container images.
Network reachability findings indicate that there are allowed network paths to Amazon EC2 instances in your environment. These findings appear when your TCP and UDP ports are reachable from the VPC edges such as an internet gateway, a VPC peering connection, or a VPN through a virtual gateway. These findings highlight network configurations that may be overly permissive, such as mismanaged security groups, ACLs, or IGWs, or that may allow for potentially malicious access. Network reachability findings are generated only for Amazon EC2 resources.
Now that we have covered all the key terms for the lab, let's carry out the experiment.
Lab Scenario
We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.
Lab Link: Amazon Inspector
Objective
Install a vulnerable component on an Amazon EC2 instance, pack the same component into a container image stored in ECR, and detect the vulnerability in both places using Amazon Inspector.
Solution
Step 1: Click the lab link button to get access credentials. Login to the AWS account with these credentials.
Step 2: Search for inspector in the search bar and navigate to the Inspector dashboard.
Step 4: Enable the inspector by clicking the “Enable Inspector” button.
The Amazon Inspector dashboard provides a snapshot of aggregated statistics for your Amazon resources. These statistics include key metrics for resource coverage and active vulnerabilities. The dashboard also displays groups of aggregated findings data for your account, such as EC2 instances with most critical findings.
The Environment coverage section provides statistics about the resources scanned by Amazon Inspector. In this section, you can see the count and percentage of Amazon EC2 instances and Amazon ECR images scanned by Amazon Inspector.
Now create an EC2 instance and install a vulnerable package.
Step 5: Search for EC2 in the search bar and navigate to the EC2 dashboard.
Step 6: Click on the “Launch instance” option.
Step 7: Set name as “lab-instance” and choose “Amazon Linux” from Quick Start.
Step 8: In the key pair section, choose the option to proceed without a key pair.
Step 9: Now choose “Create security group” and allow SSH traffic.
Step 10: Click on the “Launch instance” button.
In order for Amazon Inspector to detect software vulnerabilities on an EC2 instance, the instance must be a managed instance in AWS Systems Manager (SSM). An SSM managed instance has the SSM Agent installed and running, and has an attached IAM instance profile that allows the agent to register with Systems Manager. The SSM Agent is preinstalled on Amazon Linux AMIs, so for this lab only the instance profile is missing.
Step 11: Click the instance id after the state turns “Running”.
Step 12: Select “Modify IAM role” from Security under the actions drop-down.
Step 13: Click on “Create new IAM role”.
Step 14: Click on “Create role”.
Step 15: Choose trusted entity type as “AWS service” and use case as “EC2”.
Step 16: Search “ssmfull” in policies search bar and select “AmazonSSMFullAccess” and click on “Next” button.
AmazonSSMFullAccess is an AWS managed IAM policy that grants full access to the Systems Manager API and documents. It is far broader than the agent needs: the least-privilege choice for a managed instance is the AmazonSSMManagedInstanceCore managed policy, and an instance holding a FullAccess role could, if compromised, run commands on every other managed instance in the account and read Parameter Store values. The lab uses FullAccess only for simplicity.
Step 17: Set role name as “SSM_Full_Access”.
Step 18: Click on “Create role”.
Step 19: Navigate back to the EC2 instance and attach a role with the instance. Click on the refresh button.
Step 20: Select “SSM_Full_Access” and click on the “Update IAM role” button.
Successfully attached an IAM role with the instance.
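The same role and instance profile can be created with the API instead of the console clicks above. The following is an added example, not part of the INE lab or the AWS SDK: it creates the role with the least-privilege AmazonSSMManagedInstanceCore policy rather than AmazonSSMFullAccess and associates it with a running instance. The `iam` and `ec2` arguments are meant to be boto3 clients (`boto3.client("iam")`, `boto3.client("ec2")`); they are passed in rather than created so the flow can also run offline against the tiny recording stand-in at the bottom. The role, profile and instance IDs are placeholders.

```python
"""Create a least-privilege SSM instance role and attach it to an instance.

Added example (not INE's or AWS's code). The clients are duck-typed boto3
clients so the logic can be exercised offline with RecordingClient.
"""
import json

# Trust policy: only the EC2 service may assume this role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# What the SSM Agent needs (register, poll, Session Manager) versus what the
# lab attaches. FullAccess would also let a compromised instance send
# commands to other managed instances and read Parameter Store.
MINIMAL_SSM_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
OVERBROAD_SSM_POLICY = "arn:aws:iam::aws:policy/AmazonSSMFullAccess"


def create_ssm_instance_role(iam, role_name, instance_profile_name=None):
    """Create the role, attach the minimal policy, wrap it in an instance
    profile (EC2 attaches profiles, not roles). Returns the profile name."""
    profile = instance_profile_name or role_name
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY),
        Description="Minimal role for SSM-managed EC2 instances",
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=MINIMAL_SSM_POLICY)
    iam.create_instance_profile(InstanceProfileName=profile)
    iam.add_role_to_instance_profile(InstanceProfileName=profile,
                                     RoleName=role_name)
    return profile


def attach_to_instance(ec2, instance_id, instance_profile_name):
    """Associate the profile with a running instance. The agent registers
    once it picks up the new credentials; restarting the agent or the
    instance, as the lab does, just speeds that up."""
    return ec2.associate_iam_instance_profile(
        IamInstanceProfile={"Name": instance_profile_name},
        InstanceId=instance_id,
    )


def attached_policies_are_minimal(policy_arns):
    """Audit helper: True only if the role carries the managed-instance-core
    policy and not the FullAccess one."""
    arns = set(policy_arns)
    return MINIMAL_SSM_POLICY in arns and OVERBROAD_SSM_POLICY not in arns


class RecordingClient:
    """Stand-in for a boto3 client: records every call as (name, kwargs)
    and echoes the kwargs back, so the flow can be checked offline."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {"Call": name, **kwargs}
        return method


if __name__ == "__main__":
    iam, ec2 = RecordingClient(), RecordingClient()
    profile = create_ssm_instance_role(iam, "SSM_Managed_Instance_Core")
    attach_to_instance(ec2, "i-0123456789abcdef0", profile)  # placeholder id
    for name, kwargs in iam.calls + ec2.calls:
        print(name, json.dumps(kwargs, sort_keys=True))
```

With real boto3 clients the four IAM calls and the EC2 association need `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:CreateInstanceProfile`, `iam:AddRoleToInstanceProfile`, `iam:PassRole` and `ec2:AssociateIamInstanceProfile` on the caller's side; the lab credentials grant these through the console, but a pipeline identity should be scoped to just them.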
Step 21: Now stop and start the instance so that the configuration takes effect. Click on “Stop” under the “Instance state”.
Click on “Stop” and confirm.
Successfully “Stopped” the instance.
Step 22: Click on “Start instance” under “Instance state”.
Successfully started the instance.
Step 23: Now, click on “Connect”.
Step 24: Select “Session Manager” and click on the “Connect” button.
Note: If it shows any configuration issue, start and stop the instance again.
Step 25: Select bash shell and switch to root user and execute the following commands in the shell to install a vulnerable httpd package.
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server, based on the client-side Connection header hop-by-hop mechanism. An unauthenticated attacker with network access to the data plane may exploit this vulnerability to bypass IP-based authentication on the origin server or application (CVE-2022-31813).
Commands:
bash
sudo su
yum -y update && yum -y install httpd-2.4.53
Successfully installed httpd package with version 2.4.53.
Now create an image repository and push a docker image.
Step 26: Search for “Elastic container registry” in the search bar and navigate to the ECR dashboard.
Step 27: Click on “Get Started”.
Step 28: Set visibility as “Private” and repository name as “web-server”.
Step 29: Click on the “Create repository” button.
Step 30: Successfully created a private repository. Click on “web-server”.
There are no images available in the repository.
Step 31: Click on “View push commands”.
Follow these steps on the local machine to push the image to the created repository.
Step 32: Switch to root user.
Command: sudo su
Step 33: Configure AWS CLI using the provided credentials.
Command: aws configure
Step 34: Retrieve an authentication token and authenticate your Docker client to your registry.
Command: aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 843926034173.dkr.ecr.us-west-2.amazonaws.com
Step 35: Create a new directory to setup a Dockerfile.
Command: mkdir ecr
Step 36: Navigate to the “ecr” directory.
Command: cd ecr
Step 37: Use nano to create a Dockerfile with the following code.
Command: nano Dockerfile
Paste the following code into the file. This Dockerfile packs the vulnerable httpd package into the image at build time. The base image is pinned to the Amazon Linux 2 tag: “latest” now tracks a newer Amazon Linux release whose repositories ship a newer httpd, so the pinned version below would not resolve there.
Dockerfile:
# Pin Amazon Linux 2: the httpd-2.4.53 package is available in its repos.
FROM amazonlinux:2
USER root
# Install the specific vulnerable version (CVE-2022-31813) on purpose.
RUN yum -y update && yum -y install httpd-2.4.53
Step 38: Build your Docker image using the following command.
Command: docker build -t web-server .
Step 39: Tag the image to push the image to the created repository.
Command: docker tag web-server:latest 843926034173.dkr.ecr.us-west-2.amazonaws.com/web-server:latest
Step 40: Execute the following command to push this image to your newly created AWS repository.
Command: docker push 843926034173.dkr.ecr.us-west-2.amazonaws.com/web-server:latest
Successfully pushed the created image.
Step 41: Navigate back to the Inspector dashboard and check out the environment coverage.
Now we have one instance and one repository with 100% coverage.
Step 42: Click on “By vulnerability” under findings in the navigation pane.
Notice the vulnerability detected by Inspector. The following finding relates to the httpd package that we installed on both the instance and in the image.
Step 43: Click on “CVE-2022-31813” to get more information about the detected vulnerability.
Click on the title and check the finding details.
Click on “By instance” to get the vulnerability details from the instance.
Click on “By container image” to get the vulnerability details from the image.
Click on “All findings” to get all the vulnerability details.
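The console views above are fine for a lab, but in a pipeline the same findings should fail the build automatically. The following is an added example, not part of the INE lab or the AWS SDK: it consumes the JSON shape returned by `aws inspector2 list-findings --filter-criteria file://filter.json` (or boto3's `inspector2.list_findings(filterCriteria=...)`) and returns the findings that block the image from shipping. `SAMPLE_FINDINGS` is constructed to mirror what the lab sees for httpd 2.4.53; the account id, instance id, image digest and fixed version in it are placeholders, and the `_finding` helper exists only to build that sample.

```python
"""Turn Amazon Inspector package findings into a pass/fail gate.

Added example (not INE's or AWS's code). Input is a list of findings in
the list-findings response shape; SAMPLE_FINDINGS is constructed data.
"""
import json

SEVERITY_RANK = {"UNTRIAGED": 0, "INFORMATIONAL": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def repository_filter(repo_name):
    """filterCriteria for list-findings: active package findings for one
    ECR repository. Save as JSON and pass --filter-criteria file://..."""
    return {
        "ecrRepositoryName": [{"comparison": "EQUALS", "value": repo_name}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
        "findingType": [{"comparison": "EQUALS",
                         "value": "PACKAGE_VULNERABILITY"}],
    }


def _finding(cve, severity, fix, resource_type, resource_id, pkg, ver, fixed):
    """Build one finding in the list-findings shape (constructed sample)."""
    return {
        "type": "PACKAGE_VULNERABILITY",
        "status": "ACTIVE",
        "severity": severity,
        "fixAvailable": fix,
        "title": f"{cve} - {pkg}",
        "packageVulnerabilityDetails": {
            "vulnerabilityId": cve,
            "vulnerablePackages": [{"name": pkg, "version": ver,
                                    "packageManager": "OS",
                                    "fixedInVersion": fixed}],
        },
        "resources": [{"type": resource_type, "id": resource_id}],
    }


# Placeholder account id and digest; the CVE and package match the lab.
IMAGE_ARN = ("arn:aws:ecr:us-west-2:111122223333:repository/web-server/"
             "sha256:" + "0" * 64)
SAMPLE_FINDINGS = [
    _finding("CVE-2022-31813", "HIGH", "YES", "AWS_ECR_CONTAINER_IMAGE",
             IMAGE_ARN, "httpd", "2.4.53", "2.4.54"),
    _finding("CVE-2022-31813", "HIGH", "YES", "AWS_EC2_INSTANCE",
             "i-0123456789abcdef0", "httpd", "2.4.53", "2.4.54"),
]


def summarize(findings):
    """Count findings per severity and list each affected package."""
    counts, packages = {}, []
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
        details = f.get("packageVulnerabilityDetails", {})
        for p in details.get("vulnerablePackages", []):
            packages.append({
                "cve": details.get("vulnerabilityId"),
                "package": f'{p["name"]}-{p["version"]}',
                "fixed_in": p.get("fixedInVersion"),
                "resource": f["resources"][0]["type"],
            })
    return {"counts": counts, "packages": packages}


def should_block(findings, min_severity="HIGH", require_fix=True,
                 resource_type="AWS_ECR_CONTAINER_IMAGE"):
    """Return the findings that fail the gate; an empty list means ship.
    A finding blocks when it is active, at least min_severity, on the chosen
    resource type and, if require_fix, already has a vendor fix, so that a
    red build is always actionable rather than noise."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if not any(r["type"] == resource_type for r in f["resources"]):
            continue
        if require_fix and f.get("fixAvailable") != "YES":
            continue
        blocking.append(f)
    return blocking


if __name__ == "__main__":
    print(json.dumps(repository_filter("web-server"), indent=2))
    print(json.dumps(summarize(SAMPLE_FINDINGS), indent=2))
    failed = should_block(SAMPLE_FINDINGS)
    for f in failed:
        pkg = f["packageVulnerabilityDetails"]["vulnerablePackages"][0]
        print("BLOCK:", f["title"], "fixed in", pkg["fixedInVersion"])
    raise SystemExit(1 if failed else 0)
```

Run against real output by loading the `findings` array from the CLI's JSON into `should_block`; a non-zero exit from the `__main__` block is what the CI step keys on. Keep `require_fix` on for the gate and report the unfixable findings separately, otherwise a CVE with no patch yet blocks every build indefinitely.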
Successfully enabled Amazon Inspector and detected the vulnerability on both the instance and the container image.
References:
Amazon Inspector (https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html)
CVE-2022-31813 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813)
Conclusion
Congratulations! We successfully installed a vulnerable component on an Amazon EC2 instance, packed the same component into a container image stored in ECR, and detected the vulnerability in both places using Amazon Inspector.