Terraform — Deploy AWS Inspector, a Cloud-based Vulnerability Assessment Tool
In this article, we look at how to deploy AWS Inspector in your AWS account using Terraform.
Amazon Inspector is an automated security assessment service that helps to improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.
Let’s start our Demo!
- AWS IAM API keys (an access key and a secret key) with permissions to create and delete all of the AWS resources used in this demo.
- Terraform installed on the machine. If it is not installed, you can download and install it from here.
Amazon Resources Created Using Terraform
The Terraform script consists of 3 modules, and each module creates its own set of AWS resources.
A Terraform module is a set of Terraform configuration files in a single directory. Even a simple configuration consisting of a single directory with one or more .tf files is a module. When you run Terraform commands directly from such a directory, it is considered the root module.
So in this demo, our Terraform script creates the following resources.
1. AWS Inspector Module
- AWS Inspector Resource Group
- AWS Inspector Assessment Target
- AWS Inspector Assessment Template
2. IAM Module
- IAM Role and Policy
3. CloudWatch Module
- CloudWatch Event Rule
- CloudWatch Event Target
1. AWS Inspector Module
- Amazon Inspector resource group:
To create an assessment group for Amazon Inspector to assess, you start by tagging the EC2 instances that you want to include in your group. Tags are words or phrases that act as metadata for identifying and organizing your instances and other AWS resources. Amazon Inspector uses the tags that you create to identify the instances that belong to your group.
The instances that you want to be covered by the AWS Inspector scan must carry the corresponding tag. For example, we have used Tag name = "GroupName" and Tag value = "Production". This tag should be attached to one or more EC2 instances so that Inspector automatically identifies those instances and starts scanning them.
- Amazon Inspector Assessment Target:
The Inspector resource group is attached to the Inspector assessment target: Amazon Inspector uses the resource group that you create to identify the group of instances that belong to your target.
- Amazon Inspector Assessment Template:
An assessment template allows you to specify a configuration for your assessment runs, including the following:
- Rules packages that Amazon Inspector uses to evaluate your assessment target
- Duration of the assessment run — You can set the duration of an assessment run anywhere between 3 minutes and 24 hours. We recommend setting the duration of assessment runs to 1 hour.
- Amazon SNS topics that Amazon Inspector sends notifications to about your assessment run states and findings (Not supported with Terraform)
- Amazon Inspector attributes (key-value pairs) that you can assign to findings that are generated by the assessment run that uses this assessment template
2. IAM Module
The IAM module creates an IAM role with the inspector:startAssessmentRun permission needed to start an Inspector run. We attach this role to the CloudWatch event rule so that it can run Inspector on the EC2 instances.
To run the Inspector assessment, you need an IAM role that allows the AWS CloudWatch rule to start the runs and write log messages about the runs, including any errors. CloudWatch assumes this role for every recurring automated run.
3. CloudWatch Module
The CloudWatch module creates a CloudWatch event rule as well as a CloudWatch event target. The event rule schedules execution of the target registered in the CloudWatch event target.
If you want to set up a recurring schedule for your assessment, you can configure your assessment template to run automatically by creating a CloudWatch event target.
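The three modules described above, written out as one root-module configuration so the wiring between them is visible. This is an added example, not the code from the repository linked below: resource names, the tag key and value from this article, the weekly cron schedule and the one-hour duration are illustrative choices, and the AWS provider (region and credentials) is assumed to be configured elsewhere.

```hcl
data "aws_inspector_rules_packages" "available" {} # rules package ARNs differ per region; look them up

# 1. Inspector module: resource group -> assessment target -> assessment template
resource "aws_inspector_resource_group" "prod" {
  tags = { GroupName = "Production" } # only instances carrying this tag are assessed
}

resource "aws_inspector_assessment_target" "prod" {
  name               = "production-ec2"
  resource_group_arn = aws_inspector_resource_group.prod.arn
}

resource "aws_inspector_assessment_template" "weekly" {
  name               = "production-weekly"
  target_arn         = aws_inspector_assessment_target.prod.arn
  duration           = 3600 # seconds: the one-hour run length recommended above
  rules_package_arns = data.aws_inspector_rules_packages.available.arns
}

# 2. IAM module: the role CloudWatch Events assumes to start each scheduled run
resource "aws_iam_role" "inspector_events" {
  name = "inspector-events-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "events.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy" "start_run" {
  name = "inspector-start-run"
  role = aws_iam_role.inspector_events.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "inspector:StartAssessmentRun", Resource = "*" }]
  })
}

# 3. CloudWatch module: schedule rule plus the template registered as its target
resource "aws_cloudwatch_event_rule" "weekly" {
  name                = "inspector-weekly"
  schedule_expression = "cron(0 2 ? * MON *)" # 02:00 UTC every Monday
}

resource "aws_cloudwatch_event_target" "inspector" {
  rule      = aws_cloudwatch_event_rule.weekly.name
  target_id = "inspector-assessment-template"
  arn       = aws_inspector_assessment_template.weekly.arn
  role_arn  = aws_iam_role.inspector_events.arn
}
```

The role is scoped to the single action the rule needs; if the target ARN or the role's trust policy is wrong, the rule still fires but every scheduled invocation fails silently, so check the rule's FailedInvocations metric after the first schedule passes.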
You can use the following repository to deploy your Inspector setup.
After cloning the repo, change the values of the variables and then run the following commands.
Thank you for reading, if you have anything to add please send a response or add a note!