AppGambit
Published in

AppGambit

Terraform — Deploy AWS Inspector A cloud-based Vulnerability Assessment Tools

In this article, we are talking about How we can deploy AWS Inspector on your AWS account using terraform.

Amazon Inspector is an automated security assessment service that helps to improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.

Pre-Requisites

  • We require AWS IAM API keys (access key and secret key) for creating and deleting permissions for all AWS resources.
  • Terraform should be installed on the machine. If Terraform does not exist you can download and install it from here.

Amazon Resources Created Using Terraform

We have 3 modules in Terraform script and under that, it will create AWS resources.

A Terraform module is a set of Terraform configuration files in a single directory. Even a simple configuration consisting of a single directory with one or more .tf files is a module. When you run Terraform commands directly from such a directory, it is considered the root module

So in this demo, we create the following resources using our terraform script.

  1. AWS Inspector Module
  • AWS Inspector Resource Group
  • AWS Inspector Assessment Target
  • AWS Inspector Assessment Template

2. IAM Module

  • IAM Role and policy

3. CloudWatch Module

  • CloudWatch Event rule
  • CloudWatch Event Target

1. AWS Inspector Module

  • Amazon Inspector resource group:

To create an assessment group for Amazon Inspector to assess, you start by tagging the EC2 instances that you want to include in your group. Tags are words or phrases that act as metadata for identifying and organizing your instances and other AWS resources. Amazon Inspector uses the tags that you create to identify the instances that belong to your group.

The instances that you wish to be covered by AWS Inspector scan must be tagged with their corresponding Tag name. For example, we have used the Tag name = "GroupName” and Tag value = “Production”.

This tag should be attached with 1 or many EC2 Instances so Inspector automatically identifies those instances and start scanning.

  • Amazon Inspector Assessment Target:

Inspector resource group attached to Inspector Assessment Target

Amazon Inspector uses the Inspector resource group that you create to identify the group of instances that belong to your target.

  • Amazon Inspector Assessment Template:

An assessment template allows you to specify a configuration for your assessment runs, including the following:

  • Rules packages that Amazon Inspector uses to evaluate your assessment target
  • Duration of the assessment run — You can set the duration of an assessment run anywhere between 3 minutes to 24 hours. We recommend setting the duration of assessment runs to 1 hour.
  • Amazon SNS topics that Amazon Inspector sends notifications to about your assessment run states and findings (Not supported with Terraform)
  • Amazon Inspector attributes (key-value pairs) that you can assign to findings that are generated by the assessment run that uses this assessment template

2. IAM Module

IAM module creates IAM role with inspector:startAssessmentRun permission to start Inspector run. We will attach this role with the CloudWatch event rule to run inspector on EC2 Instances.

To run the Inspector assessment, you need an IAM role that allows the AWS CloudWatch rule to start the runs and write log messages about the runs, including any errors. CloudWatch assumes this role for every recurring automated run.

3. CloudWatch Module

CloudWatch module creates CloudWatch event rule as well as CloudWatch event target. CloudWatch event rule schedule execution for added target in CloudWatch event target.

If you want to set up a recurring schedule for your assessment, you can configure your assessment template to run automatically by creating a CloudWatch event target.

You can use the following repository to deploy your Inspector setup.

After cloning the repo, just run the following commands.

Thank you for reading, if you have anything to add please send a response or add a note!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Prashant Bhatasana

AWS Community Builder | Terraform Associate | Infra. Automation Engineer, Love to work with #AWS #Terraform #Jenkins #kubernetes #Docker #Ansible #Selenium