At the recent Re:Invent conference, Amazon announced a new security assessment and compliance service. The service is called Amazon Inspector and is currently in preview.
Andy Jassy, SVP at Amazon Web Services, positions the service in the following way: "Inspector is an automated security assessment service that finds security or compliance issues when deploying applications on AWS."
As organizations leverage the cloud for the rapid delivery of applications and services, opportunities arise where security vulnerabilities may be overlooked as a tradeoff for speed. Jeff Barr, chief evangelist for Amazon Web Services, sees this service as a way to “shorten the time between code complete and code tested and deployed.” Barr also adds that “many organizations do not have enough security personnel on staff to perform time-consuming manual checks on individual servers and other resources.”
Amazon Inspector removes manual compliance checks and can automatically output reports for use in audits. To set up an Inspector job, an administrator first defines an application and attaches metadata to it, including the environment it belongs to (Production, QA, UAT, etc.). Next, the administrator configures the set of rule packages to apply. Rule packages may include:
- Application Security Best Practices
- Network Security Best Practices
- Authentication Best Practices
- Operating System Security Best Practices
- PCI DSS 3.0 Assessments (for customers needing to demonstrate Payment Card Industry compliance)
Since Amazon Inspector is a managed service, Amazon currently provides hundreds of rules and will keep adding to the library as its team of AWS security researchers develops new ones. This lets customers augment their existing security teams with the knowledge Amazon continues to develop.
The next setting an administrator configures is how long the assessment will run. While the assessment executes, an Inspector Agent runs on the EC2 instances and monitors network, file system and process activity. Assessments can run for 15 minutes, 1 hour, 8 hours, 12 hours or one full day. Amazon recommends running the assessment for 24 hours to deliver more comprehensive results.
Image Source: https://aws.amazon.com/blogs/aws/amazon-inspector-automated-security-assessment-service/
After the assessment has run, administrators can expect an Amazon Inspector Findings report. The report will highlight a prioritized list of recommendations including which rule package identified the deficiency. The following image is representative of a report an administrator can expect to see after an assessment has run.
Image Source: http://aws.amazon.com/inspector/
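The article describes the shape of the output, a prioritized findings list that names the rule package behind each deficiency, without showing how a team would consume it. The following is an added example, not code from the article or from AWS: it validates the run duration against the five values listed above and triages a constructed set of findings into the kind of prioritized, per-rule-package report an administrator would hand to auditors. The finding records, instance IDs, titles and recommendations are all constructed for illustration and only loosely mirror the fields a real Inspector finding carries.

```python
"""Triage of Amazon Inspector findings into a prioritized, per-rule-package report.

Added example. The finding records below are constructed samples, not output
captured from a real Inspector assessment run.
"""
from collections import defaultdict

# Assessment durations the article lists, mapped to seconds, so a run request
# can be validated before it is submitted.
ALLOWED_DURATIONS_SECONDS = {
    "15 minutes": 15 * 60,
    "1 hour": 60 * 60,
    "8 hours": 8 * 60 * 60,
    "12 hours": 12 * 60 * 60,
    "1 day": 24 * 60 * 60,
}

# Higher rank sorts first in the prioritized report.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed findings. Each record carries the fields the article says the
# report surfaces: severity, the rule package that flagged it, the affected
# instance and a recommendation. Instance IDs are placeholders.
SAMPLE_FINDINGS = [
    {"id": "f-001", "severity": "High", "rules_package": "Operating System Security Best Practices",
     "instance_id": "i-0000000000000aaaa", "title": "Security updates are pending",
     "recommendation": "Apply pending OS security updates and reboot if required."},
    {"id": "f-002", "severity": "High", "rules_package": "Operating System Security Best Practices",
     "instance_id": "i-0000000000000bbbb", "title": "Security updates are pending",
     "recommendation": "Apply pending OS security updates and reboot if required."},
    {"id": "f-003", "severity": "Medium", "rules_package": "Network Security Best Practices",
     "instance_id": "i-0000000000000aaaa", "title": "TCP port 23 (telnet) reachable from the internet",
     "recommendation": "Remove the security group rule that exposes port 23."},
    {"id": "f-004", "severity": "Medium", "rules_package": "Authentication Best Practices",
     "instance_id": "i-0000000000000bbbb", "title": "Password authentication over SSH is enabled",
     "recommendation": "Set PasswordAuthentication no in sshd_config and use key-based logins."},
    {"id": "f-005", "severity": "Low", "rules_package": "Application Security Best Practices",
     "instance_id": "i-0000000000000aaaa", "title": "Unused listening service detected",
     "recommendation": "Disable services that are not required by the application."},
    {"id": "f-006", "severity": "Informational", "rules_package": "Network Security Best Practices",
     "instance_id": "i-0000000000000bbbb", "title": "Instance has a public IP address",
     "recommendation": "Confirm the instance needs to be directly reachable from the internet."},
]


def is_allowed_duration(label):
    """True if the label is one of the run lengths Inspector offers."""
    return label in ALLOWED_DURATIONS_SECONDS


def duration_seconds(label):
    """Translate a human-readable run length into seconds, rejecting unsupported values."""
    if not is_allowed_duration(label):
        raise ValueError(f"unsupported assessment duration: {label!r}; "
                         f"choose one of {sorted(ALLOWED_DURATIONS_SECONDS)}")
    return ALLOWED_DURATIONS_SECONDS[label]


def prioritize(findings):
    """Collapse per-instance findings into one row per (rule package, title) and rank them.

    Ordering: highest severity first, then the deficiency affecting the most
    instances, then rule package and title for a stable, auditable order.
    """
    grouped = {}
    for f in findings:
        key = (f["rules_package"], f["title"])
        row = grouped.setdefault(key, {
            "rules_package": f["rules_package"], "title": f["title"],
            "severity": f["severity"], "recommendation": f["recommendation"],
            "instances": set(),
        })
        row["instances"].add(f["instance_id"])
    rows = list(grouped.values())
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -len(r["instances"]),
                             r["rules_package"], r["title"]))
    return rows


def findings_per_package(findings):
    """Count raw findings by the rule package that produced them (audit summary)."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rules_package"]] += 1
    return dict(counts)


def render_report(rows):
    """Render the prioritized rows as plain text suitable for attaching to an audit."""
    lines = []
    for i, r in enumerate(rows, 1):
        lines.append(f"{i}. [{r['severity']}] {r['title']} "
                     f"({r['rules_package']}; {len(r['instances'])} instance(s))")
        lines.append(f"   Recommendation: {r['recommendation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"Run length: {duration_seconds('1 day')} seconds")
    print(render_report(prioritize(SAMPLE_FINDINGS)))
    print(findings_per_package(SAMPLE_FINDINGS))
```

Grouping by rule package and title before sorting is the part worth copying: two instances missing the same updates are one remediation task, not two, and the instance count is what separates otherwise equal severities.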
Amazon isn't the only company to provide a cloud-based security assessment and compliance service. It faces competition from the likes of Microsoft and Nessus, which also provides PCI DSS compliance assessments. PowerUpCloud, a cloud consulting services company, recently blogged about their experience with AWS Inspector and provided a comparison to Nessus. "AWS Inspector aims to do what Nessus does so we took it for a spin. While Inspector is still new and it will get a lot better, it doesn't replace Nessus immediately. It is currently only supported on Amazon Linux and Ubuntu instances. But we were impressed with Inspector and the ease of use."
Microsoft has also recently entered the cloud security assessment and compliance space by introducing Azure Security Center at their recent AzureCon event.