AWS inspector documentation change
Summary
Added documentation for Enhanced EC2 Scanning using Amazon Inspector VM Scanner, updated agent-based scanning details, specified VPC endpoint requirements for private instances, and removed outdated resource sync information.
Security assessment
The changes introduce a new Enhanced EC2 Scanning feature using VM Scanner and specify network security requirements (VPC endpoints) for private instances. While this enhances security documentation, there's no evidence of addressing a specific vulnerability or incident.
Diff
diff --git a/inspector/latest/user/scanning-ec2.md b/inspector/latest/user/scanning-ec2.md index d8d2d4f3e..051f7c970 100644 --- a//inspector/latest/user/scanning-ec2.md +++ b//inspector/latest/user/scanning-ec2.md @@ -13 +13 @@ Amazon Inspector Amazon EC2 scanning extracts metadata from your EC2 instance be -Package vulnerability scans can be performed using an [agent-based](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agent-based) or [agentless](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agentless) scan method. Both of these scan methods determine how and when Amazon Inspector collects the software inventory from an EC2 instance for package vulnerability scans. Agent-based scanning collects software inventory using the SSM agent, and agentless scanning collects software inventory using on Amazon EBS snapshots. +Package vulnerability scans can be performed using an [agent-based](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agent-based) or [agentless](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agentless) scan method. Both of these scan methods determine how and when Amazon Inspector collects the software inventory from an EC2 instance for package vulnerability scans. Agent-based scanning collects software inventory from your instances using the Amazon EC2 Systems Manager (SSM) agent, and agentless scanning collects software inventory using Amazon EBS snapshots. @@ -17 +17,11 @@ Amazon Inspector uses the scan methods that you activate for your account. When -###### Note +## Agent-based scanning + +### Enhanced EC2 Scanning + +Enhanced EC2 Scanning is performed using the [Amazon Inspector VM Scanner](./inspector-vm-scanner.html). This scanner is installed and updated using SSM associations. Customers can opt in by going to their Amazon Inspector console and visiting the **Settings** > **Scan Settings** page. Choose **Start Upgrade** to begin Enhanced EC2 Scanning. + + 1. Amazon Inspector creates SSM associations in your account to collect inventory from your instances. These associations install plugins on individual instances to collect inventory. + + 2. Using system tools like Systemd and Scheduled Tasks, Inspector VM Scanner extracts package inventory from an instance and communicates that information to Amazon Inspector. + + 3. Amazon Inspector evaluates the extracted inventory and generates findings for any detected vulnerabilities. @@ -19 +28,0 @@ Amazon Inspector uses the scan methods that you activate for your account. When -Amazon EC2 scanning does not scan filesystem directories related to virtual environment even if they are provisioned through deep inspection. For example, the path `/var/lib/docker/` is not scanned because it's commonly used for container run times. @@ -21 +29,0 @@ Amazon EC2 scanning does not scan filesystem directories related to virtual envi -## Agent-based scanning @@ -23 +31,4 @@ Amazon EC2 scanning does not scan filesystem directories related to virtual envi -Agent-based scans are performed continuously using the SSM agent on all eligible instances. For agent-based scans, Amazon Inspector uses SSM associations, and plugins installed through these associations, to collect software inventory from your instances. In addition to package vulnerability scans for operating system packages, Amazon Inspector agent-based scanning can also detect package vulnerabilities for application programming language packages in Linux-based instances through [Amazon Inspector deep inspection for Linux-based Amazon EC2 instances](./deep-inspection.html). + +### Standard scanning + +Agent-based scans are performed continuously using the Amazon Inspector SSM plugin on all eligible instances. For agent-based scans, Amazon Inspector uses SSM associations, and plugins installed through these associations, to collect software inventory from your instances. In addition to package vulnerability scans for operating system packages, Amazon Inspector agent-based scanning can also detect package vulnerabilities for application programming language packages through Amazon Inspector [deep inspection](./deep-inspection.html). @@ -27 +38 @@ The following process explains how Amazon Inspector uses SSM to collect inventor - 1. Amazon Inspector creates SSM associations in your account to collect inventory from your instances. For some Instance types (Windows, and Linux), these associations install plugins on individual instances to collect inventory. + 1. Amazon Inspector creates SSM associations in your account to collect inventory from your instances. These associations install plugins on individual instances to collect inventory. @@ -39,0 +51,25 @@ For agent-based scanning, the Amazon EC2 instance must be managed by SSM in same +### Amazon VPC endpoint requirements for Enhanced EC2 Scanning on private Amazon EC2 instances + +You can run Enhanced EC2 Scanning on Amazon EC2 instances over an Amazon network. However, if you want to run Enhanced EC2 Scanning on private Amazon EC2 instances, you must create Amazon VPC endpoints. The following endpoints are required: + + * `com.amazonaws.`region`.ec2messages` + + * `com.amazonaws.`region`.inspector2-telemetry` + + * `com.amazonaws.`region`.s3` + + * `com.amazonaws.`region`.ssm` + + * `com.amazonaws.`region`.ssmmessages` + + + + +Where `region` is the Region code for the applicable AWS Region. + +For more information, see [Improve the security of Amazon EC2 instances by using Amazon VPC endpoints for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html) in the _AWS Systems Manager User Guide_. + +###### Note + +Currently, some AWS Regions don't support the `com.amazonaws.`region`.inspector2-telemetry` endpoint. + @@ -48,2 +83,0 @@ Amazon Inspector will use the agent-based method to scan an instance if it meets - * The instance is SSM managed. For instructions on verifying and configuring the agent, see Configuring the SSM Agent. - @@ -82 +116 @@ The following procedure describes how to configure an Amazon EC2 instance as a m -You can also automate SSM management of all your EC2 instances, without the use of IAM instance profiles, by using SSM Default Host Management Configuration. For more information, see [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html). When an IAM instance profile is configured on an instance, Amazon Inspector uses that profile and ignores the Default Host Management Configuration (DHMC) role. +You can also automate SSM management of all your EC2 instances, without the use of IAM instance profiles, by using SSM Default Host Management Configuration. For more information, see [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/managed-instances-default-host-management.html). @@ -99,6 +132,0 @@ You can also automate SSM management of all your EC2 instances, without the use -###### Important - -Amazon Inspector requires a Systems Manager State Manager association in your account to collect software application inventory. Amazon Inspector automatically creates an association called `InspectorInventoryCollection-do-not-delete` if one doesn't already exist. - -Amazon Inspector also requires a resource data sync and automatically creates one called `InspectorResourceDataSync-do-not-delete` if one doesn't already exist. For more information, see [Configuring resource data sync for Inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html) in the _AWS Systems Manager User Guide_. Each account can have a set number of resource data syncs per Region. For more information, see Maximum number of resource data syncs (per AWS account per Region) in [SSM endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm). - @@ -122,0 +151,5 @@ This is a resource data sync that Amazon Inspector uses to send collected invent +`InspectorVmScannerDistributor-do-not-delete` + + +This is an SSM association that Amazon Inspector uses to install and update the [Amazon Inspector VM Scanner](./inspector-vm-scanner.html) on your Amazon EC2 instances. +