Amazon Inspector Connector User Guide

Overview

The Amazon Inspector connector allows users to ingest Amazon Inspector data from their AWS cloud instance. Amazon Inspector tests the network accessibility of Amazon EC2 instances and the security state of the applications that run on those instances. It assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings organized by severity level.

This connector pulls security-findings data based on the assessments configured on the AWS account. The data from Amazon Inspector scans is pulled into the Ivanti Neurons RBVM platform and can be used to prioritize and remediate those findings.

Connector Configuration

Amazon Inspector Setup

  • Requires an active subscription to Amazon Inspector.
  • The AWS Region of the selected Amazon Inspector instance.
  • An Access Key and its associated Secret Key for the AWS user.

More details on Amazon Inspector can be found here: What is Amazon Inspector? - Amazon Inspector

User Prerequisites

To set up the connector, the user needs API access to an AWS account with full access to the Amazon Inspector service. The user needs the following permissions:

  • AmazonInspectorFullAccess: Have an AWS admin provide AmazonInspectorFullAccess permissions to your AWS User ID.

AWS Amazon Inspector uses the service-linked role named AWSServiceRoleForAmazonInspector. The AWSServiceRoleForAmazonInspector service-linked role trusts Amazon Inspector to assume the role.

The role’s permissions policy allows Amazon Inspector to complete the following action on the specified resources:

  • Action: iam:CreateServiceLinkedRole on arn:aws:iam::*:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector

To successfully create the AWSServiceRoleForAmazonInspector role, the IAM identity (user, role, or group) used when working with Amazon Inspector must have the required permissions. To grant the required permissions, attach the AmazonInspectorFullAccess managed policy to the IAM user, group, or role.

Connections

The following API calls are performed during a connector run to pull security vulnerabilities from Amazon Inspector into Ivanti Neurons.

API Type                   Endpoint
Get Vulnerability Details  /findings/list

Ivanti Neurons Connector Setup

Log into the Ivanti Neurons RBVM platform.

Navigate to Automation > Integrations.

Using the search bar in the upper-right corner of the Integrations page, type AWS to find the connector.

This connector appears in both the Network and Compliance categories; the two entries work the same way. It is listed under two categories because, depending on the rules packages in the assessment, it produces both kinds of data.

Locate the AWS card on the page and click Configuration.

Complete the following fields:

  • Name: Connector name.
  • Region: AWS region.
  • Access Key and Secret Key: AWS access key and secret key credentials used to call the Amazon Inspector API endpoints.
  • Network: Network name in Ivanti Neurons RBVM. Ingested data will be associated with this network.

Once the fields are complete, click Test Credentials to verify that the credentials are correct and enable the system to connect to the AWS instance.

Configure the desired schedule for the connector to retrieve results from the Amazon Inspector instance. Optionally turn on Enable auto URBA (Update Remediation by Assessment).

Ivanti Neurons RBVM pulls the latest assessment associated with each of the assessment templates. Once connector configuration is complete, click Save to create the connector.

As soon as the connector is created, it will begin pulling data from the Amazon Inspector platform. When the connector is set up, a new entry for it appears at the top of the Integrations page. The connector card will also show the next scheduled time and date results will be fetched. Check the connector’s status by clicking the History button.

To run the connector on demand, click the Sync icon.

Editing a Connector Configuration

Connector configurations can be updated at any time after creation. Go to the Automate > Integrations page and select the specific connector you want to update.

Data Visualization in Ivanti Neurons

The data from the Amazon Inspector API is ingested into Ivanti Neurons as Hosts and Host Findings. The Scanner Name associated with these scans is AWS Inspector. Scanner Name can be used as a filter for Hosts and Host Findings.

Assets

Asset data extracted from the Amazon Inspector API is shown on the Hosts page. Project and version details are also extracted from the endpoint.

Findings

Scan data pulled from AWS via the connector can be viewed on the Network > Hosts and Network > Host Findings pages. Assets discovered from the scan data are added to the Network > Hosts page.

The Network > Host Findings page displays all identified vulnerability details, as shown below.

Clicking any of the listed vulnerabilities opens the Host Finding Detail pane, which provides additional details about that finding (associated exploits and malware) and possible solutions. Instance-related data is available in the Cloud Information section under Asset Information in the Host Finding Detail pane.

Severity Mapping

Score       Severity
0           Informational
0.1–3.9     Low
4.0–6.9     Medium
7.0–8.9     High
9.0–10.0    Critical

Connector Data Mapping

This table maps the high-level fields from Amazon Inspector to those of the Ivanti Neurons platform.

Section | Ivanti Neurons Field | Amazon Inspector Field | Filterable
------- | -------------------- | ---------------------- | ----------
Hosts | AWS Image ID | findings → resources → details → awsEc2Instance → imageID | Yes
Hosts | IP Address | findings → resources → details → awsEc2Instance → ipv4addresses | Yes
Hosts | IP Addresses | findings → resources → details → awsEc2Instance → ipv4addresses | Yes
Hosts | Hostname | findings → resources → details → tags → Name | Yes
Hosts | AWS Resource Type | findings → resources → details → type | Yes
Hosts | AWS Key Name | findings → resources → details → awsEc2Instance → keyname | Yes
Hosts | AWS VPC ID | findings → resources → details → awsEc2Instance → vpcid | Yes
Hosts | AWS Project | findings → resources → details → tags → Project | Yes
Hosts | AWS Cloud | findings → resources → details → tags → Cloud | Yes
Hosts | AWS Environment | findings → resources → details → tags → Environment | Yes
Hosts | Possible solution | findings → remediation → recommendation → text | Yes
Hosts | Scanner name | AWS Inspector | Yes
Hosts | Plugin Details -> Source | findings → packageVulnerabilityDetails → source | Yes
Hosts | Plugin Details -> Source Status | Open | Yes
Hosts | CVE | findings → packageVulnerabilityDetails | Yes
Hosts | First Seen | findings → firstObservedAt | Yes
Hosts | Last Seen | findings → lastObservedAt | Yes
Hosts | Port | findings → networkReachabilityDetails → openPortRange → begin/end | Yes
Hosts | Protocol | findings → networkReachabilityDetails → protocol | Yes
Hosts | AWS Inspector Account ID | findings → awsAccountId | Yes
Hosts | AWS Inspector Finding ARN | findings → findingsARN | Yes
Hosts | AWS Image ID | findings → resources → details → awsInstanceProfileARN → imageId | Yes
Hosts | AWS Instance ID | findings → resources → id | Yes
Hosts | Plugin Details -> Instance ID | findings → resources → id | Yes
Host Findings | Title | findings → title | Yes
Host Findings | Description | findings → description | Yes
Host Findings | Scanner plugin | findings → findingsARN minus the first portion up to “findings/”, leaving only the ending hash | Yes
Host Findings | Severity | findings → inspectorScore | Yes
Host Findings | Scanner reported severity | findings → severity | Yes
Host Findings | Possible solution | findings → remediation → recommendation → text | Yes
Host Findings | Scanner name | AWS Inspector | Yes
Host Findings | Plugin Details -> Source | findings → packageVulnerabilityDetails → source | Yes
Host Findings | Plugin Details -> Source Status | Open | Yes
Host Findings | CVE | findings → packageVulnerabilityDetails | Yes
Host Findings | First Seen | findings → firstObservedAt | Yes
Host Findings | Last Seen | findings → lastObservedAt | Yes
Host Findings | Port | findings → networkReachabilityDetails → openPortRange → begin/end | Yes
Host Findings | Protocol | findings → networkReachabilityDetails → protocol | Yes
Host Findings | AWS Inspector Account ID | findings → awsAccountId | Yes
Host Findings | AWS Inspector Finding ARN | findings → findingsARN | Yes
Host Findings | AWS Image ID | findings → resources → details → awsInstanceProfileARN → imageId | Yes
Host Findings | AWS Instance ID | findings → resources → id | Yes
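The following is an added example (not Ivanti's or AWS's code) showing how one Amazon Inspector ListFindings record is mapped into the Host and Host Finding fields from the Severity Mapping and Connector Data Mapping tables above, including the score-to-severity bands, the Port cell built from openPortRange begin/end, and the Scanner plugin hash taken from the finding ARN. It assumes the key casing of the Inspector v2 Finding object as returned by the API (findingArn, ipV4Addresses, keyName, vpcId), treats packageVulnerabilityDetails.vulnerabilityId as the CVE sub-field, and uses a constructed sample finding rather than real data.

```python
# Added example (not Ivanti's or AWS's code); keys follow the Inspector v2 Finding object, sample is constructed.
SEVERITY_BANDS = [(4.0, "Low"), (7.0, "Medium"), (9.0, "High")]  # upper bound excluded

def severity_from_score(score):
    """Severity Mapping table: 0 -> Informational, 0.1-3.9 Low, ... 9.0-10.0 Critical."""
    if not score or score <= 0:
        return "Informational"
    for upper, label in SEVERITY_BANDS:
        if score < upper:
            return label
    return "Critical"

def plugin_id(finding_arn):
    # Scanner plugin: the hash after the final "/" (the portion after "findings/" in the table's wording)
    return finding_arn.rsplit("/", 1)[-1]

def port_label(net):
    rng = net.get("openPortRange", {})  # Port cell: begin/end collapsed to one port or a "begin-end" range
    begin, end = rng.get("begin"), rng.get("end")
    return str(begin) if begin == end else f"{begin}-{end}"

def map_finding(f):
    """Return (host, host_finding) dicts for one finding; first resource only."""
    res = f["resources"][0]
    ec2 = res.get("details", {}).get("awsEc2Instance", {})
    tags, net = res.get("tags", {}), f.get("networkReachabilityDetails") or {}
    pkg = f.get("packageVulnerabilityDetails") or {}
    host = {"Hostname": tags.get("Name"), "AWS Instance ID": res["id"], "AWS Image ID": ec2.get("imageId"),
            "IP Addresses": ec2.get("ipV4Addresses", []), "AWS VPC ID": ec2.get("vpcId"),
            "AWS Key Name": ec2.get("keyName"), "AWS Project": tags.get("Project")}
    finding = {"Title": f["title"], "Scanner name": "AWS Inspector",
               "Scanner plugin": plugin_id(f["findingArn"]),
               "Severity": severity_from_score(f.get("inspectorScore")),
               "Scanner reported severity": f["severity"],
               "CVE": pkg.get("vulnerabilityId"),  # assumed sub-field of packageVulnerabilityDetails
               "Possible solution": f["remediation"]["recommendation"]["text"],
               "Port": port_label(net) if net else None, "Protocol": net.get("protocol"),
               "First Seen": f["firstObservedAt"], "AWS Inspector Finding ARN": f["findingArn"]}
    return host, finding

SAMPLE_FINDING = {  # constructed sample: not a real account, instance or finding
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/0123456789abcdef",
    "title": "Port 22 is reachable from the internet", "severity": "MEDIUM", "inspectorScore": 6.1,
    "firstObservedAt": "2024-01-02T03:04:05Z",
    "remediation": {"recommendation": {"text": "Restrict the security group rule."}},
    "networkReachabilityDetails": {"protocol": "TCP", "openPortRange": {"begin": 22, "end": 22}},
    "resources": [{"id": "i-0123456789abcdef0", "type": "AWS_EC2_INSTANCE",
                   "tags": {"Name": "web-1", "Project": "demo"},
                   "details": {"awsEc2Instance": {"imageId": "ami-0123456789abcdef0",
                                                  "ipV4Addresses": ["10.0.1.5"], "vpcId": "vpc-01234"}}}]}
```

Running `map_finding(SAMPLE_FINDING)` yields a Host Finding with Severity "Medium" (inspectorScore 6.1 falls in the 4.0–6.9 band) and Port "22"; a finding without networkReachabilityDetails leaves Port and Protocol empty, as a package-vulnerability finding would.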