faq

Cards (36)

  • What is the frequency for agentless scans?
    Amazon Inspector will automatically trigger a scan every 24 hours for instances that are marked for agentless scanning (preview). There will be no change to the continuous scanning behavior for instances marked for SSM agent-based scans. 
  • Can I activate Lambda code scanning without activating Lambda standard scanning?
    No. You have two options: either activate Lambda standard scanning alone or enable Lambda standard and code scanning together. Lambda standard scanning provides fundamental security protection against vulnerable dependencies used in the application deployed as Lambda functions and association layers. Lambda code scanning provides additional security value by scanning your custom proprietary application code within a Lambda function.
  • How can I export my findings, and what do they include?
    You can generate reports in multiple formats (CSV or JSON) with a few steps in the Amazon Inspector console or through the Amazon Inspector APIs.
    • How do suppression rules work?
    • Amazon Inspector allows you to suppress findings based on the customized criteria you define. You can create suppression rules for findings that are considered acceptable by your organization.
  • If a Lambda function has multiple versions, which version will Amazon Inspector assess?
    • Amazon Inspector will continually monitor and assess only the $LATEST version. Automated rescans will continue only for the latest version, so new findings will be generated only for the latest version. In the console, you will be able to see the findings from any version by selecting the version from the dropdown.
  • Can I exclude my resources from being scanned?
    • For Amazon EC2 instances: Yes, an EC2 instance can be excluded from scanning by adding a resource tag. Use the key 'InspectorEc2Exclusion'; the tag value is optional.
    • For container images residing in Amazon ECR: Yes. Although you can select which Amazon ECR repositories are configured for scanning, all images within a repository will be scanned. You can create inclusion rules to select which repositories should be scanned.
  • Can I exclude my resources from being scanned?
    • For Lambda functions: Yes, a Lambda function can be excluded from scanning by adding a resource tag. For standard scanning, use the key 'InspectorExclusion' and the value 'LambdaStandardScanning'. For code scanning, use the key 'InspectorCodeExclusion' and the value 'LambdaCodeScanning'.
  • How long are container images continually rescanned with Amazon Inspector?
    Container images residing in Amazon ECR repositories that are configured for continual scanning are scanned for the duration configured in the Amazon Inspector console or APIs. Available configurations are Lifetime (by default), 180 days, or 30 days.
    • All images pushed to ECR after Amazon Inspector ECR scanning is activated are continually scanned for the configured duration, i.e., Lifetime (by default), 180 days, or 30 days.
  • How often are the automated rescans performed?
    All scans are automatically performed based on events. All workloads are initially scanned upon discovery and subsequently rescanned.
    • For Amazon EC2 instances: Rescans are started when a new software package is installed or uninstalled on an instance, when a new CVE is published, and after a vulnerable package is updated (to confirm there are no additional vulnerabilities).
    • For Amazon ECR container images: Automated rescans are started for eligible container images when a new CVE affecting an image is published. 
  • How often are the automated rescans performed?
    • For Lambda functions: All new Lambda functions are initially assessed upon discovery, and continually reassessed when there is an update to the Lambda function or a new CVE is published.
  • How can I install and configure the Amazon Systems Manager Agent?
    • To successfully scan Amazon EC2 instances for software vulnerabilities, Amazon Inspector requires that these instances are managed by AWS Systems Manager and the SSM agent.
  • Do I need any agents to use Amazon Inspector?
    • No, you don’t need an agent for scanning. For vulnerability scanning of Amazon EC2 instances, you can use the AWS Systems Manager Agent (SSM Agent) for an agent-based solution. Amazon Inspector also offers agentless scanning if you don’t have the SSM Agent deployed or configured. For assessing network reachability of Amazon EC2 instances, vulnerability scanning of container images, or vulnerability scanning of Lambda functions, no agents are necessary. 
  • Can I manage Amazon Inspector using my AWS Organizations structure?
    • Yes. Amazon Inspector is integrated with AWS Organizations. You can assign a delegated administrator (DA) account for Amazon Inspector, which acts as the primary administrator account for Amazon Inspector and can manage and configure it centrally. The DA account can centrally view and manage findings for all the accounts that are part of your AWS organization.
  • How do I delegate an administrator for the Amazon Inspector service?
    • The AWS Organizations management account can assign a delegated administrator (DA) account for Amazon Inspector in the Amazon Inspector console or by using Amazon Inspector APIs.
  • If you’re starting Amazon Inspector for the first time, all scanning types, including EC2 scanning, Lambda scanning, and ECR container image scanning are activated by default. However, you can deactivate any or all of these across all accounts in your organization. Existing users can activate new features in the Amazon Inspector console or by using Amazon Inspector APIs.
  • IAM users are identities with long-term credentials. You might be using IAM users for workforce users. In this case, AWS recommends using an identity provider and federating into AWS by assuming roles. You also can use roles to grant cross-account access to services and features such as AWS Lambda functions. In some scenarios, you might require IAM users with access keys that have long-term credentials with access to your AWS account. For these scenarios, AWS recommends using IAM access last used information to rotate credentials often and remove credentials that are not being used.
    • To help you determine the specific permissions you require, use AWS Identity and Access Management (IAM) Access Analyzer, review AWS CloudTrail logs, and inspect last access information. You also can use the IAM policy simulator to test and troubleshoot policies.
  • Achieving least privilege is a continuous cycle to grant the right fine-grained permissions as your requirements evolve. IAM Access Analyzer helps you streamline permissions management in each step of this cycle. Policy generation with IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your logs. This means that after you build and run an application, you can generate policies that grant only the required permissions to operate the application.
    • Policy validation with IAM Access Analyzer uses more than 100 policy checks to guide you to author and validate secure and functional policies. You can use these checks while creating new policies or to validate existing policies. Custom policy checks are a paid feature to validate that developer-authored policies adhere to your specified security standards ahead of deployments. 
  • If you enable the unused access analyzer as a paid feature, IAM Access Analyzer continuously analyzes your accounts to identify unused access and creates a centralized dashboard with findings. Security teams can use the dashboard to review findings centrally and prioritize which accounts to review based on the volume of findings. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users.
  • The IAM policy simulator evaluates the policies you choose and determines the effective permissions for each of the actions you specify. Use the policy simulator to test and troubleshoot identity-based and resource-based policies, IAM permissions boundaries, and SCPs.
  • IAM Access Analyzer custom policy checks validate that IAM policies adhere to your security standards ahead of deployments. Custom policy checks use the power of automated reasoning (provable security assurance backed by mathematical proof) to enable security teams to proactively detect nonconformant updates to policies.
  • IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. Security teams can use IAM Access Analyzer to gain visibility into unused access across their AWS organization and automate how they rightsize permissions. When the unused access analyzer is enabled, IAM Access Analyzer continuously analyzes your accounts to identify unused access and creates a centralized dashboard with findings. 
  • What are the key benefits of Amazon Detective?
    • Amazon Detective simplifies the investigative process and helps security teams conduct faster and more effective investigations. Amazon Detective’s prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues. Amazon Detective maintains up to a year of aggregated data and makes it easily available through a set of visualizations that show changes in the type and volume of activity over a selected time window, and links those changes to security findings.
  • Amazon Detective:
    • By exploring the behavior graph, you can analyze security events such as failed login attempts, suspicious API calls, or finding groups to help you investigate the root cause of your AWS Security Findings.
  • Is Amazon Detective a regional or global service?
    • Amazon Detective needs to be enabled on a Region-by-Region basis and enables you to quickly analyze activity across all your accounts within each Region. This ensures all data analyzed is regionally based and doesn’t cross AWS regional boundaries.
  • How do I enable Amazon Detective?
    • You can enable Amazon Detective from within the AWS Management Console or by using the Amazon Detective API. If you are already using the Amazon GuardDuty or AWS Security Hub Consoles, you should enable Amazon Detective with the same account that is the administrative account in Amazon GuardDuty or AWS Security Hub to enable the best cross-service experience.
  • Can I manage multiple accounts with Amazon Detective?
    Yes, Amazon Detective is a multi-account service that aggregates data from monitored member accounts under a single administrative account within the same Region. You can configure multi-account monitoring deployments in the same way that you configure administrative and member accounts in Amazon GuardDuty and AWS Security Hub.
    • Amazon Detective requires that you have Amazon GuardDuty enabled on your accounts for at least 48 hours before you enable Detective on those accounts. However, you can use Amazon Detective to investigate more than just your Amazon GuardDuty findings. Amazon Detective provides detailed summaries, analysis, and visualizations of the behaviors and interactions amongst your AWS accounts, EC2 instances, AWS users, roles, and IP addresses.
  • How can I stop Amazon Detective from looking at my logs and data sources?
    • Amazon Detective enables you to analyze and visualize security data from your AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, findings sent from integrated AWS services to AWS Security Hub, and Amazon GuardDuty findings. To stop Amazon Detective from analyzing these logs and findings for your accounts, disable the service by using the API or from the settings section in the AWS Console for Amazon Detective.
  • How does Amazon Detective for AWS Security Hub work?
    • Once enabled, Amazon Detective automatically and continuously analyzes and correlates user, network, and configuration activity for AWS services integrated with AWS Security Hub. Amazon Detective automatically ingests security findings forwarded from AWS security services to AWS Security Hub through the optional data source called AWS Security Findings.
  • GuardDuty is a regional service. Even when multiple accounts are enabled and multiple AWS Regions are used, the GuardDuty security findings remain in the same Regions where the underlying data was generated. This ensures all data analyzed is regionally based and doesn’t cross AWS regional boundaries.
  • However, you can choose to aggregate security findings produced by GuardDuty across Regions using Amazon EventBridge or pushing findings to your data store (like Amazon S3) and then aggregating findings as you see fit. You can also send GuardDuty findings to AWS Security Hub and use its cross-Region aggregation capability.
    • GuardDuty protection plans monitor other resource types, including CloudTrail S3 data events (S3 Protection), Amazon EKS audit logs and runtime activity for Amazon EKS (EKS Protection), Amazon ECS runtime activity (ECS Runtime Monitoring), Amazon EC2 runtime activity (EC2 Runtime Monitoring), Amazon EBS volume data (Malware Protection), Amazon Aurora login events (RDS Protection), and network activity logs (Lambda Protection).
  • Does GuardDuty manage or keep my logs?
    • No, GuardDuty does not manage or retain your logs. All data that GuardDuty consumes is analyzed in near real time and discarded thereafter. This allows GuardDuty to be highly efficient and cost effective, and to reduce the risk of data remanence.
    • You can prevent GuardDuty from analyzing your data sources at any time in the general settings by choosing to suspend the service. This will immediately stop the service from analyzing data, but it will not delete your existing findings or configurations. You can also choose to disable the service in the general settings. This will delete all remaining data, including your existing findings and configurations, before relinquishing the service permissions and resetting the service.
    • Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats or import compatible rules sourced from AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.