Enable and use Vulnerability Assessment for AWS

This page describes how to set up and use the Vulnerability Assessment for Amazon Web Services (AWS) service.

To enable Vulnerability Assessment for AWS, you need to create an AWS IAM role on the AWS platform, enable the Vulnerability Assessment for AWS service in Security Command Center, and then deploy a CloudFormation template on AWS.

Before you begin

To enable the Vulnerability Assessment for AWS service, you need certain IAM permissions and Security Command Center must be connected to AWS.

Roles and permissions

To complete the setup of the Vulnerability Assessment for AWS service, you need to be granted roles with the necessary permissions in both Google Cloud and AWS.

Google Cloud roles

Make sure that you have the following role or roles on the organization: Security Center Admin Editor (roles/securitycenter.adminEditor)

Check for the roles

  1. In the Google Cloud console, go to the IAM page.

  2. Select the organization.
  3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

  4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.

  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

AWS roles

In AWS, an AWS administrative user must create the AWS account that you need for enabling scans.

To create a Vulnerability Assessment role in AWS, follow these steps:

  1. Using an AWS administrative user account, go to the IAM Roles page in the AWS Management Console.
  2. Select lambda from the Service or Use Case menu.
  3. Add the following permission policies:
    • AmazonSSMManagedInstanceCore
    • AWSLambdaBasicExecutionRole
    • AWSLambdaVPCAccessExecutionRole
  4. Click Add Permission > Create Inline policy to create a new permission policy:
    1. Open the following page and copy the policy: Role policy for Vulnerability Assessment for AWS.
    2. In the JSON Editor, paste the policy.
    3. Specify a name for the policy.
    4. Save the policy.
  5. Open the Trust Relationships tab.
  6. Paste in the following JSON object, adding it to any existing statement array:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1 or replace with a unique statementId",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudformation.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  7. Save the role.

You assign this role later when you install the CloudFormation template on AWS.
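Step 6 above asks you to add the CloudFormation trust statement to any statement array the role already has (a role created with the Lambda use case already trusts lambda.amazonaws.com). The following Python is an added example, not code from this page or from Security Command Center: it merges the page's statement into an existing trust policy without dropping existing statements, rejects a clashing Sid, and lists the resulting service principals so you can confirm the trust boundary before saving. The existing Lambda trust policy and the Sid value are constructed sample values.

```python
import copy
import json

# Trust statement from the page: lets CloudFormation assume the role.
# The Sid is a constructed example; Sids must be unique within a policy.
CLOUDFORMATION_TRUST = {
    "Sid": "AllowCloudFormationAssumeRole",
    "Effect": "Allow",
    "Principal": {"Service": "cloudformation.amazonaws.com"},
    "Action": "sts:AssumeRole",
}

# Constructed sample: the trust policy the console generates for a role
# created with the Lambda use case (step 2 above).
EXISTING_LAMBDA_TRUST = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}""")

def _statements(policy: dict) -> list:
    # IAM accepts "Statement" as one object or a list; normalise to a list.
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)

def add_trust_statement(policy: dict, statement: dict) -> dict:
    """Copy of `policy` with `statement` appended to its Statement array.
    Existing statements are kept, an identical statement is not added twice,
    and a clashing Sid is rejected because IAM requires Sids to be unique."""
    merged = copy.deepcopy(policy)
    merged.setdefault("Version", "2012-10-17")
    statements = _statements(merged)
    if statement not in statements:
        sid = statement.get("Sid")
        if sid and any(s.get("Sid") == sid for s in statements):
            raise ValueError(f"Sid {sid!r} is already used in this policy")
        statements.append(copy.deepcopy(statement))
    merged["Statement"] = statements
    return merged

def trusted_services(policy: dict) -> set:
    """Service principals allowed to assume the role; review this after editing
    so the trust boundary contains exactly the services you intended."""
    services = set()
    for s in _statements(policy):
        principal = s.get("Principal")
        if s.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        svc = principal.get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services
```

Paste the JSON from `json.dumps(add_trust_statement(existing, CLOUDFORMATION_TRUST), indent=2)` into the Trust Relationships editor; the role should then trust exactly the Lambda and CloudFormation services and nothing else.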

Collect information about the AWS resources to be scanned

During the steps to enable Vulnerability Assessment for AWS, you can customize the configuration to scan specific AWS regions, specific tags that identify AWS resources, and specific hard disk drive (HDD) volumes (both SC1 and ST1).

It helps to have this information available before configuring Vulnerability Assessment for AWS.

Confirm Security Command Center is connected to AWS

The Vulnerability Assessment for AWS service requires access to the inventory of AWS resources that Cloud Asset Inventory maintains when Security Command Center is connected to AWS for vulnerability detection.

If a connection is not already established, you are required to set one up when you enable the Vulnerability Assessment for AWS service.

To set up a connection, see Connect to AWS for vulnerability detection and risk assessment.

Enable Vulnerability Assessment for AWS in Security Command Center

Vulnerability Assessment for AWS must be enabled on Google Cloud at the organization level.

  1. Go to the Risk overview page in Security Command Center:


  2. Select the organization you want to enable Vulnerability Assessment for AWS in.

  3. Click Settings.

  4. In the Vulnerability Assessment card, click Manage Settings. The Vulnerability Assessment page opens.

  5. Select the Amazon Web Services tab.

  6. In the Service enablement section, change the Status field to Enable.

  7. In the AWS connector section, verify that the status displays AWS Connector added. If the status displays No AWS connector added, click Add AWS connector. Complete the steps in Connect to AWS for vulnerability detection and risk assessment before you go to the next step.

  8. Configure the Scan settings for AWS compute and storage. To change the default configuration, click Edit scan settings. For information about each option, see Customize scan settings for AWS compute and storage.

  9. In the Scan settings section, click Download CloudFormation template. A JSON template downloads to your workstation. You need to deploy the template in each AWS account that you need to scan for vulnerabilities.

Customize scan settings for AWS compute and storage

This section describes options available to customize the scan of AWS resources. These custom options are under the Scan settings for AWS compute and storage section when editing a Vulnerability Assessment for AWS scan.

You can define a maximum of 50 AWS tags and Amazon EC2 instance IDs. Changes to scan settings don't affect the AWS CloudFormation template. You don't need to redeploy the template. If a tag or instance ID value is not correct (for example, the value is misspelled) and the resource specified does not exist, the value is ignored during the scan.
Scan interval

Enter the number of hours between each scan. Valid values range from 6 to 24. The default value is 6. More frequent scans may cause an increase in resource usage and possibly an increase in billing charges.

AWS regions

Choose a subset of regions to include in vulnerability assessment scanning.

Only instances from the selected regions are scanned. Select one or more AWS regions to be included in the scan.

If you configured specific regions in the Amazon Web Services (AWS) connector, make sure the regions selected here are the same as, or a subset of, those defined when you configured the connection to AWS.

AWS tags

Specify tags that identify the subset of instances that are scanned. Only instances with these tags are scanned. Enter the key-value pair for each tag. If an invalid tag is specified, it is ignored. You can specify a maximum of 50 tags. For more information about tags, see Tag your Amazon EC2 resources and Add and remove tags for Amazon EC2 resources.

Exclude by Instance ID

Exclude EC2 instances from each scan by specifying the EC2 instance ID. You can specify a maximum of 50 instance IDs. If invalid values are specified, they are ignored. If you define multiple instance IDs, they are combined using the AND operator.

  • If you select Exclude instance by ID, enter each instance ID manually by clicking Add AWS EC2 instance, and then typing the value.
  • If you select Copy and paste a list of instance IDs to exclude in JSON format, do one of the following:

    • Enter an array of instance IDs. For example:

      [ "instance-id-1", "instance-id-2" ]
    • Upload a file with the list of instance IDs. The content of the file should be an array of instance IDs, for example:

      [ "instance-id-1", "instance-id-2" ]

Scan SC1 instance

Select Scan SC1 instance to include these instances. SC1 instances are excluded by default. Learn more about SC1 instances.

Scan ST1 instance

Select Scan ST1 instance to include these instances. ST1 instances are excluded by default. Learn more about ST1 instances.

Scan Elastic Container Registry (ECR)

Select Scan Elastic Container Registry instance to scan container images stored in ECR and their installed packages. Learn more about Elastic Container Registry.
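Because the scan settings silently ignore invalid tags and instance IDs, a typo in a tag quietly removes instances from scan coverage, and a typo in an exclusion list quietly fails to exclude. The following Python is an added example, not part of this page or of Security Command Center: it pre-checks the JSON exclusion array and the tag pairs against the 50-entry limit before you paste or upload them. The EC2 instance ID format (i- plus 8 or 17 hex characters) and the EC2 tag rules are assumptions taken from AWS conventions, not stated on this page, and the sample input is constructed.

```python
import json
import re

MAX_ENTRIES = 50  # the page's limit for both tags and excluded instance IDs
# Assumption: real EC2 instance IDs are "i-" followed by 8 or 17 hex
# characters; the page itself only shows "instance-id-1" placeholders.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{17}|[0-9a-f]{8})$")

# Constructed sample: one typo (capital O instead of zero) and one repeat.
SAMPLE_EXCLUSIONS = ('["i-0abc12345def67890", "i-O1234567", '
                     '"i-0abc12345def67890", "i-0123abcd"]')


def check_exclusion_list(raw_json: str) -> dict:
    """Validate a JSON array of instance IDs before pasting or uploading it.
    Returns the IDs the service will honour (deduplicated, order kept) and
    the entries it would silently ignore, so a typo does not go unnoticed."""
    data = json.loads(raw_json)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of instance IDs")
    valid, ignored, seen = [], [], set()
    for entry in data:
        if not isinstance(entry, str) or not INSTANCE_ID_RE.match(entry):
            ignored.append(entry)
        elif entry not in seen:
            seen.add(entry)
            valid.append(entry)
    if len(valid) > MAX_ENTRIES:
        raise ValueError(f"{len(valid)} instance IDs exceed the limit of {MAX_ENTRIES}")
    return {"valid": valid, "ignored": ignored}


def check_scan_tags(tags: dict) -> dict:
    """Report problems in the tag key-value pairs that select instances to scan.
    A misspelled tag is worse than a bad exclusion: it silently shrinks scan
    coverage. Rules assumed from EC2 tagging: keys 1-128 chars, values up to
    256 chars, and no key starting with the reserved "aws:" prefix."""
    problems = {}
    for key, value in tags.items():
        if not key or len(key) > 128:
            problems[key] = "key must be 1-128 characters"
        elif key.lower().startswith("aws:"):
            problems[key] = "keys starting with aws: are reserved by AWS"
        elif not isinstance(value, str) or len(value) > 256:
            problems[key] = "value must be a string of at most 256 characters"
    if len(tags) > MAX_ENTRIES:
        problems["*"] = f"{len(tags)} tags exceed the limit of {MAX_ENTRIES}"
    return problems
```

Anything reported under "ignored" or in the problems dictionary should be corrected before the settings are saved, since the console will not flag it.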

Deploy the AWS CloudFormation template

  1. Go to the AWS CloudFormation Template page in the AWS Management Console.
  2. Click Stacks > With new resources (standard).
  3. On the Create stack page, select Choose an existing template and Upload a template file to upload the CloudFormation template.
  4. After the upload is complete, enter a unique stack name. Don't modify any other parameters in the template.
  5. Select Specify stack details. The Configure stack options page opens.
  6. Under Permissions, select the IAM Vulnerability Assessment Role that you created previously.
  7. Click Next.
  8. Check the box for acknowledgement.
  9. Click Submit to deploy the template. The stack takes a few minutes to start running.

The status of the deployment is displayed in the AWS console. If the CloudFormation template fails to deploy, see Troubleshooting.

After scans start running, if any vulnerabilities are detected, the corresponding findings are generated and displayed on the Security Command Center Findings page in the Google Cloud console.

Review findings in the console

You can view Vulnerability Assessment for AWS findings in the Google Cloud console. The minimum IAM role that is required to view findings is Security Center Findings Viewer (roles/securitycenter.findingsViewer).

To review Vulnerability Assessment for AWS findings in Google Cloud console, follow these steps:

Google Cloud console

  1. In the Google Cloud console, go to the Findings page of Security Command Center.


  2. Select your Google Cloud project or organization.
  3. In the Quick filters section, in the Source display name subsection, select EC2 Vulnerability Assessment. The findings query results are updated to show only the findings from this source.
  4. To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
  5. On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
  6. Optional: To view the full JSON definition of the finding, click the JSON tab.

Security Operations console

  1. In the Security Operations console, go to the Findings page.
    https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings
    

    Replace CUSTOMER_SUBDOMAIN with your customer-specific identifier.

  2. In the Aggregations section, click to expand the Source Display Name subsection.
  3. Select EC2 Vulnerability Assessment. The findings query results are updated to show only the findings from this source.
  4. To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
  5. On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
  6. Optional: To view the full JSON definition of the finding, click the JSON tab.

Troubleshooting

If you enabled the Vulnerability Assessment for AWS service, but scans are not running, check the following:

  • Check that the AWS connector is properly set up.
  • Confirm that the CloudFormation template stack deployed completely. Its status in the AWS account should be CREATE_COMPLETE.