Inspector
Chris Johnson, Solutions Architect
November 1, 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from this session
“[With] any large network, I will tell you that persistence and
focus will get you in, we’ll achieve that exploitation without
the zero days,” he says. “There’s so many more vectors
that are easier, less risky and quite often more productive
than going down that route.” This includes, of course,
known vulnerabilities for which a patch is available but the
owner hasn’t installed it.
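#!/bin/bash
# Download the agent installer to an explicit path so the chmod and run
# steps below find it regardless of the current working directory.
wget -O /home/ec2-user/install https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install
chmod a+x /home/ec2-user/install
# The installer needs root privileges.
/home/ec2-user/install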
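# Save the installer to a full path: WebClient resolves relative paths against
# the process working directory, which can differ from the PowerShell location.
$url = "https://s3-us-west-2.amazonaws.com/aws-agent-updates-test/windows/product/AWSAgentInstall.exe"
$installer = Join-Path $env:TEMP "AWSInstall.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $installer)
# Run the installer silently
& $installer /quiet

• Chef, SaltStack, Puppet, Ansible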
• AWS CodeDeploy
• EC2 user-data
• EC2 RunCommand
• cfn-init
• AWS OpsWorks
• CloudInit
Supported Agent Operating Systems
• Based on Agent-Assessments
• 1 assessment with 10 agents = 10 agent-assessments
• 5 assessments with 2 agents = 10 agent-assessments
• 10 assessments with 1 agent = 10 agent-assessments
• 10 agent-assessments = $3.00
• Vulnerabilities
  • A mistake in software that can be used to gain unauthorized system access
  • Execute commands as another user
  • Pose as another entity
  • Conduct a denial of service
• Exposures
  • A mistake in software that allows access to information that can lead to unauthorized system access
  • Allows an attacker to hide activities
  • Enables information-gathering activities
CIS Secure Configuration Benchmarks
CIS delivers
Confidence in the Connected World
CIS can help your organization
Our Mission:
• Create and promote best practices in cybersecurity
• Deliver solutions to prevent and rapidly respond to cyber incidents
• Build trust in cyberspace
Our Programs:
• MS-ISAC (SLTT support)
• CIS Critical Security Controls
• CIS Security Benchmarks
What is a “Benchmark?”
Why to do it…
How to do it…
Amazon and CIS
• CIS AWS Foundations Benchmark:
• Provides recommendations for the security of your AWS account
Amazon Inspector:
• CIS Security Software Vendor Membership and certification service assesses against the following CIS Benchmark:
Amazon Linux 2014.09-2015.03
Additional CIS Benchmarks scheduled
CIS Amazon Machine Images (AMIs)
• AWS Marketplace
• CIS Security Benchmarks Membership
Future plans:
• GovCloud - More details to come in May
• Intelligence Community (IC) Marketplace
• Rules Packages
• Common Vulnerabilities & Exposures
• CIS Operating System Security Configuration Benchmarks
• Security Best Practices
• Runtime Behavior Analysis
Security Best Practices
• Authentication
• Network Security
• Operating System
• Application Security