I’ve previously written about Observable software for interacting with Amazon Web Services. In this post I’ll describe the Observable service’s integration with Amazon Inspector, a security tool for EC2 instances.
Inspector produces “assessments” about the security state of EC2 instances. From the Observable web portal you can launch new assessments, schedule recurring assessments, get notified about high-severity findings, and use findings in conjunction with network flow data to help resolve alerts.
(This post was updated on 2016-09-12 to include information about using VPC Flow Logs with Observable and Inspector)
To use Inspector you’ll need to install the software agent on your EC2 instances. Once that’s done you can use the Observable web portal to run assessments on-demand, or to schedule recurring assessments.
With a recurring assessment you can continually check for changes in your instances’ security state. For example, a weekly check against the Common Vulnerabilities and Exposures rule set will tell you when a new security issue affects your instances.
The Observable web portal will show the results of the latest assessments for your EC2 instances, and their severity. For high-severity findings the system will also generate an alert notification.
The Observable service produces alerts for suspicious changes in network behavior. Integrating Inspector findings into these alerts can help administrators when investigating those alerts.
For example, consider an IDS-style alert for failed remote access attempts to an EC2 instance.
The alert shows break-in attempts by the “Connected IP.” You can click to see the associated network traffic from the VPC Flow Logs.
The flag icon next to the “Source” in the alert indicates there are Inspector findings for the given instance:
From there you can check those alerts to see what Inspector had to say about the instance. Notice that it includes a recommendation for how to resolve each issue:
Armed with the information from the network traffic alert and the Inspector finding, the administrator should review the security group rules that permit remote access and also update the OS-provided packages to their latest versions.
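The triage flow just described, as an added example that is not code from Observable or AWS: it parses VPC Flow Log records (default version 2 format), counts rejected connections to remote-access ports per connected IP and instance, and joins each resulting alert with any high-severity Inspector findings for that instance, carrying the finding's recommendation along with it. The flow log lines, the interface-to-instance mapping, and the findings (shaped like Inspector's DescribeFindings output) are all constructed sample data; a real deployment would pull the mapping from DescribeNetworkInterfaces and the findings from the Inspector API.

```python
# Added example (not Observable's or AWS's code): correlate failed remote-access
# attempts seen in VPC Flow Logs with Amazon Inspector findings for the same
# instance, mirroring the alert-plus-finding triage described in the post.
from collections import defaultdict

# Constructed VPC Flow Log records (version 2 default format):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51234 22 6 6 360 1473000000 1473000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51236 22 6 6 360 1473000061 1473000120 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51240 22 6 10 1200 1473000121 1473000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 44100 443 6 20 4000 1473000000 1473000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 198.51.100.7 10.0.1.22 51300 3389 6 4 240 1473000000 1473000060 REJECT OK
""".splitlines()

# Constructed mapping from network interface to EC2 instance (assumption: in a
# real deployment this comes from the EC2 DescribeNetworkInterfaces API).
ENI_TO_INSTANCE = {"eni-0a1b2c3d": "i-0abc123def456", "eni-0e5f6a7b": "i-0fed654cba321"}

# Constructed findings shaped like Inspector's DescribeFindings output.
INSPECTOR_FINDINGS = [
    {"assetAttributes": {"agentId": "i-0abc123def456"}, "severity": "High",
     "title": "Instance is reachable on TCP port 22 from the internet",
     "recommendation": "Restrict the security group rule for TCP/22 to trusted networks."},
    {"assetAttributes": {"agentId": "i-0abc123def456"}, "severity": "High",
     "title": "Package openssh-server is affected by a known CVE (placeholder id)",
     "recommendation": "Update the OS-provided packages to the latest versions."},
    {"assetAttributes": {"agentId": "i-0abc123def456"}, "severity": "Low",
     "title": "Informational finding", "recommendation": "No action required."},
]

REMOTE_ACCESS_PORTS = {22, 3389}  # SSH and RDP


def parse_flow_record(line):
    """Parse one version-2 flow log line; return None for malformed input."""
    f = line.split()
    if len(f) < 14 or f[0] != "2":
        return None
    return {"interface": f[2], "src": f[3], "dst": f[4], "dstport": int(f[6]),
            "protocol": int(f[7]), "action": f[12]}


def failed_remote_access(lines, threshold=2):
    """Return {(src_ip, instance): reject_count} for sources rejected at least
    `threshold` times on a remote-access port of the same instance."""
    counts = defaultdict(int)
    for line in lines:
        r = parse_flow_record(line)
        if r is None or r["action"] != "REJECT" or r["dstport"] not in REMOTE_ACCESS_PORTS:
            continue
        instance = ENI_TO_INSTANCE.get(r["interface"], r["interface"])
        counts[(r["src"], instance)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def high_severity_findings(findings, instance):
    """Inspector findings with severity High for the given instance (agent) id."""
    return [f for f in findings
            if f["assetAttributes"]["agentId"] == instance and f["severity"] == "High"]


def triage(lines, findings):
    """Join each failed-access alert with the targeted instance's high-severity
    Inspector findings, the way the flag icon in the alert view does."""
    report = []
    for (src, instance), n in sorted(failed_remote_access(lines).items()):
        hits = high_severity_findings(findings, instance)
        report.append({"connected_ip": src, "instance": instance, "rejects": n,
                       "flagged": bool(hits),
                       "recommendations": [h["recommendation"] for h in hits]})
    return report


if __name__ == "__main__":
    for entry in triage(FLOW_LOG_LINES, INSPECTOR_FINDINGS):
        flag = "FLAG" if entry["flagged"] else "    "
        print(f"{flag} {entry['connected_ip']} -> {entry['instance']}: "
              f"{entry['rejects']} rejected remote-access attempts")
        for rec in entry["recommendations"]:
            print("     -", rec)
```

The `threshold` parameter is what keeps a single stray REJECT from becoming an alert; the one RDP reject against the second instance in the sample data falls below it and is dropped, while the repeated SSH rejects against the first instance surface together with both of that instance's high-severity findings.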
Do note that there’s a fee for Inspector assessments, but you can test it out without charge (250 assessments over 90 days as of this writing).
If you’re a prospective Observable user who is already using Inspector, do let us know when you sign up. Inspector activities are integrated automatically; there's no additional setup needed.