This page describes how to set up and use the Vulnerability Assessment for Amazon Web Services (AWS) service.
To enable Vulnerability Assessment for AWS, you need to create an AWS IAM role on the AWS platform, enable the Vulnerability Assessment for AWS service in Security Command Center, and then deploy a CloudFormation template on AWS.
Before you begin
To enable the Vulnerability Assessment for AWS service, you need certain IAM permissions and Security Command Center must be connected to AWS.
Roles and permissions
To complete the setup of the Vulnerability Assessment for AWS service, you need to be granted roles with the necessary permissions in both Google Cloud and AWS.
Google Cloud roles
Make sure that you have the following role or roles on the organization:
Security Center
Admin Editor (roles/securitycenter.adminEditor
)
Check for the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.
Grant the roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the organization.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
AWS roles
In AWS, an AWS administrative user must create the AWS account that you need for enabling scans.
To create a Vulnerability Assessment role in AWS, follow these steps:
- Using an AWS administrative user account, go to the IAM Roles page in the AWS Management Console.
- Select
lambda
from theService or Use Case
menu. - Add the following permission policies:
AmazonSSMManagedInstanceCore
AWSLambdaBasicExecutionRole
AWSLambdaVPCAccessExecutionRole
- Click Add Permission > Create Inline policy to create a new
permission policy:
- Open the following page and copy the policy: Role policy for Vulnerability Assessment for AWS.
- In the JSON Editor, paste the policy.
- Specify a name for the policy.
- Save the policy.
- Open the Trust Relationships tab.
Paste in the following JSON object, adding it to any existing statement array:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1 or replace with a unique statementId", "Effect": "Allow", "Principal": { "Service": "cloudformation.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
Save the role.
You assign this role later when you install the CloudFormation template on AWS.
Collect information about the AWS resources to be scanned
During the steps to enable Vulnerability Assessment for AWS, you can customize the configuration to scan specific AWS regions, specific tags that identify AWS resources and specific Hard disk drive (HDD) volumes (both SC1 and ST1).
It helps to have this information available before configuring Vulnerability Assessment for AWS.
Confirm Security Command Center is connected to AWS
The Vulnerability Assessment for AWS service requires access to the inventory of AWS resources that Cloud Asset Inventory maintains when Security Command Center is connected to AWS for vulnerability detection.
If a connection is not already established, you are required to set one up when you enable the Vulnerability Assessment for AWS service.
To set up a connection, see Connect to AWS for vulnerability detection and risk assessment.
Enable Vulnerability Assessment for AWS in Security Command Center
Vulnerability Assessment for AWS must be enabled on Google Cloud at the organization level.
Go to the Risk overview page in Security Command Center:
Select the organization you want to enable Vulnerability Assessment for AWS in.
Click Settings.
In the Vulnerability Assessment card, click Manage Settings. The Vulnerability Assessment page opens.
Select the Amazon Web Services tab.
In the Service enablement section, change the Status field to Enable.
In the AWS connector section, verify that the status displays AWS Connector added. If the status displays No AWS connector added, click Add AWS connector. Complete the steps in Connect to AWS for vulnerability detection and risk assessment before you go to the next step.
Configure the Scan settings for AWS compute and storage. To change the default configuration, click Edit scan settings. For information about each option, see Customize scan settings for AWS compute and storage.
In the Scan settings section, click Download CloudFormation template. A JSON template downloads to your workstation. You need to deploy the template in each AWS account that you need to scan for vulnerabilities.
Customize scan settings for AWS compute and storage
This section describes options available to customize the scan of AWS resources. These custom options are under the Scan settings for AWS compute and storage section when editing a Vulnerability Assessment for AWS scan.
You can define a maximum of 50 AWS tags and Amazon EC2 instance IDs. Changes to scan settings don't affect the AWS CloudFormation template. You don't need to redeploy the template. If a tag or instance ID value is not correct (for example, the value is misspelled) and the resource specified does not exist, the value is ignored during the scan.Option | Description |
---|---|
Scan interval | Enter the number of hours between each scan. Valid values range from 6 to 24. The default value is 6. More frequent scans may cause an increase in resource usage and possibly an increase in billing charges. |
AWS regions |
Choose a subset of regions to include in vulnerability assessment scanning. Only instances from the selected regions are scanned. Select one or more AWS regions to be included in the scan. If you configured specific regions in the Amazon Web Services (AWS) connector, make sure the regions selected here are the same, or a subset of, those defined when you configured the connection to AWS. |
AWS tags | Specify tags that identify the subset of instances that are scanned. Only instances with these tags are scanned. Enter the key-value pair for each tag. If an invalid tag is specified, it will be ignored. You can specify a maximum of 50 tags. For more information about tags, see Tag your Amazon EC2 resources and Add and remove tags for Amazon EC2 resources. |
Exclude by Instance ID |
Exclude EC2 instances from each scan by specifying the
EC2 instance ID.
You can specify a maximum of 50 instance IDs. If invalid values are specified, they will
be ignored. If you define multiple instance IDs, they are combined using the
|
Scan SC1 instance | Select Scan SC1 instance to include these instances. SC1 instances are excluded by default. Learn more about SC1 instances. |
Scan ST1 instance | Select Scan ST1 instance to include these instances. ST1 instances are excluded by default. Learn more about ST1 instances. |
Deploy the AWS CloudFormation template
- Go to the AWS CloudFormation Template page in the AWS Management Console.
- Click Stacks > With new resources (standard).
- On the Create stack page, select Choose an existing template and Upload a template file to upload the CloudFormation template.
- After the upload is complete, enter a unique stack name. Don't modify any other parameters in the template.
- Select Specify stack details. The Configure stack options page opens.
- Under Permissions, select the
IAM Vulnerability Assessment Role
that you created previously. - Click Next.
- Check the box for acknowledgement.
- Click Submit to deploy the template. The stack takes a few minutes to start running.
The status of the deployment is displayed in the AWS console. If the CloudFormation template fails to deploy, see Troubleshooting.
After scans start running, if any vulnerabilities are detected, the corresponding findings are generated and displayed on the Security Command Center Findings page in the Google Cloud console.
Review findings in the console
You can view Vulnerability Assessment for AWS findings in the Google Cloud console.
The minimum IAM role that is required to view findings is
Security Center Findings Viewer (roles/securitycenter.findingsViewer
).
To review Vulnerability Assessment for AWS findings in Google Cloud console, follow these steps:
Google Cloud console
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select EC2 Vulnerability Assessment. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
Security Operations console
-
In the Security Operations console, go to the Findings page.
https://CUSTOMER_SUBDOMAIN.backstory.chronicle.security/posture/findings
Replace
CUSTOMER_SUBDOMAIN
with your customer-specific identifier. - In the Aggregations section, click to expand the Source Display Name subsection.
- Select EC2 Vulnerability Assessment. The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
Troubleshooting
If you enabled the Vulnerability Assessment for AWS service, but scans are not running, check the following:
- Check that the AWS connector is properly set up.
- Confirm that the CloudFormation template stack deployed completely. Its
status in the AWS account should be
CREATION_COMPLETE
.