Enable and use Vulnerability Assessment for AWS

This page describes how to set up and use the Vulnerability Assessment for Amazon Web Services (AWS) service.

Before you begin

To enable the Vulnerability Assessment for AWS service, you need certain IAM permissions and Security Command Center must be connected to AWS.

Roles and permissions

To complete the setup of the Vulnerability Assessment for AWS service, you need to be granted roles with the necessary permissions in both Google Cloud and AWS.

Google Cloud roles

Make sure that you have the following role or roles on the organization: Security Center Admin Editor (roles/securitycenter.adminEditor)

Check for the roles

  1. In the Google Cloud console, go to the IAM page.

  2. Select the organization.
  3. In the Principal column, find the row that has your email address.

    If your email address isn't in that column, then you do not have any roles.

  4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.

  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your email address.
  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

AWS roles

In AWS, an AWS administrative user must create the AWS account that you need for enabling scans.

To create a Vulnerability Assessment role in AWS, follow these steps:

  1. Using an AWS administrative user account, go to the IAM Roles page in the AWS Management Console.
  2. Select Lambda from the Service or Use Case menu.
  3. Add the following permission policies:

    • AmazonSSMManagedInstanceCore
    • AWSLambdaBasicExecutionRole
    • AWSLambdaVPCAccessExecutionRole
  4. Click Add Permission > Create Inline policy to create a new permission policy:

    1. Open the following page and copy the policy: Role policy for Vulnerability Assessment for AWS.
    2. In the JSON Editor, paste the policy.
    3. Specify a name for the policy.
    4. Save the policy.
  5. Open the Trust Relationships tab.

  6. Paste in the following JSON object, adding it to any existing statement array:

    {
      "Version": "2012-10-17",
      "Statement": [
         {
               "Sid": "Statement1 or replace with a unique statementId",
               "Effect": "Allow",
               "Principal": {
                  "Service": "cloudformation.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
         }
      ]
    }
    
  7. Save the role.

You assign this role later when you install the CloudFormation template on AWS.
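Step 6 says to add the CloudFormation trust statement to any statement array that already exists rather than replacing it. The following added example (not part of this page or of Google Cloud's tooling) merges that statement into a constructed trust policy that already trusts lambda.amazonaws.com, refuses a colliding Sid, and lists which service principals can assume the role so you can confirm the result before deploying the stack; the Sid value and the existing policy are constructed placeholders.

```python
import json

# Trust statement from this page: lets CloudFormation assume the role when
# the stack is deployed. The Sid is a constructed placeholder.
CLOUDFORMATION_TRUST = {
    "Sid": "VulnAssessmentCloudFormation",
    "Effect": "Allow",
    "Principal": {"Service": "cloudformation.amazonaws.com"},
    "Action": "sts:AssumeRole",
}

# Constructed existing trust policy: a role created with the Lambda use case
# (step 2) already trusts lambda.amazonaws.com, which must be preserved.
EXISTING_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
})

def _as_list(value):
    """IAM accepts a scalar where an array is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]

def trusted_services(policy_json):
    """Return the service principals allowed to call sts:AssumeRole."""
    found = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
                and isinstance(principal, dict)):
            found.update(_as_list(principal.get("Service", [])))
    return found

def merge_trust_statement(policy_json, statement=CLOUDFORMATION_TRUST):
    """Add the CloudFormation statement to the Statement array (step 6)
    without dropping the statements that are already there."""
    if "cloudformation.amazonaws.com" in trusted_services(policy_json):
        return policy_json  # already trusted: nothing to add
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement", []))
    if any(s.get("Sid") == statement["Sid"] for s in statements):
        raise ValueError("Sid %r already used; choose a unique one" % statement["Sid"])
    policy["Statement"] = statements + [dict(statement)]
    return json.dumps(policy, indent=2)
```

Paste the returned document into the Trust Relationships editor; `trusted_services` on the saved policy should list both lambda.amazonaws.com and cloudformation.amazonaws.com.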

Confirm Security Command Center is connected to AWS

The Vulnerability Assessment for AWS service requires access to the inventory of AWS resources that Cloud Asset Inventory maintains when Security Command Center is connected to AWS for vulnerability detection.

If a connection is not already established, you are required to set one up when you enable the Vulnerability Assessment for AWS service.

To set up a connection, see Connect to AWS for vulnerability detection and risk assessment.

Enable Vulnerability Assessment for AWS

To enable Vulnerability Assessment for AWS, you need to create an AWS IAM role on the AWS platform, enable the Vulnerability Assessment for AWS service in Security Command Center, and then deploy a CloudFormation template on AWS.

Enable Vulnerability Assessment for AWS in Security Command Center

Vulnerability Assessment for AWS must be enabled on Google Cloud at the organization level.

  1. Go to the Settings page in Security Command Center:


  2. Select the organization in which you need to enable Vulnerability Assessment for AWS. The Services tab of the Settings page opens.

  3. In the Vulnerability Assessment service card, click Manage Settings. The Vulnerability Assessment page opens.

  4. Select the AWS tab.

  5. In the Status field under Service enablement, select Enable.

  6. Under AWS connector, check the Connection status.

  7. Under Scan settings, click Download CloudFormation template. A JSON template downloads to your workstation. You need to deploy the template in each AWS account that you need to scan for vulnerabilities.

Deploy the AWS CloudFormation template

  1. Go to the AWS CloudFormation Template page in the AWS Management Console.
  2. Click Stacks > With new resources (standard).
  3. On the Create stack page, select Choose an existing template and Upload a template file to upload the CloudFormation template.
  4. After the upload is complete, enter a unique stack name. Don't modify any other parameters in the template.
  5. Select Specify stack details. The Configure stack options page opens.
  6. Under Permissions, select the IAM Vulnerability Assessment Role that you created previously.
  7. Click Next.
  8. Check the box for acknowledgement.
  9. Click Submit to deploy the template. The stack takes a few minutes to start running.

The status of the deployment is displayed in the AWS console. If the CloudFormation template fails to deploy, see Troubleshooting.

After scans start running, if any vulnerabilities are detected, the corresponding findings are generated and displayed on the Security Command Center Findings page in the Google Cloud console.

Review findings in the Google Cloud console

You can view Vulnerability Assessment for AWS findings in the Google Cloud console. The minimum IAM role that is required to view findings is Security Center Findings Viewer (roles/securitycenter.findingsViewer).

To review Vulnerability Assessment for AWS findings in Google Cloud console, follow these steps:

  1. Go to the Security Command Center Findings page:


  2. If necessary, select your Google Cloud project or organization.


  3. In the Quick filters section, in the Source display name subsection, select EC2 Vulnerability Assessment.

    The Findings query results panel is updated to show only Vulnerability Assessment for AWS findings.

  4. To view details of a specific finding, click the finding name under Category. The finding details panel expands to display a summary of the finding details.

Disable Vulnerability Assessment for AWS

To disable the Vulnerability Assessment for AWS service, you need to disable it in Security Command Center and then delete the stack that contains the CloudFormation template in AWS. If the stack isn't deleted, it will continue to incur costs in AWS.

Complete the following steps to disable Vulnerability Assessment for AWS:

  1. Go to the Settings page in Security Command Center:


  2. Select the organization in which you need to disable Vulnerability Assessment for AWS. The Services tab of the Settings page opens.

  3. In the Vulnerability Assessment service card, click Manage Settings.

  4. In the Status field under Service enablement, select Disable.

  5. Go to the AWS CloudFormation Template page in the AWS Management Console.

  6. Delete the stack that contains the CloudFormation template for Vulnerability Assessment for AWS.

    If not deleted, you might incur unnecessary costs.

Troubleshooting

If you enabled the Vulnerability Assessment for AWS service, but scans are not running, check the following:

  • Check that the AWS connector is properly set up.
  • Confirm that the CloudFormation template stack deployed completely. Its status in the AWS account should be CREATION_COMPLETE.