The Vulnerability Assessment for Amazon Web Services (AWS) service detects vulnerabilities in the following AWS resources:
- Software packages installed on Amazon EC2 instances
- Software packages and operating system misconfigurations in Elastic Container Registry (ECR) images
The Vulnerability Assessment for AWS service scans snapshots of the running EC2 instances, so production workloads are unaffected. This scan method is called agentless disk scanning, because no agents are installed on the target EC2 machines. Because the scanner reads a disk snapshot, it sees the software that was installed on disk when the snapshot was taken, not the in-memory state of the running instance.
The Vulnerability Assessment for AWS service runs on the AWS Lambda service and deploys EC2 instances that host scanners; these scanner instances create snapshots of the target EC2 instances and scan the snapshots.
You can set the scan interval from 6 to 24 hours.
For each detected vulnerability, Vulnerability Assessment for AWS generates a finding in Security Command Center. A finding is a record of the vulnerability that contains details about the affected AWS resource and the vulnerability, including information from the associated Common Vulnerabilities and Exposures (CVE) record.
For more information about the findings that are produced by Vulnerability Assessment for AWS, see Vulnerability Assessment for AWS findings.
Findings issued by Vulnerability Assessment for AWS
When the Vulnerability Assessment for AWS service detects a software vulnerability on an AWS EC2 machine or in an Elastic Container Registry image, the service issues a finding in Security Command Center on Google Cloud.
The individual findings and their corresponding detection modules are not listed in the Security Command Center documentation.
Each finding contains the following information that is unique to the detected software vulnerability:
- The full resource name of the affected instance or image
- A description of the vulnerability, including the following information:
  - The software package that contains the vulnerability
  - Information from the associated CVE record
  - An assessment from Mandiant of the impact and exploitability of the vulnerability
- An assessment from Security Command Center of the severity of the vulnerability
- An attack exposure score to help you prioritize remediation
- A visual representation of the path an attacker might take to the high-value resources that are exposed by the vulnerability
- If available, steps that you can take to fix the issue, including the patch or version upgrade that you can use to address the vulnerability
All Vulnerability Assessment for AWS findings share the following property values:
- Category: Software vulnerability
- Class: Vulnerability
- Cloud service provider: Amazon Web Services
- Source: EC2 Vulnerability Assessment
For information about viewing findings in the Google Cloud console, see Review findings in the Google Cloud console.
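Triaging these findings in practice, as an added example that is not part of the original documentation or of Google's own tooling: the script below filters an exported finding list down to the records that carry the shared property values listed above, ranks them by attack exposure score, then by Mandiant's exploitation-activity assessment, then by Security Command Center severity, and turns the offending-package and fixed-package fields into one remediation line per finding. The field names it reads (category, findingClass, cloudProvider, state, severity, resourceName, vulnerability.cve.id, vulnerability.cve.exploitationActivity, vulnerability.cve.upstreamFixAvailable, vulnerability.offendingPackage, vulnerability.fixedPackage, attackExposure.score) follow the Security Command Center Finding resource as gcloud scc findings list --format=json returns it, but the exact nesting is an assumption to verify against a real export. All finding records in the block are constructed sample data with placeholder CVE IDs and resource names.

```python
"""Rank Vulnerability Assessment for AWS findings for remediation.

Added example, not code from the original documentation or from Google.
Field names follow the Security Command Center Finding resource as
`gcloud scc findings list --format=json` returns it; the exact nesting is an
assumption to verify against a real export. All finding records below are
constructed sample data with placeholder CVE IDs and resource names.
"""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
# Mandiant exploitation-activity values, from most to least active.
EXPLOITATION_RANK = {"WIDE": 4, "CONFIRMED": 3, "AVAILABLE": 2,
                     "ANTICIPATED": 1, "NO_KNOWN": 0}


def is_aws_software_vulnerability(finding):
    """True for active findings carrying the property values this source sets."""
    return (
        finding.get("category") == "Software vulnerability"
        and finding.get("findingClass") == "VULNERABILITY"
        and finding.get("cloudProvider") == "AMAZON_WEB_SERVICES"
        and finding.get("state", "ACTIVE") == "ACTIVE"
    )


def priority_key(finding):
    """Sort key: attack exposure score, then exploitation activity, then severity.

    A finding with no attack exposure score (no attack path to a high-value
    resource was computed) sorts below every finding that has one.
    """
    exposure = finding.get("attackExposure", {}).get("score")
    cve = finding.get("vulnerability", {}).get("cve", {})
    return (
        exposure if exposure is not None else -1.0,
        EXPLOITATION_RANK.get(cve.get("exploitationActivity"), 0),
        SEVERITY_RANK.get(finding.get("severity"), 0),
    )


def remediation(finding):
    """Turn the package fields into one action line."""
    vuln = finding.get("vulnerability", {})
    pkg = vuln.get("offendingPackage", {})
    name = pkg.get("packageName", "?")
    fixed = vuln.get("fixedPackage", {}).get("packageVersion")
    if fixed:
        return f"upgrade {name} {pkg.get('packageVersion', '?')} -> {fixed}"
    if vuln.get("cve", {}).get("upstreamFixAvailable"):
        return f"upstream fix exists for {name}; rebuild or patch"
    return f"no fix published for {name}; mitigate exposure"


def triage(findings):
    """Return the AWS software-vulnerability findings ranked for remediation."""
    ranked = sorted(filter(is_aws_software_vulnerability, findings),
                    key=priority_key, reverse=True)
    return [{"resource": f["resourceName"],
             "cve": f["vulnerability"]["cve"]["id"],
             "severity": f["severity"],
             "exposure": f.get("attackExposure", {}).get("score"),
             "action": remediation(f)} for f in ranked]


def _finding(cve_id, severity, provider, resource, activity, pkg, version,
             fixed=None, exposure=None, upstream_fix=False, state="ACTIVE"):
    """Build one constructed finding in the shape described above."""
    vuln = {"cve": {"id": cve_id, "exploitationActivity": activity,
                    "upstreamFixAvailable": upstream_fix},
            "offendingPackage": {"packageName": pkg, "packageVersion": version}}
    if fixed:
        vuln["fixedPackage"] = {"packageName": pkg, "packageVersion": fixed}
    f = {"category": "Software vulnerability", "findingClass": "VULNERABILITY",
         "cloudProvider": provider, "state": state, "severity": severity,
         "resourceName": resource, "vulnerability": vuln}
    if exposure is not None:
        f["attackExposure"] = {"score": exposure}
    return f


AWS, GCP = "AMAZON_WEB_SERVICES", "GOOGLE_CLOUD_PLATFORM"
SAMPLE_FINDINGS = [  # constructed; CVE IDs and resource names are placeholders
    _finding("CVE-0000-0001", "HIGH", AWS, "ec2-instance-a", "WIDE",
             "libexample", "1.0.1", fixed="1.0.4", exposure=7.5),
    _finding("CVE-0000-0002", "CRITICAL", AWS, "ecr-image-b", "CONFIRMED",
             "libother", "2.3.0", upstream_fix=True),          # no exposure score
    _finding("CVE-0000-0003", "LOW", AWS, "ec2-instance-c", "NO_KNOWN",
             "libthird", "0.9.0", fixed="0.9.1", exposure=2.0),
    _finding("CVE-0000-0004", "CRITICAL", GCP, "gce-instance-d", "WIDE",
             "libexample", "1.0.1", fixed="1.0.4", exposure=9.0),  # not AWS
    _finding("CVE-0000-0005", "HIGH", AWS, "ec2-instance-e", "WIDE",
             "libexample", "1.0.1", fixed="1.0.4", exposure=8.0, state="INACTIVE"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```

Ranking by attack exposure score first follows the prioritization the finding itself carries: in the sample data the critical CVE on the container image, which has no computed exposure score, lands below a low-severity package on an instance that does have one. If your program prefers severity first, swap the tuple order in priority_key. The inactive and non-AWS records are dropped before ranking so that muted or already-fixed findings and findings from other providers do not crowd the queue.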
Resources used during scans
During scanning, Vulnerability Assessment for AWS uses resources on both Google Cloud and AWS.
Google Cloud resource usage
The resources that Vulnerability Assessment for AWS uses on Google Cloud are included in the cost of Security Command Center.
These resources include tenant projects, Cloud Storage buckets, and Workload Identity Federation. These resources are managed by Google Cloud and are used only during active scans.
Vulnerability Assessment for AWS also uses the Cloud Asset API to retrieve information about AWS accounts and resources.
AWS resource usage
On AWS, Vulnerability Assessment for AWS uses the AWS Lambda and Amazon Virtual Private Cloud (Amazon VPC) services, together with the EC2 scanner instances and the EBS snapshots of the target instances that each scan creates. After scanning is complete, the Vulnerability Assessment for AWS service stops using these AWS services.
AWS bills your AWS account for the use of these services as ordinary Lambda, VPC, EC2, and snapshot usage, and does not identify the usage as being associated with Security Command Center or the Vulnerability Assessment for AWS service.
Service identity and permissions
For the actions that it performs on Google Cloud, the Vulnerability Assessment for AWS service uses the following Security Command Center service agent at the organization level for identity and for permission to access Google Cloud resources:
service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
This service agent holds the cloudasset.assets.listResource permission, which the Vulnerability Assessment for AWS service uses to retrieve information about the target AWS accounts from Cloud Asset Inventory.
For the actions that Vulnerability Assessment for AWS performs on AWS, you create an AWS IAM role and assign the role to the Vulnerability Assessment for AWS service when you configure the required AWS CloudFormation template. For instructions, see Roles and permissions.