Overview of Vulnerability Assessment for AWS

The Vulnerability Assessment for Amazon Web Services (AWS) service detects vulnerabilities in the following AWS resources:

  • Software packages installed on Amazon EC2 instances
  • Software packages and operating system misconfigurations in Elastic Container Registry (ECR) images

The Vulnerability Assessment for AWS service scans snapshots of the running EC2 instances, so production workloads are unaffected. This scan method is called agentless disk scanning, because no agents are installed on the target EC2 machines.

The Vulnerability Assessment for AWS service runs on the AWS Lambda service and deploys EC2 instances that host scanners, create snapshots of the target EC2 instances, and scan the snapshots.

You can set the scan interval from 6 to 24 hours.

For each detected vulnerability, Vulnerability Assessment for AWS generates a finding in Security Command Center. A finding is a record of the vulnerability that contains details about the affected AWS resource and the vulnerability, including information from the associated Common Vulnerability and Exposures (CVEs) record.

For more information about the findings that are produced by Vulnerability Assessment for AWS, see Vulnerability Assessment for AWS findings.

Findings issued by Vulnerability Assessment for AWS

When the Vulnerability Assessment for AWS service detects a software vulnerability on an AWS EC2 machine or in an Elastic Container Registry image, the service issues a finding in Security Command Center on Google Cloud.

The individual findings and their corresponding detection modules are not listed in the Security Command Center documentation.

Each finding contains the following information that is unique to the detected software vulnerability:

  • The full resource name of the affected instance or image
  • A description of the vulnerability, including the following information:
    • The software package that contains the vulnerability
    • Information from the associated CVE record
    • An assessment from Mandiant of the impact and exploitability of the vulnerability
    • An assessment from Security Command Center of the severity of the vulnerability
  • An attack exposure score to help you prioritize remediation
  • A visual representation of the path an attacker might take to the high-value resources that are exposed by the vulnerability
  • If available, steps that you can take to fix the issue, including the patch or version upgrade that you can use to address the vulnerability

All Vulnerability Assessment for AWS findings share the following property values:

Category
Software vulnerability
Class
Vulnerability
Cloud service provider
Amazon Web Services
Source
EC2 Vulnerability Assessment

For information about viewing findings in the Google Cloud console, see Review findings in the Google Cloud console.

Resources used during scans

During scanning, Vulnerability Assessment for AWS uses resources on both Google Cloud and on AWS.

Google Cloud resource usage

The resources that Vulnerability Assessment for AWS uses on Google Cloud are included in the cost of Security Command Center.

These resources include tenant projects, Cloud Storage buckets, and Workload Identity Federation. These resources are managed by Google Cloud and are used only during active scans.

Vulnerability Assessment for AWS also uses the Cloud Asset API to retrieve information about AWS accounts and resources.

AWS resource usage

On AWS, Vulnerability Assessment for AWS uses the AWS Lambda and Amazon Virtual Private Cloud (Amazon VPC) services. After scanning is complete, the Vulnerability Assessment for AWS service stops using these AWS services.

AWS bills your AWS account for the use of these services and does not identify the usage as being associated with Security Command Center or the Vulnerability Assessment for AWS service.

Service identity and permissions

For the actions that it performs on Google Cloud, the Vulnerability Assessment for AWS service uses the following Security Command Center service agent at the organization level for identity and for permission to access Google Cloud resources:

service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com

This service agent contains the cloudasset.assets.listResource permission, which Vulnerability Assessment for AWS service uses to retrieve information about the target AWS accounts from Cloud Asset Inventory.

For the actions that Vulnerability Assessment for AWS performs on AWS, you create an AWS IAM role and assign the role to the Vulnerability Assessment for AWS service when you configure the required AWS CloudFormation template. For instructions, see Roles and permissions.