
Inspector

Scan EC2 instances for potential security issues. The commands below use the agent-based Inspector Classic API (`aws inspector`), driven through Systems Manager Run Command.

Steps

Install the agent on the instances through Systems Manager (targeted by tag); the call returns a CommandId.

aws ssm send-command --targets Key=tag:SecurityScan,Values=true \
--document-name "AmazonInspector-ManageAWSAgent" \
--query Command.CommandId \
--output-s3-bucket-name <BucketName>

Check the status of a given command (one row per instance: InstanceId, DocumentName, Status).

aws ssm list-command-invocations --details \
--query "CommandInvocations[*].[InstanceId,DocumentName,Status]" \
--command-id <CommandId>

Create an Inspector resource group (selects instances by the same tag)

aws inspector create-resource-group --resource-group-tags key=SecurityScan,value=true

Create an assessment target over that resource group

aws inspector create-assessment-target \
--assessment-target-name GamesDevTargetGroupCLI \
--resource-group-arn <ResourceGroupARN>

List the available rules packages and pick the ones to use

aws inspector list-rules-packages

Create an assessment template that scans the target with the chosen rules packages

aws inspector create-assessment-template \
--assessment-target-arn <targetArn> \
--assessment-template-name CISCommonVulerBestPract-Short \
--duration-in-seconds 900 --rules-package-arns <rule1Arn> <rule2Arn> … <ruleNArn>
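The steps above chained into one script, added here as an example (it is not part of the original notes). It assumes the AWS CLI is configured with SSM and Inspector Classic permissions, that the instances are tagged SecurityScan=true and already run the SSM agent, and it treats the bucket name, target/template names and poll interval as placeholders you override through the environment; the `--query` keys used to pull out the returned ARNs (resourceGroupArn, assessmentTargetArn, assessmentTemplateArn) are the Inspector Classic response fields. What the script adds over the raw commands is the gate between step 1 and step 3: it classifies the SSM invocation statuses and refuses to create the template until every tagged instance reports Success, since Inspector Classic can only assess instances where the agent is running.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: the whole Inspector Classic
# workflow as one script. Bucket and names are constructed placeholders.
set -eu

TAG_KEY="SecurityScan"
TAG_VALUE="true"
OUTPUT_BUCKET="${OUTPUT_BUCKET:-REPLACE-WITH-SSM-OUTPUT-BUCKET}"   # placeholder
TARGET_NAME="${TARGET_NAME:-GamesDevTargetGroupCLI}"
TEMPLATE_NAME="${TEMPLATE_NAME:-CISCommonVulerBestPract-Short}"
DURATION_SECONDS="${DURATION_SECONDS:-900}"
POLL_SECONDS="${POLL_SECONDS:-10}"

# Step 1: ask SSM to install the Inspector agent on every tagged instance.
# Prints the CommandId as plain text (no JSON quoting to strip).
install_agent() {
  aws ssm send-command \
    --targets "Key=tag:${TAG_KEY},Values=${TAG_VALUE}" \
    --document-name "AmazonInspector-ManageAWSAgent" \
    --output-s3-bucket-name "$OUTPUT_BUCKET" \
    --query Command.CommandId --output text
}

# Step 2: one tab-separated line per invocation: InstanceId, DocumentName, Status.
list_invocations() {
  aws ssm list-command-invocations --details \
    --command-id "$1" \
    --query "CommandInvocations[*].[InstanceId,DocumentName,Status]" \
    --output text
}

# Reduce the invocation list on stdin to one word on stdout:
#   success - at least one invocation and every one is Success
#   pending - some invocation is still Pending, InProgress or Delayed
#   failed  - any other terminal status (Failed, TimedOut, Cancelled, ...)
#   empty   - no invocations yet (SSM has not fanned out, or nothing matched the tag)
classify_invocations() {
  awk -F'\t' '
    NF < 3 { next }
    { n++ }
    $3 == "Success" { next }
    $3 == "Pending" || $3 == "InProgress" || $3 == "Delayed" { pend++; next }
    { bad++ }
    END {
      if (n == 0)        print "empty"
      else if (bad > 0)  print "failed"
      else if (pend > 0) print "pending"
      else               print "success"
    }'
}

# Gate: poll until the install is no longer pending. Returns 0 only when every
# target reports Success, so the assessment is not created against instances
# that have no agent.
wait_for_agent_install() {
  command_id="$1"; attempts="${2:-30}"; state="pending"
  for i in $(seq 1 "$attempts"); do
    state=$(list_invocations "$command_id" | classify_invocations)
    case "$state" in
      success) return 0 ;;
      failed)  echo "agent install failed on at least one instance" >&2; return 1 ;;
      *)       sleep "$POLL_SECONDS" ;;
    esac
  done
  echo "agent install still '${state}' after ${attempts} polls" >&2
  return 1
}

# Step 3: resource group keyed on the same tag; prints its ARN.
create_resource_group() {
  aws inspector create-resource-group \
    --resource-group-tags "key=${TAG_KEY},value=${TAG_VALUE}" \
    --query resourceGroupArn --output text
}

# Step 4: assessment target over that resource group; prints its ARN.
create_assessment_target() {
  aws inspector create-assessment-target \
    --assessment-target-name "$TARGET_NAME" \
    --resource-group-arn "$1" \
    --query assessmentTargetArn --output text
}

# Step 5 (aws inspector list-rules-packages) is a manual choice; the chosen
# ARNs are passed in as arguments. Step 6: create the template; prints its ARN.
create_assessment_template() {
  target_arn="$1"; shift
  aws inspector create-assessment-template \
    --assessment-target-arn "$target_arn" \
    --assessment-template-name "$TEMPLATE_NAME" \
    --duration-in-seconds "$DURATION_SECONDS" \
    --rules-package-arns "$@" \
    --query assessmentTemplateArn --output text
}

# Run the steps in order; prints the assessment template ARN.
run_workflow() {
  [ "$#" -ge 1 ] || { echo "usage: $0 <rules-package-arn>..." >&2; return 2; }
  cmd_id=$(install_agent)
  wait_for_agent_install "$cmd_id"
  rg_arn=$(create_resource_group)
  target_arn=$(create_assessment_target "$rg_arn")
  create_assessment_template "$target_arn" "$@"
}

# Only execute when rules-package ARNs are given on the command line, so the
# file can also be sourced for its functions.
if [ "$#" -ge 1 ]; then run_workflow "$@"; fi
```

Usage: `./inspector-scan.sh <rule1Arn> <rule2Arn>` after exporting OUTPUT_BUCKET. The classifier is deliberately strict: a single Failed or TimedOut invocation aborts the run rather than scanning the subset that succeeded, which keeps a partial agent rollout from being mistaken for a clean assessment.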