Manage vulnerabilities in your infrastructure and perform pentesting

It’s recommended to use vulnerability management services such as Amazon Inspector to identify infrastructure vulnerabilities and deviations from the CIS OS hardening best practices on your instances.

Amazon Inspector delivers continuous vulnerability management, leveraging the same AWS Systems Manager Agent (SSM Agent) you already use to manage your instances.

Scanning your cloud resources with network sweeps, as you would on-prem, is challenging in the cloud: resources are short-lived and disappear quickly, and multi-account setups and VPCs segment the network. An agent-based scan is therefore preferred.

Inspector also supports agentless scanning of EBS volumes (hybrid scan mode), which is useful for virtual appliances or other instances where you can’t install the SSM Agent. The agent-based scan remains preferred, as it provides information closer to real time.
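Because agent-based scanning depends on the SSM Agent, an instance that is not registered and Online in Systems Manager is also invisible to that scan. The following is an added example (not AWS code) that compares a trimmed `aws ec2 describe-instances` output with a trimmed `aws ssm describe-instance-information` output and lists the running instances that have no Online agent, which are the candidates for hybrid (EBS) scanning or for fixing the agent install and its IAM instance profile. Both inputs are constructed samples; the field names follow the real CLI output, everything else (instance ids, tags) is made up.

```python
"""Report running EC2 instances that the SSM Agent (and therefore Inspector's
agent-based scan) does not cover. Added example, not AWS code."""
import json

# Constructed sample shaped like `aws ec2 describe-instances`, trimmed to the
# fields used here. Instance ids and Name tags are made up.
EC2_DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
   "Tags": [{"Key": "Name", "Value": "web-1"}]},
  {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
   "Tags": [{"Key": "Name", "Value": "appliance-fw"}]},
  {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"},
   "Tags": [{"Key": "Name", "Value": "batch-old"}]},
  {"InstanceId": "i-0ddd444", "State": {"Name": "running"}, "Tags": []}
]}]}
""")

# Constructed sample shaped like `aws ssm describe-instance-information`.
# PingStatus is Online, ConnectionLost or Inactive in the real output.
SSM_INSTANCE_INFORMATION = json.loads("""
{"InstanceInformationList": [
  {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
  {"InstanceId": "i-0ddd444", "PingStatus": "ConnectionLost"}
]}
""")


def running_instances(ec2_output):
    """Return {instance_id: name_tag} for running instances only.
    Stopped instances are skipped: the agent cannot report from them and
    Inspector treats them separately."""
    result = {}
    for reservation in ec2_output["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            name = next((t["Value"] for t in inst.get("Tags", [])
                         if t["Key"] == "Name"), "")
            result[inst["InstanceId"]] = name
    return result


def ssm_online(ssm_output):
    """Return the set of instance ids whose agent is currently Online.
    A registered but ConnectionLost agent is not scanning either."""
    return {i["InstanceId"] for i in ssm_output["InstanceInformationList"]
            if i["PingStatus"] == "Online"}


def agent_coverage_gap(ec2_output, ssm_output):
    """Running instances with no Online SSM Agent, sorted by id."""
    running = running_instances(ec2_output)
    online = ssm_online(ssm_output)
    return sorted(iid for iid in running if iid not in online)


def coverage_report(ec2_output, ssm_output):
    """Summary a reviewer can track over time: how many running instances
    the agent covers and which ones it does not."""
    running = running_instances(ec2_output)
    gap = agent_coverage_gap(ec2_output, ssm_output)
    return {"running": len(running),
            "agent_covered": len(running) - len(gap),
            "uncovered": gap}


if __name__ == "__main__":
    names = running_instances(EC2_DESCRIBE_INSTANCES)
    report = coverage_report(EC2_DESCRIBE_INSTANCES, SSM_INSTANCE_INFORMATION)
    print(json.dumps(report, indent=2))
    for iid in report["uncovered"]:
        print(f"{iid} ({names[iid] or 'no Name tag'}): no Online SSM Agent, "
              "needs hybrid scan or agent fix")
```

In the sample, the appliance and the untagged instance come out as uncovered, while the ConnectionLost agent on `i-0ddd444` shows why checking `PingStatus` matters rather than mere registration. In practice the two inputs would come from the CLI, paginated and per account and region.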

Amazon Inspector

You can use AWS Systems Manager Patch Manager to patch vulnerable instances, or the patch management software of your choice, and there is no charge for patching AWS cloud resources.
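Inspector findings tell you which of them a patch can actually close. The following is an added example (not AWS code) that turns a trimmed `aws inspector2 list-findings` output into a per-instance patch work list, ordered by severity, and separates the findings that have no fix available and need a compensating control instead. The field names (`status`, `severity`, `fixAvailable`, `type`, `resources`, `packageVulnerabilityDetails`) follow the real response shape; the findings, instance ids, package versions and the `CVE-0000-000N` identifiers are constructed placeholders.

```python
"""Triage Amazon Inspector package findings into a patch work list.
Added example, not AWS code; the sample findings are constructed."""
import json
from collections import defaultdict

# Ordering used to put the worst findings first on each instance.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2,
                  "LOW": 3, "INFORMATIONAL": 4, "UNTRIAGED": 5}

# Constructed sample shaped like `aws inspector2 list-findings`, trimmed to
# the fields used. CVE ids are placeholders, not real vulnerabilities.
LIST_FINDINGS = json.loads("""
{"findings": [
  {"status": "ACTIVE", "severity": "CRITICAL", "fixAvailable": "YES",
   "type": "PACKAGE_VULNERABILITY",
   "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaa111"}],
   "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001",
     "vulnerablePackages": [{"name": "openssl", "version": "1.0.0", "fixedInVersion": "1.0.1"}]}},
  {"status": "ACTIVE", "severity": "HIGH", "fixAvailable": "NO",
   "type": "PACKAGE_VULNERABILITY",
   "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaa111"}],
   "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002",
     "vulnerablePackages": [{"name": "libexample", "version": "2.3"}]}},
  {"status": "SUPPRESSED", "severity": "HIGH", "fixAvailable": "YES",
   "type": "PACKAGE_VULNERABILITY",
   "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbb222"}],
   "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003",
     "vulnerablePackages": [{"name": "zlib", "version": "1.2.0", "fixedInVersion": "1.2.1"}]}},
  {"status": "ACTIVE", "severity": "MEDIUM", "fixAvailable": "YES",
   "type": "PACKAGE_VULNERABILITY",
   "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbb222"}],
   "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0004",
     "vulnerablePackages": [{"name": "curl", "version": "7.0", "fixedInVersion": "7.1"}]}},
  {"status": "ACTIVE", "severity": "HIGH", "fixAvailable": "YES",
   "type": "PACKAGE_VULNERABILITY",
   "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbb222"}],
   "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0005",
     "vulnerablePackages": [{"name": "kernel", "version": "5.10.1", "fixedInVersion": "5.10.2"}]}},
  {"status": "CLOSED", "severity": "CRITICAL", "fixAvailable": "YES",
   "type": "PACKAGE_VULNERABILITY",
   "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbb222"}],
   "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0006",
     "vulnerablePackages": [{"name": "bash", "version": "5.0", "fixedInVersion": "5.1"}]}}
]}
""")


def active_package_findings(output):
    """Only ACTIVE package findings count as open work; SUPPRESSED and
    CLOSED ones are excluded so the numbers reflect what is still exposed."""
    return [f for f in output["findings"]
            if f["status"] == "ACTIVE" and f["type"] == "PACKAGE_VULNERABILITY"]


def count_by_severity(output):
    """Open findings per severity; track this over time to answer
    'is the number of vulnerabilities shrinking?'."""
    counts = defaultdict(int)
    for f in active_package_findings(output):
        counts[f["severity"]] += 1
    return dict(counts)


def patch_worklist(output):
    """{instance_id: [package entries]} for findings with fixAvailable YES,
    each instance's list ordered worst severity first."""
    per_instance = defaultdict(list)
    for f in active_package_findings(output):
        if f.get("fixAvailable") != "YES":
            continue
        details = f["packageVulnerabilityDetails"]
        for res in f["resources"]:
            if res["type"] != "AWS_EC2_INSTANCE":
                continue
            for pkg in details["vulnerablePackages"]:
                per_instance[res["id"]].append({
                    "package": pkg["name"], "installed": pkg["version"],
                    "fixed_in": pkg.get("fixedInVersion"),
                    "severity": f["severity"], "cve": details["vulnerabilityId"]})
    for entries in per_instance.values():
        entries.sort(key=lambda e: SEVERITY_ORDER.get(e["severity"], 99))
    return dict(per_instance)


def unfixable(output):
    """(instance, cve, severity) for open findings a patch cannot close;
    these need a compensating control or a vendor follow-up."""
    rows = []
    for f in active_package_findings(output):
        if f.get("fixAvailable") == "YES":
            continue
        cve = f["packageVulnerabilityDetails"]["vulnerabilityId"]
        rows.extend((r["id"], cve, f["severity"]) for r in f["resources"]
                    if r["type"] == "AWS_EC2_INSTANCE")
    return rows


if __name__ == "__main__":
    print("open by severity:", count_by_severity(LIST_FINDINGS))
    for iid, entries in patch_worklist(LIST_FINDINGS).items():
        for e in entries:
            print(f"{iid}: {e['severity']:8} {e['package']} {e['installed']} -> {e['fixed_in']} ({e['cve']})")
    print("no fix available:", unfixable(LIST_FINDINGS))
```

The work list is what you would hand to Patch Manager or another patching tool; the `unfixable` rows are the ones a patch cycle will never shrink, so they should be tracked separately from the severity counts.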

There are also numerous solutions provided by our partners available on the AWS Marketplace.

Amazon Inspector Mindmap

https://www.xmind.net/m/22EXUr/

Workshops

Risk Mitigation

  • Vulnerabilities in the operating system or middleware can be an entry point for adversaries, especially when they sit in the software serving web applications, which is typically exposed.
  • Often organizations have teams dedicated to Application Security Testing but lack basic vulnerability management of the infrastructure that hosts those applications.

Guidance for assessments

  • Do you have a solution implemented to identify vulnerabilities in infrastructure?
  • Do you have internal teams doing pentesting, or do you hire external pentesters?
  • Is a team patching the vulnerabilities? How? Is the number of vulnerabilities shrinking?

Amazon Inspector Pricing

https://aws.amazon.com/inspector/pricing/