Toolkit: AWS Inspector V2

Amazon Inspector V2 is the Amazon Web Services (AWS) vulnerability management and scanning service for AWS workloads. It captures vulnerabilities and unintended network exposures. It can scan Elastic Compute Cloud (EC2) instances, Amazon Elastic Container Registry images, and Lambda (serverless) functions. For more information about the AWS Inspector V2 release, see the readme.md.

For more information about toolkit connectors, see the Connector Toolkit.

Other AWS Inspector Versions

For information about other AWS Inspector versions, see the following readme.md files on GitHub:

Capabilities of this AWS Inspector V2 Release

In-scope for this release, the AWS Inspector V2 does:

  • Handle the EC2 instance and ECR container image asset types
  • Use the EC2 ID and IP address locators
  • Record the findings ARN as the scanner ID on the vulnerability

Limitations of this AWS Inspector V2 Release

Out-of-scope for this release, the AWS Inspector V2 does not:

  • Handle ECR Repositories and Lambda Functions asset types
  • Handle network reachability findings

Note: Fix/Recommendation data is not included.

Locator Ordering

For locator ordering, the following table states how the AWS Inspector V2 task maps the fields:

| AWS Inspector v2 API | Data Importer JSON |
| --- | --- |
| findingArn | asset.vulns[].scanner_identifier, vuln_def.scanner_identifier |
| firstObservedAt | asset.vulns[].created_at |
| lastObservedAt | asset.vulns[].last_seen_at |
| inspectorScore | asset.vulns[].scanner_score (rounded to the nearest integer) |
| severity | asset.vulns[].scanner_score. If no inspectorScore, mapped "INFORMATIONAL" => 0, "LOW" => 3, "MEDIUM" => 6, "HIGH" => 8, "CRITICAL" => 10, "UNTRIAGED" => 1 |
| type | Filter for “PACKAGE_VULNERABILITY” and ignore Network Reachability and Code Vulns (AWS Lambda) |
| title | asset.vulns[].vuln_def_name, vuln_def.name |
| description | vuln_def.description |
| remediation.recommendation.text | vuln_def.solution |
| status | asset.vulns[].status (“SUPPRESSED” => “open”) |
| package_vulnerability_details.vulnerability_id | cve_identifiers, cwe_identifiers, or wasc_identifiers if it contains CVE, CWE, or WASC in the string |
| resources.first.id | asset.ec2 |
| resources.first.details.aws_ec2_instance.ip_v4_addresses, preferring a public IP | asset.ip_address |
| resources.first.details.aws_ec2_instance.platform | asset.os |
| resources.first.tags | “Name” tag => asset.hostname or asset.fqdn depending on format; other tags => asset.tags |
| resources.first.details.aws_ecr_container_image.registry | asset.tags << "registry-<<REGISTRY_NAME>>" |
| resources.first.details.aws_ecr_container_image.repository | asset.tags << "repository-<<REPOSITORY_NAME>>" |
| resources.first.details.aws_ecr_container_image.image_hash | asset.image_id |
| resources.first.type | asset.asset_type = “image” if “AWS_ECR_CONTAINER_IMAGE” |
| "AWS Inspector V2" | asset.scanner_type, vuln_def.scanner_type |

 

Note: If the asset type is a container image, its only locator is an image ID, so the run will fail. If it fails, contact Support for help updating the custom locator ordering to utilize image ID as a locator. For more information, see Understanding Locator Order.
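
The scoring, type-filter, identifier and IP rules from the mapping table above, sketched in Ruby as an added example (not the toolkit's own code). The snake_case finding keys, the helper names, the flat output hash and the sample values are assumptions made for illustration.

```ruby
require "ipaddr"

# Severity fallback when a finding has no inspectorScore (values from the table).
SEVERITY_SCORE = { "INFORMATIONAL" => 0, "LOW" => 3, "MEDIUM" => 6,
                   "HIGH" => 8, "CRITICAL" => 10, "UNTRIAGED" => 1 }.freeze

# inspectorScore wins and is rounded; an unknown severity raises KeyError
# rather than silently scoring 0.
def scanner_score(finding)
  score = finding[:inspector_score]
  score ? score.round : SEVERITY_SCORE.fetch(finding[:severity])
end

# Choose the identifier list by substring match; nil when nothing matches.
def identifier_field(vuln_id)
  kind = %w[CVE CWE WASC].find { |k| vuln_id.to_s.upcase.include?(k) }
  kind && :"#{kind.downcase}_identifiers"
end

# Assumption: "public" means not an RFC 1918 address; else take the first one.
def preferred_ip(addresses)
  addresses.find { |ip| !IPAddr.new(ip).private? } || addresses.first
end

# Returns nil for finding types this release ignores, so a caller can count skips.
def map_finding(finding)
  return nil unless finding[:type] == "PACKAGE_VULNERABILITY"

  resource = finding[:resources].first
  vuln_id = finding.dig(:package_vulnerability_details, :vulnerability_id)
  ips = resource.dig(:details, :aws_ec2_instance, :ip_v4_addresses) || []
  mapped = { ec2: resource[:id], ip_address: preferred_ip(ips),
             scanner_identifier: finding[:finding_arn],
             scanner_score: scanner_score(finding),
             scanner_type: "AWS Inspector V2" }
  field = identifier_field(vuln_id)
  mapped[field] = vuln_id if field
  mapped
end

# Constructed sample finding: placeholder ARN, instance ID and addresses.
SAMPLE = {
  type: "PACKAGE_VULNERABILITY", severity: "HIGH", inspector_score: 7.8,
  finding_arn: "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE",
  package_vulnerability_details: { vulnerability_id: "CVE-0000-00000" },
  resources: [{ id: "i-0123456789abcdef0", details: { aws_ec2_instance: {
    ip_v4_addresses: ["10.0.1.5", "203.0.113.10"] } } }]
}.freeze

p map_finding(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Counting the findings for which map_finding returns nil shows how many network reachability and Lambda code findings were left out of the import.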

 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 1992-2023 Cisco Systems, Inc. All rights reserved.
