AWS re/Start Lab · Security

Using Amazon Inspector for vulnerability assessment and remediation

This lab utilizes Amazon Inspector to scan AWS resources, specifically AWS Lambda functions. Discover how to activate Amazon Inspector, interpret vulnerability reports, and successfully remediate findings.

Lab Summary

Activated Amazon Inspector to assess the security posture of an AWS environment. Identified a critical outdated package vulnerability inside an AWS Lambda function, remediated the issue by modifying the package version dependencies, and confirmed that the vulnerability was successfully closed.

Vulnerability Analysis

Utilized the Amazon Inspector dashboard to review scanned resources and identified the specific root cause of a medium-severity vulnerability within the Lambda function.

Automated Remediation Tracking

Updated the required function dependencies, which automatically triggered a new scan by Inspector to close the vulnerability finding without manual intervention.

Step-by-Step Walkthrough

Detailed documentation of the assessment and remediation process using Amazon Inspector.

01

Activate Amazon Inspector

  • Navigated to the Amazon Inspector service in the AWS Management Console and activated it for the account.
  • Monitored the dashboard until the Environment coverage for Lambda functions completed.

02

Review inspected resources

  • Selected All findings to review the vulnerabilities detected by the automated scan.
  • Identified a Medium severity finding titled CVE-2023-32681 - requests affecting the get-request Lambda function.
  • Discovered that the requests Python package was outdated and recommended for an upgrade.

03

Remediate the vulnerability

  • Navigated to the AWS Lambda service and opened the get-request function.
  • Modified the requirements.txt file by removing the specific version constraint (==2.20.0) from the requests package, so that the latest available version is installed when the function is deployed.
  • Deployed the updated Lambda function.
  • Returned to Amazon Inspector and verified that the finding for CVE-2023-32681 - requests was moved to the Closed status.
  • Verified that the Lambda functions coverage displayed an updated timestamp for the most recently scanned function.
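The remediation above edits requirements.txt by hand. As an added example (not part of the lab), the script below detects a `requests==2.20.0` style pin that is older than the advisory's fixed version and produces two rewrites: the lab's unpin, and a `>=` floor, which still moves past the vulnerable release but keeps the build from drifting to whatever is newest at the next deploy. The requirements content is a constructed sample, and the fixed version is a placeholder to be taken from the CVE-2023-32681 advisory.

```python
"""Check and rewrite a Lambda requirements.txt for a vulnerable pinned package."""
import re

# Constructed sample mirroring the lab's vulnerable requirements.txt
SAMPLE_REQUIREMENTS = "boto3\nrequests==2.20.0\n"

# name, optional operator, optional version (enough for simple pins and floors)
SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([\w.]+)?")


def parse_requirements(text):
    """Return {package: (operator, version)} for each non-comment, non-blank line."""
    deps = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if m:
            deps[m.group(1).lower()] = (m.group(2), m.group(3))
    return deps


def version_tuple(version):
    """Turn '2.20.0' into (2, 20, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_pinned_below(text, package, fixed_version):
    """True when `package` is hard-pinned (==) to a release older than fixed_version."""
    op, ver = parse_requirements(text).get(package.lower(), (None, None))
    return op == "==" and ver is not None and version_tuple(ver) < version_tuple(fixed_version)


def rewrite(text, package, new_spec):
    """Replace the requirement line for `package` with package+new_spec ("" removes the pin)."""
    out = []
    for line in text.splitlines():
        m = SPEC_RE.match(line)
        if m and m.group(1).lower() == package.lower() and not line.lstrip().startswith("#"):
            out.append(package + new_spec)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    FIXED = "2.99.0"  # placeholder: substitute the fixed version named in the advisory
    print("vulnerable pin present:", is_pinned_below(SAMPLE_REQUIREMENTS, "requests", FIXED))
    print("lab's fix (unpinned):\n" + rewrite(SAMPLE_REQUIREMENTS, "requests", ""))
    print("floor fix:\n" + rewrite(SAMPLE_REQUIREMENTS, "requests", ">=" + FIXED))
```

Run it against the function's real requirements.txt before deploying, and confirm afterwards in Inspector that the finding moves to Closed as the lab describes.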

Key Learnings

What Was Actually Learned

  • How to activate Amazon Inspector to continuously monitor AWS resources.
  • How to navigate and interpret the All findings vulnerability dashboard.
  • How to remediate dependency vulnerabilities within an AWS Lambda package using requirements.txt.
  • That deploying a Lambda function automatically triggers a new scan in Amazon Inspector to validate the remediation.

Technical Conclusion

This lab demonstrated the effectiveness of automated vulnerability scanning natively integrated within AWS through Amazon Inspector. By assessing the environment automatically, the service flags dependency issues such as outdated packages in Lambda functions without manual intervention.

The remediation process was equally streamlined. By updating the package constraints and simply redeploying the function, a subsequent automated scan validated the fix and closed the finding, ensuring a continuous and secure development lifecycle.