Amazon has released an automated security assessment service that you can use to improve the security and compliance of applications deployed on AWS. It is currently in preview and by invitation only.

Amazon Inspector is a new service that will assess applications for vulnerabilities or deviations from best practices. Once the assessment has been completed, you get a detailed report with prioritized steps telling you what to do to make the app more compliant. Vulnerabilities can be assessed before deployment or on apps running in a production environment. The way it works is that you deploy an agent onto the virtual servers you want to assess, select the tests you want to run, and execute the assessment.

The service is based on a knowledge base of hundreds of rules mapped to common security compliance standards and vulnerability definitions. Some of the built-in rules given as examples include checking for remote root login being enabled, or vulnerable software versions installed. The rules will be regularly updated by AWS security researchers. Rules include checks on how the app stacks up against best practices for authentication, network configuration, virtual machine settings, application settings, as well as OS configurations and patches. Inspector also checks against common security compliance standards (e.g. PCI), and vulnerabilities. The checks also include detailed recommended steps to remediate security issues.

Amazon Inspector also comes with APIs that you can use to carry out security testing while you’re developing and designing apps. You can select specific reports, run them and see the results. Amazon says Inspector can integrate with partner solutions like configuration management tools. The service includes SDKs consisting of libraries and sample code for various programming languages and platforms including Java, Python, Ruby, .NET, iOS and Android. The SDKs can be used to access to the Amazon Inspector service programmatically. There’s also an Amazon Inspector HTTPS API that lets you issue HTTPS requests directly to the service.

The service is fully integrated with AWS CloudTrail, so you can log of the security testing so that company compliance auditors can see what tests were performed and when, and what the results of those tests were. In addition to the built-in rules, you can create your own specifying the company standards and best practices for applications, and validate that applications are adhering to these standards.  

If you have an AWS account number you can sign up for an invitation for access to the Amazon Inspector Preview.  

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info