
How do I set up an Amazon Inspector CIS scan for a private network?


I want to run an Amazon Inspector Center for Internet Security (CIS) scan in a private network, but I don't know how to do that. Or, when I try to run a CIS scan, I receive a "Timeout" or "Cancelled" error.

Short description

If you get the Timeout error, then check your configuration for the following common issues:

  • Missing Amazon Inspector endpoint
  • Endpoints are in a different subnet than the Amazon Elastic Compute Cloud (Amazon EC2) instance
  • Endpoints, Amazon EC2 security groups, or network access control lists (network ACL) block inbound and outbound HTTPS traffic on port 443

If you get the Cancelled error, then check your configuration for the following common issues:

  • Missing Amazon Simple Storage Service (Amazon S3) bucket endpoint
  • Restricted Amazon S3 gateway endpoint access policy
  • No network path to the Amazon S3 endpoint from the EC2 instance
  • Unsupported operating system (OS)

Also, make sure that the EC2 instance has the AmazonInspector2ManagedCisPolicy managed policy.

Resolution

Prerequisites: To perform or schedule a CIS scan, your host must have a secure internet connection. To run a CIS scan on a private instance, you must use an Amazon Virtual Private Cloud (Amazon VPC) endpoint.

To set up CIS, complete the following steps.

Create an interface endpoint

You must create an Amazon S3 gateway endpoint and an interface endpoint for each of the following services: inspector2, ec2messages, ssmmessages, and ssm. Create an Amazon VPC endpoint, and configure the following settings:

  • For Service name, select an Amazon Inspector service. For example, com.amazonaws.region.inspector2
    Note: Replace region with your AWS Region.
  • For Security group, use the default security group. If you use a restricted security group, then make sure that the group allows inbound HTTPS traffic on port 443.
  • For Policy, select Full access.

For more information about the types of interface and gateway endpoints that you must create, see Creating VPC endpoints for AWS Systems Manager.

Use a full Amazon S3 access policy. If you use a custom access policy for the Amazon S3 gateway endpoint, then the policy must allow access to the following Amazon S3 buckets that Systems Manager and Amazon Inspector use:

  • inspector2-oval-prod-region
  • aws-ssm-region
    Note: Replace region with your Region.

CIS scans use Amazon Inspector owned S3 buckets to run. For more information about required permissions for your Region, see Amazon Inspector owned Amazon S3 buckets used for Amazon Inspector CIS scans.
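The checklist in the Short description and the endpoint requirements above can be turned into an offline diagnostic. The following script is an added example and is not AWS's own code: it makes no API calls, but takes the JSON shapes that `aws ec2 describe-vpc-endpoints` returns (ServiceName, VpcEndpointType, SubnetIds, RouteTableIds, PolicyDocument) plus a few facts about the instance that you would collect from `describe-instances`, `describe-route-tables` and `iam list-attached-role-policies`, and reports which of the page's Timeout and Cancelled causes apply. The instance, endpoint and policy data at the bottom is constructed; the field names of the `instance` dictionary and the `Other` finding category are this example's own assumptions.

```python
"""Offline checker for the Amazon Inspector CIS scan failure causes listed on this page.

Added example, not AWS's own code. No AWS calls are made; the sample data below is constructed.
"""
import json

# Interface endpoints the page says a private instance needs, plus the S3 gateway endpoint.
REQUIRED_INTERFACE = ("inspector2", "ec2messages", "ssmmessages", "ssm")
# Managed policies the page says the instance role must carry.
REQUIRED_POLICIES = ("AmazonSSMManagedInstanceCore", "AmazonInspector2ManagedCisPolicy")
S3_ARN_PREFIX = "arn:aws:s3:::"


def service_name(region, svc):
    """VPC endpoint service names have the form com.amazonaws.<region>.<service>."""
    return f"com.amazonaws.{region}.{svc}"


def required_buckets(region):
    """Amazon Inspector and Systems Manager owned buckets a restricted S3 policy must allow."""
    return [f"inspector2-oval-prod-{region}", f"aws-ssm-{region}"]


def buckets_denied_by_policy(policy_doc, buckets):
    """Return the buckets that no Allow statement in the endpoint policy grants access to.

    Handles wildcard resources and arn:aws:s3:::<bucket>[/...] ARNs. Explicit Deny statements
    and Conditions are not evaluated, so "allowed" here means "granted by some Allow statement";
    a bucket reported as denied is definitely not granted.
    """
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allowed = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res.startswith(S3_ARN_PREFIX):
                res = res[len(S3_ARN_PREFIX):]
            bucket = res.split("/", 1)[0]       # drop any object-key part
            if bucket == "*":
                return []                        # full access: nothing is denied
            allowed.add(bucket)
    return [b for b in buckets if b not in allowed]


def diagnose(region, instance, endpoints):
    """Map each error the page describes to the misconfigurations found for this instance.

    instance: {"SubnetId": ..., "RouteTableId": <the subnet's route table>,
               "AttachedPolicies": [managed policy names on the instance role]}   (assumed shape)
    endpoints: list of describe-vpc-endpoints entries for the VPC
    """
    findings = {"Timeout": [], "Cancelled": [], "Other": []}
    by_service = {ep["ServiceName"]: ep for ep in endpoints}

    # Timeout causes: interface endpoint missing, or not in the instance's subnet.
    for svc in REQUIRED_INTERFACE:
        ep = by_service.get(service_name(region, svc))
        if ep is None or ep.get("VpcEndpointType") != "Interface":
            findings["Timeout"].append(f"missing interface endpoint for {svc}")
        elif instance["SubnetId"] not in ep.get("SubnetIds", []):
            findings["Timeout"].append(
                f"{svc} endpoint has no ENI in instance subnet {instance['SubnetId']}")

    # Cancelled causes: S3 gateway endpoint missing, unroutable, or its policy too narrow.
    s3 = by_service.get(service_name(region, "s3"))
    if s3 is None or s3.get("VpcEndpointType") != "Gateway":
        findings["Cancelled"].append("missing Amazon S3 gateway endpoint")
    else:
        if instance["RouteTableId"] not in s3.get("RouteTableIds", []):
            findings["Cancelled"].append(
                "instance route table is not associated with the S3 gateway endpoint")
        denied = buckets_denied_by_policy(json.loads(s3["PolicyDocument"]),
                                          required_buckets(region))
        for bucket in denied:
            findings["Cancelled"].append(f"S3 endpoint policy does not allow bucket {bucket}")

    for policy in REQUIRED_POLICIES:
        if policy not in instance.get("AttachedPolicies", []):
            findings["Other"].append(f"instance role lacks {policy}")
    return findings


# Constructed sample: the ssm endpoint sits in another subnet, the S3 gateway policy only
# allows the Systems Manager bucket, and the role lacks the Inspector CIS policy.
SAMPLE_REGION = "us-east-1"
SAMPLE_INSTANCE = {"SubnetId": "subnet-0aaa", "RouteTableId": "rtb-0bbb",
                   "AttachedPolicies": ["AmazonSSMManagedInstanceCore"]}
RESTRICTED_S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": ["arn:aws:s3:::aws-ssm-us-east-1/*"]}]})
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.inspector2", "VpcEndpointType": "Interface",
     "SubnetIds": ["subnet-0aaa"]},
    {"ServiceName": "com.amazonaws.us-east-1.ec2messages", "VpcEndpointType": "Interface",
     "SubnetIds": ["subnet-0aaa"]},
    {"ServiceName": "com.amazonaws.us-east-1.ssmmessages", "VpcEndpointType": "Interface",
     "SubnetIds": ["subnet-0aaa"]},
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "VpcEndpointType": "Interface",
     "SubnetIds": ["subnet-0ccc"]},
    {"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
     "RouteTableIds": ["rtb-0bbb"], "PolicyDocument": RESTRICTED_S3_POLICY},
]

if __name__ == "__main__":
    for error, items in diagnose(SAMPLE_REGION, SAMPLE_INSTANCE, SAMPLE_ENDPOINTS).items():
        for item in items:
            print(f"[{error}] {item}")
```

Feed the script the real output of the two `describe-*` calls and the role's attached policies, and each finding maps directly to one bullet in the Short description. The policy check deliberately reports only what an Allow statement grants; a Deny statement or a Condition on the endpoint policy can still block the bucket, so treat an empty Cancelled list as "nothing obviously wrong" rather than proof that the path works.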

Configure the EC2 instance

Make sure that you use a supported OS. Also, you must use Systems Manager to manage your instance, and the instance's AWS Identity and Access Management (IAM) role must have the following managed policies attached: AmazonSSMManagedInstanceCore and AmazonInspector2ManagedCisPolicy.

To verify your instance permissions, complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Instances.
  3. Select your instance, and then choose IAM Role. If the IAM Role doesn't have the required permissions, then update the IAM role to include the required permissions.

To verify that you're using Systems Manager to manage your instance, complete the following steps:

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Fleet Manager. Find your instance listed under Managed Nodes. If the instance isn't listed, then configure the instance permissions required for Systems Manager.

Note: For a restricted security group configuration, allow outbound HTTPS traffic on port 443.

Configure Systems Manager

To verify that your Systems Manager association is configured correctly, complete the following steps:

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Fleet Manager.
  3. Choose Managed Instance, and then verify that the Association status is Success.
  4. If the Association status isn't Success, then under Associations, identify the failed associations in the list.
  5. To rerun the association, in the Systems Manager console, choose Run Command. Then, under Command History, select the failed command. Finally, choose Run.
    -or-
    You can instead reapply the association package. In the Systems Manager console, choose State Manager and then select the failed association. Finally, choose Apply association.

Perform the CIS scan

To verify your resolution, run the Amazon Inspector CIS scan.

Related information

Center for Internet Security (CIS) scans for Amazon EC2 instance operating systems

Why is Amazon Inspector not scanning my Amazon EC2 instances?

AWS OFFICIAL. Updated 2 years ago