Cyber Asset Management scanning operations can leverage the AWS Systems Manager (SSM agent - Amazon software that runs on AWS EC2 instances to manage these resources) to discover Amazon EC2 (Linux) instances. In circumstances where SSM is not available or is not preferred for use then the SSH protocol can also be utilized (requires additional configuration).
Scan Linux instances at AWS using SSM:
Sample SSM-Based Environment – Scanning and Metrics Collection across Regions
AWS Management Console Steps:
- Get AWS credentials for Account onboarding at the CAM portal.
- Get AWS credentials for SSM-based scanning. For the required privileges refer to Create AWS SSM Service Account for Scanning Linux Endpoints.
Select if you wish to scan all instances or only some EC2 instances
Some EC2 instances for a specific AWS account: Specify a list of EC2 instances by performing an initial scan and then tag the discovered EC2 instance(s) at the AWS Portal with (“CLOUDSPHERE-MANAGED: true”).
All EC2 instances for a specific AWS account: you do not need to tag the individual resources, instead you can use the Enabling “SCANALLINSTANCES’ option while creating the scan job.
CAM Portal Steps:
Configure Cloud Account
In order to utilize SSM on AWS cloud, the customer needs set up an AWS cloud account in the CAM portal. Navigate to Settings>General>Clouds> Add Cloud Provider. Configure the AWS Cloud Account settings by setting the Name (a description to allow later identification), and set Cloud Type to “AWS EC2”, and set the Access Key and Secret Key for the subscription.
Next, create an AWS SSM Key-Chain and add credentials to it.
To create an AWS SSM key-chain, navigate to Discovery>Keychains>Create new +.
Now, add AWS SSM credentials to your key chain.
To add credentials to your key-chain, click the newly created key-chain and ‘Add Credential’
Set the credential Type as ‘AWS-SSM’ and provide Access Id and Secret Key. Next, create a scan scope for this account.
Create a Scan Scope
To create a new scan scope, navigate to Discovery>Scopes> Create a new scan scope+. Set the Name, Description, and Scope Type to Amazon EC2.
The next step is to create a scan job for the scan scope you have just created.
Create a Scan Job
To create a new scan job, navigate to Discovery>Scan Jobs>Create a new scan job +. Create a new scan job by setting a Scan job name and description. Click on the Create new scan job.
Configure your scan job by clicking the newly created scan job. On the Scan Types tab, select Sequential scan type.
On the Scan Details tab, set the appropriate Appliance, Locations, and Enablings values.
Note: In case, you want to scan all the EC2 assets for a specific AWS account tagging the EC2 instances is not necessary, instead you can use the Enabling “SCANALLINSTANCES’ while creating the scan job. If you do not select it(Enabling “SCANALLINSTANCES’ ), only the instances that are tagged at AWS (CLOUDSPHERE-MANAGED: true) will be considered as the scan candidates.
On the Scan Scope tab, select the scope that you created
On the Keychains tab, select the AWS-SSM type keychain that you have created.
Click on the Update button and complete the scan job creation and start the scan.
Scan Job results
A Successful scan job should discover AWS EC2 instances along with the desired details.