Network Vulnerability Assessment and Risk Management on AWS
Security focused organizations in healthcare, education, non-profit and public sector markets must continuously perform vulnerability and risk assessments. Security standards such as HIPAA, NIST Cybersecurity Framework, FISMA, FedRAMP and PCI-DSS require a formal risk and vulnerability assessment and remediation plan. This blog post covers a new feature released by AWS as part of the Amazon Inspector service to perform a network security assessment.
Amazon Inspector provides rules packages and rules that were initially focused on detecting common vulnerabilities and exposures (CVEs) on EC2 instances. Vulnerability scans using Amazon Inspector help detect unpatched software packages that must be upgraded to avoid compromising the confidentiality, integrity, or availability of data. Recently AWS announced the addition of a new rules packages focused on network security assessment. Vulnerabilities can be introduced by inadvertently allowing for access to AWS resources at the network level from the Internet, Peered VPC’s or Virtual Private Gateways. The rules in the Network Reachability package analyze network configurations to find network related security vulnerabilities. The findings generated by these rules show whether ports are reachable from the internet through an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings also highlight network configurations that allow for potentially malicious access, such as mismanaged security groups, ACLs, IGWs, and so on.
Configurations Analyzed by Network Reachability Rules
Network Reachability rules analyze the configuration of the following entities for vulnerabilities:
You can learn more about vulnerability assessment and penetration scanning services provided by stackArmor for SOC2, HIPAA, FedRAMP and PCI-DSS compliance by reading the following blogs.