Task 1: Install Inspector Agent

In this section, you will SSH into the CommandHost instance and install the
Inspector agent on your fleet of EC2 instances using the Systems Manager Run
command. The two EC2 instances that form your fleet are tagged as SecurityScan to
be able to identify them easily. This will enable the EC2 instances to run security
assessment scans in a subsequent section.

1.1. Using the CommandHost IP address found at the left side of the page you are
currently reading, establish an SSH connection to the CommandHost EC2 instance.

For detailed instructions to establish an SSH connection, click here to jump to the
Appendix section at the end of this guide.

1.2. Run the command below to see the instances that have the Systems Manager agent
running.

aws ssm describe-instance-information --query "InstanceInformationList[*]"

From the output, you should see that there are two instances that have the Systems
Manager agent running on them. Observe the agent version, platform name, platform
type etc. for the Systems Manager agent.

1.3. Now you will review the Systems Manager document with the commands below. In
the commands below, you are redirecting the output of the command, aws ssm get-document,
to a flat text file then you are using the cat command to view the contents of the document.

aws ssm get-document --name "AmazonInspector-ManageAWSAgent" --output text > AmazonInspector-ManageAWSAgent.doc
  cat AmazonInspector-ManageAWSAgent.doc | less

You should see the JSON format of the Systems Manager document. The document
is a set of instructions telling the Systems Manager agent what operations to perform.
In this case, you are telling the Systems Manager agent to install the Inspector agent
on the fleet of instances using the Systems Manager Run command feature.

1.4. Pressing the SPACE to advance quickly over the document, q to exit back to your
shell prompt.

1.5. In the left side section of the page you are currently reading, copy the LogBucket value.

LogBucket:

1.6. To execute the Systems Manager Run command to install the Inspector agent on the
EC2 instances tagged as SecurityScan, run the command bellow.

aws ssm send-command --targets Key=tag:SecurityScan,Values=true --document-name "AmazonInspector-ManageAWSAgent" --query Command.CommandId --output-s3-bucket-name

1.7. Make a note of the CommandId from the output of the previous step:

CommandId:

1.8. To see the status of the send-command issued in the previous step, run the
command below.

aws ssm list-command-invocations --details --query "CommandInvocations[*].[InstanceId,DocumentName,Status]" --command-id

Observe that the Inspector agent has been successfully installed on both the EC2
instances.

Task 2: Set up Amazon Inspector

In this section, you will set up Amazon Inspector with the target assessment group to
run the security assessment scans. The target group are the two EC2 instances that
for your fleet tagged as SecurityScan, to make it easy to identify them.

2.9. To create a resource group to identify the EC2 instances that need to be scanned, run
the command below. In the command below, you are creating a resource group for
EC2 instance that have the SecurityScan tag.

aws inspector create-resource-group --resource-group-tags key=SecurityScan,value=true

2.10. Copy the value of the ResourceGroupARN from the output of the previous command:

ResourceGroupARN:

2.11. Next, you will create an assessment target.
Assessment target is going to identify who is included in a scan.

aws inspector create-assessment-target --assessment-target-name GamesDevTargetGroup --resource-group-arn

2.12. Copy the value of the assessmentTargetArn from the output of the previous command:

assessmentTargetArn:

2.13. Amazon Inspector has different rules packages that can be run. These rule packages
are maintained by AWS, let take a close look.

aws inspector list-rules-packages

2.14. Copy below the list of ARNs:
rulesPackageArns:

2.15. To view the description of the rules package and to understand what each package
scans for, run the commands below:

Important When you run the command above for each rule, make a note of the rule
package ARNs for:

Security Best Practices Arn:

Common Vulnerabilities and Exposures Arn:

CIS Operating System Security Configuration Benchmarks:

You will run an assessment scan based on these three rules only and not the fourth
rule Network Reachability, and fifth rule Runtime Behavior Analysis.
An asessment template identifies what scan should be run, the length of time to
collect telemetry data, as well as the hosts to include in the scan. To create this you
can use the create-assessement-template.

2.16. Run the command below:

aws inspector create-assessment-template --assessment-target-arn  --assessment-template-name CISCommonVulerBestPract-Short --duration-in-seconds 900 --rules-package-arns

2.17. Make a note of the assessmentTemplateArn

assessmentTemplateArn:

Task 3: Start Security Assessment Scan

In this section, you will start the security assessment scan that was created in the
prior task. The assessment scan runs for about 20 minutes and will provide you with a
report of findings.

3.18. When we created the assessment target you defined it via tags. Lets take a look to
what host this might resolve to currently in this account.

aws inspector preview-agents --preview-agents-arn

In the JSON output, observe that two agents are reporting the telemetry data for the
assessment scan.

3.19. To start the assessment, run the command below.
The assessment will run for about 20 minutes.

aws inspector start-assessment-run --assessment-run-name FirstAssessment --assessment-template-arn

3.20. Make a note of the assessmentRunArn from the output of the previous command:

assesmentRunArn:

3.21. To check the status of the assessment, run the command below.

aws inspector describe-assessment-runs --assessment-run-arn

You should see the status of the assessment as COLLECTING DATA.

3.22. To view the agents that are sending telemetry data, run the command below.

aws inspector list-assessment-run-agents --assessment-run-arn

You should see the agentHealthCode, agentHealth, telemetryMetadata etc. for each
running agent in the JSON output.

3.23. - 3.30. - Back to Qwiklabs instructions.

Task 4: Create and Apply a Patch Baseline

Some of the issues that may have been found in the inspector scan could be solved
by patching the guest OS. A patch baseline can be defined and appy it to the fleet of
EC2 instances ensuring that software is kept up to date. You will use the Systems
Manager Automation feature to complete this action on each of these instances.

4.31. To create a run document, run the command below.

aws ssm describe-document --name "AWS-PatchInstanceWithRollback" --query "Document.[Name,Description,PlatformTypes]"

Observe the description of the document. The document brings the EC2 Instance
into compliance with a baseline and rolls back to root volume on failure.

4.32. To get the instance ids of the EC2 instance to which you will apply the patch, run the
command below.

aws ssm describe-instance-information --query "InstanceInformationList[*]"

4.33. Make a note of the instance ids from the output of the command above. The
instance id is similar to i-017aaae189d442967.

instanceId #1:
instanceId #2:

4.34. To start the automation document on the first instance, run the command below.

aws ssm start-automation-execution --document-name "AWS-PatchInstanceWithRollback" --parameters "InstanceId=,ReportS3Bucket="

4.35. To start the automation document on the second instance, run the command below.

aws ssm start-automation-execution --document-name "AWS-PatchInstanceWithRollback" --parameters "InstanceId=,ReportS3Bucket="

The patching of the EC2 instances will take about 10 minutes for each instance. You
can view the status of the automation execution in the Systems Manager dashboard
in the console.

4.36. - 4.38. - Back to Qwiklabs instructions.