Alert Logic® Cloud Insight™ for Amazon Web Services (AWS) continuously scans your environment(s) for vulnerabilities. The following article will help you ensure that you are ready to deploy Cloud Insight and that you are following Alert Logic-recommended best practices when working in Cloud Insight after deployment.
Note: The following information applies only to customers with Alert Logic® Cloud Insight™ entitlements.
Deployment - AWS Requirements
Cloud Insight requires the following to deploy and operate within your AWS environment:
Available /28 Subnet
Cloud Insight utilizes a /28 subnet - 16 IP addresses - for each in-scope VPC in your AWS environment. The subnet is automatically chosen and is the next logically available /28 subnet in each VPC.
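Before deploying, it is worth confirming that every in-scope VPC still has a free /28; a VPC whose address space is fully carved into subnets has nowhere for the appliance to land. The following added example (not Alert Logic code) reproduces the "next logically available /28" selection offline using only the standard library: the VPC CIDRs and existing subnets below are constructed sample data, and in practice they would come from `describe-vpcs`/`describe-subnets`.

```python
"""Pre-flight check: does each VPC still have room for a /28?

Added example, not Alert Logic's own code. The VPC and subnet
definitions are constructed sample data.
"""
import ipaddress

SLASH28 = 28


def next_free_slash28(vpc_cidr, existing_subnets):
    """Return the first /28 inside vpc_cidr that overlaps no existing subnet,
    or None when the VPC is too small or already fully allocated."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.prefixlen > SLASH28:
        # A /29 or smaller VPC cannot contain a /28 at all.
        return None
    used = [ipaddress.ip_network(s) for s in existing_subnets]
    # subnets() walks candidate /28 blocks in address order, which is what
    # "next logically available" means here.
    for candidate in vpc.subnets(new_prefix=SLASH28):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def check_vpcs(vpcs):
    """Map each VPC id to the /28 the appliance would take, or None."""
    return {
        vpc["VpcId"]: next_free_slash28(vpc["CidrBlock"], vpc["Subnets"])
        for vpc in vpcs
    }


# Constructed sample: one VPC with space left, one fully allocated.
SAMPLE_VPCS = [
    {"VpcId": "vpc-app", "CidrBlock": "10.0.0.0/24",
     "Subnets": ["10.0.0.0/25", "10.0.0.128/27"]},
    {"VpcId": "vpc-full", "CidrBlock": "10.1.0.0/24",
     "Subnets": ["10.1.0.0/24"]},
]

if __name__ == "__main__":
    for vpc_id, block in check_vpcs(SAMPLE_VPCS).items():
        status = block if block else "NO FREE /28 - deployment will fail here"
        print(f"{vpc_id}: {status}")
```

A `None` result for any in-scope VPC means a subnet must be freed or the VPC CIDR extended before the deployment is created.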
IAM Role and IAM Policy in AWS Console
Cloud Insight utilizes an IAM Role and IAM Policy to allow Alert Logic third-party access to your AWS environment. The user implementing Cloud Insight needs the IAM permission to create IAM Roles and IAM Policies. Alert Logic uses a cross-account access IAM Role. Utilize the Amazon Web Services Tutorial: Delegate Access Across AWS Accounts Using IAM Roles documentation to learn how to use a role to delegate access to resources that are in different AWS accounts that you own.
See the IAM Policy and an overview of the permissions granted to Cloud Insight in the Cloud Insight for Amazon Web Services IAM Policy and Permissions knowledge base article.
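A cross-account role is only as safe as its trust policy: the principal should be the single external account that is meant to assume it, and the standard AWS pattern for third-party access adds an `sts:ExternalId` condition. The added example below (not Alert Logic code) checks a role trust policy for those two properties. The account ID and external ID in the sample documents are placeholders, not Alert Logic's real values, and the policy shape follows the standard IAM JSON format.

```python
"""Review a cross-account role's trust policy before granting access.

Added example, not Alert Logic's own code. Account IDs and the external
ID are placeholders; replace them with the values your provider gives you.
"""
import json

# Constructed: a trust policy scoped to one account with an ExternalId.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})

# Constructed: an over-broad trust policy that any AWS account could assume.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the 12-digit account from an ARN or a bare account ID."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def trust_policy_findings(policy_json, expected_account):
    """Return a sorted list of problems; an empty list means the policy is
    scoped to expected_account and requires an external ID."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        principals = ["*"] if principal == "*" else _as_list(
            principal.get("AWS") if isinstance(principal, dict) else None)
        for p in principals:
            if p == "*":
                findings.add("wildcard principal: any AWS account may assume the role")
            elif _account_of(p) != expected_account:
                findings.add(f"unexpected principal account {_account_of(p)}")
        condition = stmt.get("Condition", {})
        if "sts:ExternalId" not in condition.get("StringEquals", {}):
            findings.add("missing sts:ExternalId condition")
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, trust_policy_findings(doc, "111111111111") or ["ok"])
```

Run it against the trust document of the role you create for the deployment (for example, the output of `aws iam get-role`) with the provider's account ID as `expected_account`; any finding should be resolved before the permissions policy is attached.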
Cloud Insight includes the ability to run credentialed host vulnerability scanning. The AWS environment might need to be adjusted to allow the Cloud Insight appliance to reach your EC2 instances.
Configure Security Groups
The Cloud Insight appliance inside of your AWS environment needs to have access to scan your EC2 instances. If you are running non-default AWS security groups, you will need to modify your security groups with the following changes:
- All ports to the appliance in AWS security groups should be opened for the most accurate vulnerability scan results.
- Alert Logic recommends creating a security group for the AL subnet that allows all ports and adding it to all the instances to be scanned.
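Whether an instance is actually reachable on every port from the appliance subnet depends on the union of all security groups attached to it, which is easy to misjudge by eye. The added example below (not Alert Logic code) evaluates ingress rules in the shape returned by `describe-security-groups` and reports which protocols the scanner subnet cannot reach in full. The security groups, the scanner CIDR and the group ID `sg-alscan` are constructed sample values.

```python
"""Check that the appliance subnet has full port access to an instance.

Added example, not Alert Logic's own code. SCANNER_CIDR, the security
groups and the group ID "sg-alscan" are constructed sample values.
"""
import ipaddress

SCANNER_CIDR = "10.0.0.160/28"   # the /28 the appliance occupies (constructed)
MAX_PORT = 65535


def _rule_matches_source(perm, scanner_net, scanner_sg_id):
    """True if this ingress rule applies to traffic from the scanner subnet,
    either by CIDR or by referencing the scanner's own security group."""
    for r in perm.get("IpRanges", []):
        if scanner_net.subnet_of(ipaddress.ip_network(r["CidrIp"])):
            return True
    return any(g.get("GroupId") == scanner_sg_id
               for g in perm.get("UserIdGroupPairs", []))


def _covers_full_range(intervals):
    """True if the (from, to) port intervals together span 0-65535 with no gap."""
    next_needed = 0
    for lo, hi in sorted(intervals):
        if lo > next_needed:
            return False           # a gap before this interval
        next_needed = max(next_needed, hi + 1)
        if next_needed > MAX_PORT:
            return True
    return next_needed > MAX_PORT


def missing_scanner_access(security_groups, scanner_cidr, scanner_sg_id=None):
    """Return the protocols ("tcp"/"udp") the scanner cannot reach on every
    port; an empty list means the instance allows full port access."""
    scanner_net = ipaddress.ip_network(scanner_cidr)
    allowed = {"tcp": [], "udp": []}
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _rule_matches_source(perm, scanner_net, scanner_sg_id):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":
                return []          # "all traffic" rule: nothing is missing
            if proto in allowed:
                allowed[proto].append((perm["FromPort"], perm["ToPort"]))
    return [p for p in ("tcp", "udp") if not _covers_full_range(allowed[p])]


# Constructed: a typical web tier group that only opens 443 and 22.
WEB_SG = {"GroupId": "sg-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "UserIdGroupPairs": []},
]}

# Constructed: the recommended extra group that allows everything from the
# appliance subnet, to be attached to every instance in scope.
SCAN_SG = {"GroupId": "sg-alscan", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": SCANNER_CIDR}],
     "UserIdGroupPairs": []},
]}

if __name__ == "__main__":
    print("web tier only:", missing_scanner_access([WEB_SG], SCANNER_CIDR))
    print("with scan group:", missing_scanner_access([WEB_SG, SCAN_SG], SCANNER_CIDR))
```

Feed the function the `SecurityGroups` entries of each instance to get a per-instance list of what still blocks the appliance; instances returning anything other than an empty list will produce incomplete scan results.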
Add Host Credentials
Cloud Insight achieves the most accurate results when performing credentialed scans of your EC2 instances. This allows the Cloud Insight scan appliance to log into your EC2 instance and check on specific updates and patches that are installed. Once you have modified your Security Groups to allow the Cloud Insight appliance full port access to your EC2 hosts, you need to add the EC2 host credentials into the Alert Logic console.
Cloud Insight supports Windows login credentials, as well as ssh and ssh+key. It uses "cascading credentials" that allow your EC2 hosts to inherit credentials that are applied to a subnet, VPC, or Region level. For the best results, Cloud Insight will run both a credentialed scan and an uncredentialed scan and merge the results.
Navigate Cloud Insight Assets in the Alert Logic Console
You can find your Cloud Insight deployments within the Configuration main menu tab and on the Deployments page. A Cloud Insight deployment is an AWS account and a user selected scope. You should already have a deployment set up. If not, please contact your system administrator or Alert Logic support.
Each deployment is displayed as a Deployment tile, as seen above with the "Cloud Defender Support Deployment" tile. Once you have determined which deployment you would like to view, click its tile to view its information.
In the dashboard, you can see high level information including:
- VPCs, subnets, and EC2 hosts that are covered by the Environment scope
- The AWS regions that encompass the Environment
- The percent of the AWS account covered by the Environment scope selection
- The percent of the Environment that has host credentials input
- Any custom filter sets saved from the Remediations page
The Topology page, which can be found within the Overview main menu tab, shows you a graphical representation of your AWS environment. You can quickly see the relationships between the AWS region your environment is in, as well as how the VPCs, subnets, and EC2 hosts are related.
Any asset shown in the map on the Topology page can be selected for additional information via the meta-data window shown to the right of the map. This meta-data window allows you to quickly find asset details such as IP addresses, EC2 instance sizes, specific VPC IDs, and subnet IDs.
The Topology map also has several toggles, shown above the map in green and gray, that allow different environment views. The map above is using the Threat Map toggle. This feature color codes all the environmental assets to show the overall security posture and risk of each asset.
Other toggles include:
- Scan map - Shows currently scanning assets and the last time an asset was scanned
- Security Groups - Shows the relationship between security groups and the assets that use them
- AMI - Shows how AMIs map to specific EC2 instances
The List page under the Remediations main menu tab shows all of the remediations found within the environment - sorted by rank - to show which one, if taken care of first, will have the most positive impact upon your environment's security posture.
The High, Medium, and Low numbers across the top represent the total number of exposures found in your environment.
The left side bar shows the available filters you can use to pivot the Cloud Insight remediations. This can be extremely useful regardless of how an environment is architected.
One common use case is to select a specific AMI that you use for multiple EC2 instances. Once selected from the available filters, only the remediations that apply to the AMI in question will be shown. Instead of touching each AMI independently and making repetitive remediations, open the AMI, make all necessary remediations, then re-bake the AMI and push it out to your instances via the Launch Configuration or Auto Scaling settings. This lets you remediate many EC2 instances at once.
Severity color coding is applied to both the vertical color bars for remediations and filter groups and the round dots for each exposure.
The vertical bars signal the relative severity of the item compared to other similar items. Both filter groups and remediation steps are sorted with the highest severity - colored red - on top. Because this ranking is relative, the same medium exposure can be both the worst issue within the web-server group and the lowest-ranked issue overall.
The round dot color signals the absolute severity of each vulnerability, as specified by the CVSS Base score.
Each user in Cloud Insight has their own personalized remediation plan. The plan allows users to take responsibility for remediations found on the List page by assigning them to their plan. Your plan can be found within the Remediations main menu tab on the Plan page.
The remediations on the Plan page are presented in the same manner as the List page. The sorting features on the left side of the page allow users to sort remediations by their threat level. Users are also able to customize the time frame of the remediations they would like to view.
Learn the best practices for completing your remediation actions with the Completing Remediation Actions in Cloud Insight knowledge base article.
Get the Most Out of Cloud Insight
This section includes best practices to help you and your organization get the most out of Cloud Insight.
Log Into the Cloud Insight Console Daily
Cloud Insight automatically scans your environment every day, which is especially useful in dynamic AWS environments using auto-scaling and launch configurations.
Alert Logic recommends checking the Cloud Insight console daily to deal with any high-severity remediations that exist in your AWS environment. For low and medium remediations, we recommend weekly maintenance to take care of any outstanding issues. The more often you check your environment's security posture, the better.
All the remediations on the Remediations page of the Cloud Insight console can be pivoted on various AWS metadata, including Regions, AMIs, Load Balancers, Auto Scaling Groups, Security Groups, Subnets, Tags, and VPCs.
Many AWS environments utilize a "golden" AMI that is used to spin up multiple EC2 instances. Save time on remediations by pivoting the list based on AMIs. Make the needed remediations to the "golden" AMI, re-bake the AMI, then push it back out to all your EC2 instances. This allows you to remediate many EC2 instances at once instead of one at a time. This is especially useful for auto-scaling groups and allows you to make sure your scalable infrastructure is securely patched.
Custom Filter Sets
Once you have taken advantage of the custom remediation filters, you need a quick way to get back to that important customized remediation view. Custom Filter Sets help you quickly get the information you need.
Save a custom remediation view by scrolling to the Create a Custom Filter search field in the left-hand panel of the List page. Enter a filter name and click Save filter. These custom filters appear on the Remediations & Continuous Scan page within the Overview main menu tab and under the Dashboards sub-menu tab as a tile in the Custom Filter Sets section in the lower right corner. The custom filter tiles dynamically change color to reflect the security posture of the filtered assets.
Cloud Insight offers customized remediation plans for each user account. Utilizing these plans allows employees of your organization to take ownership of individual remediations.
Add a remediation to your plan by selecting it from the List page under the Remediations main menu tab and clicking the orange Add to My Plan button near the top right corner of the screen.
View your personal remediations by visiting the Plan page under the Remediations main menu tab.
Remediate the items you have taken ownership of, then mark them as complete. Cloud Insight will check the next time it scans to verify that you were successful.
Cloud Insight allows you to whitelist hosts that you want to exclude from scanning. The whitelisting feature is accessed from the Topology page of the Cloud Insight console. Whitelist a host by using the AWS Universal "No Scan" tag using the strategy described below:
Enter a key-value pair into the Cloud Insight whitelist, such as "ALScan:NoScan". Tag any EC2 instance you do not wish to scan with this key-value pair inside the AWS console.
You can also add one of your existing tags to the whitelist to align the scanning with existing asset organization.