- Deployment - AWS Requirements
- Environment Configuration
- Navigate the Cloud Insight Console
- Get the Most Out of Cloud Insight
Alert Logic® Cloud Insight™ for Amazon Web Services (AWS) continuously scans your environment(s) for vulnerabilities. The following article will help you ensure that you are ready to deploy Cloud Insight and that you are following Alert Logic-recommended best practices when working in Cloud Insight after deployment.
Cloud Insight requires the following to deploy and operate within your AWS environment:
Available /28 Subnet
Cloud Insight utilizes a /28 subnet - 16 IP addresses - for each in-scope VPC in your AWS environment. The subnet is automatically chosen and is the next logically available /28 subnet in each VPC.
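As an added illustration (not Alert Logic's code), the following Python shows how to check, before deployment, whether each VPC still has a free /28 for the appliance, using only the standard library. It treats "next logically available" as "lowest-numbered block that overlaps no existing subnet", which is this example's assumption about the selection rule, and the VPC and subnet CIDRs are constructed sample values.

```python
import ipaddress

# Constructed sample: one VPC and the subnets already allocated in it.
# The addresses are made up for illustration and come from no real account.
VPC_CIDR = "10.0.0.0/24"
EXISTING_SUBNETS = ["10.0.0.0/26", "10.0.0.64/26", "10.0.0.128/28"]


def free_blocks(vpc_cidr, existing, prefix=28):
    """Yield every /<prefix> block inside the VPC that overlaps no existing subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if prefix < vpc.prefixlen:
        return  # a block larger than the VPC cannot fit inside it
    taken = [ipaddress.ip_network(c) for c in existing]
    for block in vpc.subnets(new_prefix=prefix):
        if not any(block.overlaps(t) for t in taken):
            yield block


def next_free_subnet(vpc_cidr, existing, prefix=28):
    """Return the lowest-numbered free /<prefix> as a string, or None if the VPC is full.

    'Lowest-numbered free block' is this example's reading of 'next logically
    available'; the exact selection rule Cloud Insight applies is an assumption.
    """
    for block in free_blocks(vpc_cidr, existing, prefix):
        return str(block)
    return None


def free_subnet_count(vpc_cidr, existing, prefix=28):
    """How many /<prefix> blocks remain; zero means the appliance subnet cannot be created."""
    return sum(1 for _ in free_blocks(vpc_cidr, existing, prefix))


if __name__ == "__main__":
    print("next free /28:", next_free_subnet(VPC_CIDR, EXISTING_SUBNETS))
    print("free /28 blocks:", free_subnet_count(VPC_CIDR, EXISTING_SUBNETS))
```

Run this against the real subnet list of each in-scope VPC (for example the CIDRs returned by `aws ec2 describe-subnets`); a count of zero for any VPC means that VPC needs address space freed before Cloud Insight can place its appliance there.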
IAM Role and IAM Policy in AWS Console
Cloud Insight utilizes an IAM Role and IAM Policy to allow Alert Logic third-party access to your AWS environment. The user implementing Cloud Insight needs the IAM permission to create IAM Roles and IAM Policies. Alert Logic uses a cross-account access IAM Role. Utilize the Amazon Web Services Tutorial: Delegate Access Across AWS Accounts Using IAM Roles documentation to learn how to use a role to delegate access to resources that are in different AWS accounts that you own.
See the IAM Policy and an overview of the permissions granted to Cloud Insight in the Cloud Insight for Amazon Web Services IAM Policy and Permissions | Feature Education knowledge base article.
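Because the cross-account role is what lets a third party into your account, it is worth verifying the role's trust policy before you create it. The Python below is an added example, not Alert Logic's code or policy: it reads a trust policy document and reports any Allow statement for `sts:AssumeRole` that names a wildcard or unexpected principal, or that lacks the `sts:ExternalId` condition AWS recommends for third-party access. The 12-digit account ID and the ExternalId value are constructed placeholders; substitute the values Alert Logic provides.

```python
import json

# Constructed example of a cross-account trust policy of the kind the article describes.
# The 12-digit principal is a placeholder account ID, not Alert Logic's, and the
# ExternalId value is made up.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})

# A deliberately weak policy for comparison: anyone may assume the role, no ExternalId.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _account_of(principal):
    """Extract the account ID from 'arn:aws:iam::123456789012:root' or a bare ID."""
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return parts[4] if len(parts) >= 6 else ""
    return principal


def trust_policy_issues(policy_json, expected_account):
    """Return human-readable problems with a role trust policy (empty list = OK).

    The checks are this example's own reading of least privilege for third-party
    access: every Allow statement granting sts:AssumeRole must name only the
    expected account as principal and must require an sts:ExternalId.
    """
    doc = json.loads(policy_json)
    issues = []
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            principals = _as_list(principal)
        else:
            principals = _as_list(principal.get("AWS"))
        if not principals:
            issues.append(f"statement {idx}: no AWS principal named")
        for p in principals:
            if p == "*" or _account_of(p) == "*":
                issues.append(f"statement {idx}: wildcard principal allows any AWS account")
            elif _account_of(p) != expected_account:
                issues.append(f"statement {idx}: unexpected principal {p}")
        condition = stmt.get("Condition", {})
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            issues.append(f"statement {idx}: missing sts:ExternalId condition")
    return issues


if __name__ == "__main__":
    print("good policy:", trust_policy_issues(TRUST_POLICY, "111111111111"))
    print("weak policy:", trust_policy_issues(WEAK_TRUST_POLICY, "111111111111"))
```

Feed it the JSON you are about to attach to the role (or the document returned by `aws iam get-role`), with the account ID you expect as the principal; any non-empty result is worth resolving before the role goes live.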
Cloud Insight includes the ability to run credentialed host vulnerability scanning. The AWS environment might need to be adjusted to allow the Cloud Insight appliance to reach your EC2 instances.
Configure Security Groups
The Cloud Insight appliance inside of your AWS environment needs to have access to scan your EC2 instances. If you are running non-default AWS security groups, you will need to modify your security groups with the following changes:
- All ports to the appliance in AWS security groups should be opened for the most accurate vulnerability scan results.
- Alert Logic recommends creating a security group for the AL subnet that allows all ports and adding it to all the instances to be scanned.
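The "all ports" rule above only needs to admit the appliance, so the source of the rule should be the /28 the appliance lives in, not the whole internet. The Python below is an added example (not Alert Logic's tooling) that builds such an ingress rule in the shape of the EC2 `IpPermissions` structure and audits an instance's existing rules: it confirms the scanner subnet is covered on all ports and flags any all-ports rule that is open to `0.0.0.0/0`. The scanner CIDR and the sample rules are constructed values.

```python
import ipaddress

# Constructed values: the /28 the appliance was placed in (assumption) and a set of
# ingress rules in the EC2 IpPermissions shape. IpProtocol "-1" means all protocols/ports.
SCANNER_CIDR = "10.0.0.144/28"

INSTANCE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.144/28"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # too broad
]


def scanner_rule(scanner_cidr):
    """Ingress rule granting every port, but only from the scanner subnet."""
    cidr = str(ipaddress.ip_network(scanner_cidr))  # normalises and validates the CIDR
    return {
        "IpProtocol": "-1",
        "IpRanges": [{"CidrIp": cidr, "Description": "Cloud Insight scanner subnet"}],
    }


def audit_rules(rules, scanner_cidr):
    """Check whether the scanner subnet is admitted on all ports and whether any
    all-ports rule is open to the world (prefix length 0)."""
    scanner = ipaddress.ip_network(scanner_cidr)
    result = {"scanner_covered": False, "world_open_all_ports": []}
    for rule in rules:
        all_ports = rule.get("IpProtocol") == "-1"
        if not all_ports:
            continue
        for ip_range in rule.get("IpRanges", []):
            cidr = ipaddress.ip_network(ip_range["CidrIp"])
            if scanner.subnet_of(cidr):
                result["scanner_covered"] = True
            if cidr.prefixlen == 0:
                result["world_open_all_ports"].append(ip_range["CidrIp"])
    return result


if __name__ == "__main__":
    print("rule to add:", scanner_rule(SCANNER_CIDR))
    print("audit:", audit_rules(INSTANCE_SG_RULES, SCANNER_CIDR))
```

A world-open all-ports rule still "covers" the scanner, so the audit reports both facts separately: coverage tells you the scan will reach the host, and the world-open list tells you the security group is admitting far more than the appliance.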
Add Host Credentials
Cloud Insight achieves the most accurate results when performing credentialed scans of your EC2 instances. This allows the Cloud Insight scan appliance to log into your EC2 instance and check on specific updates and patches that are installed. Once you have modified your Security Groups to allow the Cloud Insight appliance full port access to your EC2 hosts, you need to add the EC2 host credentials into the user interface (UI).
Cloud Insight supports Windows login credentials, as well as ssh and ssh+key. It uses "cascading credentials" that allow your EC2 hosts to inherit credentials that are applied at the subnet, VPC, or Region level. For the best results, Cloud Insight will run both a credentialed scan and an uncredentialed scan and merge the results.
You can reach the Cloud Insight console by visiting this link: https://console.cloudinsight.alertlogic.com/
First Time Login
The first time you log in to the Cloud Insight console or visit using a new computer or web browser, you will be presented with the Cloud Insight tutorial. The tutorial gives you a brief overview of the console, as well as the colors that are utilized through Cloud Insight.
Cloud Insight uses colors to show the severity of the remediations as well as the AWS assets inside of your environment. Any yellow asset or remediation represents a low risk in your environment, orange a medium risk, and red a high risk. Cloud Insight also utilizes the color gray for informational purposes.
Once you have logged into Cloud Insight at least once, you will land on the Environments page. In Cloud Insight, an Environment is an AWS account and a user selected scope. You should already have an Environment set up. If not, please contact your system administrator or Alert Logic support.
Each environment will be displayed as an Environment tile, as seen above with the "SE Demo" environment. Once you have determined the environment you would like to view, clicking on its tile will allow you to view the relevant information, as well as find, assign, and mark remediations as complete.
Once you select an environment tile from the Environments page, you will be taken to that environment's dashboard. The dashboard provides a high-level overview of the respective AWS account and its scope.
In the Dashboard, you can see high level information including:
- VPCs, subnets, and EC2 hosts that are covered by the Environment scope
- The AWS regions that encompass the Environment
- The percent of the AWS account covered by the Environment scope selection
- The percent of the Environment that has host credentials input
- Any custom filter sets saved from the Remediations page
The Topology page in Cloud Insight shows you a graphical representation of your AWS environment. You can quickly see the relationships between the AWS regions your environment is in, as well as how the VPCs, subnets, and EC2 hosts are related.
Any asset shown in the map on the Topology page can be selected for additional information via the meta-data window shown to the right of the map. This meta-data window allows you to quickly find asset details such as IP addresses, EC2 instance sizes, specific VPC IDs, and subnet IDs.
The Topology map also has several toggles, shown above the map in green and gray, that allow different environment views. The map above is using the Threat Map toggle. This feature color codes all the environmental assets to show the overall security posture and risk of each asset.
Other toggles include:
- Scan map - Shows currently scanning assets and the last time an asset was scanned
- Security Groups - Shows the relationship between security groups and the assets that use them
- AMI - Shows how AMIs map to specific EC2 instances
The Remediations page shows all of the remediations found within the environment - sorted by rank - to show which one, if taken care of first, will have the most positive impact upon your environment's security posture.
The High, Medium, and Low numbers across the top represent the total number of exposures found in your environment.
The left side bar shows the available filters you can use to pivot the Cloud Insight remediations. This can be extremely useful regardless of how an environment is architected.
One common use case is to select a specific AMI that you use for multiple EC2 instances. Once selected from the available filters, only the remediations that apply to the AMI in question will be shown. Instead of touching each AMI independently and making repetitive remediations, open the AMI, make all necessary remediations, then re-bake the AMI and push it out to your instances via the Launch Configuration or Auto Scaling settings. This lets you remediate many EC2 instances at once.
Severity color coding is applied to both the vertical color bars for remediations and filter groups and the round dots for each exposure.
The vertical bars signal the relative severity of the item compared to other similar items. Both filter groups and remediation steps are sorted with the highest severity (colored red) on top. Because the bars are relative, the same medium exposure can be both the worst issue in the web-server group and the lowest issue overall.
The round dot color signals the absolute severity of each vulnerability, as specified by the CVSS Base score.
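The two colour scales above are easy to conflate, so here is an added Python example (not Alert Logic's code) that makes the distinction concrete and also shows the AMI pivot described earlier: exposures are grouped into one remediation per AMI and finding, the dot colour comes from the absolute CVSS base score, and the bar colour comes from the item's rank within whichever group is being viewed. The sample exposures, AMI IDs and scores are constructed; the score-to-colour thresholds follow the CVSS v2 qualitative ranges (0 to 3.9 low, 4.0 to 6.9 medium, 7.0 to 10 high), which is this example's assumption since the page does not state the cut-offs.

```python
# Constructed sample exposures: one row per host and finding. Hosts, AMI IDs and
# CVSS base scores are made up for illustration.
EXPOSURES = [
    {"host": "web-1", "ami": "ami-web", "title": "Outdated TLS library", "cvss": 5.0},
    {"host": "web-2", "ami": "ami-web", "title": "Outdated TLS library", "cvss": 5.0},
    {"host": "db-1", "ami": "ami-db", "title": "Unpatched database daemon", "cvss": 9.0},
    {"host": "db-1", "ami": "ami-db", "title": "Weak cipher suites", "cvss": 6.4},
]


def absolute_severity(cvss):
    """Dot colour: absolute severity from the CVSS base score.
    Thresholds are the CVSS v2 qualitative ranges (assumption)."""
    if cvss >= 7.0:
        return "red"
    if cvss >= 4.0:
        return "orange"
    return "yellow"


def remediations_by_ami(exposures):
    """Pivot on AMI: one remediation per (AMI, finding), recording every affected host.
    Fixing the AMI once and re-baking it addresses all of those hosts together."""
    groups = {}
    for e in exposures:
        key = (e["ami"], e["title"])
        entry = groups.setdefault(
            key, {"ami": e["ami"], "title": e["title"], "cvss": e["cvss"], "hosts": set()}
        )
        entry["hosts"].add(e["host"])
    return list(groups.values())


def ranked(remediations, ami=None):
    """Order remediations worst-first, optionally restricted to one AMI's group.
    Bar colour is relative to the list being viewed: top item red, bottom item
    yellow, everything in between orange; dot colour is absolute."""
    items = [r for r in remediations if ami is None or r["ami"] == ami]
    items.sort(key=lambda r: (-r["cvss"], r["title"]))
    last = len(items) - 1
    out = []
    for i, r in enumerate(items):
        bar = "red" if i == 0 else ("yellow" if i == last else "orange")
        out.append({
            "ami": r["ami"], "title": r["title"], "cvss": r["cvss"],
            "hosts": sorted(r["hosts"]),
            "dot": absolute_severity(r["cvss"]), "bar": bar,
        })
    return out


if __name__ == "__main__":
    rems = remediations_by_ami(EXPOSURES)
    for view, rows in (("ami-web group", ranked(rems, "ami-web")), ("all", ranked(rems))):
        print(view)
        for row in rows:
            print(f"  bar={row['bar']:6} dot={row['dot']:6} {row['title']} hosts={row['hosts']}")
```

With these inputs the "Outdated TLS library" item is the only remediation in the ami-web group, so its bar is red there, while in the overall list it ranks last and gets a yellow bar; its dot stays orange in both views because the CVSS score has not changed.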
My Remediation Plan
Each user in Cloud Insight has their own personalized remediation plan. The plan allows users to take responsibility for remediations found on the Remediations page by assigning them to their plan.
The remediations on the My Plan page are presented in the same manner as the Remediations page. The sorting features on the left side of the page allow users to sort remediations by their threat level. Users are also able to customize the time frame of the remediations they would like to view.
Learn the best practices for completing your remediation actions with the Completing Remediation Actions in Cloud Insight | Best Practices knowledge base article.
This section includes best practices to help you and your organization get the most out of Cloud Insight.
Log Into the Cloud Insight Console Daily
Cloud Insight automatically scans your environment every day, which is especially useful in dynamic AWS environments using auto-scaling and launch configurations.
Alert Logic recommends checking the Cloud Insight console daily to deal with high-severity remediations that may exist in your AWS environment. For low and medium remediations, we recommend weekly maintenance to take care of any outstanding issues. The more often you check your environment's security posture, the better.
All the remediations on the Remediations page of the Cloud Insight console are able to pivot based on various AWS metadata, such as: Regions, AMIs, Load Balancers, Auto Scaling Groups, Security Groups, Subnets, Tags, and VPCs.
Many AWS environments utilize a "golden" AMI that is used to spin up multiple EC2 instances. Save time on remediations by pivoting the list based on AMIs. Make the needed remediations to the "golden" AMI, re-bake the AMI, then push it back out to all your EC2 instances. This allows you to remediate many EC2 instances at once instead of one at a time. This is especially useful for auto scaling groups and allows you to make sure your scalable infrastructure is securely patched.
Custom Filter Sets
Once you have taken advantage of the custom remediation filters, you need a quick way to get back to that important customized remediation view. Custom Filter Sets help you quickly get the information you need.
Save a custom remediation view by scrolling to the bottom of the Remediations page of the Cloud Insight console. Enter a filter name and click Save Filter. These custom filters appear on the Dashboard page of the Cloud Insight console as a tile near the lower right corner. The custom filter tiles dynamically change color to reflect the security posture of the filtered assets.
Cloud Insight offers customized remediation plans for each user account. Utilizing these plans allows employees of your organization to take ownership of individual remediations.
Add a remediation to your plan by selecting it from the Remediations page of the Cloud Insight console and clicking the orange Add to My Plan button near the top right corner of the screen.
View your personal remediations by visiting the My Plan page in the Cloud Insight console.
Remediate the items you have taken ownership of, then mark them as complete. Cloud Insight will check the next time it scans to verify that you were successful.
Cloud Insight allows you to whitelist hosts that you want to exclude from scanning. The whitelisting feature is accessed from the Topology page of the Cloud Insight console. Whitelist a host with the AWS Universal "No Scan" tag, using the strategy described below:
Enter a key-value pair into the Cloud Insight whitelist, such as "ALScan:NoScan". Tag any EC2 instance you do not wish to scan with this key-value pair inside the AWS console.
You can also add one of your existing tags to the whitelist to align the scanning with existing asset organization.
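To see which instances a given set of whitelist entries would actually exclude, the following added Python example (not Alert Logic's code) applies `Key:Value` entries to a constructed instance inventory and partitions it into hosts that will be scanned and hosts that will be skipped. It matches tag keys and values exactly, because AWS tags are case-sensitive; whether Cloud Insight's comparison is equally strict is an assumption, and the inventory, instance IDs and tags are made up.

```python
# Constructed inventory of EC2 instances with their AWS tags. Instance IDs and tag
# values are made up; note that db-1 carries "noscan" in lower case.
INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": {"Name": "web-1", "ALScan": "NoScan"}},
    {"InstanceId": "i-0bbb", "Tags": {"Name": "web-2"}},
    {"InstanceId": "i-0ccc", "Tags": {"Name": "bastion", "Environment": "sandbox"}},
    {"InstanceId": "i-0ddd", "Tags": {"Name": "db-1", "ALScan": "noscan"}},
]

# Whitelist entries in the "Key:Value" form the article shows ("ALScan:NoScan"),
# plus an existing organisational tag reused for the same purpose.
WHITELIST = ["ALScan:NoScan", "Environment:sandbox"]


def parse_whitelist(entries):
    """Split 'Key:Value' strings into (key, value) tuples, rejecting malformed entries."""
    pairs = []
    for entry in entries:
        key, sep, value = entry.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"whitelist entry must be Key:Value, got {entry!r}")
        pairs.append((key, value))
    return pairs


def is_whitelisted(instance, pairs):
    """Exact, case-sensitive match on both key and value (AWS tags are case-sensitive;
    that Cloud Insight compares the same way is an assumption)."""
    tags = instance.get("Tags", {})
    return any(tags.get(key) == value for key, value in pairs)


def partition_scan_scope(instances, entries):
    """Return which instance IDs stay in scan scope and which the whitelist excludes."""
    pairs = parse_whitelist(entries)
    scope = {"scan": [], "skip": []}
    for inst in instances:
        bucket = "skip" if is_whitelisted(inst, pairs) else "scan"
        scope[bucket].append(inst["InstanceId"])
    return scope


if __name__ == "__main__":
    print(partition_scan_scope(INSTANCES, WHITELIST))
```

The output shows the failure mode to watch for: db-1 is tagged "noscan" rather than "NoScan", so it stays in scope. Checking the partition against your intended exclusions before relying on the whitelist catches that kind of tag drift early.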