Cloud Insight Essential | Authenticated scans
AnsweredRegarding access controls, your documentation [1] mentions the following:
[1]=For authenticated scans to work properly in your deployment, you must set your AWS security groups to allow full communication inside the group. Doing so allows a Cloud Insight appliance to communicate with client hosts, and the authenticated scan to run without errors.
How do you recommend configuring the security groups so that I can allow only Cloud Insight appliances access the servers but expose communication from other instances in the VPC? What does "full communication inside the group" mean? Allow all traffic from hosts in my EC2 instances to other hosts in the same SG without restricting any access to any ports? That wouldn't sound like very good idea in a cloud environment.
Is there an option to tell Cloud Insight which additional SG to use when creating the appliances? This way I can set up the SG for each VPC and not expose any unwanted traffic inside the VPC between the hosts that are being monitored.
[1] https://docs.alertlogic.com/gsg/amazon-web-services-cloud-insight-get-started.htm
-
Official comment
Hi Mehran,
Apologies for the late turn around on your question. To clarify, I believe your first question is: “How do you recommend configuring the security groups so that I can allow only Cloud Insight appliances access to servers but NOT expose communication from other instances in the VPC?” Please let me know if I misunderstood your question.
To answer your question, we recommend that you create a new security group for the instances you plan to scan with an outbound rule of “All traffic” and a destination of the security group we create for the Cloud Insight scanning instance. This security group is called “…Alert Logic Security Group..”
This way, your instances can send any type of traffic to the Cloud Insight scanning instance (or rather the Cloud Insight security group), but your instances are not allowed to send any type of traffic to other instances or out to the internet.
Full communication is this example means to select the traffic type of “All traffic” when you create the security group. We’ll update our docs so it’s a bit clearer on the requirement.
The reason we need “All traffic” is this allows Cloud Insight to discover the full suite of OS, applications, and protocols that we can identify in your AWS environment. For more details on what Cloud Insight scans, you can refer to What does Cloud Insight do when it scans my infrastructure in AWS?However, we completely understand that you (and other customers) like to take a hardening host approach and don’t allow open ports or routes to instances, even if they’re internally hosted. For that reason, we support integration with Amazon Inspector. With this integration, instead of using our scanning instance, you can deploy Inspector via the AWS Systems Manager Agent (SSM Agent) on your instances and send the results (called Inspector findings) via a Lambda function to Cloud Insight. For more information on this integration, check out our GitHub repository.
Hope this answers your questions, but if not please let us know.
Thanks agian. -
Hi Mehran! We're working on getting you a quality answer to your question and will get back to you very soon.
0
Please sign in to leave a comment.
Comments
2 comments