This page describes how to set up and use the Vulnerability Assessment for Amazon Web Services (AWS) service.
To enable Vulnerability Assessment for AWS, you need to create an AWS IAM role on the AWS platform, enable the Vulnerability Assessment for AWS service in Security Command Center, and then deploy a CloudFormation template on AWS.
Before you begin
To enable the Vulnerability Assessment for AWS service, you need certain IAM permissions and Security Command Center must be connected to AWS.
Roles and permissions
To complete the setup of the Vulnerability Assessment for AWS service, you need to be granted roles with the necessary permissions in both Google Cloud and AWS.
Google Cloud roles
Make sure that you have the following role or roles on the organization: Security Center Admin Editor (roles/securitycenter.adminEditor).
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
AWS roles
In AWS, an AWS administrative user must create the IAM role that you need for enabling scans.
To create a role for Vulnerability Assessment in AWS, follow these steps:
- Using an AWS administrative user account, go to the IAM Roles page in the AWS Management Console and create a new role.
- From the Service or Use Case menu, select Lambda.
- Add the following permission policies:
  - AmazonSSMManagedInstanceCore
  - AWSLambdaBasicExecutionRole
  - AWSLambdaVPCAccessExecutionRole
- Click Add Permission > Create Inline policy to create a new permission policy:
  - Open the following page and copy the policy: Role policy for Vulnerability Assessment for AWS and VM Threat Detection.
  - In the JSON Editor, paste the policy.
  - Specify a name for the policy.
  - Save the policy.
- Open the Trust Relationships tab.
- Add the following statement to the existing Statement array of the trust policy. Keep the statement that the console created for the Lambda use case (principal lambda.amazonaws.com): the role must be assumable by both services. The Sid must be unique within the policy, so replace Statement1 if that ID is already used:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": {
          "Service": "cloudformation.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- Save the role.
You assign this role later when you install the CloudFormation template on AWS.
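The most common mistake in the trust-relationship step is pasting the whole document over the existing one, which drops the lambda.amazonaws.com trust and leaves the Lambda function unable to assume the role. The following Python is an added example, not code from the original page or from Google or AWS: it merges the CloudFormation statement into an existing trust-policy document, keeps whatever is already there, picks a Sid that is unique within the policy, and is idempotent. The sample starting policy is constructed, and the AWS CLI round-trip in the comments is an assumption about how you would fetch and write back the document.

```python
"""Merge the CloudFormation trust statement into an existing IAM role
trust policy without dropping the statements that are already there.

Added example; not part of the original page. Assumed workflow (not from
the page):
  aws iam get-role --role-name ROLE --query Role.AssumeRolePolicyDocument > trust.json
  python3 merge_trust.py            # edit to read trust.json, prints merged policy
  aws iam update-assume-role-policy --role-name ROLE --policy-document file://merged.json
"""
import copy
import json

# Statement from the page. "Statement1" is only a placeholder Sid; the
# merge below picks a Sid that is unique within the policy.
CLOUDFORMATION_TRUST_STATEMENT = {
    "Sid": "Statement1",
    "Effect": "Allow",
    "Principal": {"Service": "cloudformation.amazonaws.com"},
    "Action": "sts:AssumeRole",
}


def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(policy):
    """Return the set of service principals allowed to assume the role."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def unique_sid(policy, base="Statement"):
    """Pick the first '<base><n>' not already used as a Sid in the policy."""
    used = {s.get("Sid") for s in _as_list(policy.get("Statement"))}
    n = 1
    while f"{base}{n}" in used:
        n += 1
    return f"{base}{n}"


def add_cloudformation_trust(policy):
    """Return a copy of `policy` that also trusts cloudformation.amazonaws.com.

    Existing statements (for example the lambda.amazonaws.com trust that the
    console created for the Lambda use case) are kept. If CloudFormation is
    already trusted, the policy is returned unchanged.
    """
    merged = copy.deepcopy(policy)
    merged.setdefault("Version", "2012-10-17")
    merged["Statement"] = _as_list(merged.get("Statement"))
    if "cloudformation.amazonaws.com" in trusted_services(merged):
        return merged
    stmt = copy.deepcopy(CLOUDFORMATION_TRUST_STATEMENT)
    stmt["Sid"] = unique_sid(merged)
    merged["Statement"].append(stmt)
    return merged


# Constructed sample: a trust policy as created for the Lambda use case
# (the Sid value is assumed).
EXISTING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

if __name__ == "__main__":
    merged_policy = add_cloudformation_trust(EXISTING_TRUST_POLICY)
    print(json.dumps(merged_policy, indent=2))
    print("trusted:", sorted(trusted_services(merged_policy)))
```

After the merge, `trusted_services` should list both lambda.amazonaws.com and cloudformation.amazonaws.com; if it lists only one, the wrong statement was replaced.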
Collect information about the AWS resources to be scanned
During the steps to enable Vulnerability Assessment for AWS, you can customize the configuration to scan specific AWS regions, specific tags that identify AWS resources, and hard disk drive (HDD) volumes (the sc1 and st1 volume types).
It helps to have this information available before configuring Vulnerability Assessment for AWS.
Confirm Security Command Center is connected to AWS
The Vulnerability Assessment for AWS service requires access to the inventory of AWS resources that Cloud Asset Inventory maintains when Security Command Center is connected to AWS .
If a connection is not already established, you are required to set one up when you enable the Vulnerability Assessment for AWS service.
To set up a connection, see Connect to AWS for configuration and resource data collection .
Enable Vulnerability Assessment for AWS in Security Command Center
Vulnerability Assessment for AWS must be enabled on Google Cloud at the organization level.
- Go to the Risk overview page in Security Command Center.
- Select the organization you want to enable Vulnerability Assessment for AWS in.
- Click Settings.
- In the Vulnerability Assessment card, click Manage Settings. The Vulnerability Assessment page opens.
- Select the Amazon Web Services tab.
- In the Service enablement section, change the Status field to Enable.
- In the AWS connector section, verify that the status displays AWS Connector added. If the status displays No AWS connector added, click Add AWS connector. Complete the steps in Connect to AWS for configuration and resource data collection before you go to the next step.
- Configure the Scan settings for AWS compute and storage. To change the default configuration, click Edit scan settings. For information about each option, see Customize scan settings for AWS compute and storage.
- In the Scan settings section, click Download CloudFormation template. A JSON template downloads to your workstation. You need to deploy the template in each AWS account that you need to scan for vulnerabilities. If you have already enabled VM Threat Detection for AWS and deployed the CloudFormation template as part of that feature, skip this step.
Customize scan settings for AWS compute and storage
This section describes the options available to customize the scan of AWS resources. These options are under the Scan settings for AWS compute and storage section when editing a Vulnerability Assessment for AWS scan.
You can define a maximum of 50 AWS tags and Amazon EC2 instance IDs. Changes to scan settings don't affect the AWS CloudFormation template, so you don't need to redeploy the template. If a tag or instance ID value is not correct (for example, the value is misspelled) and the resource it specifies does not exist, the value is ignored during the scan.
Choose a subset of regions to include in vulnerability assessment scanning. Only instances from the selected regions are scanned. Select one or more AWS regions to be included in the scan.
If you configured specific regions in the Amazon Web Services (AWS) connector, make sure the regions selected here are the same as, or a subset of, those defined when you configured the connection to AWS.
Exclude EC2 instances from each scan by specifying the EC2 instance ID. You can specify a maximum of 50 instance IDs. If invalid values are specified, they are ignored. If you define multiple instance IDs, they are combined using the AND operator.
- If you select Exclude instance by ID, enter each instance ID manually by clicking Add AWS EC2 instance and then typing the value.
- If you select Copy and paste a list of instance IDs to exclude in JSON format, do one of the following:
  - Enter an array of instance IDs. For example:
    [ "instance-id-1", "instance-id-2" ]
  - Upload a file with the list of instance IDs. The content of the file should be an array of instance IDs, for example:
    [ "instance-id-1", "instance-id-2" ]
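Because an invalid instance ID is silently ignored rather than rejected, a typo means the instance you meant to exclude is still scanned, and nothing tells you. The following Python is an added example, not code from the original page: it validates, de-duplicates and caps the exclusion list before you paste or upload it, and reports the entries that the scan would drop. The instance-ID pattern (i- followed by 8 or 17 lowercase hex digits) is an assumption about the EC2 ID format, and the sample input is constructed.

```python
"""Build and check the JSON exclusion list that the scan settings accept.

Added example; not part of the original page. The scan ignores invalid
IDs silently, so validate them here first.
"""
import json
import re

MAX_IDS = 50  # limit stated on the page
# Assumed EC2 instance ID format: "i-" plus 8 (legacy) or 17 (current) lowercase hex digits.
_INSTANCE_ID = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def is_instance_id(value):
    """True if `value` looks like an EC2 instance ID."""
    return bool(_INSTANCE_ID.match(value))


def build_exclusion_list(raw_ids):
    """Return (accepted, rejected).

    `accepted` holds the valid IDs, de-duplicated and in input order;
    `rejected` holds the entries that the scan would ignore. Raises
    ValueError when more than MAX_IDS valid IDs remain.
    """
    accepted, rejected, seen = [], [], set()
    for raw in raw_ids:
        value = raw.strip()
        if not value:
            continue
        if not is_instance_id(value):
            rejected.append(value)
            continue
        if value in seen:
            continue
        seen.add(value)
        accepted.append(value)
    if len(accepted) > MAX_IDS:
        raise ValueError(f"{len(accepted)} instance IDs exceeds the limit of {MAX_IDS}")
    return accepted, rejected


def to_json(accepted):
    """Serialise in the shape the settings page expects: a JSON array of strings."""
    return json.dumps(accepted)


def parse_exclusion_file(text):
    """Accept either the JSON array format from the page or one ID per line."""
    text = text.strip()
    if text.startswith("["):
        data = json.loads(text)
        if not isinstance(data, list) or not all(isinstance(x, str) for x in data):
            raise ValueError("exclusion file must be a JSON array of strings")
        return data
    return text.splitlines()


# Constructed sample input: one duplicate, one ID with a capital O in place
# of a zero, one ID with stray whitespace, and one value that is a hostname.
SAMPLE_INPUT = """[
  "i-0abc123456789def0",
  "i-0abc123456789def0",
  "i-Oabc123456789def0",
  "i-1234abcd ",
  "bastion-host"
]"""

if __name__ == "__main__":
    accepted, rejected = build_exclusion_list(parse_exclusion_file(SAMPLE_INPUT))
    print(to_json(accepted))
    for entry in rejected:
        print(f"rejected (the scan would silently ignore it): {entry!r}")
```

Paste the printed array into the JSON field, or write it to a file and upload it; anything listed as rejected needs to be corrected by hand, because the console accepts it and the scan then skips it.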
Deploy the AWS CloudFormation template
Perform these steps at least six hours after creating an AWS connector.
For detailed information about how to deploy a CloudFormation template, see Create a stack from the CloudFormation console in the AWS documentation.
- Go to the AWS CloudFormation page in the AWS Management Console.
- Click Create stack > With new resources (standard).
- On the Create stack page, select Choose an existing template and Upload a template file to upload the CloudFormation template.
- After the upload is complete, enter a unique stack name. Don't modify any other parameters in the template.
- Continue past the Specify stack details page. The Configure stack options page opens.
- Under Permissions, select the AWS role that you created previously.
- If prompted, check the acknowledgement box.
- Click Submit to deploy the template. The stack takes a few minutes to start running.
The status of the deployment is displayed in the AWS console. If the CloudFormation template fails to deploy, see Troubleshooting.
After scans start running, if any vulnerabilities are detected, the corresponding findings are generated and displayed on the Security Command Center Findings page in the Google Cloud console.
Review findings in the console
You can view Vulnerability Assessment for AWS findings in the Google Cloud console. The minimum IAM role that is required to view findings is Security Center Findings Viewer (roles/securitycenter.findingsViewer).
To review Vulnerability Assessment for AWS findings in the Google Cloud console, follow these steps:
- In the Google Cloud console, go to the Findings page of Security Command Center.
- Select your Google Cloud project or organization.
- In the Quick filters section, in the Source display name subsection, select EC2 Vulnerability Assessment . The findings query results are updated to show only the findings from this source.
- To view the details of a specific finding, click the finding name in the Category column. The details panel for the finding opens and displays the Summary tab.
- On the Summary tab, review the details of the finding, including information about what was detected, the affected resource, and—if available—steps that you can take to remediate the finding.
- Optional: To view the full JSON definition of the finding, click the JSON tab.
Troubleshooting
If you enabled the Vulnerability Assessment service, but scans are not running, check the following:
- Check that the AWS connector is properly set up.
- Confirm that the CloudFormation template stack deployed completely. Its status in the AWS account should be CREATE_COMPLETE. A stack that ended in ROLLBACK_COMPLETE was rolled back after a resource failed to create; the stack's event list shows which resource failed and why.
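When a stack ends in ROLLBACK_COMPLETE, the stack status itself does not say what went wrong; the first failed resource event does, and it is buried under the cancellation events for every sibling resource. The following Python is an added example, not code from the original page or from AWS: it takes the JSON that `aws cloudformation describe-stacks` and `aws cloudformation describe-stack-events` print for the stack and reduces it to a one-line verdict. The responses below are constructed, and the logical resource IDs (ScannerFunction, ScannerLogGroup) and stack name are hypothetical, not names from the real template.

```python
"""Explain why a CloudFormation stack is not CREATE_COMPLETE.

Added example; not part of the original page. Input is assumed to come from
  aws cloudformation describe-stacks --stack-name NAME --output json
  aws cloudformation describe-stack-events --stack-name NAME --output json
fetched by the caller. The sample responses below are constructed.
"""
import json

HEALTHY = "CREATE_COMPLETE"
IN_PROGRESS = {"CREATE_IN_PROGRESS", "ROLLBACK_IN_PROGRESS", "REVIEW_IN_PROGRESS"}


def stack_status(describe_stacks_json):
    """StackStatus of the first stack in a describe-stacks response."""
    return json.loads(describe_stacks_json)["Stacks"][0]["StackStatus"]


def first_failure(describe_events_json):
    """Return (logical_id, resource_type, reason) for the root-cause failure.

    describe-stack-events lists the newest event first, so walk it backwards.
    Once rollback starts, sibling resources get a CREATE_FAILED whose reason is
    'Resource creation cancelled'; skip those to reach the resource that
    actually failed. Returns None if no such event exists.
    """
    events = json.loads(describe_events_json)["StackEvents"]
    for ev in reversed(events):
        status = ev.get("ResourceStatus", "")
        reason = ev.get("ResourceStatusReason", "")
        if status.endswith("_FAILED") and "cancelled" not in reason.lower():
            return ev["LogicalResourceId"], ev["ResourceType"], reason
    return None


def diagnose(describe_stacks_json, describe_events_json):
    """One-line verdict: ok, wait, or failed with the root-cause resource."""
    status = stack_status(describe_stacks_json)
    if status == HEALTHY:
        return f"ok: stack is {HEALTHY}"
    if status in IN_PROGRESS:
        return f"wait: stack is {status}"
    failure = first_failure(describe_events_json)
    if failure is None:
        return f"failed: stack is {status}, no failed resource event found"
    logical_id, rtype, reason = failure
    return f"failed: stack is {status}; {rtype} {logical_id}: {reason}"


# Constructed responses; event order is newest first, as the API returns it.
DESCRIBE_STACKS_OK = json.dumps(
    {"Stacks": [{"StackName": "scc-va-scanner", "StackStatus": "CREATE_COMPLETE"}]}
)
DESCRIBE_STACKS_ROLLBACK = json.dumps(
    {"Stacks": [{"StackName": "scc-va-scanner", "StackStatus": "ROLLBACK_COMPLETE"}]}
)
STACK_EVENTS = json.dumps({"StackEvents": [
    {"LogicalResourceId": "scc-va-scanner", "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "ROLLBACK_COMPLETE"},
    {"LogicalResourceId": "ScannerFunction", "ResourceType": "AWS::Lambda::Function",
     "ResourceStatus": "DELETE_COMPLETE"},
    {"LogicalResourceId": "ScannerLogGroup", "ResourceType": "AWS::Logs::LogGroup",
     "ResourceStatus": "CREATE_FAILED", "ResourceStatusReason": "Resource creation cancelled"},
    {"LogicalResourceId": "ScannerFunction", "ResourceType": "AWS::Lambda::Function",
     "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource handler returned message: "
                             "\"The role defined for the function cannot be assumed by Lambda.\""},
    {"LogicalResourceId": "scc-va-scanner", "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "CREATE_IN_PROGRESS", "ResourceStatusReason": "User Initiated"},
]})

if __name__ == "__main__":
    print(diagnose(DESCRIBE_STACKS_ROLLBACK, STACK_EVENTS))
```

The constructed failure reason is the one you see when the role's trust policy no longer allows lambda.amazonaws.com, which is what happens if the CloudFormation trust statement was pasted over the Lambda one instead of added beside it.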