aws inspector cli

aws-inspector.sh

# SETUP RESOURCE GROUP
#reference https://docs.aws.amazon.com/cli/latest/reference/inspector/index.html
aws inspector create-resource-group --resource-group-tags key=SecurityScan,value=true

#from previous step get resgroupARN
aws inspector create-assessment-target \
--assessment-target-name GamesDevTargetGroup \
--resource-group-arn <ResourceGroupARN>

#see available rules packages
aws inspector list-rules-packages
#you get something like 
{
    "rulesPackageArns": [
        "arn:aws:inspector:us-west-2:xxxxxxxxx:rulespackage/0-9hgA516p",
        "arn:aws:inspector:us-west-2:xxxxxxxxx:rulespackage/0-H5hpSawc",
        "arn:aws:inspector:us-west-2:xxxxxxxxx:rulespackage/0-JJOtZiqQ",
        "arn:aws:inspector:us-west-2:xxxxxxxxx:rulespackage/0-rD1z6dpl"
    ]
}
#################end of set of rules

#run each of the rulepackagearns details individually for each
aws inspector describe-rules-packages --query rulesPackages[*].[name,description] --output text --rules-package-arns <RulesPackageArns>
aws inspector describe-rules-packages --query rulesPackages[*].[name,description] --output text --rules-package-arns <RulesPackageArns>
aws inspector describe-rules-packages --query rulesPackages[*].[name,description] --output text --rules-package-arns <RulesPackageArns>
aws inspector describe-rules-packages --query rulesPackages[*].[name,description] --output text --rules-package-arns <RulesPackageArns>
#take note of the one with network reachability and exclude that for the next command

# CREATE ASSESSMENT TEMPLATE WITH CIS COMMON VULNERABILITY BEST PRACTICE with Rules
#shorten default duration from 900 to 100 and add rulespackagearn without network reachibility
aws inspector create-assessment-template \
--assessment-target-arn <AssessmentTargetArn> \
--assessment-template-name CISCommonVulerBestPract-Short \
--duration-in-seconds 100 --rules-package-arns <RulesPackageArns> <RulesPackageArns> <RulesPackageArns>
#copy assessmentemplate ARN value for next command

# START ASSESSMENT SCAN

# check which hosts will run the scan
#use target-ARN values from previous command
aws inspector preview-agents --preview-agents-arn <assessmentTargetArn> 
#observe JSON for reporting agents

# start the assessment based on TemplateARN from 2 steps/commands back
aws inspector start-assessment-run \
--assessment-run-name FirstAssessment \
--assessment-template-arn <assessmentTemplateArn>
#copy assessmentRunARN value for next commands

#check status of assessment by pasting value from prev step 
aws inspector describe-assessment-runs --assessment-run-arn <assessmentRunArn>
# first time should see COLLECTING DATA

#view agents sending data
aws inspector list-assessment-run-agents --assessment-run-arn <assessmentRunArn>
# info for agentHealthCode, agentHealth, telemetryData should be shown

# review results on console at https://ap-southeast-2.console.aws.amazon.com/inspector/home?region=ap-southeast-2#/finding
# or use CLI to view if needed
aws inspector list-findings
# you will get a ton of findings arns to use in next command

aws inspector describe-findings --finding-arns <findingsARN>

other useful gists and terraforms.

if fixing with SSM:

aws ssm describe-document --name "AWS-PatchInstanceWithRollback" --query "Document.[Name,Description,PlatformTypes]"

# get instance ID for EC2 to apply patch
aws ssm describe-instance-information  --query "InstanceInformationList[*]" --filters "Key=tag:SecurityScan,Values=true"
# copy instanceID to be applied later

# start automation document for patching
aws ssm start-automation-execution \
  --document-name "AWS-PatchInstanceWithRollback" \
  --parameters "InstanceId=<InstanceId>,ReportS3Bucket=<LogBucket>,AutomationAssumeRole=<SSMRole>"

#review in web console AWS Console -> Systems Manager -> Automation

#review patch installation results in s3 bucket <logbucket> as json  earlier