You can enable the AWS Inspector agent for ZCSPM to help protect you from OS Baseline and Vulnerability misconfigurations. ZCSPM offers 170 security policies for Red Hat Enterprise Linux and 351 security policies for Windows 2016. ZCSPM will consolidate the vulnerability misconfigurations provided by AWS Inspector and show your vulnerability posture.

Windows 2016 supports only OS baseline security policies and not vulnerability misconfigurations.

To enable the AWS Inspector Agent for OS Baseline and Vulnerability Configurations:

• 1. Install AWS Systems Manager Agent

  The AWS Systems Manager(SSM) Agent must be installed and configured on your Amazon EC2 instances before you can set up the AWS Inspector.

  To learn how to install the SSM Agent on EC2 instances:

  • For Linux, see AWS documentation.
  • For Windows server, see AWS documentation.

  Close
• 2. Create Inspector Assessment Target and Template

  Once the SSM Agent is installed and configured, you need to enable the AWS inspector in all the regions where the instances reside. Then, you must create assessment targets and templates:

  • Create Assessment Target
    1. Log in to the AWS Portal as an AWS Administrator.
    2. Search for Amazon Inspector and select Inspector.
    3. In the left-pane menu, click Assessment targets.
    4. Click Create.
    5. Enter a Name.
    6. Check the Include all EC2 instances in this AWS account and region. check-box. The agent must have access to all EC2 instances for accurate metadata collection.
    7. Check the Install the Amazon Inspector Agent on all EC2 instances in this assessment target. check-box.
    8. Click Save.

    See image.

    

    Close

    One AWS EC2 instance must only be mapped to a single AWS Inspector target.

    Close
  • Verify Assessment Target
    1. Expand the created assessment target, then click Preview Target.

    See image.

    

    Close

    2. You can view a list of all the instances connected to the assessment target.
    3. Verify the Agent Status Column. It must be HEALTHY.

    See image.

    

    Close

    4. Click OK.

    Close
  • Create and Run Assessment Template
    1. In the left-pane menu, click Assessment templates.
    2. Click Create.
    3. Enter a Name.
    4. Enter the Target name. The target name must be the same as the one you created earlier.
    5. Select the appropriate rules packages from the drop-down menu based on your needs:
       • CIS Operating System Security Configuration Benchmarks-1.0: If you are setting up the AWS Inspector agent for OS baselining.
       • Common Vulnerabilities and Exposures-1.1: If you are setting up the AWS Inspector agent for vulnerabilities.

    Zscaler recommends that you configure the AWS Inspector for both OS baselining and vulnerabilities by selecting both the rules packages.

    Set the recommended Duration.

    6. (Optional) Select an SNS topic if you would like to receive event notifications.
    7. Set the recommended option for the Assessment Schedule.
    8. Click Create and run.
    9. In the left-pane menu, click Assessment runs and verify the assessment template results.

    See image

    

    Close

    Close

  Close
• 3. Verify security policy results on ZCSPM

  ZCSPM will use the latest completed assessment template run in the last 30 days for analysis from AWS Inspector. Security Policy results will be available on ZCSPM after the next successful scan.

  Close