Enabling AWS Inspector Agent for OS Baseline and Vulnerability Configurations

You can enable the AWS Inspector agent for ZCSPM to help protect you from OS Baseline and Vulnerability misconfigurations. ZCSPM offers 170 security policies for Red Hat Enterprise Linux and 351 security policies for Windows 2016. ZCSPM will consolidate the vulnerability misconfigurations provided by AWS Inspector and show your vulnerability posture.

Windows 2016 supports only OS baseline security policies and not vulnerability misconfigurations.

To enable the AWS Inspector Agent for OS Baseline and Vulnerability Configurations:

  • The AWS Systems Manager (SSM) Agent must be installed and configured on your Amazon EC2 instances before you can set up AWS Inspector.

    To learn how to install the SSM Agent on EC2 instances:

  • Once the SSM Agent is installed and configured, you need to enable AWS Inspector in all the regions where the instances reside. Then, you must create assessment targets and templates:

      1. Log in to the AWS Portal as an AWS Administrator.
      2. Search for Amazon Inspector and select Inspector.
      3. In the left-pane menu, click Assessment targets.
      4. Click Create.
      5. Enter a Name.
      6. Check the Include all EC2 instances in this AWS account and region check box. The agent must have access to all EC2 instances for accurate metadata collection.
      7. Check the Install the Amazon Inspector Agent on all EC2 instances in this assessment target check box.
      8. Click Save.

      One AWS EC2 instance must only be mapped to a single AWS Inspector target.

      9. Expand the created assessment target, then click Preview Target. A list of all the instances connected to the assessment target is displayed.
      10. Verify the Agent Status column. It must be HEALTHY.
      11. Click OK.
      12. In the left-pane menu, click Assessment templates.
      13. Click Create.
      14. Enter a Name.
      15. Enter the Target name. The target name must be the same as the one you created earlier.
      16. Select the appropriate rules packages from the drop-down menu based on your needs:
        • CIS Operating System Security Configuration Benchmarks-1.0: If you are setting up the AWS Inspector agent for OS baselining.
        • Common Vulnerabilities and Exposures-1.1: If you are setting up the AWS Inspector agent for vulnerabilities.

      Zscaler recommends that you configure AWS Inspector for both OS baselining and vulnerabilities by selecting both rules packages.

      17. Set the recommended Duration.
      18. (Optional) Select an SNS topic if you would like to receive event notifications.
      19. Set the recommended option for the Assessment Schedule.
      20. Click Create and run.
      21. In the left-pane menu, click Assessment runs and verify the assessment template results.

  • ZCSPM will use the latest completed assessment template run from the last 30 days for its analysis of AWS Inspector data. Security Policy results will be available in ZCSPM after the next successful scan.
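As an added example (not Zscaler's or AWS's code), the following Python script checks the three conditions the procedure above depends on, against constructed records shaped like boto3 Amazon Inspector Classic responses: every agent reports HEALTHY, the run used both rules packages, and a COMPLETED run exists within the 30-day window ZCSPM reads from. The field names agentId, agentHealth, state, completedAt and rulesPackageArns are from the Inspector Classic API; the ARNs, instance IDs and dates are constructed placeholders.

```python
"""Sanity checks for an Amazon Inspector Classic setup. Records mirror the shape
of boto3 inspector responses (preview_agents, describe_assessment_runs);
all ARNs, instance IDs and dates below are constructed placeholders."""
from datetime import datetime, timedelta, timezone

# Rules package names as shown in the Assessment template drop-down menu.
REQUIRED_PACKAGES = {
    "CIS Operating System Security Configuration Benchmarks-1.0",
    "Common Vulnerabilities and Exposures-1.1",
}

def unhealthy_agents(agent_previews):
    """Instance IDs whose agent status is anything other than HEALTHY."""
    return [a["agentId"] for a in agent_previews if a.get("agentHealth") != "HEALTHY"]

def latest_usable_run(assessment_runs, now, max_age_days=30):
    """Most recent COMPLETED run that finished within max_age_days, else None.
    This is the same selection rule ZCSPM applies (latest completed run, last 30 days)."""
    cutoff = now - timedelta(days=max_age_days)
    usable = [r for r in assessment_runs
              if r.get("state") == "COMPLETED" and "completedAt" in r and r["completedAt"] >= cutoff]
    return max(usable, key=lambda r: r["completedAt"], default=None)

def missing_rules_packages(run, package_names_by_arn):
    """Required packages (CIS and CVE) absent from the run's rulesPackageArns."""
    present = {package_names_by_arn.get(arn, arn) for arn in run.get("rulesPackageArns", [])}
    return sorted(REQUIRED_PACKAGES - present)

# Constructed sample data; the ARNs are placeholders, not real rules package ARNs.
CIS_ARN = "arn:aws:inspector:REGION:ACCOUNT:rulespackage/PLACEHOLDER-CIS"
CVE_ARN = "arn:aws:inspector:REGION:ACCOUNT:rulespackage/PLACEHOLDER-CVE"
PACKAGE_NAMES = {CIS_ARN: "CIS Operating System Security Configuration Benchmarks-1.0",
                 CVE_ARN: "Common Vulnerabilities and Exposures-1.1"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
AGENT_PREVIEWS = [{"agentId": "i-0constructed000001", "agentHealth": "HEALTHY"},
                  {"agentId": "i-0constructed000002", "agentHealth": "UNHEALTHY"}]
RUNS = [
    {"name": "run-old", "state": "COMPLETED", "completedAt": NOW - timedelta(days=45),
     "rulesPackageArns": [CIS_ARN, CVE_ARN]},   # complete, but older than the 30-day window
    {"name": "run-recent", "state": "COMPLETED", "completedAt": NOW - timedelta(days=3),
     "rulesPackageArns": [CIS_ARN]},            # recent, but the CVE package was not selected
    {"name": "run-failed", "state": "FAILED", "completedAt": NOW - timedelta(days=1),
     "rulesPackageArns": [CIS_ARN, CVE_ARN]},   # newest, but not COMPLETED, so never used
]

if __name__ == "__main__":
    print("agents not HEALTHY:", unhealthy_agents(AGENT_PREVIEWS))
    run = latest_usable_run(RUNS, NOW)
    print("run ZCSPM would use:", run["name"] if run else None)
    print("rules packages missing from it:", missing_rules_packages(run, PACKAGE_NAMES) if run else "n/a")
```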