Credentials: AWS Inspector2
Instructions on how to generate credentials for AWS Inspector2 integration.
AWS Inspector2
Amazon Inspector is a vulnerability discovery service that automates continuous scanning for security vulnerabilities within your Amazon EC2, Amazon ECR, and AWS Lambda environments.
Leen normalizes the AWS Inspector2 vulnerability data for your Amazon EC2 resources into the Vulnerability Management Systems (VMS) model, while the vulnerability data for Amazon ECR and AWS Lambda is normalized into the Application Security (AppSec) model.
Authentication Methods
Leen supports three different ways to authenticate with AWS Inspector2. Here is a quick overview:
- AWS Direct Access: This is the simplest way to authenticate with AWS Inspector2. It requires the AWS Access Key ID and AWS Secret Access Key.
- Leen Role Creation: Your end-user will have to create a new IAM role that Leen can assume. This role will only require the minimum permissions to read from Inspector2.
- Role Chaining: This method involves creating a new IAM role in your account which has permissions to assume roles in your end-user’s account. Leen will then set up a role and trust relationship to use this role with permissions to the end-user’s Inspector2.
AWS Direct Access
For Leen to authenticate with AWS Inspector2 using AWS Direct Access, we require the following:
- AWS Access Key ID: A unique identifier used to authenticate requests to AWS services.
- AWS Secret Access Key: A confidential string used in conjunction with the Access Key ID to securely sign API requests to AWS services.
- AWS Region (Optional): The AWS region to pull Inspector2 data from.
If you don’t already have an Access Key and Secret Access Key which you can use for this integration, you can follow these steps to create a new user with the minimum required permissions:
Create a new IAM User
In the AWS console, navigate to the IAM page and click on Users. From there, select the Create User button.
We recommend that you do not check the “AWS Management Console access” option.
Attach Policy to User
The next step is to attach the AmazonInspector2ReadOnlyAccess and AmazonEC2ReadOnlyAccess policies to the user. These policies grant the user read-only access to Inspector2.
Create Access Key
Once you have created the user, as an admin user, you can create a new access key for the user and use these credentials to create a new Inspector2 connection in Leen.
Leen Role Creation
For Leen to authenticate with AWS Inspector2 using Leen Role Creation, we require the following:
- AWS Role ARN: The Amazon Resource Name (ARN) of the IAM role that grants Leen access to your AWS Inspector2 resources.
- External ID (Optional): A unique identifier set when creating the Leen Role.
- AWS Region (Optional): The AWS region to pull Inspector2 data from.
Create a new IAM Role
In the AWS console, navigate to the IAM page and click on “Roles.” From there, select the “Create Role” button.
For the Trusted entity type, choose the AWS Account option. Next, select Another AWS Account and enter the Leen AWS Account ID.
You can optionally enable “Require External ID” and provide a unique identifier, which serves as an additional security measure to ensure that only Leen can assume the role.
Please reach out to the Leen team to get the Leen AWS Account ID.
Add Permissions to the Role
To create the role with the minimum required permissions, we need to attach only the AmazonInspector2ReadOnlyAccess and AmazonEC2ReadOnlyAccess permissions to the role.
Review and create the role
Now, give the role a name and description and review the permissions and the trust policy being created for the role.
This trust policy allows the Leen AWS account to assume the role with the given access. Confirm that only the AmazonInspector2ReadOnlyAccess and AmazonEC2ReadOnlyAccess permissions are attached, so the role has the minimum required permissions.
Get the Role ARN and External ID
Once you have created the role, you can copy the Role ARN and External ID from the role details page.
Use these credentials to create a new Inspector2 connection in Leen.
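The trust policy described above, as an added example that is not Leen’s own code: one function builds the policy the console generates for “Another AWS Account” with the optional “Require External ID” condition, and a second reviews a trust policy for the points a reviewer would flag (any-principal access, an unexpected account, or a missing sts:ExternalId condition). The account ID and external ID are constructed placeholders; the real Leen AWS Account ID comes from the Leen team.

```python
"""Build and review the trust policy for the Leen cross-account role."""
import json
from typing import List, Optional

LEEN_ACCOUNT_ID = "111122223333"            # placeholder, not Leen's real account ID
EXTERNAL_ID = "example-external-id-7f3a"    # constructed; generate a random value


def build_trust_policy(trusted_account_id: str, external_id: Optional[str] = None) -> dict:
    """Trust policy allowing one AWS account to assume this role,
    optionally requiring an External ID on every AssumeRole call."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        # The caller must present this exact ExternalId, so a third party
        # cannot trick the trusted account into assuming the role for them
        # (the confused-deputy problem the console option guards against).
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_issues(policy: dict, expected_account_id: str) -> List[str]:
    """Return the review findings for a trust policy (empty list = looks right)."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                issues.append("AssumeRole allowed for any principal ('*')")
            elif expected_account_id not in p:
                issues.append(f"AssumeRole allowed for unexpected principal {p}")
        if "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
            issues.append("no sts:ExternalId condition (confused-deputy risk)")
    return issues


if __name__ == "__main__":
    policy = build_trust_policy(LEEN_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("issues:", trust_policy_issues(policy, LEEN_ACCOUNT_ID))
```

Paste the role’s actual trust policy JSON into `trust_policy_issues` to review an existing role before handing its ARN to Leen.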
Role Chaining
Role Chaining is a method that allows one AWS role to assume another role across different AWS accounts. In this setup, Leen assumes a role in your AWS account, which in turn has permissions to assume roles in your end-users’ accounts. This creates a chain of trust, granting Leen secure access to your end-user’s Inspector2.
This method requires you to create a common role in your account with permissions to assume roles in your end-user’s account. If you already have a similar role set up in your AWS account that allows you to assume roles in your end-user’s account, you can update its trust relationship to allow Leen to assume that role.
Leen Role Chaining requires a one-time account-level setup, which allows Leen to set up a role and trust relationship in your account. Please reach out to the Leen team to help you set up this role.
After Role Chaining is set up at the account level, different organizations within your account can create connections by providing the following:
- AWS Role ARN: The Amazon Resource Name (ARN) of the IAM role of the end-user which grants access to the common role in your account.
- External ID (Optional): Unique identifier between the end-user and the common role in your account.
- AWS Region (Optional): The AWS region to pull Inspector2 data from.