This is a part of the Garrison security project. This agent provides mirroring of the AWS Inspector alerts and other basic checks.
| Function Name | Description |
|---|---|
check_findings |
Retrieves all findings from Inspector. |
Docker Hub - https://hub.docker.com/r/forward3d/garrison-agent-aws-inspector/
docker pull forward3d/garrison-agent-aws-inspector
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" forward3d/garrison-agent-aws-inspector check_findings
docker run --rm -e "GARRISON_URL=https://garrison.internal.acme.com" -e "GARRISON_AWS_REGIONS=eu-west-1,us-west-2" forward3d/garrison-agent-aws-inspector check_findings
These are additional specific configuration options for this agent. Global agent configurations still apply.
| Environmental Variable | Default | Expects |
|---|---|---|
GARRISON_AWS_REGIONS |
all [1] |
Comma Separated Strings eg. eu-west-1,us-west-2 |
GARRISON_AWS_INSPECTOR_RULES_PACKAGE_NAMES |
all [2] |
Comma Separated Strings eg. Common Vulnerabilities and Exposures,Security Best Practices |
GARRISON_AWS_INSPECTOR_THRESHOLD |
undefined,informational,low,medium,high |
Comma Separated Strings eg. medium,high |
GARRISON_AWS_INSPECTOR_EXCLUDED_CIS_AMAZON_LINUX |
Comma Separated Strings of the Rule IDs you want to exclude eg. 3.6,1.2.1.6 |
|
GARRISON_AWS_INSPECTOR_EXCLUDED_CIS_AMAZON_LINUX_2 |
Comma Separated Strings of the Rule IDs you want to exclude eg. 3.6,1.2.1.6 |
|
GARRISON_AWS_INSPECTOR_EXCLUDED_CIS_CENTOS_6 |
Comma Separated Strings of the Rule IDs you want to exclude eg. 3.6,1.2.1.6 |
|
GARRISON_AWS_INSPECTOR_EXCLUDED_CIS_CENTOS_7 |
Comma Separated Strings of the Rule IDs you want to exclude eg. 3.6,1.2.1.6 |
|
GARRISON_AWS_INSPECTOR_EXCLUDED_CIS_UBUNTU_TRUSTY |
Comma Separated Strings of the Rule IDs you want to exclude eg. 3.6,1.2.1.6 |
|
GARRISON_AWS_INSPECTOR_EXCLUDED_CIS_UBUNTU_XENIAL |
Comma Separated Strings of the Rule IDs you want to exclude eg. 3.6,1.2.1.6 |
- AWS Regions as returned by the AWS SDK at runtime for regions where Inspector service is available.
- All Rules Packages included by the AWS SDK at runtime for the region. If you want to be specific, use the names as described in the AWS Documentation.
As this requires access to the AWS API you will need this IAM policy as a minimum for it to operate correctly.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"inspector:ListRulesPackages",
"inspector:DescribeRulesPackages",
"inspector:ListAssessmentRuns",
"inspector:DescribeAssessmentRuns",
"inspector:ListFindings",
"inspector:DescribeFindings"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
We recommend using EC2/ECS Task roles so that you don't need to send credentials into the container, however if you can't use those or want to send in specific Access Keys and Secret keys, please see the AWS Documentation as to how you do that.