Install and Set Up AWS AMI Scanning

Set up Amazon Web Services VPC Scanning.

In addition to scanning both external and internal networks, Fortra VM is also capable of scanning Amazon Web Services Virtual Private Cloud (VPC) infrastructures through our RNA Amazon Machine Image (AMI) scanning appliance.

In order to configure your AWS VPC for scanning, please perform the following steps (see below for detailed instructions):

  1. Obtain a Fortra Scanning Appliance Activation Key.
  2. Subscribe and configure your scanning appliance.
  3. Attach the DigitalDefenseScanner IAM Role to your scanning appliance.
NOTE:
  • Target IP ranges can be entered as normal, but once the scan has started hosts are always discovered through the ec2-describe-instances API within the entered ranges.
  • Hosts outside of the VPC hosting the scanner will not be scanned and no traffic will be sent to them.
  • After the scanner is provisioned, an IAM role must be attached to allow use of the ec2-describe-instances API call, as this is required for host discovery.
  • If the IAM instance profile is not assigned, the scanner will fall back to network-based discovery.
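The discovery rule in the NOTE above (hosts come from the DescribeInstances reply, restricted to the entered ranges and to the scanner's own VPC, with a network sweep as the fallback when no instance profile is attached) can be modelled in a few lines. The following Python is an added illustration, not Fortra's code: the DescribeInstances reply is a constructed sample in the dict shape boto3's ec2.describe_instances() returns, and the instance and VPC ids in it are placeholders.

```python
"""Added model of the AMI scanner's discovery scoping (illustration, not Fortra code).

Assumptions: the reply below is constructed in the shape boto3's
ec2.describe_instances() returns; "vpc-scanner", "vpc-other" and the i-0xxx ids
are placeholders.
"""
import ipaddress

# Constructed sample reply (placeholder ids and addresses).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa", "VpcId": "vpc-scanner",
             "PrivateIpAddress": "10.0.1.10"},        # in the scanner's VPC, in 10.0.1.0/24
            {"InstanceId": "i-0bbb", "VpcId": "vpc-scanner",
             "PrivateIpAddress": "10.0.2.20"},        # in the scanner's VPC, only in 10.0.2.0/24
            {"InstanceId": "i-0ccc", "VpcId": "vpc-scanner"},   # no private address at all
            {"InstanceId": "i-0ddd", "VpcId": "vpc-other",
             "PrivateIpAddress": "10.0.1.40"},        # another VPC: never scanned
        ]},
    ]
}


def discover_targets(describe_response, target_ranges, scanner_vpc):
    """Return {instance_id: private_ip} for instances in the scanner's VPC whose
    private address lies inside one of the entered target ranges."""
    nets = [ipaddress.ip_network(r, strict=False) for r in target_ranges]
    found = {}
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("VpcId") != scanner_vpc:
                continue                  # outside the hosting VPC: no traffic is sent
            ip = inst.get("PrivateIpAddress")
            if ip is None:
                continue                  # nothing to address
            if any(ipaddress.ip_address(ip) in net for net in nets):
                found[inst["InstanceId"]] = ip
    return found


def choose_discovery(has_instance_profile, describe_response, target_ranges, scanner_vpc):
    """API-based discovery needs the instance profile (DigitalDefenseScanner role);
    without it the scanner falls back to a network sweep of the entered ranges."""
    if has_instance_profile:
        return "api", discover_targets(describe_response, target_ranges, scanner_vpc)
    return "network", list(target_ranges)


if __name__ == "__main__":
    print(discover_targets(SAMPLE_DESCRIBE_INSTANCES, ["10.0.1.0/24"], "vpc-scanner"))
```

Running the block against the sample with the range 10.0.1.0/24 yields only i-0aaa: i-0bbb is outside the range, i-0ccc has no address, and i-0ddd sits in a different VPC even though its address is in range.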

Obtain a Fortra Scanning Appliance Activation Key.

  1. Log into Fortra VM (TryFrontline.Cloud for demo users).
  2. From the navigation menu, select System > Scanner Management.
  3. Select the Appliance Tokens tab.
  4. Click New Token to generate a new activation token. This generates a 10-character alphanumeric key you can use to associate your AWS AMI scanning appliance with your account.

Subscribe and Configure your Scanning Appliance.

There are a couple of different ways to subscribe and configure the Scanning Appliance.

Click on the AMI image link beneath the Virtual Scanner Download pane on the Appliance Tokens page.

Alternatively, visit AWS Marketplace to subscribe and configure the Digital Defense Virtual Scanning Appliance.

  1. Click on the Continue to Subscribe button, found on the top right of the page. An EULA will display and must be accepted to continue.
  2. Once the EULA is processed (take note of the "pending" status), select Continue to Configuration.
  3. Under Configure this software, select the appropriate Region for your FVM account. Select Continue to Launch.
  4. In Choose Action, select Launch through EC2. Click Launch to be taken to EC2.
  5. The form page allows you to select the Key pair. The virtual server type will preselect t3.medium, which can be changed here if necessary. Security groups can be configured here, but this guidance offers instruction on how to add that information later. Select Launch Instance to continue.
  6. From the Launch an instance screen, in the IAM role select DigitalDefenseScanner.

    If the DigitalDefenseScanner IAM role does not exist, perform the following actions:

    1. Select Create New IAM Role (This will open a new tab). Select Create Role.

    2. Select AWS Service > EC2 > Next: Permissions. Select Create Policy.

    3. Move to the JSON tab. Delete the displayed text and paste the following JSON in:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AllowRNAToViewVPCInfrastructure",
                    "Effect": "Allow",
                    "Action": [
                        "ec2:DescribeInstances"
                    ],
                    "Resource": "*"
                }
            ]
        }

    4. Select Next: Tags and add an optional tag, then click Review Policy.

    5. Name the policy “DigitalDefenseScanner” and optionally create a description.

    6. Select Create Policy.

    7. Select Roles on the right-hand side.

    8. Select Create Role.

    9. Select AWS Service > EC2 > Next: Permissions.

    10. Type "DigitalDefenseScanner", check the box, and select Next: Tags, enter optional tags and then Next: Review.

    11. Type "DigitalDefenseScanner", check the box, and select Create Role.

    12. Return to the Launch Instance tab or window and select the role you just created.

    This will enable you to scan AWS EC2 assets in a similar fashion to other systems in the Fortra interface.

  7. In the Launch Instance Advanced Details drop-down, enter the following string for User Data:

     FRONTLINEKEY=<Your 10 Alphanumeric Activation Key>

  8. Select Next: Add Storage. Ensure the RNA has at least 20 GB of storage allocated to it.
  9. Select Review and Launch and click Launch. On the pop-up window, select Choose an existing pair. Choose the SSH key pair in order to access the device. Click the check-box to acknowledge that you have access to the selected private key file. Select Launch Instances. On the Launch Status page, click on the instance link next to "The following instance launches have been initiated".
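The policy pasted in step 3 of the IAM role procedure grants exactly one action, which is the least privilege the scanner needs. As an added check before attaching it (this is illustration, not part of the Fortra appliance or its documentation), the following Python audits a policy document and reports any Allow action beyond ec2:DescribeInstances, wildcard actions, and NotAction statements. REQUIRED_ACTIONS and the broader comparison policies in the usage note are this example's own.

```python
"""Added least-privilege audit for the DigitalDefenseScanner policy (illustration only).

Assumption: REQUIRED_ACTIONS is this example's own allow-list, taken from the page's
statement that ec2-describe-instances is the only API call host discovery needs.
"""
import fnmatch
import json

# The policy document from step 3 of the IAM role procedure above.
SCANNER_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRNAToViewVPCInfrastructure",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}"""

REQUIRED_ACTIONS = {"ec2:DescribeInstances"}


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names match case-insensitively and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy_text, required=REQUIRED_ACTIONS):
    """Return {'missing', 'extra', 'warnings'} for an IAM policy document.

    missing  - required actions that no Allow statement covers
    extra    - Allow actions (wildcards included) that are not in the required set
    warnings - constructs that grant more than a quick read suggests
    """
    doc = json.loads(policy_text)
    allowed = set()
    warnings = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue                                   # a Deny never widens access
        if "NotAction" in st:
            warnings.append("NotAction allows every action except those listed")
        for action in _as_list(st.get("Action")):
            allowed.add(action)
            if "*" in action:
                warnings.append(f"wildcard action {action!r}")
    required_lower = {a.lower() for a in required}
    missing = {a for a in required if not any(_matches(p, a) for p in allowed)}
    extra = {p for p in allowed if p.lower() not in required_lower}
    return {"missing": missing, "extra": extra, "warnings": warnings}


if __name__ == "__main__":
    print(audit_policy(SCANNER_POLICY))
```

For the page's policy the audit returns empty missing and extra sets and no warnings; a constructed policy allowing "ec2:*" instead satisfies the requirement but is reported as an extra wildcard grant. Because ec2:DescribeInstances does not support resource-level permissions, "Resource": "*" is already the narrowest resource the statement can name, so the audit concentrates on the Action list.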

Your Fortra VM AMI scanner will provision itself using the provided key and come online within 5-10 minutes. It should show up as Online under System > Scanner Management in the Fortra VM interface.

Do not clone the AWS AMI vRNA before, or after, activating it. Cloning the vRNA may prevent successful communication between the vRNA and the Fortra VM platform.

NOTE: Take note of the AWS Security Group created for your RNA, e.g., Fortra Virtual Scanning Appliance -1-0-0-AutogenByAWSMP. This will facilitate finding it when assigning the Security Group ID later.

Configure your AWS VPC security groups to allow scanning.

Two types of security groups need to be provisioned. One is for the RNA to allow touch-backs from the targets scanned and the other ensures targets to be scanned allow the RNA scanning access.

Assign security group to RNA

The security group the AMI RNA uses must allow the following traffic on the RNA ports:

  • All traffic to ports 1025-65535

  • Custom UDP Rule for ports 69, 135, and 53

  • Custom TCP Rule for port 445

  • Internet outbound on port 443

  • NOTE: The RNA doesn't listen on these ports. The RNA makes a request during a scan that will attempt to force the scanned host to connect back to the RNA on a specified port, if it is susceptible to the vulnerability that is being tested. The RNA then looks for these connection attempts to closed ports and will include the vulnerability in the scan results if they are discovered. Failure to include these ports in the Security Group may lead to incomplete scan results.

Assign security group to targets

AWS VPCs often employ security groups as a means of restricting traffic. In order to scan EC2 instances within your AWS VPC, the Fortra AMI Scanner must be allowed to send network traffic to target instances.

This can be accomplished either by modifying a default security group that the instances currently share, or by creating a new security group and assigning it to all instances you wish to scan.

In order to create a new security group, perform the following steps:

  1. In the EC2 console, navigate to Network and Security > Security Groups.
  2. Select Create Security Group. Give it a descriptive Security group name, such as “Allow Fortra Scanner”. For Description, use something like “Allow Fortra scanner to scan assets”.
  3. Under Inbound Rules select Add Rule.
  4. Under Type, select All Traffic.
  5. Specify the source. For example, using the Security Group ID from step 1 in the previous section, type “AWSMP” to find your Security Group ID easily.
NOTE: The source can either be the IP address of the scanner or the Security Group ID of the scanner. The preferred source is the Security Group ID, as the IP address of the appliance may change if not configured to be static.
  6. Select Create Security Group.
  7. Now, assign this new security group to the EC2 instances you wish to scan by navigating to Instances > Actions > Security > Change Security Groups.
  8. In the search field, search for your newly created Security Group and click "Add Security Group".
  9. Select Save.
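The two security groups described above (the RNA's own group with the touch-back ports, and the target group that admits all traffic from the scanner, preferably by Security Group ID) can be expressed as the IpPermissions structures that boto3's authorize_security_group_ingress and authorize_security_group_egress accept. The Python below is an added example, not Fortra's code: the group id, VPC CIDR and scanner address are placeholders, and the source range for the RNA's inbound rules is a parameter because the page does not state it.

```python
"""Added example (not Fortra code): the RNA and target security groups as
boto3-style IpPermissions, plus a small coverage check.

Assumptions: SCANNER_SG_ID is a placeholder for the AutogenByAWSMP group id; the
source range for the RNA's inbound rules is supplied by the caller.
"""
import ipaddress

SCANNER_SG_ID = "sg-0123456789abcdef0"   # placeholder, not a real group id


def rna_ingress_rules(source_cidr):
    """Inbound rules for the RNA's own group so scanned hosts can touch back.
    EC2's all-protocol rule ("-1") cannot carry a port range, so the page's
    'all traffic to ports 1025-65535' becomes one TCP and one UDP rule."""
    src = [{"CidrIp": str(ipaddress.ip_network(source_cidr, strict=False))}]
    rules = [
        {"IpProtocol": "tcp", "FromPort": 1025, "ToPort": 65535, "IpRanges": src},
        {"IpProtocol": "udp", "FromPort": 1025, "ToPort": 65535, "IpRanges": src},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445, "IpRanges": src},
    ]
    for port in (69, 135, 53):                      # custom UDP rule per the page
        rules.append({"IpProtocol": "udp", "FromPort": port, "ToPort": port, "IpRanges": src})
    return rules


def rna_required_egress():
    """The outbound rule the page requires: HTTPS to the internet for check-in.
    Scan traffic to targets must also be able to leave; the default allow-all
    egress of a new group already permits that."""
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def target_ingress_rule(scanner_source):
    """All traffic from the scanner. A group id (sg-...) is preferred because the
    appliance's address may change; a plain IP address is accepted as a /32."""
    if scanner_source.startswith("sg-"):
        return {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": scanner_source}]}
    host = ipaddress.ip_address(scanner_source)     # raises ValueError on bad input
    return {"IpProtocol": "-1", "IpRanges": [{"CidrIp": f"{host}/32"}]}


def covers(rules, protocol, port):
    """True if some rule admits protocol/port; useful for checking a group
    before a scan so the touch-back detections are not silently lost."""
    for rule in rules:
        if rule["IpProtocol"] == "-1":
            return True
        if rule["IpProtocol"] == protocol and rule["FromPort"] <= port <= rule["ToPort"]:
            return True
    return False


if __name__ == "__main__":
    rna = rna_ingress_rules("10.0.0.0/16")
    print(all(covers(rna, p, n) for p, n in [("tcp", 445), ("udp", 53), ("tcp", 4444)]))
    print(target_ingress_rule(SCANNER_SG_ID))
```

The covers() helper is the check to run against the RNA group: if TCP 445, UDP 69/135/53 or the high port range is not admitted, the connect-back detections described in the NOTE above cannot be observed and results will be incomplete.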

You should now be able to scan your AWS VPC assets.

NOTE: Should you need any further assistance, please contact Technical Support.