Install and Set Up AWS AMI Scanning

Set up Amazon Web Services VPC Scanning

In addition to scanning both external and internal networks, Fortra VM is also capable of scanning Amazon Web Services Virtual Private Cloud (VPC) infrastructures through our RNA Amazon Machine Image (AMI) scanning appliance.

In order to configure your AWS VPC for scanning, please perform the following steps (see below for detailed instructions):

  1. Obtain a Fortra Scanning Appliance Activation Key.
  2. Subscribe and configure your scanning appliance.
  3. Attach the FortraVMScanner IAM Role to your scanning appliance.

NOTE:
  • Target IP ranges can be entered as normal, but once the scan has started, hosts within the entered ranges are always discovered through the ec2-describe-instances API.
  • Hosts outside the VPC hosting the scanner will not be scanned and no traffic will be sent to them.
  • After the scanner is provisioned, an IAM role must be attached to allow use of the ec2-describe-instances API call, as this is required for host discovery.
  • If the IAM instance profile is not assigned, the scanner will fall back to network-based discovery.

Obtain a Fortra Scanning Appliance Activation Key

  1. Log into Fortra VM (TryFrontline.Cloud for demo users).
  2. From the left navigation menu, select Scan Settings > Scanners.
  3. Select the Appliance Tokens tab.
  4. Select New Token to generate a new activation token. This generates a 10-character, alphanumeric key you can use to associate your AWS AMI scanning appliance to your account.

Subscribe and Configure your Scanning Appliance

There are a couple of different ways to subscribe and configure the Scanning Appliance.

Select the AMI image link beneath the Virtual Scanner Download pane on the Appliance Tokens page.

Alternatively, visit AWS Marketplace to subscribe to and configure Fortra's Vulnerability Manager Virtual Scanning Appliance.

  1. Select Continue to Subscribe, found on the top right of the page. A EULA will be displayed and must be accepted to continue.

  2. Once the EULA is processed (note the "pending" status while it is being processed), select Continue to Configuration.

  3. Under Configure this software, select the appropriate Region for your FVM account, and then select Continue to Launch.
  4. In Choose Action, select Launch through EC2. Select Launch to go to EC2.

  5. The form page allows you to select the Key pair. The virtual server type is preselected as t3.medium and can be changed here if necessary. Security groups can be configured here, but this guidance explains how to add that information later.

    1. Ensure the RNA has at least 20 GB of storage allocated to it.

    2. Under the Advanced Details drop-down menu, enter the following string for User Data:

      FRONTLINEKEY=<Your 10 Alphanumeric Activation Key>

    3. Under Advanced details, for the IAM instance profile, select the FortraVMScanner IAM role.

      If the FortraVMScanner IAM role does not exist, perform the following actions:

      1. Select Create new IAM profile (located next to IAM instance profile).

      2. From the left navigation menu, select Policies.

      3. Select Create policy.

      4. Select the JSON tab.

      5. Paste the following JSON code into the policy editor:

        NOTE: Ensure there are no tabs or spaces before the opening "{" character after pasting the JSON code into the AWS Console.

            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "AllowRNAToViewVPCInfrastructure",
                        "Effect": "Allow",
                        "Action": [
                            "ec2:DescribeInstances"
                        ],
                        "Resource": "*"
                    }
                ]
            }

      6. Name the policy FortraVMScanner.

      7. Select Create policy.

      8. From the left navigation menu, select Roles.

      9. Select Create role.

      10. Under Trusted entity type, select AWS Service.

      11. Under Use case, select EC2.

      12. Select Next.

      13. On the Add permissions page, filter to the recently created FortraVMScanner policy and then select the checkbox next to it.

      14. Select Next.

      15. On the Name, review, and create page, add FortraVMScanner to the role name field.

      16. Select Create role.

      17. Back on the Launch Instance page, select the newly created FortraVMScanner role for the IAM instance profile field.

  6. Select Launch instance.
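
The steps above carried out from the AWS CLI instead of the console, as an added example that is not Fortra's own tooling or documentation. It writes the IAM permission document from the page together with the standard EC2 trust policy, checks that the permission document grants nothing beyond ec2:DescribeInstances before anything is sent, creates the FortraVMScanner policy, role and instance profile, and launches the scanner with the activation key as user data and a 20 GB root volume. The account ID, AMI ID, key pair name, activation key and the /dev/xvda root device name are placeholders, not values from the page; the AWS CLI v2 is assumed to be installed and configured with rights to create IAM resources. Unless APPLY=1 is set, the aws commands are only printed, so the script can be reviewed before it touches an account.

```shell
#!/bin/sh
# Added example (not Fortra's tooling): FortraVMScanner IAM policy, role and
# instance profile, plus the scanner launch, via the AWS CLI v2.
# Placeholders: ACCOUNT_ID, AMI_ID, KEY_NAME, FRONTLINEKEY, /dev/xvda.
# APPLY=1 executes the aws commands; otherwise they are printed only.

POLICY_NAME="FortraVMScanner"
ROLE_NAME="FortraVMScanner"
PROFILE_NAME="FortraVMScanner"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"    # placeholder; looked up when APPLY=1
AMI_ID="${AMI_ID:-ami-PLACEHOLDER}"         # Marketplace AMI id for your region
KEY_NAME="${KEY_NAME:-my-keypair}"          # placeholder key pair name
FRONTLINEKEY="${FRONTLINEKEY:-ABCDEFGHIJ}"  # placeholder 10-character activation key

# Execute the command when APPLY=1; otherwise print it (args with spaces quoted).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; return; fi
    for a in "$@"; do case "$a" in *" "*) printf "'%s' " "$a";; *) printf '%s ' "$a";; esac; done
    printf '\n'
}

# Permission document as on the page, and the trust policy the console writes
# for "AWS Service / EC2". Nothing precedes the opening "{" in either file.
write_policy_documents() {
    cat > "$WORKDIR/permissions.json" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowRNAToViewVPCInfrastructure",
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances"],
    "Resource": "*"
  }]
}
EOF
    cat > "$WORKDIR/trust.json" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Least-privilege check: ec2:DescribeInstances must be present, no action may
# carry a wildcard, and exactly one action may be granted.
check_least_privilege() {
    doc="$WORKDIR/permissions.json"
    grep -q '"ec2:DescribeInstances"' "$doc" || return 1
    if grep -Eq '"[a-z0-9-]+:[A-Za-z]*\*' "$doc"; then return 1; fi
    [ "$(grep -Ec '"[a-z0-9-]+:[A-Za-z]+"' "$doc")" -eq 1 ]
}

create_scanner_role() {
    write_policy_documents
    check_least_privilege || { echo "permissions.json grants more than ec2:DescribeInstances" >&2; return 1; }
    if [ "${APPLY:-0}" = "1" ]; then
        ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    fi
    run aws iam create-policy --policy-name "$POLICY_NAME" \
        --policy-document "file://$WORKDIR/permissions.json"
    run aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "file://$WORKDIR/trust.json"
    run aws iam attach-role-policy --role-name "$ROLE_NAME" \
        --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${POLICY_NAME}"
    # The console creates an instance profile alongside an EC2 role; the CLI
    # does not, so create one explicitly and put the role in it.
    run aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
    run aws iam add-role-to-instance-profile \
        --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
}

# Launch with the profile, the activation key as user data and a 20 GB root
# volume. /dev/xvda is an assumed root device name; check it against the AMI.
launch_scanner() {
    run aws ec2 run-instances --image-id "$AMI_ID" --instance-type t3.medium \
        --key-name "$KEY_NAME" --iam-instance-profile "Name=$PROFILE_NAME" \
        --user-data "FRONTLINEKEY=$FRONTLINEKEY" \
        --block-device-mappings "DeviceName=/dev/xvda,Ebs={VolumeSize=20}"
}

# Attach the profile to a scanner already launched without it; until then,
# discovery falls back to the network-based method noted on the page.
attach_to_running_scanner() {
    run aws ec2 associate-iam-instance-profile --instance-id "$1" \
        --iam-instance-profile "Name=$PROFILE_NAME"
}

# Usage: APPLY=1 AMI_ID=ami-... KEY_NAME=... FRONTLINEKEY=... sh scanner-iam.sh
create_scanner_role && launch_scanner
```

Run it once without APPLY=1 and read the printed commands; the policy check is there so that a broadened action (for example an ec2:Describe* wildcard pasted in by mistake) is refused before the policy reaches IAM. For a scanner that is already running, `attach_to_running_scanner <instance-id>` applies the profile without relaunching.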

Your Fortra VM AMI scanner will provision itself using the provided key and come online within 5-10 minutes. It should show up as Online under Scan Settings > Scanner Management from the Fortra VM interface.

Do not clone the AWS AMI vRNA, either before or after activating it. Cloning the vRNA may prevent successful communication between the vRNA and the Fortra VM platform.

NOTE: Take note of the AWS Security Group created for your RNA (for example, Fortra Virtual Scanning Appliance -1-0-0-AutogenByAWSMP). This will facilitate finding it when assigning the Security Group ID later.

Configure your AWS VPC security groups to allow scanning

Two security groups need to be provisioned: one on the RNA, so that scanned targets can connect back to it, and one on the targets, so that the RNA is allowed to reach them.

Assign security group to RNA

The security group the AMI RNA uses must allow the following:

  • All traffic to ports 1025-65535

  • Custom UDP Rule for ports 69, 135, and 53

  • Custom TCP Rule for port 445

  • Internet outbound on port 443

NOTE: To scan on port 25 on other internet-facing hosts, please submit a ticket with AWS. This is not a requirement if you are only scanning internal network hosts.

IMPORTANT: The RNA does not listen on these ports. During a scan, the RNA sends a request that attempts to make the scanned host connect back to the RNA on a specified port if the host is susceptible to the vulnerability being tested. The RNA then looks for these connection attempts to closed ports and includes the vulnerability in the scan results if they are observed. Failing to include these ports in the Security Group may lead to incomplete scan results.

Assign security group to targets

AWS VPCs often employ security groups as a means of restricting traffic. In order to scan EC2 instances within your AWS VPC, the Fortra AMI Scanner must be allowed to send network traffic to target instances.

This can be accomplished either by modifying a default security group that the instances currently share, or by creating a new security group and assigning it to all instances you wish to scan.

In order to create a new security group, perform the following steps:

  1. In the EC2 console, navigate to Network & Security > Security Groups.
  2. Select Create Security Group. Give the group a descriptive Security group name, such as "Allow Fortra Scanner." For Description, use something like, "Allow Fortra scanner to scan assets."
  3. Under Inbound Rules, select Add Rule.
  4. Under Type, select All Traffic.
  5. Specify the source. For example, to use the scanner's Security Group ID noted after launch, enter AWSMP in the search field to find it easily.

    NOTE: The source can be either the IP address of the scanner or the Security Group ID of the scanner. The Security Group ID is preferred, as the IP address of the appliance may change if it is not configured to be static.
  6. Select Create Security Group > Create.
  7. Now, assign this new security group to EC2 instances you wish to scan by navigating to Instances > Actions > Security > Change Security Groups.

  8. In the search field, search for your newly created Security Group and then select Add Security Group.

  9. Select Save.
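
The two security groups described in this section, created from the AWS CLI as an added example that is not Fortra's own tooling. The RNA's group receives the inbound rules listed under "Assign security group to RNA"; the page does not name a source for those rules, so the VPC CIDR is used here on the assumption that the scanned hosts live in that VPC, and "All traffic to ports 1025-65535" is rendered as both TCP and UDP. The target group allows all traffic with the scanner's Security Group ID as the source rather than its IP address, as the NOTE above recommends. VPC_ID and VPC_CIDR are placeholders; unless APPLY=1 is set, the aws commands are only printed.

```shell
#!/bin/sh
# Added example (not Fortra's tooling): scanner-side and target-side security
# groups via the AWS CLI v2. VPC_ID and VPC_CIDR are placeholders; the VPC
# CIDR as inbound source for the RNA's group is an assumption, as is treating
# "All traffic to ports 1025-65535" as TCP plus UDP. APPLY=1 executes the
# aws commands; otherwise they are printed only.

VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"   # constructed placeholder

# Execute the command when APPLY=1; otherwise print it (args with spaces quoted).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; return; fi
    for a in "$@"; do case "$a" in *" "*) printf "'%s' " "$a";; *) printf '%s ' "$a";; esac; done
    printf '\n'
}

# Inbound rules the RNA's own group needs for callbacks from scanned hosts:
# protocol, first port, last port.
scanner_inbound_rules() {
    cat <<'EOF'
tcp 1025 65535
udp 1025 65535
udp 69 69
udp 135 135
udp 53 53
tcp 445 445
EOF
}

# $1 = the scanner's security group id (the Marketplace-generated
# "...AutogenByAWSMP" group, or one you created). A new group's default
# egress rule already allows all outbound traffic, which covers the
# check-in to the platform on 443 as well as the scan traffic to targets.
create_scanner_group_rules() {
    sg="$1"
    scanner_inbound_rules | while read -r proto from to; do
        run aws ec2 authorize-security-group-ingress --group-id "$sg" \
            --ip-permissions "IpProtocol=$proto,FromPort=$from,ToPort=$to,IpRanges=[{CidrIp=$VPC_CIDR}]"
    done
}

# Target-side group: all traffic, sourced from the scanner's group id so the
# rule survives an address change. The last line of output is the group id.
create_target_group() {
    scanner_sg="$1"
    if [ "${APPLY:-0}" = "1" ]; then
        target_sg=$(aws ec2 create-security-group --group-name "Allow Fortra Scanner" \
            --description "Allow Fortra scanner to scan assets" --vpc-id "$VPC_ID" \
            --query GroupId --output text)
    else
        run aws ec2 create-security-group --group-name "Allow Fortra Scanner" \
            --description "Allow Fortra scanner to scan assets" --vpc-id "$VPC_ID"
        target_sg="sg-TARGET-PLACEHOLDER"
    fi
    run aws ec2 authorize-security-group-ingress --group-id "$target_sg" \
        --ip-permissions "IpProtocol=-1,UserIdGroupPairs=[{GroupId=$scanner_sg}]"
    echo "$target_sg"
}

# Attach groups to an instance. modify-instance-attribute --groups replaces
# the instance's whole group list, so pass its existing groups as well.
attach_target_group() {
    instance="$1"; shift
    run aws ec2 modify-instance-attribute --instance-id "$instance" --groups "$@"
}

# Usage: sh scanner-sg.sh <scanner-sg-id> <instance-id> [instance's existing sg ids...]
if [ "$#" -ge 2 ]; then
    scanner="$1"; instance="$2"; shift 2
    create_scanner_group_rules "$scanner"
    target=$(create_target_group "$scanner" | tail -n 1)
    attach_target_group "$instance" "$target" "$@"
fi
```

Because modify-instance-attribute replaces the full set of groups, list the instance's current groups first (for example with `aws ec2 describe-instances`) and pass them along with the new one; dropping a group an instance relies on is the usual way this step breaks something unrelated to scanning.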

You should now be able to scan your AWS VPC assets.

NOTE: Should you need any further assistance, please contact Fortra Technical Support.