AWS CVE Scanning - Details
Overview
When deployed in Advanced Mode, Panoptica supports scanning EC2 instances and ECR images for CVEs and malware. The scan does not require installation of an agent. Just make sure Workload Scanning is enabled when you onboard your AWS account.
In order to minimize impact to your environment, the scanning uses an orchestration layer that takes snapshots of the instances and scans them offline. There are two methods available to perform the scan:
- External scan scans the snapshots using an external Panoptica account. This calls for less internal resources, but requires sharing (not copying) the snapshots.
- Internal Scan scans the snapshots using a dedicated account in your environment. This improves performance, and keeps your data within your environment.
If you select Internal Scan, you will need to provide the Account ID of the account where the scanning will take place.
Any CVEs found are then prioritized based on several parameters and sent to the graph database to enrich the risk insights. For more on Panoptica's CVE Management capabilities, see Vulnerability Management.
Supported OS Versions
Panoptica's CVE scanning supports the following operating systems and versions in AWS:
OS | Version |
---|---|
Alpine | 3.3 and later |
Ubuntu | 14, 16, 18, 20, 21, 22 |
Debian | 8, 9, 10, 11 |
RHEL | 5, 6, 7, 8, 9 |
Fedora | 32, 33, 34, 35 |
Oracle Linux | 5, 6, 7 |
CentOS | 6, 7, 8, stream8, stream9 |
AlmaLinux | 8, 9 |
Rocky Linux | 8 |
Amazon Linux | All |
FreeBSD | 10, 11 |
openSUSE | tumbleweed |
openSUSE Leap | 15.2, 15.3 |
SUSE Enterprise | 11, 12, 15 |
Raspbian | Jessie, Stretch, Buster |
Scanning Process
Whether implementing Internal or External scanning, the process is similar:
- Panoptica creates a snapshot of the scanned machine's operating system volume.
- The snapshot is shared with the scanning account
- The scanning account launches a spot fleet based on Panoptica's CVE & Malware scanning image.
- One of the spot instances receives the scan request and performs these steps:
- Create a volume from the shared snapshot
- Delete the snapshot in the scanned account
- Attach the newly created volume and scan it for Malwares and CVEs
- After the scanner machine finishes the scan, it deletes the scanned volume, and is available to handle a new scan.
- After an idle time threshold defined by the platform, the scanner spot instance will delete itself
Assets Created
The following assets are created in your environment when you enable Panoptica's scanning functionality. These assets are created in each AWS Region supported by the platform.
Internal scanning:
These assets are created in the scanning account you define at onboarding to support the internal scanning process. No assets are created in any of your other accounts.
Resource availability
Before specifying the scanning account, verify that the account has not reached its quota limits for any of these resources, particularly the VPC.
- Role
- Instance profile
- VPC - There must be 1 spare Virtual Private Cloud available to support this.
- Subnet
- Internet gateway
- Route table
- Route
- Route table association
- Security groups
- KMS key and alias
- Launch template
External scanning:
- Role
Permissions
In order to create snapshots, share them, scan the volumes, etc., Panoptica requires some basic permissions in your AWS environment. These permissions are configured by policies in the CloudFormation Stack you run at onboarding.
You can view the required permissions, according to the scanning method selected, in the cloudformation script.
- For Internal scanning, see
"PolicyName": "panoptica-internal-ec2-scan"
- For External scanning, see
"PolicyName": "panoptica-external-ec2-scan-policy"
Roles and Permission
For further details regarding the roles and policies you create when onboarding your accounts, see AWS Onboarding - Roles, Policies, and Permissions.
Updated about 1 month ago