Skip to content

jonhadfield/aws-inspector-reporter

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AWS Inspector Reporter (AIR)

circleci Go Report Card

about

AIR is a tool to retrieve the latest AWS Inspector findings (latest run of each template) from your AWS accounts and presents them in an auto-filtered Excel spreadsheet. It can run from the command-line or using AWS Lambda.
By specifying filters it enables you to adjust severity of specific findings, or ignore them and state the justification.
Generated reports can be automatically emailed using AWS SES (Simple Email Service).

installation

Download the latest release for your OS from here: https://github.com/jonhadfield/aws-inspector-reporter/releases
For running on AWS Lambda see here.

macOS and Linux

Install:
$ install <downloaded binary> /usr/local/bin/air

running

Type air and press enter.

configuration

authentication

AIR retrieves Inspector findings using the AWS API that requires a set of API credentials. See here for instructions on how to set credentials.

permissions

basic

In order for AIR to access the AWS Inspector findings the user or role that it runs under will need the following policy:
arn:aws:iam::aws:policy/AmazonInspectorReadOnlyAccess

For AIR to be able to use the AWS Account alias (name) instead of just the AWS Account ID number, it additionally requires this permission:
iam:ListAccountAliases

sending emails with AWS SES (Simple Email Service)

AIR will additionally require the following permission for the identity resource sending the email:
ses:SendRawEmail

filtering

By default, AIR will report the severity stated by AWS Inspector. To override these, create a directory called config with a file called 'filters.yml' in with a list of filters to apply:

- title-match: <finding title to match, supporting regexp>  
  severity: <high|medium|low|informational|ignore>  
  comment: <comment to add to spreadsheet>

See here for examples.

email

AIR supports sending generated reports via email using AWS SES. Note: this requires the provided AWS credentials have the necessary permissions.
To configure: create a directory called config with a file called 'report.yml' with the email settings:

email:
  provider: ses
  region: <AWS region for SES>
  source: "<email address of sender>"
  recipients:
    - "<email recipient>"
    - "<email recipient>"
  subject: "<email subject>"

See here for an example.

running against multiple-accounts

By default, AIR will retrieve findings from the AWS account that corresponds to the credentials specified.
To run against multiple accounts you need to:

  • provide sts:AssumeRole permissions to the user AIR is run with
  • create an IAM role in each target account with:
    • the policy 'AmazonInspectorReadOnlyAccess' attached
    • a trust relationship allowing the provided AWS permissions to be used to assume the role (see here for examples)

directory called 'config' with a file called 'targets.yml' that specifies a list of target account roles:

  • id: the numeric account id
  • alias: the account alias
  • roleName: name of the role to assume
  • roleExternalId (optional): to match the external id specifed on trust relationship on the target role

See here for example.