Update September 2017: For additional capabilities, check out the AWS Web Asset Sync Discovery Connection.

Rapid7 is excited to announce that you can now find a Nexpose Scan Engine AMI on the Amazon Web Services Marketplace, making it simple to deploy a pre-authorized Nexpose Scan Engine from the AWS Marketplace to scan your AWS assets!

What is an AMI?

An Amazon Machine Image (AMI) allows you to launch a virtual server in the cloud. This means you can deploy Nexpose Scan Engines via the Amazon marketplace without having to go through the process of configuring and installing it yourself.

What are the benefits?

The Marketplace includes a specially configured Nexpose Scan Engine that is pre-authorized for scanning AWS assets. This gives Rapid7 customers the ability to scan AWS assets immediately, or on a recurring schedule, without having to contact Amazon in advance for permission – a process that can take a number of days. Using a Nexpose Scan Engine deployed within the AWS network also allows you to scan private IP addresses and collect information that may not be reachable through public IP addresses (such as internal databases). Additionally, scanning private IPs eliminates the need to pay for Elastic IPs.

How do I deploy a pre-authorized Scan Engine?

Current Nexpose customers can deploy the pre-authorized Nexpose Scan Engine as a remote scan engine for scanning AWS assets only. When creating your AWS discovery connection, simply check the box denoting that your scan engine is in the AWS network.

You'll need a set of IAM credentials with permission to list assets in your AWS account. These credentials only need read-only describe permissions; a minimal IAM policy that allows this looks like:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "NexposeScanEngine",
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeInstances",
      "ec2:DescribeImages",
      "ec2:DescribeAddresses"
    ],
    "Resource": [ "*" ]
  }]
}
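Because the discovery credentials are long-lived and attached to an internet-facing discovery connection, it is worth checking, before you hand them to the console, that the policy really is limited to the three describe calls above. The following script is an added example and is not Rapid7's or AWS's code: it parses a policy document and reports any Allow statement that uses a wildcard action, a NotAction, or an action outside the set the post lists. The two policy documents it audits are constructed samples: the minimal policy from the post and a drifted variant that grants ec2:Describe* plus ec2:TerminateInstances.

```python
import json

# The only actions the post's minimal policy grants; the scan engine needs
# nothing beyond these to enumerate assets.
ALLOWED_ACTIONS = {
    "ec2:DescribeInstances",
    "ec2:DescribeImages",
    "ec2:DescribeAddresses",
}

# Constructed sample: the minimal policy shown in the post.
MINIMAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "NexposeScanEngine",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances",
                   "ec2:DescribeImages",
                   "ec2:DescribeAddresses"],
        "Resource": ["*"],
    }],
})

# Constructed sample: a policy that has drifted past least privilege.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return a list of human-readable findings.

    An empty list means every Allow statement grants only actions in
    ALLOWED_ACTIONS with no wildcards, i.e. the policy matches the post's
    minimal read-only grant.
    """
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        label = stmt.get("Sid", "statement[%d]" % idx)
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt:
            findings.append("%s: NotAction grants every action except those listed" % label)
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                # Even a read-only wildcard such as ec2:Describe* grants more
                # than the three calls the engine needs.
                findings.append("%s: wildcard action %r" % (label, action))
            elif action not in ALLOWED_ACTIONS:
                findings.append("%s: action %r is not needed for asset discovery" % (label, action))
    return findings


if __name__ == "__main__":
    for name, policy in (("minimal", MINIMAL_POLICY), ("overbroad", OVERBROAD_POLICY)):
        problems = audit_policy(policy)
        print(name, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run it against the policy JSON you are about to attach (for example, the output of `aws iam get-policy-version`); anything it reports is permission the scan engine's discovery connection does not need.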

The pre-authorized scan engine must use the "engine-to-console" communication direction. This means the Scan Engine initiates the connection to the Nexpose Console, so the console never needs to reach into your AWS network. Preparing your Nexpose Console to pair with a pre-authorized Scan Engine is simple:

  1. Ensure the pre-authorized Scan Engine can communicate with your Nexpose Console on port 40815. You may need to open a firewall port to allow this.
  2. Generate a temporary shared secret on your console. This is used to authorize the Scan Engine. A shared secret can be generated from the Administration -> Scan Options -> Engines -> manage screen. Scroll to the bottom and use the Generate button. Keep this page open; you'll need the secret when launching your Scan Engine.

Now you are ready to deploy your pre-authorized Nexpose Scan Engine. Sign into your AWS console and navigate to the Nexpose Scan Engine (Pre-authorized) AWS Marketplace listing. You must use EC2 user data to tell your engine how to pair with your console. Follow these steps to launch the engine:

  1. Click Continue on the AWS Marketplace listing.
  2. Accept the terms using the Accept Software Terms button.
  3. It can take up to 10 minutes for Amazon to process your request. You'll receive an email from Amazon when you can launch the AMI.
  4. After you receive the email, refresh the marketplace page. You should see several blue "Launch with EC2 Console" buttons.
  5. Click the Launch with EC2 Console button in your desired AWS region.
  6. Proceed with the normal process of launching an EC2 instance. When you get to the Instance Details screen, expand the Advanced Details section. Provide the following EC2 user data. Replace the bracketed sections with information about your Nexpose Console:
     NEXPOSE_CONSOLE_HOST=<hostname or ip of your console>
     NEXPOSE_CONSOLE_PORT=40815
     NEXPOSE_CONSOLE_SECRET=<shared secret generated earlier>
  7. Finish launching the EC2 instance.
  8. Once the instance boots, it can take 10-15 minutes to pair with the console.
  9. Verify the engine pairs with the console via the engine listing in the console (Administration -> Scan Options -> Engines -> manage).
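A pairing that silently fails for 15 minutes is usually a user-data mistake: a bracketed placeholder left in place, a key mistyped, or the secret pasted twice. The script below is an added example, not part of the Marketplace listing or of Rapid7's tooling; it renders the three KEY=VALUE lines from step 6, validates a user-data block before you paste it into the Advanced Details box (or pass it to the EC2 API, which expects it base64-encoded), and reports exactly which line is wrong. The console hostname and secret in the sample are constructed values.

```python
import base64
import re

# The three keys the post tells you to place in EC2 user data.
REQUIRED_KEYS = ("NEXPOSE_CONSOLE_HOST", "NEXPOSE_CONSOLE_PORT", "NEXPOSE_CONSOLE_SECRET")

# A value still wrapped in angle brackets is the post's template placeholder.
PLACEHOLDER = re.compile(r"^<.*>$")

# Constructed sample: the template exactly as it appears in step 6.
TEMPLATE = (
    "NEXPOSE_CONSOLE_HOST=<hostname or ip of your console>\n"
    "NEXPOSE_CONSOLE_PORT=40815\n"
    "NEXPOSE_CONSOLE_SECRET=<shared secret generated earlier>\n"
)


def build_user_data(host, port, secret):
    """Render the user-data block for a console at host:port with the given shared secret."""
    return (
        "NEXPOSE_CONSOLE_HOST=%s\n"
        "NEXPOSE_CONSOLE_PORT=%d\n"
        "NEXPOSE_CONSOLE_SECRET=%s\n" % (host, port, secret)
    )


def validate_user_data(text):
    """Return a list of problems; an empty list means the block is ready to submit."""
    problems = []
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append("line %d: expected KEY=VALUE" % lineno)
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in REQUIRED_KEYS:
            problems.append("line %d: unexpected key %r" % (lineno, key))
            continue
        if key in seen:
            problems.append("line %d: duplicate key %r" % (lineno, key))
        seen[key] = value
    for key in REQUIRED_KEYS:
        if key not in seen:
            problems.append("missing %s" % key)
        elif not seen[key] or PLACEHOLDER.match(seen[key]):
            problems.append("%s still holds the bracketed placeholder" % key)
    port = seen.get("NEXPOSE_CONSOLE_PORT", "")
    if port and not PLACEHOLDER.match(port):
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("NEXPOSE_CONSOLE_PORT %r is not a valid TCP port" % port)
    return problems


def encode_for_api(text):
    """Base64-encode user data as the EC2 RunInstances API expects it on the wire."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed console address and secret for the demonstration.
    block = build_user_data("nexpose-console.example.internal", 40815, "constructed-secret-value")
    print("template problems:", validate_user_data(TEMPLATE))
    print("filled-in problems:", validate_user_data(block))
    print("base64 for the API:", encode_for_api(block))
```

Run the validator on the text you intend to paste; the template itself should produce two placeholder findings and your filled-in block none. Treat the rendered block as sensitive while the shared secret is live, since EC2 user data is readable from the instance metadata service.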

With this one-time configuration set, you can create a schedule to scan your AWS assets.