To pre-auth, or not to pre-auth, that is the question.
With the recent changes to Amazon Web Services’ (AWS) pen-testing policy, it is easier to get started on your InsightVM scans without requiring the use of our Pre-Authorized Scan Engine AMI. Previously, the recommended method was to launch an EC2 instance with our Pre-Authorized Scan Engine AMI and begin scanning your environment. Because this engine was certified with AWS, there was no need to fill out the pen-testing form, but as we just noted, this form is no longer required, which means both options (manual install and the Pre-Authorized Scan Engine AMI) are equally easy to get started with.
By installing the InsightVM Scan Engine on an EC2 instance manually (not using the Pre-Authorized Scan Engine AMI), you’ll be able to access your Scan Engine EC2 instance (via SSH/RDP) and re-pair it if you ever need to add your scan engine to a new InsightVM console. As of right now, this is not possible with the Pre-Authorized Scan Engine AMI. A little extra effort goes a long way here!
Today, we’re going to go over installing the InsightVM Scan Engine in an AWS environment without using the Pre-Authorized Scan Engine AMI. First off, we’ll assume you’re familiar with AWS and how to create an EC2 instance within your environment. If that is not the case, check out this quick-start guide from AWS. After you’ve done that, or if you are an EC2 guru already, go ahead and launch an instance within EC2, keeping the following items in mind:
- AMI: Please be sure to select an OS that is on our supported list here.
- Instance Type: We recommend at least m4.large. Click here for more compute recommendations.
- IAM role: Create an IAM user/role (or use an existing one if you have a user/role configured for AWS Asset Sync Discovery). When creating a new role/user, you can reference this for the policy requirements the AWS Scan Engine will need.
- Storage: When configuring your storage, we recommend that, at a minimum, you allocate 100GB for the storage size.
- Security Group: Configure your Inbound Rules to allow port 22 (SSH for Linux) or port 3389 (RDP for Windows) and port 40814. For security purposes, you likely want to specify IP addresses or ranges that will be allowed to access the machine on these ports (see note below).
(Screenshots: Linux Security Group - Inbound Rules; Windows Security Group - Inbound Rules)
Security Group Note: Set the Source for Inbound port 22 to be the IP(s) you want to give SSH access directly to the Engine and set the Source for port 40814 to be the Console IP address. For single IP addresses, be sure to set the IP to /32 at the end (ex: 127.0.0.1/32 translates to just the IP 127.0.0.1, but hint, don’t use this specific example IP).
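To show what the note above amounts to in practice, here is an added example (not code from the original post or from Rapid7) that builds the two inbound rules with boto3's IpPermissions structure, turns a bare IP into a /32, and refuses a console source that is wider than a single host or a source of 0.0.0.0/0. The group ID, region and sample addresses are constructed placeholders; boto3 is only needed if you actually apply the rules.

```python
"""Build (and optionally apply) the Scan Engine inbound rules described above."""
import ipaddress
from typing import Dict, List

# Ports from the post: admin access (SSH or RDP) and the console-to-engine port.
ADMIN_PORTS = {"linux": 22, "windows": 3389}
ENGINE_PORT = 40814


def normalize_cidr(value: str) -> str:
    """Return a canonical IPv4 CIDR; a bare address becomes a /32 host entry.

    strict=True rejects something like 10.0.0.5/24, so a typo can never
    silently widen a single-host rule to a whole subnet.
    """
    return str(ipaddress.IPv4Network(value, strict=True))


def build_ingress_rules(os_type: str, admin_sources: List[str],
                        console_source: str) -> List[Dict]:
    """Return the IpPermissions list for authorize_security_group_ingress.

    admin_sources: IPs/ranges allowed to SSH (Linux) or RDP (Windows) in.
    console_source: the single InsightVM console address (must be one host).
    """
    admin_port = ADMIN_PORTS[os_type.lower()]
    console_cidr = normalize_cidr(console_source)
    if ipaddress.IPv4Network(console_cidr).num_addresses != 1:
        raise ValueError("console source must be a single host, e.g. 192.0.2.5/32")

    rules = [
        {
            "IpProtocol": "tcp",
            "FromPort": admin_port,
            "ToPort": admin_port,
            "IpRanges": [{"CidrIp": normalize_cidr(src), "Description": "admin access"}
                         for src in admin_sources],
        },
        {
            "IpProtocol": "tcp",
            "FromPort": ENGINE_PORT,
            "ToPort": ENGINE_PORT,
            "IpRanges": [{"CidrIp": console_cidr, "Description": "InsightVM console"}],
        },
    ]
    # Refuse an open-to-the-world source on either port.
    for rule in rules:
        for ip_range in rule["IpRanges"]:
            if ipaddress.IPv4Network(ip_range["CidrIp"]).prefixlen == 0:
                raise ValueError(f"refusing 0.0.0.0/0 on port {rule['FromPort']}")
    return rules


def apply_rules(group_id: str, rules: List[Dict], region: str = "us-east-1") -> None:
    """Apply the rules with boto3 (real API call; needs AWS credentials)."""
    import boto3  # imported here so the builder stays usable offline
    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


if __name__ == "__main__":
    # Constructed sample values; replace with your own before applying.
    rules = build_ingress_rules("linux",
                                admin_sources=["203.0.113.10", "198.51.100.0/24"],
                                console_source="192.0.2.5")
    for rule in rules:
        print(rule["FromPort"], [r["CidrIp"] for r in rule["IpRanges"]])
    # apply_rules("sg-0123456789abcdef0", rules)  # placeholder group ID
```

Run it as-is to see the rule set it would submit; uncomment the last line with your real group ID once the printed sources match the console and admin addresses you intend.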
Remember that in order to SSH or RDP into the Scan Engine, you’ll need to use the key-pair selected when launching the EC2 instance. To find out more about this process, you can check here (Windows) and here (Linux).
Which scan engine should you use?
When it comes down to deciding whether you want to use the Pre-Authorized Scan Engine AMI or install the Rapid7 InsightVM Scan Engine manually on your EC2 instance, it really is about preference. With the AMI, the proper security groups are set up for you when you configure and launch the instance. When installing manually, you are responsible for setting those correctly yourself. If you need it installed on a specific supported OS or need more control over the instance, a manual install might be for you. With the manual version, you will also be responsible for maintaining the host OS and keeping it up to date. If you’re looking to install the Scan Engine without having to worry about configuring it or making sure it’s supported by InsightVM, the Pre-Authorized Scan Engine AMI might be your weapon of choice. Why not try them both out and see which you prefer?
Now that you have your bright and shiny InsightVM Scan Engine running in AWS, it’s time to set up an AWS Asset Sync discovery connection or to just start scanning your IPs. If you are looking to set up the discovery connection, you can check out this documentation to get it done. If the auto-syncing of AWS assets isn’t your cup of tea, you can get started with scanning in InsightVM. For more information about scanning, see here to create and scan your first site! Happy scanning!