Enable possibility to configure inspector ec2 scan mode

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Table of Contents<!-- omit in toc -->
 
 - [Introduction](#introduction)
+- [2024-12-18](#2024-12-18)
 - [2024-09-18](#2024-09-18)
 - [2024-08-22](#2024-08-22)
 - [2024-07-17](#2024-07-17)
@@ -57,6 +58,13 @@
 All notable changes to this project will be documented in this file.
 
 ---
+
+## 2024-12-18
+
+### Added<!-- omit in toc -->
+
+- Updated [Inspector](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/inspector/inspector_org) solution to configure ec2 scan mode
+
 ## 2024-09-18
 
 ### Added<!-- omit in toc -->
@@ -169,7 +177,7 @@ Updated [Firewall Manager](https://github.com/aws-samples/aws-security-reference
 ### Changed<!-- omit in toc -->
 
 - Added GuardDuty EKS, Malware, RDS, and Lambda protections [GuardDuty Organization](aws_sra_examples/solutions/guardduty/guardduty_org)
-- Added fix to support deploying to more than 50 accounts. https://github.com/aws-samples/aws-security-reference-architecture-examples/issues/139. UpdateMemberDetectors and CreateMembers parameters accountIds and accountDetails support a max number
+- Added fix to support deploying to more than 50 accounts. <https://github.com/aws-samples/aws-security-reference-architecture-examples/issues/139>. UpdateMemberDetectors and CreateMembers parameters accountIds and accountDetails support a max number
   of 50 items
 
 ## 2023-05-12

aws_sra_examples/easy_setup/customizations_for_aws_control_tower/manifest.yaml

@@ -207,6 +207,8 @@ resources:
         parameter_value: "EC2, ECR, LAMBDA, LAMBDA_CODE"
       - parameter_key: pEcrRescanDuration
         parameter_value: "LIFETIME"
+      - parameter_key: pEcrRescanDuration
+        parameter_value: "EC2_SSM_AGENT_BASED"
 
       # Macie Solution
       - parameter_key: pDisableMacie

aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml

@@ -257,6 +257,7 @@ Metadata:
         Parameters:
           - pScanComponents
           - pEcrRescanDuration
+          - pEc2ScanMode
 
       - Label:
           default: Patch Manager Solution
@@ -332,6 +333,8 @@ Metadata:
         default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
       pEcrRescanDuration:
         default: ECR Rescan Duration
+      pEc2ScanMode:
+         default: EC2 Scan Mode
       pDeployInspectorSolution:
         default: Deploy the Inspector Solution
 
@@ -798,6 +801,11 @@ Parameters:
     Default: LIFETIME
     Description: ECR Rescan Duration
     Type: String
+  pEc2ScanMode:
+    AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID]
+    Default: EC2_SSM_AGENT_BASED
+    Description: EC2 Scan Mode
+    Type: String
   pDeployInspectorSolution:
     AllowedValues: ["Yes", "No"]
     Default: "No"
@@ -2941,6 +2949,7 @@ Resources:
           - ","
           - !Ref pScanComponents
         pEcrRescanDuration: !Ref pEcrRescanDuration
+        pEc2ScanMode: !Ref pEc2ScanMode
         pLambdaLogGroupKmsKey: !Ref pLambdaLogGroupKmsKey
         pLambdaLogGroupRetention: !Ref pLambdaLogGroupRetention
         pLambdaLogLevel: !Ref pLambdaLogLevel

aws_sra_examples/solutions/inspector/inspector_org/README.md

@@ -91,7 +91,7 @@ The Inspector Organization solution will automate enabling Amazon Inspector by d
 
 - The python boto3 SDK lambda layer to enable capability for lambda to enable all elements of the inspector service.
 - This is downloaded during the deployment process and packaged into a layer that is used by the lambda function in this solution.
-- The inspector API available in the current lambda environment (as of 01/19/2023) is boto3-1.20.32, however, enhanced functionality of the inspector API used in this solution requires at least 1.26.18 (see references below).
+- The inspector API available in the current lambda environment (as of 01/19/2023) is boto3-1.20.32, however, enhanced functionality of the inspector API used in this solution requires at least 1.35.83 (see references below).
 - Note: Future revisions to this solution will remove this layer when boto3 is updated within the lambda environment.
 
 ---

aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/manifest.yaml

@@ -33,6 +33,8 @@ resources:
         parameter_value: EC2, ECR, LAMBDA, LAMBDA_CODE
       - parameter_key: pEcrRescanDuration
         parameter_value: 'LIFETIME'
+      - parameter_key: pEc2ScanMode
+        parameter_value: 'EC2_SSM_AGENT_BASED'
     deploy_method: stack_set
     deployment_targets:
       accounts:

aws_sra_examples/solutions/inspector/inspector_org/customizations_for_aws_control_tower/parameters/sra-inspector-org-main-ssm.json

@@ -42,6 +42,10 @@
   {
     "ParameterKey": "pEcrRescanDuration",
     "ParameterValue": "LIFETIME"
+  },
+  {
+    "ParameterKey": "pEc2ScanMode",
+    "ParameterValue": "EC2_SSM_AGENT_BASED"
   }
 
 ]

aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py

@@ -184,6 +184,7 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
         )
     )
     params.update(parameter_pattern_validator("ECR_SCAN_DURATION", os.environ.get("ECR_SCAN_DURATION"), pattern=r"^(LIFETIME|DAYS_30|DAYS_180){1}$"))
+    params.update(parameter_pattern_validator("EC2_SCAN_MODE", os.environ.get("EC2_SCAN_MODE"), pattern=r"^(EC2_SSM_AGENT_BASED|EC2_HYBRID){1}$"))
 
     # Optional Parameters
     params.update(
@@ -375,6 +376,7 @@ def setup_inspector_in_region(
     configuration_role_name: str,
     scan_components: list,
     ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"],
+    ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"],
 ) -> None:
     """Regional setup process of the inspector feature.
 
@@ -386,6 +388,7 @@ def setup_inspector_in_region(
         configuration_role_name: name of the configuration role
         scan_components: list of components to scan
         ecr_scan_duration: ecr scan duration
+        ec2_scan_mode: ec2 scan mode
     """
     scan_component_dict: AutoEnableTypeDef = {"ec2": False, "ecr": False, "lambda": False, "lambdaCode": False}
     for scan_component in scan_components:
@@ -412,7 +415,8 @@ def setup_inspector_in_region(
     inspector.set_auto_enable_inspector_in_org(region, configuration_role_name, delegated_admin_account, scan_component_dict)
 
     LOGGER.info(f"setup_inspector_in_region: ECR_SCAN_DURATION - {ecr_scan_duration}")
-    inspector.set_ecr_scan_duration(region, configuration_role_name, delegated_admin_account, ecr_scan_duration)
+    LOGGER.info(f"setup_inspector_in_region: EC2_SCAN_MODE - {ec2_scan_mode}")
+    inspector.set_inspector2_configuration(region, configuration_role_name, delegated_admin_account, ecr_scan_duration, ec2_scan_mode)
 
     inspector.associate_inspector_member_accounts(configuration_role_name, delegated_admin_account, accounts, region)
 
@@ -540,6 +544,7 @@ def process_event_sns(event: dict) -> None:
                 params["CONFIGURATION_ROLE_NAME"],
                 scan_components,
                 params["ECR_SCAN_DURATION"],
+                params["EC2_SCAN_MODE"],
             )
 
 

aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py

@@ -420,15 +420,20 @@ def enable_inspector2_in_member_accounts(
         enable_inspector2(inspector_delegated_admin_region_client, account["AccountId"], region, scan_components)
 
 
-def set_ecr_scan_duration(
-    region: str, configuration_role_name: str, delegated_admin_account_id: str, ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"]
+def set_inspector2_configuration(
+    region: str, 
+    configuration_role_name: str, 
+    delegated_admin_account_id: str, 
+    ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"], 
+    ec2_scan_mode: Literal["EC2_SSM_AGENT_BASED", "EC2_HYBRID"]
 ) -> None:
-    """Set the ECR scan duration in the delegated administrator account.
+    """Set the ECR scan duration and EC2 scan mode in the delegated administrator account.
 
     Args:
         configuration_role_name: configuration role name
         delegated_admin_account_id: delegated admin account id
         ecr_scan_duration: ecr scan duration
+        ec2_scan_mode: ec2 scan mode
         region: AWS region
 
     Returns:
@@ -440,11 +445,13 @@ def set_ecr_scan_duration(
     )
     inspector_delegated_admin_region_client: Inspector2Client = delegated_admin_session.client("inspector2", region)
     LOGGER.info(f"Setting ECR scan duration in delegated admin account to {ecr_scan_duration} in {region}")
+    LOGGER.info(f"Setting EC2 scan mode in delegated admin account to {ec2_scan_mode} in {region}")
     LOGGER.info(f"delegated admin client region: {inspector_delegated_admin_region_client.meta.region_name}")
     LOGGER.info(f"Region: {delegated_admin_session.region_name}")
     sts_client = delegated_admin_session.client("sts", region_name=region)
     LOGGER.info(f"caller identity: {sts_client.get_caller_identity()}")
     configuration_response: dict = inspector_delegated_admin_region_client.update_configuration(
+        ec2Configuration={"scanMode": ec2_scan_mode},
         ecrConfiguration={"rescanDuration": ecr_scan_duration}
     )
     api_call_details = {"API_Call": "inspector:UpdateConfiguration", "API_Response": configuration_response}

aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml

@@ -36,6 +36,7 @@ Metadata:
           - pEnabledRegions
           - pScanComponents
           - pEcrRescanDuration
+          - pEc2ScanMode
 
       - Label:
           default: General Lambda Function Properties
@@ -91,6 +92,8 @@ Metadata:
         default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
       pEcrRescanDuration:
         default: ECR Rescan Duration
+      pEc2ScanMode:
+        default: EC2 Scan Mode
 
 Parameters:
   pComplianceFrequency:
@@ -204,6 +207,11 @@ Parameters:
     Default: LIFETIME
     Description: ECR Rescan Duration
     Type: String
+  pEc2ScanMode:
+    AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID]
+    Default: EC2_SSM_AGENT_BASED
+    Description: EC2 Scan Mode
+    Type: String
 
 Conditions:
   cComplianceFrequencySingleDay: !Equals [!Ref pComplianceFrequency, 1]
@@ -472,6 +480,7 @@ Resources:
           - ','
           - !Ref pScanComponents
           ECR_SCAN_DURATION: !Ref pEcrRescanDuration
+          EC2_SCAN_MODE: !Ref pEc2ScanMode
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName
@@ -482,7 +491,7 @@ Resources:
       Content:
         S3Bucket: !Ref pSRAStagingS3BucketName
         S3Key: !Sub ${pSRASolutionName}/layer_code/${pSRASolutionName}-layer.zip
-      Description: Boto3 version 1.26.24 layer to enable newer API of inspector2
+      Description: Boto3 version 1.35.83 layer to enable newer API of inspector2
       LayerName: !Sub ${pInspectorOrgLambdaFunctionName}-updated-boto3-layer
 
   rInspectorOrgLambdaCustomResource:
@@ -498,6 +507,7 @@ Resources:
       - ','
       - !Ref pScanComponents
       ECR_SCAN_DURATION: !Ref pEcrRescanDuration
+      EC2_SCAN_MODE: !Ref pEc2ScanMode
 
   rInspectorOrgTopic:
     Type: AWS::SNS::Topic

aws_sra_examples/solutions/inspector/inspector_org/templates/sra-inspector-org-main-ssm.yaml

@@ -38,6 +38,7 @@ Metadata:
           - pEnabledRegions
           - pScanComponents
           - pEcrRescanDuration
+          - pEc2ScanMode
 
       - Label:
           default: General Lambda Function Properties
@@ -92,6 +93,8 @@ Metadata:
         default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
       pEcrRescanDuration:
         default: ECR Rescan Duration
+      pEc2ScanMode:
+        default: EC2 Scan Mode
 
 Parameters:
   pStackSetAdminRole:
@@ -211,6 +214,11 @@ Parameters:
     Default: LIFETIME
     Description: ECR Rescan Duration
     Type: String
+  pEc2ScanMode:
+    AllowedValues: [EC2_SSM_AGENT_BASED, EC2_HYBRID]
+    Default: EC2_SSM_AGENT_BASED
+    Description: EC2 Scan Mode
+    Type: String
 
 Conditions:
   cNotGlobalRegionUsEast1: !Not [!Equals [!Ref 'AWS::Region', us-east-1]]
@@ -282,6 +290,7 @@ Resources:
           - ','
           - !Ref pScanComponents
         pEcrRescanDuration: !Ref pEcrRescanDuration
+        pEc2ScanMode: !Ref pEc2ScanMode
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName