Connect this data source on your own, using the Hunters platform.
Overview
Table name:
aws_inspector_findings
AWS Inspector Logs provide detailed information about security findings and assessment runs performed by AWS Inspector. AWS Inspector is a security assessment service that helps analyze the security and compliance of applications deployed on Amazon Web Services (AWS).
When you run an assessment with AWS Inspector, it performs a scan of your application's resources, such as EC2 instances, to identify potential security issues. The findings discovered during the assessment are recorded in Inspector Logs. These logs contain important information about the security vulnerabilities, exposures, and recommendations to remediate them.
Send data to Hunters
To support integration with other applications, Amazon Inspector automatically publishes findings to Amazon EventBridge as events. EventBridge is a serverless event bus service that delivers a stream of real-time data from applications and other AWS services to targets such as AWS Lambda functions. In this guide, we explain how to transfer findings from Inspector to an S3 bucket using an EventBridge rule and a Lambda function.
💡Before you start
You’ll need an AWS admin account to complete all the steps.
1. Create a Lambda function
Open the Functions page of the Lambda console.
Choose Create function.
Enter a name for the function and choose the latest version of Python in runtime. Leave the other parameters as they are.
Choose Create function.
In the Code editor, click the lambda_function.py file to open the function editor.
Replace the contents of the file with the following code, and then click Deploy.

import json
import os
from datetime import datetime

import boto3
from botocore.exceptions import NoCredentialsError


def lambda_handler(event, context):
    s3 = boto3.client('s3')
    try:
        bucket_name = os.environ['BUCKET_NAME']
        now = datetime.now()
        # Serialize only the "detail" block (the finding itself) with json.dumps so
        # the object is valid JSON rather than a Python repr, and partition keys by
        # date. The event id is appended to the key so that two findings delivered
        # in the same second do not overwrite each other.
        key = (
            f"EventBride-logs/{now.year}/{now.month}/{now.day}/"
            f"{int(now.timestamp())}-{event.get('id', 'no-id')}.json"
        )
        s3.put_object(Body=json.dumps(event['detail']), Bucket=bucket_name, Key=key)
        print("Upload Successful")
    except KeyError as err:
        print(f"Missing environment variable or event field: {err}")
    except NoCredentialsError:
        print("Credentials not available")
    return None

To specify the destination S3 bucket that the files will be written to, we need to create an environment variable. In the Configuration tab, go to Environment variables and click Edit.
Click Add environment variables, fill as follows with your destination S3 bucket name, and then click Save.
Next, we need to configure the permissions for the Lambda function. In the Configuration tab, go to Permissions. Under Execution role > Role name you can see the name of the IAM role that was automatically created for the function. Click the role name to edit its permissions.
In the Permissions policies click Add permissions > Attach policies, and then choose Create policy.
Use the Visual editor and fill in the following:
Service - S3
Actions - PutObject
Resources - Choose Specific and click Add ARN. Enter the name of the target bucket and choose Any for the object name. Click Add.
Make sure your editor is filled like this:
Click Create policy again and repeat the previous step with the following details:
Service - KMS
Actions - GenerateDataKey
Resources - Choose Specific and click Add ARN. Leave the account id as is and choose Any in the region and key id. Click Add.
Make sure your editor is filled like this, and choose Next:
Click Next.
Enter a name and description for the policy and click Create policy.
Go back to your function IAM Role page and choose Attach policies. Choose the policy you have just created and click Add permissions.
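The two visual-editor policies above amount to a short JSON policy document. The following is an added example (not Hunters' or AWS's code) that builds that document from a bucket name and account id and flags statements that are broader than this integration needs, which is a useful check before attaching anything to the execution role. The bucket name and account id are constructed placeholders.

```python
import json

# Constructed placeholders; replace with your bucket and account.
BUCKET_NAME = "example-inspector-findings-bucket"
ACCOUNT_ID = "111122223333"


def build_lambda_policy(bucket_name: str, account_id: str) -> dict:
    """Return the least-privilege policy the console steps above produce.

    Statement 1 lets the function write any object key into the target bucket
    ("Any" object name). Statement 2 lets it obtain data keys from any KMS key
    in the account ("Any" region and key id), which is only exercised when the
    bucket is encrypted with SSE-KMS.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteFindingsToBucket",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
            },
            {
                "Sid": "GenerateDataKeyForSseKms",
                "Effect": "Allow",
                "Action": "kms:GenerateDataKey",
                "Resource": f"arn:aws:kms:*:{account_id}:key/*",
            },
        ],
    }


def policy_findings(policy: dict) -> list:
    """Flag statements that grant more than this integration needs."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants by exclusion")
        for action in actions:
            # "*" or "service:*" allows far more than PutObject / GenerateDataKey.
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in resources:
            # A resource of "*" or "arn:aws:s3:::*" is not scoped to one bucket.
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource not scoped to a bucket: {resource}")
    return findings


if __name__ == "__main__":
    policy = build_lambda_policy(BUCKET_NAME, ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

If you prefer the JSON editor over the visual editor, paste the printed document as-is; the check only guards against the common mistake of leaving Resource as "*" or choosing an "All S3 actions" wildcard.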
Go back to the Lambda page. In the Configuration tab, go to General configuration and click Edit.
Change the Timeout from 3 to 15 seconds and click Save.
We are now ready to test the function. In the Code tab, click Test; a test configuration window opens. Enter an event name, replace the Event JSON with the following Inspector sample event, and click Save (leave the other settings as they are).
{
  "version": "0",
  "id": "66a7a279-5f92-971c-6d3e-c92da0950992",
  "detail-type": "Inspector2 Finding",
  "source": "aws.inspector2",
  "account": "111122223333",
  "time": "2023-01-19T22:46:15Z",
  "region": "us-east-1",
  "resources": [
    "i-0c2a343f1948d5205"
  ],
  "detail": {
    "awsAccountId": "111122223333",
    "description": "\n It was discovered that the sound subsystem in the Linux kernel contained a\n race condition in some situations. A local attacker could use this to cause\n a denial of service (system crash).",
    "exploitAvailable": "YES",
    "exploitabilityDetails": {
      "lastKnownExploitAt": "Oct 24, 2022, 11:08:59 PM"
    },
    "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
    "firstObservedAt": "Jan 19, 2023, 10:46:15 PM",
    "fixAvailable": "YES",
    "lastObservedAt": "Jan 19, 2023, 10:46:15 PM",
    "packageVulnerabilityDetails": {
      "cvss": [
        {
          "baseScore": 4.7,
          "scoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "source": "NVD",
          "version": "3.1"
        }
      ],
      "referenceUrls": [
        "https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com/",
        "https://ubuntu.com/security/notices/USN-5792-1",
        "https://ubuntu.com/security/notices/USN-5791-2",
        "https://ubuntu.com/security/notices/USN-5791-1",
        "https://ubuntu.com/security/notices/USN-5793-2",
        "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d",
        "https://ubuntu.com/security/notices/USN-5793-1",
        "https://ubuntu.com/security/notices/USN-5792-2",
        "https://ubuntu.com/security/notices/USN-5791-3",
        "https://ubuntu.com/security/notices/USN-5793-4",
        "https://ubuntu.com/security/notices/USN-5793-3",
        "https://git.kernel.org/linus/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d(6.0-rc5)",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3303"
      ],
      "relatedVulnerabilities": [],
      "source": "UBUNTU_CVE",
      "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3303.html",
      "vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM",
      "vendorSeverity": "medium",
      "vulnerabilityId": "CVE-2022-3303",
      "vulnerablePackages": [
        {
          "arch": "X86_64",
          "epoch": 0,
          "fixedInVersion": "0:5.15.0.1027.31~20.04.16",
          "name": "linux-image-aws",
          "packageManager": "OS",
          "remediation": "apt update && apt install --only-upgrade linux-image-aws",
          "version": "5.15.0.1026.30~20.04.16"
        }
      ]
    },
    "remediation": {
      "recommendation": {
        "text": "None Provided"
      }
    },
    "resources": [
      {
        "details": {
          "awsEc2Instance": {
            "iamInstanceProfileArn": "arn:aws:iam::111122223333:instance-profile/AmazonSSMRoleForInstancesQuickSetup",
            "imageId": "ami-0b7ff1a8d69f1bb35",
            "ipV4Addresses": [
              "172.31.85.212",
              "44.203.45.27"
            ],
            "ipV6Addresses": [],
            "launchedAt": "Jan 19, 2023, 7:53:14 PM",
            "platform": "UBUNTU_20_04",
            "subnetId": "subnet-8213f2a3",
            "type": "t2.micro",
            "vpcId": "vpc-ab6650d1"
          }
        },
        "id": "i-0c2a343f1948d5205",
        "partition": "aws",
        "region": "us-east-1",
        "type": "AWS_EC2_INSTANCE"
      }
    ],
    "severity": "MEDIUM",
    "status": "ACTIVE",
    "title": "CVE-2022-3303 - linux-image-aws",
    "type": "PACKAGE_VULNERABILITY",
    "updatedAt": "Jan 19, 2023, 10:46:15 PM"
  }
}
Click Test to run the function. If the run was successful, a new log file is created in your bucket.
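The console test above only tells you that an object appeared in the bucket. The following added example (not Hunters' code) exercises the same write path offline with an in-memory stand-in for the boto3 S3 client, then reads the object back the way a downstream parser would: it checks that the body is real JSON (Python's str() of a dict is not, which is an easy way to break ingestion), that the key is date-partitioned, and that the finding carries the keys seen in the sample event and the expected format. The event, bucket name and required-key list are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed, trimmed EventBridge event in the shape of the sample test event
# above; only the fields the checks below look at are kept.
SAMPLE_EVENT = {
    "version": "0",
    "id": "66a7a279-5f92-971c-6d3e-c92da0950992",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "111122223333",
    "time": "2023-01-19T22:46:15Z",
    "region": "us-east-1",
    "resources": ["i-0c2a343f1948d5205"],
    "detail": {
        "awsAccountId": "111122223333",
        "description": "Race condition in the Linux kernel sound subsystem (constructed summary).",
        "exploitAvailable": "YES",
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/FINDING_ID",
        "firstObservedAt": "Jan 19, 2023, 10:46:15 PM",
        "fixAvailable": "YES",
        "lastObservedAt": "Jan 19, 2023, 10:46:15 PM",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2022-3303", "source": "UBUNTU_CVE"},
        "severity": "MEDIUM",
        "status": "ACTIVE",
        "title": "CVE-2022-3303 - linux-image-aws",
        "type": "PACKAGE_VULNERABILITY",
    },
}

# Fixed clock matching the sample event's "time" field (constructed).
SAMPLE_TIME = datetime(2023, 1, 19, 22, 46, 15, tzinfo=timezone.utc)

# Keys every finding written to the bucket is expected to carry (constructed
# from the sample event and the "Expected format" section).
REQUIRED_KEYS = ("awsAccountId", "findingArn", "firstObservedAt", "lastObservedAt",
                 "fixAvailable", "packageVulnerabilityDetails")


class FakeS3:
    """Stand-in for boto3's S3 client: records put_object calls in memory."""

    def __init__(self):
        self.objects = {}

    def put_object(self, Body, Bucket, Key):
        self.objects[(Bucket, Key)] = Body
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def write_finding(s3, bucket_name, event, now):
    """Write event['detail'] to S3 as JSON under a date-partitioned key.

    Mirrors the Lambda's write, with the client and clock injected so it runs
    without AWS credentials. The event id is part of the key so that two
    findings delivered in the same second do not overwrite each other.
    """
    key = (f"EventBride-logs/{now.year}/{now.month}/{now.day}/"
           f"{int(now.timestamp())}-{event['id']}.json")
    s3.put_object(Body=json.dumps(event["detail"]), Bucket=bucket_name, Key=key)
    return key


def is_json(text):
    """True when text parses as JSON. str(dict) in Python does not."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def missing_keys(finding):
    """Return the required keys absent from a parsed finding."""
    return [k for k in REQUIRED_KEYS if k not in finding]


def round_trip(s3, bucket_name, key):
    """Read an object back and parse it as the ingesting side would."""
    return json.loads(s3.objects[(bucket_name, key)])


if __name__ == "__main__":
    fake = FakeS3()
    written = write_finding(fake, "example-bucket", SAMPLE_EVENT, SAMPLE_TIME)
    finding = round_trip(fake, "example-bucket", written)
    print(written)
    print("body is JSON:", is_json(fake.objects[("example-bucket", written)]))
    print("missing keys:", missing_keys(finding))
    print("str(dict) is JSON:", is_json(str(SAMPLE_EVENT["detail"])))
```

Run it with no AWS credentials at all; the last line printed is False, which is the failure mode to watch for if the object in your bucket turns out to contain single-quoted Python output instead of JSON.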
2. Create an EventBridge Rule
Open the Amazon EventBridge console.
In the navigation pane, choose Rules.
Choose Create rule.
Enter a name and description for the rule. A rule can't have the same name as another rule in the same Region and on the same event bus.
For Event bus, select AWS default event bus. When an AWS service in your account emits an event, it always goes to your account's default event bus.
For Rule type, choose Rule with an event pattern.
Choose Next.
For Event source, choose AWS services.
For Sample events, choose AWS events as Sample event type, and Inspector2 Finding as Sample Events.
For Creation method, choose Use pattern form.
For Event pattern, choose Inspector2 in AWS service, and then choose Inspector2 Finding in Event type.
Choose Next.
For Target types, choose AWS service.
For Select a target, choose Lambda function, and then choose the function you created in the previous section.
Choose Next.
(Optional) Enter one or more tags for the rule. For more information, see Amazon EventBridge tags.
Choose Next.
Review the details of the rule and choose Create rule.
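The pattern form choices above (AWS service Inspector2, Event type Inspector2 Finding) generate a two-key event pattern. The following added example (not Hunters' or AWS's code) shows that pattern, applies the basic EventBridge matching semantics to sample events offline, and goes one step beyond the guide with a constructed narrower pattern that only matches HIGH and CRITICAL findings, in case you want a second rule for higher-priority routing. The events, rule names and the severity variant are constructed; the matcher handles exact-value and nested-object matching only, not content filters such as prefix or numeric matching.

```python
# Pattern generated by "Use pattern form" for Inspector2 / Inspector2 Finding.
# In an EventBridge pattern every leaf value is a list of allowed values.
INSPECTOR_FINDING_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
}

# Constructed narrower variant: nested objects in the pattern match nested
# objects in the event, so the finding's severity can be filtered on.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["HIGH", "CRITICAL"]},
}

RULES = {
    "inspector-all-findings": INSPECTOR_FINDING_PATTERN,
    "inspector-high-severity": HIGH_SEVERITY_PATTERN,
}

# Constructed events: a trimmed Inspector finding like the sample above, and an
# unrelated EC2 state-change event that must not trigger either rule.
INSPECTOR_EVENT = {
    "version": "0",
    "id": "66a7a279-5f92-971c-6d3e-c92da0950992",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "111122223333",
    "region": "us-east-1",
    "resources": ["i-0c2a343f1948d5205"],
    "detail": {"severity": "MEDIUM", "status": "ACTIVE",
               "title": "CVE-2022-3303 - linux-image-aws"},
}
EC2_EVENT = {
    "version": "0",
    "id": "constructed-ec2-event",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {"instance-id": "i-0c2a343f1948d5205", "state": "running"},
}


def matches_pattern(event, pattern):
    """Return True if the event satisfies the pattern.

    Semantics implemented: every key in the pattern must exist in the event
    (AND across keys); a list of values is a set of allowed values (OR); a
    nested dict is matched recursively; an array field in the event matches
    when any of its elements is allowed. Keys absent from the pattern are
    ignored, which is why a pattern with only source and detail-type matches
    every Inspector finding regardless of its other fields.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        elif isinstance(value, list):
            if not any(item in allowed for item in value):
                return False
        elif value not in allowed:
            return False
    return True


def fired_rules(event, rules=RULES):
    """Names of the rules whose pattern matches the event, in definition order."""
    return [name for name, pattern in rules.items() if matches_pattern(event, pattern)]


if __name__ == "__main__":
    for name, ev in (("inspector", INSPECTOR_EVENT), ("ec2", EC2_EVENT)):
        print(name, "->", fired_rules(ev))
```

The console's Sample events page lets you run the same check against the real Inspector2 Finding sample before you save the rule; the offline matcher is handy when you want to keep patterns under version control and test them in CI.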
Expected format
The following is an example of expected events, in JSON format, as they should be generated in your S3 bucket after applying the steps in the section above.
{
"awsAccountId": "1234",
"description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.",
"exploitAvailable": "NO",
"findingArn": "arn:aws:inspector2:aaa111",
"firstObservedAt": "Mar 7, 2023, 5:34:16 PM",
"fixAvailable": "YES",
"inspectorScore": 7.8,
"inspectorScoreDetails":
{
"adjustedCvss":
{
"adjustments":
[],
"cvssSource": "NVD",
"score": 7.8,
"scoreSource": "NVD",
"scoringVector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"lastObservedAt": "Mar 7, 2023, 5:34:16 PM",
"packageVulnerabilityDetails":
{
"cvss":
[
{
"baseScore": 7.8,
"scoringVector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"source": "NVD",
"version": "3.1"
}
],
"referenceUrls":
[
"https://url/",
"https://url2"
],
"relatedVulnerabilities":
[],
"source": "NVD",
"sourceUrl": "https://url",
"vendorCreatedAt": "Sep 27, 2022, 11:15:00 PM",
"vendorSeverity": "HIGH",
"vendorUpdatedAt": "Dec 8, 2022, 6:53:00 PM",
"vulnerabilityId": "CVE-2022-11",
"vulnerablePackages":
[
{
"arch": "X86_64",
"epoch": 2,
"fixedInVersion": "2:9.0.1314-1.amzn2.0.1",