Host Vulnerability Management - Configuration & Workflows
Details about Configuration and Workflows for Host Vulnerability Management
Getting Started with Host Vulnerability Management
Before getting started with Host Vulnerability Management (HVM) you will need to have the following:
- An InsightCloudSec installation (v. 23.2.28) (SaaS-Only)
- The AWS, Azure, and/or GCP permissions outlined below
AWS
Permission Requirements
These permissions are not part of a default “Read-Only” AWS deployment and must be explicitly configured to enable operation of the Host Vulnerability Management feature.
As of InsightCloudSec v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles. This means it is easiest to perform HVM configuration while onboarding an account/organization. Review AWS Cloud - Onboarding for more information.
| AWS Permission | Requirement Details |
|---|---|
kms:DescribeKey | Required to determine what key is being used to encrypt the volume that is being analyzed. |
kms:CreateGrant | Required to create a grant to the KMS key that can be used to decrypt the EBS volume. |
ec2:ModifySnapshotAttribute | Required to grant permission to the InsightCloudSec backend to download the snapshot. |
ec2:CreateSnapshot | Required to take a snapshot of the EBS volume that can be analyzed by InsightCloudSec. |
ec2:DeleteSnapshot | Required to clean up the snapshot in the source account after the analysis has been completed. |
ec2:CreateTags | Required to create tags in the source account. |
Important Note on Permissions
If EBS volumes are encrypted with the default AWS Managed Encryption key, a grant cannot be created to allow for InsightCloudSec to download the snapshot. The Assessment process will fail with an Error message that states that the Volume is encrypted with an AWS Managed Encryption Key.
HVM User Policy
The AWS HVM User Policy can be obtained from our public S3 bucket and used to create a custom policy within AWS that contains all the permissions necessary for HVM configuration and assessment. Review the AWS IAM documentation for more information.
Role Attachment
This policy will need to be attached to your existing InsightCloudSec Harvesting role.
Azure
In the table below are the minimum required permissions for your InsightCloudSec Azure role (this should already exist as part of Azure - Onboarding).
| Azure Permission | Requirement Details |
|---|---|
Microsoft.Compute/snapshots/write | Required to create a new snapshot. |
Microsoft.Compute/snapshots/read | Required to read the properties of a snapshot. |
Microsoft.Compute/disks/read | Required to read the properties of a disk. |
Microsoft.Compute/snapshots/beginGetAccess/action | Required to generate an SAS URL for access to the disk snapshot. |
Microsoft.Compute/disks/beginGetAccess/action | Required to generate an SAS URL for access to the disk snapshot. |
Microsoft.Compute/snapshots/endGetAccess/action | Required to disable an SAS URL. |
Microsoft.Compute/snapshots/delete | Required to delete a snapshot. |
HVM User Role
The Azure HVM User Role below can be copied and used to create a custom role within Azure that contains all the permissions necessary for HVM configuration and assessment. Note: Ensure you replace the placeholder Subscription ID value.
{
"properties": {
"roleName": "Disk Access for Host Vulnerability Assessment",
"description": "Read Disk Properties, Revoke and Generate SAS URLs, Create and Delete Snapshots",
"assignableScopes": [
"/subscriptions/<subscription-id>"
],
"permissions": [
{
"actions": [
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/beginGetAccess/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
Limitations
Azure HVM support is limited by the following:
- The current Implementation doesn’t support VMWare vSphere VMs or Azure Classic VMs
- Note: Azure Classic VMs are EOL in September 2023
- Doesn’t support disks with data access authentication mode enabled
GCP
In the table below are most of the minimum required permissions for your InsightCloudSec service account (this should already exist as part of GCP - Onboarding).
| GCP Permission | Requirement Details |
|---|---|
compute.disks.createSnapshot | Required to create a disk snapshot. |
compute.snapshots.create | Required to create a disk snapshot. |
compute.snapshots.setLabels | Required to create a disk snapshot. |
storage.buckets.create | Required to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket. |
storage.buckets.list | Required to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket. |
cloudbuild.builds.create | Required to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket. |
cloudbuild.builds.get | Required to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket. |
storage.objects.get | Required to download the snapshot. |
storage.objects.list | Required to download the snapshot. |
To enable the full scope of the feature, we also require a couple delete permissions:
| GCP Permission | Requirement Details |
|---|---|
storage.objects.delete | Required to delete the snapshot. |
compute.snapshots.delete | Required to delete the snapshot. |
For customers concerned about giving InsightCloudSec permissions to delete snapshots or cloud storage objects, we highly recommend creating a separate role containing only the delete permissions (see table above) and applying IAM conditions to the role to restrict what objects/snapshots can be deleted:
- For storage objects, the deletion permission can be restricted to only the export bucket used by InsightCloudSec for storing exported snapshots by using a
startsWithcondition as follows:resource.name.startsWith(projects/_/buckets/r7-cloudsec-hva-snapshots) - For snapshots, since the resource name is composed of different attributes, we need to extract the snapshot name from the resource name before matching on it. GCP allows you to extract parts of a resource name as follows:
resource.name.extract("snapshots/{end}").startsWith("rapid7")
Here's a JSON condition block that you can copy/paste for convenience:
{
"expression": "resource.name.startsWith(\"projects/_/buckets/r7-cloudsec-hva-snapshots\") || resource.name.extract(\"snapshots/{end}\").startsWith(\"rapid7\")",
"title": "Rapid7 cleanup condition",
"description": ""
}
Note: Full resource name formats for GCP can be found here.
Cloud Build Service Account
GCP's method of snapshot export uses a Cloud Build job, which runs under a Service Account like most GCP services. To do this successfully, GCP must have the Cloud Build API enabled and the service account must also have the following permissions. Once the Cloud Build API is enabled, the service account is created automatically and is separate from your normal InsightCloudSec harvesting service account. Note: The Compute Admin (roles/compute.admin) and Service Account User (roles/iam.serviceAccountUser) built-in roles already have these permissions
Multiple GCP Project Users
If you authenticate with a service account from a separate GCP project, you will need to enable the Cloud Build API for the project with the service account and for any projects you want to scan with HVM.
- compute.disks.create
- compute.disks.delete
- compute.disks.get
- compute.disks.list
- compute.disks.setLabels
- compute.disks.use
- compute.disks.useReadOnly
- compute.instances.create
- compute.instances.delete
- compute.instances.get
- compute.instances.getSerialPortOutput
- compute.instances.list
- compute.instances.setLabels
- compute.instances.setMetadata
- compute.instances.setServiceAccount
- compute.machineTypes.list
- compute.networks.get
- compute.networks.list
- compute.projects.get
- compute.snapshots.list
- compute.snapshots.useReadOnly
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.zoneOperations.get
- compute.zones.list
- iam.serviceAccounts.actAs
- iam.serviceAccounts.get
- iam.serviceAccounts.list
- resourcemanager.projects.get
Configuration Options
By default, the GCP snapshot export job will use the default Compute Engine service account and the default VPC network to run the export. If these defaults are not sufficient, you can configure each of these under both the InsightCloudSec Cloud Account and Organization settings. Cloud Account settings will override Organization settings.
In Cloud Account settings:
In Organization settings (only visible when editing, not when creating a new Organization):
You can find the project-prefixed name of your VPC network by clicking the “EQUIVALENT REST” button at the bottom of the “VPC Network Details” page in GCP.
Limitations
GCP HVM support is limited by the following:
- Cannot assess instances with disks encrypted by a Customer Supplied Encryption Key
- Cannot assess Local SSDs
Collection & Assessment Workflows
The following workflows gather and store the inventory from the host instances harvested by InsightCloudSec and assess them for vulnerabilities. They also continuously monitor and refresh the inventory and vulnerability data based on changes to the instances and for newly disclosed vulnerabilities.
Collection & Assessment Workflow (New Instance)
As InsightCloudSec harvesting discovers new host instances, HVM triggers the collection step, which creates and downloads a snapshot of the instance from a customer's cloud account to InsightCloudSec. When HVM is initialized, all host instances already harvested are treated as new, triggering the first collection.
Note: If the EBS root volume is >= 100 Gb (AWS default is 8 Gb), InsightCloudSec will not download or assess it due to size limitations.
The snapshot is then assessed for vulnerabilities in InsightCloudSec and its inventory (versions of the operating system and software packages, OSS dependencies, and other select file types) is saved. InsightCloudSec discards the snapshot once the assessment is complete.
Recollection & Reassessment Workflow (Existing Instance)
Host instances are reassessed and potentially recollected based on the following triggers.
-
Automated recollection - a proprietary algorithm determines the need to collect a new snapshot using environmental events indicating the instance changed since the last collection
-
Automated reassessment - when new vulnerabilities are reported, InsightCloudSec reviews the host instance inventory and reassesses those with the imaged packages.
-
Manual recollection and reassessment - you can trigger a recollection and reassessment of a specific host instance using an action in the InsightCloudSec console or an API call
Workflow Diagram (Trigger-Based Collection & Assessment)
Trigger-Based Collection and Assessment Workflow
Triggering a collection starts the snapshot and is immediately followed by an assessment. This process can be tracked on the Host Assessment progress page.
- The timing to complete the process depends on the size of the image and can take from 5 minutes to 20 minutes.
- Once the Assessment is complete, results are immediately available.
Disabling HVM for a Cloud Account
Once HVM is configured, all cloud accounts within InsightCloudSec will begin being assessed by default (assuming the required permissions are applied). To disable assessment for certain accounts, there are two ways to do so:
- At the cloud account level (for a single account)
- At the InsightCloudSec Organization level (for multiple accounts)
Disabling an Individual Cloud Account for HVM
1. Login to InsightCloudSec and navigate to the Cloud Accounts page.
2. Find the Cloud Account you wish to enable/disable Host VM for and click its name.
3. Click "Settings".
4. Under Vulnerability Management Settings, toggle the "Enable vulnerability assessment for hosts" slider.
HVM Toggle for a Cloud Account
Disabling an InsightCloudSec Organization for HVM
1. Login to InsightCloudSec and navigate to the System Settings page (gear in the top-right corner -> "System Administration").
2. Click "System".
3. Under Vulnerability Management Settings, toggle the "Vulnerability Assessment" slider for each desired account.
- Note: From here, you can also toggle the "Automatically enabled newly added Cloud Accounts" checkbox as well.
HVM Toggle for an InsightCloudSec Organization
Updated 3 months ago