Host Vulnerability Management - Configuration & Workflows

Details about Configuration and Workflows for Host Vulnerability Management

Getting Started with Host Vulnerability Management

Before getting started with Host Vulnerability Management (HVM) you will need to have the following:

  • An InsightCloudSec installation (v. 23.2.28 or later; SaaS only)
  • The AWS, Azure, and/or GCP permissions outlined below

AWS

Permission Requirements

These permissions are not part of a default “Read-Only” AWS deployment and must be explicitly configured to enable operation of the Host Vulnerability Management feature.

As of InsightCloudSec v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles. This means it is easiest to perform HVM configuration while onboarding an account/organization. Review AWS Cloud - Onboarding for more information.

AWS Permission - Requirement Details

  • kms:DescribeKey - Required to determine which KMS key encrypts the volume being analyzed.
  • kms:CreateGrant - Required to create a grant on that KMS key so the shared EBS snapshot can be decrypted.
  • ec2:ModifySnapshotAttribute - Required to share the snapshot (createVolumePermission) with the InsightCloudSec backend so it can be downloaded.
  • ec2:CreateSnapshot - Required to take a snapshot of the EBS volume that InsightCloudSec analyzes.
  • ec2:DeleteSnapshot - Required to clean up the snapshot in the source account after the analysis completes.
  • ec2:CreateTags - Required to create tags in the source account (for example on the snapshot).

Important Note on Permissions

If an EBS volume is encrypted with the default AWS managed key (aws/ebs), a KMS grant cannot be created for InsightCloudSec, so the snapshot cannot be shared and decrypted. The assessment fails with an error stating that the volume is encrypted with an AWS managed encryption key. Only volumes that are unencrypted or encrypted with a customer managed key can be assessed.

HVM User Policy

The AWS HVM User Policy can be obtained from our public S3 bucket and used to create a custom policy within AWS that contains all the permissions necessary for HVM configuration and assessment. Review the AWS IAM documentation for more information.

Role Attachment

This policy will need to be attached to your existing InsightCloudSec Harvesting role.

Azure

In the table below are the minimum required permissions for your InsightCloudSec Azure role (this should already exist as part of Azure - Onboarding).

Azure Permission - Requirement Details

  • Microsoft.Compute/snapshots/write - Required to create a new snapshot.
  • Microsoft.Compute/snapshots/read - Required to read the properties of a snapshot.
  • Microsoft.Compute/disks/read - Required to read the properties of a disk.
  • Microsoft.Compute/snapshots/beginGetAccess/action - Required to generate a SAS URL for access to the disk snapshot.
  • Microsoft.Compute/disks/beginGetAccess/action - Required to generate a SAS URL for access to the disk.
  • Microsoft.Compute/snapshots/endGetAccess/action - Required to revoke a SAS URL.
  • Microsoft.Compute/snapshots/delete - Required to delete a snapshot.

HVM User Role

The Azure HVM User Role below can be copied and used to create a custom role within Azure that contains all the permissions necessary for HVM configuration and assessment. Note: Ensure you replace the placeholder Subscription ID value.

{
    "properties": {
        "roleName": "Disk Access for Host Vulnerability Assessment",
        "description": "Read Disk Properties, Revoke and Generate SAS URLs, Create and Delete Snapshots",
        "assignableScopes": [
            "/subscriptions/<subscription-id>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/snapshots/read",
                    "Microsoft.Compute/snapshots/write",
                    "Microsoft.Compute/snapshots/delete",
                    "Microsoft.Compute/snapshots/beginGetAccess/action",
                    "Microsoft.Compute/snapshots/endGetAccess/action",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/disks/beginGetAccess/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

Limitations

Azure HVM support is limited by the following:

  • The current implementation does not support VMware vSphere VMs or Azure Classic VMs
  • Disks with data access authentication mode enabled are not supported

GCP

The table below lists the minimum permissions required for your InsightCloudSec service account (which should already exist as part of GCP - Onboarding). The delete permissions needed for cleanup are listed separately afterwards.

GCP Permission - Requirement Details

  • compute.disks.createSnapshot - Required to create a disk snapshot.
  • compute.snapshots.create - Required to create a disk snapshot.
  • compute.snapshots.setLabels - Required to label the disk snapshot created for the assessment.
  • storage.buckets.create - Required to create the Cloud Storage bucket that exported snapshots are written to.
  • storage.buckets.list - Required to check whether that export bucket already exists.
  • cloudbuild.builds.create - Required to start the Cloud Build job that exports the snapshot to the bucket.
  • cloudbuild.builds.get - Required to track the status of that export job.
  • storage.objects.get - Required to download the exported snapshot.
  • storage.objects.list - Required to locate the exported snapshot in the bucket.

To enable the full scope of the feature (cleanup of exported data after assessment), two delete permissions are also required:

GCP Permission - Requirement Details

  • storage.objects.delete - Required to delete the exported snapshot object from the bucket.
  • compute.snapshots.delete - Required to delete the disk snapshot.

For customers concerned about giving InsightCloudSec permission to delete snapshots or Cloud Storage objects, we strongly recommend creating a separate role containing only the delete permissions (see table above) and applying an IAM condition to that role's binding to restrict which objects and snapshots can be deleted:

  • For storage objects, the delete permission can be restricted to the export bucket InsightCloudSec uses for exported snapshots with a startsWith condition: resource.name.startsWith("projects/_/buckets/r7-cloudsec-hva-snapshots")
  • For snapshots, the resource name is composed of several attributes, so the snapshot name must be extracted from the resource name before matching on it. GCP's extract() function does this: resource.name.extract("snapshots/{end}").startsWith("rapid7")

Here's a JSON condition block that you can copy/paste for convenience:

{
    "expression": "resource.name.startsWith(\"projects/_/buckets/r7-cloudsec-hva-snapshots\") || resource.name.extract(\"snapshots/{end}\").startsWith(\"rapid7\")",
    "title": "Rapid7 cleanup condition",
    "description": ""
}

Note: The full resource name formats used in IAM conditions for each GCP service are documented in the Google Cloud IAM documentation under "Full resource names" (https://cloud.google.com/iam/docs/full-resource-names).
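Before binding the cleanup role, it is worth dry-running the condition against the resource names it will actually see. The Python below is an added example, not InsightCloudSec or Google code: it re-implements the two CEL checks from the condition above (startsWith on the bucket path, extract("snapshots/{end}") on the snapshot path) and evaluates them against constructed full resource names in the formats GCP uses for Cloud Storage objects (projects/_/buckets/<bucket>/objects/<object>) and Compute Engine snapshots (projects/<project>/global/snapshots/<snapshot>). The project, bucket suffix and object names are hypothetical; the extract() emulation is an approximation of CEL that treats a non-matching template as "no match".

```python
"""Dry-run of the Rapid7 cleanup IAM condition against GCP full resource names.

Added example (not InsightCloudSec or GCP code). Re-implements the two CEL
checks from the condition in Python so you can see which resources the delete
permissions would apply to before binding the role.
"""
from typing import Dict, List, Optional, Tuple

EXPORT_BUCKET = "r7-cloudsec-hva-snapshots"   # bucket named in the condition
SNAPSHOT_PREFIX = "rapid7"                     # snapshot-name prefix named in the condition


def cel_extract(resource_name: str, template: str) -> Optional[str]:
    """Approximate CEL's resource.name.extract() for a template whose only
    placeholder is the trailing '{...}': return the text after the literal
    prefix, or None when the literal prefix does not occur in the name."""
    literal = template[: template.index("{")]
    pos = resource_name.find(literal)
    if pos == -1:
        return None
    return resource_name[pos + len(literal):]


def condition_as_written(resource_name: str) -> bool:
    """resource.name.startsWith("projects/_/buckets/<bucket>")
       || resource.name.extract("snapshots/{end}").startsWith("rapid7")"""
    bucket_match = resource_name.startswith(f"projects/_/buckets/{EXPORT_BUCKET}")
    snap_name = cel_extract(resource_name, "snapshots/{end}")
    snapshot_match = snap_name is not None and snap_name.startswith(SNAPSHOT_PREFIX)
    return bucket_match or snapshot_match


def condition_tightened(resource_name: str) -> bool:
    """Same check with a trailing '/' on the bucket prefix, so a bucket whose
    name merely begins with the export bucket's name is not matched."""
    bucket_match = resource_name.startswith(f"projects/_/buckets/{EXPORT_BUCKET}/")
    snap_name = cel_extract(resource_name, "snapshots/{end}")
    snapshot_match = snap_name is not None and snap_name.startswith(SNAPSHOT_PREFIX)
    return bucket_match or snapshot_match


# Constructed sample resource names (hypothetical project, bucket and object names).
SAMPLES: List[str] = [
    f"projects/_/buckets/{EXPORT_BUCKET}/objects/export-0001.tar.gz",   # export object: allowed
    "projects/_/buckets/prod-db-backups/objects/db.sql",                  # unrelated bucket: denied
    f"projects/_/buckets/{EXPORT_BUCKET}-archive/objects/old.tar.gz",     # prefix collision, see note
    "projects/my-project/global/snapshots/rapid7-hva-1234abcd",           # HVM snapshot: allowed
    "projects/my-project/global/snapshots/nightly-backup-01",             # customer snapshot: denied
]


def evaluate(names: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each resource name to (condition as written, tightened condition)."""
    return {n: (condition_as_written(n), condition_tightened(n)) for n in names}


if __name__ == "__main__":
    print("written tightened resource")
    for name, (as_written, tightened) in evaluate(SAMPLES).items():
        print(f"{as_written!s:7} {tightened!s:9} {name}")
```

The third sample shows a pitfall of the condition as written: startsWith on the bucket path also matches any bucket whose name begins with r7-cloudsec-hva-snapshots (such as a hypothetical r7-cloudsec-hva-snapshots-archive). Appending a trailing slash to the prefix, as condition_tightened does, limits the delete permission to objects inside the export bucket itself.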

Cloud Build Service Account

GCP's method of snapshot export uses a Cloud Build job, which runs under a service account like most GCP services. For this to succeed, the Cloud Build API must be enabled in the project and that service account must have the permissions listed below. Once the Cloud Build API is enabled, the service account is created automatically; it is separate from your normal InsightCloudSec harvesting service account. Note: The Compute Admin (roles/compute.admin) and Service Account User (roles/iam.serviceAccountUser) built-in roles already include these permissions.

  • compute.disks.create
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.setLabels
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.get
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.setLabels
  • compute.instances.setMetadata
  • compute.instances.setServiceAccount
  • compute.machineTypes.list
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.snapshots.list
  • compute.snapshots.useReadOnly
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zoneOperations.get
  • compute.zones.list
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get

Multiple GCP Project Users

If you authenticate with a service account from a separate GCP project, you will need to enable the Cloud Build API both for the project that contains the service account and for every project you want to scan with HVM.

Configuration Options

By default, the GCP snapshot export job uses the default Compute Engine service account and the default VPC network. If these defaults are not sufficient, you can configure each of them under both the InsightCloudSec Cloud Account settings and the Organization settings (the Organization settings are only visible when editing an existing Organization, not when creating a new one). Cloud Account settings override Organization settings.

You can find the project-prefixed name of your VPC network (of the form projects/<project-id>/global/networks/<network-name>) by clicking the "EQUIVALENT REST" button at the bottom of the "VPC Network Details" page in GCP.

Limitations

GCP HVM support is limited by the following:

  • Cannot assess instances with disks encrypted by a Customer Supplied Encryption Key
  • Cannot assess Local SSDs

Collection & Assessment Workflows

The following workflows gather and store the inventory from the host instances harvested by InsightCloudSec and assess them for vulnerabilities. They also continuously monitor and refresh the inventory and vulnerability data based on changes to the instances and for newly disclosed vulnerabilities.

Collection & Assessment Workflow (New Instance)

As InsightCloudSec harvesting discovers new host instances, HVM triggers the collection step, which creates and downloads a snapshot of the instance from a customer's cloud account to InsightCloudSec. When HVM is initialized, all host instances already harvested are treated as new, triggering the first collection.

Note: If the EBS root volume is 100 GiB or larger (the AWS default root volume is 8 GiB), InsightCloudSec will not download or assess it due to size limitations.
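Two of the constraints on this page can be checked before the first collection runs: the AWS managed EBS key (see Important Note on Permissions in the AWS section, where kms:CreateGrant cannot be used) and the root-volume size limit just above. The Python below is an added example, not InsightCloudSec code. It applies both rules to data in the shape boto3 returns from ec2.describe_instances, ec2.describe_volumes and kms.describe_key (KeyMetadata.KeyManager is "AWS" for AWS managed keys and "CUSTOMER" for customer managed keys), so you can list which instances HVM will skip and why. All instance, volume and key identifiers are constructed samples; the boto3 calls themselves are only referenced in comments so the block runs offline.

```python
"""Pre-flight check: which AWS instances will HVM be unable to collect?

Added example, not InsightCloudSec code. Applies two constraints stated on
this page (root EBS volume >= 100 GiB is skipped; a volume encrypted with the
AWS managed key cannot be shared because kms:CreateGrant is not possible on
it) to constructed data shaped like boto3 responses.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_ROOT_GIB = 100  # page: root volumes >= 100 GiB are not downloaded or assessed


@dataclass
class Verdict:
    instance_id: str
    volume_id: str
    collectable: bool
    reason: str


def root_volume_id(instance: dict) -> Optional[str]:
    """Return the EBS volume attached at the instance's root device.
    instance = one entry of ec2.describe_instances()['Reservations'][i]['Instances']."""
    root_dev = instance.get("RootDeviceName")
    for mapping in instance.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == root_dev and "Ebs" in mapping:
            return mapping["Ebs"]["VolumeId"]
    return None  # e.g. instance-store root device


def check_instance(instance: dict, volumes: Dict[str, dict], keys: Dict[str, dict]) -> Verdict:
    """volumes: VolumeId -> entry from ec2.describe_volumes()['Volumes'];
    keys: KMS key ARN -> kms.describe_key(KeyId=arn)['KeyMetadata']."""
    iid = instance["InstanceId"]
    vid = root_volume_id(instance)
    if vid is None:
        return Verdict(iid, "", False, "no EBS root volume to snapshot")
    vol = volumes[vid]
    size = vol["Size"]  # boto3 reports EBS sizes in GiB
    if size >= MAX_ROOT_GIB:
        return Verdict(iid, vid, False, f"root volume is {size} GiB (limit {MAX_ROOT_GIB} GiB)")
    if not vol.get("Encrypted"):
        return Verdict(iid, vid, True, "unencrypted root volume")
    meta = keys.get(vol.get("KmsKeyId"))
    if meta is None:
        return Verdict(iid, vid, False, "encrypted, but the KMS key could not be described (kms:DescribeKey?)")
    if meta.get("KeyManager") == "AWS":  # the default aws/ebs key
        return Verdict(iid, vid, False, "encrypted with the AWS managed key; kms:CreateGrant cannot be used")
    return Verdict(iid, vid, True, f"encrypted with customer managed key {meta['KeyId']}; a grant can be created")


def preflight(instances: List[dict], volumes: Dict[str, dict], keys: Dict[str, dict]) -> List[Verdict]:
    return [check_instance(i, volumes, keys) for i in instances]


# --- constructed sample data (hypothetical IDs and ARNs) ---------------------
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aws-managed-ebs"
CMK = "arn:aws:kms:us-east-1:111122223333:key/cmk-1"

def _instance(iid: str, *volume_ids: str) -> dict:
    devices = ["/dev/xvda", "/dev/xvdf", "/dev/xvdg"]
    return {"InstanceId": iid, "RootDeviceName": "/dev/xvda",
            "BlockDeviceMappings": [{"DeviceName": d, "Ebs": {"VolumeId": v}}
                                    for d, v in zip(devices, volume_ids)]}

SAMPLE_INSTANCES: List[dict] = [
    _instance("i-0aaa", "vol-0aaa"),
    _instance("i-0bbb", "vol-0bbb"),
    _instance("i-0ccc", "vol-0ccc", "vol-0ccd"),  # large data volume, small root
    _instance("i-0ddd", "vol-0ddd"),
]
SAMPLE_VOLUMES: Dict[str, dict] = {
    "vol-0aaa": {"VolumeId": "vol-0aaa", "Size": 8, "Encrypted": False},
    "vol-0bbb": {"VolumeId": "vol-0bbb", "Size": 8, "Encrypted": True, "KmsKeyId": AWS_KEY},
    "vol-0ccc": {"VolumeId": "vol-0ccc", "Size": 30, "Encrypted": True, "KmsKeyId": CMK},
    "vol-0ccd": {"VolumeId": "vol-0ccd", "Size": 500, "Encrypted": False},
    "vol-0ddd": {"VolumeId": "vol-0ddd", "Size": 120, "Encrypted": False},
}
SAMPLE_KEYS: Dict[str, dict] = {
    AWS_KEY: {"KeyId": "aws-managed-ebs", "KeyManager": "AWS"},
    CMK: {"KeyId": "cmk-1", "KeyManager": "CUSTOMER"},
}

if __name__ == "__main__":
    for v in preflight(SAMPLE_INSTANCES, SAMPLE_VOLUMES, SAMPLE_KEYS):
        print(f"{v.instance_id} {v.volume_id or '-':9} {'OK  ' if v.collectable else 'SKIP'} {v.reason}")
```

The i-0ccc sample is deliberate: the size limit applies to the root volume only, so a 500 GiB data volume on the same instance does not prevent collection, while i-0ddd's 120 GiB root volume does. In a live run you would build the three inputs from the boto3 responses named in the docstrings; the check itself needs only ec2:DescribeInstances, ec2:DescribeVolumes and kms:DescribeKey.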

The snapshot is then assessed for vulnerabilities in InsightCloudSec and its inventory (versions of the operating system and software packages, OSS dependencies, and other select file types) is saved. InsightCloudSec discards the snapshot once the assessment is complete.

Recollection & Reassessment Workflow (Existing Instance)

Host instances are reassessed and potentially recollected based on the following triggers.

  • Automated recollection - a proprietary algorithm determines the need to collect a new snapshot using environmental events indicating the instance changed since the last collection

  • Automated reassessment - when new vulnerabilities are reported, InsightCloudSec reviews the host instance inventory and reassesses those with the imaged packages.

  • Manual recollection and reassessment - you can trigger a recollection and reassessment of a specific host instance using an action in the InsightCloudSec console or an API call

Workflow Diagram (Trigger-Based Collection & Assessment)


Trigger-Based Collection and Assessment Workflow

Triggering a collection starts the snapshot and is immediately followed by an assessment. This process can be tracked on the Host Assessment progress page.

  • The timing to complete the process depends on the size of the image and can take from 5 minutes to 20 minutes.
  • Once the Assessment is complete, results are immediately available.

Disabling HVM for a Cloud Account

Once HVM is configured, all cloud accounts in InsightCloudSec are assessed by default (assuming the required permissions are applied). Assessment can be disabled for particular accounts in two ways:

  • At the cloud account level (for a single account)
  • At the InsightCloudSec Organization level (for multiple accounts)

Disabling an Individual Cloud Account for HVM

1. Login to InsightCloudSec and navigate to the Cloud Accounts page.

2. Find the Cloud Account you wish to enable or disable HVM for and click its name.

3. Click "Settings".

4. Under Vulnerability Management Settings, toggle the "Enable vulnerability assessment for hosts" slider.


HVM Toggle for a Cloud Account

Disabling an InsightCloudSec Organization for HVM

1. Login to InsightCloudSec and navigate to the System Settings page (gear in the top-right corner -> "System Administration").

2. Click "System".

3. Under Vulnerability Management Settings, toggle the "Vulnerability Assessment" slider for each desired account.

  • Note: From here, you can also toggle the "Automatically enable newly added Cloud Accounts" checkbox.

HVM Toggle for an InsightCloudSec Organization