Host Vulnerability Management - Configuration & Workflows

Details about Configuration and Workflows for Host Vulnerability Management

Getting Started with Host Vulnerability Management

Before getting started with Host Vulnerability Management (HVM), you will need the following:

  • An InsightCloudSec installation (v. 23.2.28) (SaaS-Only)
  • The AWS permissions outlined below


Permission Requirements

These permissions are not part of a default “Read-Only” AWS deployment and must be explicitly configured to enable operation of the Host Vulnerability Management feature.

AWS Permission               Requirement Details
kms:DescribeKey              Required to determine which key encrypts the volume being analyzed.
kms:CreateGrant              Required to create a grant on the KMS key so that the EBS volume can be decrypted.
ec2:ModifySnapshotAttribute  Required to grant the InsightCloudSec backend permission to download the snapshot.
ec2:CreateSnapshot           Required to take a snapshot of the EBS volume for InsightCloudSec to analyze.
ec2:DeleteSnapshot           Required to clean up the snapshot in the source account after the analysis has completed.
ec2:CreateTags               Required to create tags in the source account.


Important Note on Permissions

If an EBS volume is encrypted with the default AWS managed encryption key, a grant cannot be created to allow InsightCloudSec to download the snapshot. The assessment process will fail with an error message stating that the volume is encrypted with an AWS managed encryption key.

HVM User Policy

The HVM User Policy can be obtained from our public S3 bucket and used to create a custom policy within AWS that contains all the permissions necessary for HVM configuration and assessment. Review the AWS IAM documentation for more information.
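Before attaching the policy, it is worth confirming that the harvesting role actually ends up with all six actions and that nothing (a permissions boundary, a service control policy copied into the account) denies one of them. The following script is an added example, not InsightCloudSec's code or the real HVM User Policy from the S3 bucket: it reads IAM policy JSON you already have (for example the output of `aws iam get-policy-version`) and reports which required actions are not granted or are explicitly denied. The three sample policies are constructed for illustration.

```python
"""Offline gap check of IAM policy documents against the actions HVM needs.

Added example (not InsightCloudSec's code). It matches Action wildcards the
way IAM does (case-insensitive, * and ?), but ignores Resource and Condition
scoping and NotAction statements, so it is a coarse preflight, not a
substitute for the IAM policy simulator.
"""
import fnmatch
import json
from typing import Iterable, List

# The six actions from the Permission Requirements table above.
HVM_REQUIRED_ACTIONS = [
    "kms:DescribeKey",
    "kms:CreateGrant",
    "ec2:ModifySnapshotAttribute",
    "ec2:CreateSnapshot",
    "ec2:DeleteSnapshot",
    "ec2:CreateTags",
]


def _as_list(value) -> list:
    """IAM allows Statement and Action to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_hvm_actions(policy_documents: Iterable[dict],
                        required: Iterable[str] = HVM_REQUIRED_ACTIONS) -> List[str]:
    """Return required actions that no Allow statement grants, or that some
    Deny statement explicitly denies (an explicit Deny wins, as in IAM)."""
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            target = allowed if stmt.get("Effect") == "Allow" else denied
            for action in required:
                if any(_action_matches(p, action) for p in patterns):
                    target.add(action)
    return sorted(a for a in required if a not in allowed or a in denied)


# Constructed sample policies (not the real HVM User Policy).
READ_ONLY_POLICY = {  # what a typical harvesting read-only policy grants
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "kms:Describe*", "ec2:CreateTags"],
         "Resource": "*"}
    ],
}
HVM_POLICY = {  # a policy carrying exactly the six HVM actions
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": HVM_REQUIRED_ACTIONS, "Resource": "*"}
    ],
}
DENY_GRANTS_POLICY = {  # e.g. a boundary that forbids creating KMS grants
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "kms:CreateGrant", "Resource": "*"}
    ],
}

if __name__ == "__main__":
    print(json.dumps({
        "read_only_only": missing_hvm_actions([READ_ONLY_POLICY]),
        "read_only_plus_hvm": missing_hvm_actions([READ_ONLY_POLICY, HVM_POLICY]),
        "hvm_with_deny": missing_hvm_actions([HVM_POLICY, DENY_GRANTS_POLICY]),
    }, indent=2))
```

Pass every policy document attached to the role (managed, inline and the permissions boundary) in one call; a non-empty result for the combined set means the assessment will fail at the corresponding step (snapshot creation, snapshot sharing, or KMS grant).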


Role Attachment

This policy will need to be attached to your existing InsightCloudSec Harvesting role.

Collection & Assessment Workflows

The following workflows gather and store the inventory from the host instances harvested by InsightCloudSec and assess them for vulnerabilities. They also continuously monitor and refresh the inventory and vulnerability data based on changes to the instances and for newly disclosed vulnerabilities.

Collection & Assessment Workflow (New Instance)

As InsightCloudSec harvesting discovers new host instances, HVM triggers the collection step, which creates and downloads a snapshot of the instance from a customer's cloud account to InsightCloudSec. When HVM is initialized, all host instances already harvested are treated as new, triggering the first collection.

Note: If the EBS root volume is >= 100 Gb (AWS default is 8 Gb), InsightCloudSec will not download or assess it due to size limitations.

The snapshot is then assessed for vulnerabilities in InsightCloudSec and its inventory (versions of the operating system and software packages, OSS dependencies, and other select file types) is saved. InsightCloudSec discards the snapshot once the assessment is complete.
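Two conditions described on this page make collection fail before any assessment happens: a root volume at or above the size limit (the size note above) and a root volume encrypted with the default AWS managed key, for which no KMS grant can be created (the permissions note above). The following preflight is an added example, not InsightCloudSec's code: it takes records in the shape of the EC2 DescribeInstances and DescribeVolumes responses plus KMS DescribeKey metadata (whose `KeyManager` field is `"AWS"` for AWS managed keys and `"CUSTOMER"` for customer managed keys) and reports, per instance, which condition would block collection. The instance, volume and key records below are constructed sample data, and the key ARNs are placeholders.

```python
"""Preflight for the two root-volume conditions that block HVM collection.

Added example (not InsightCloudSec's code). Input records mimic the shape of
ec2 describe-instances / describe-volumes and kms describe-key output; the
sample data at the bottom is constructed.
"""
from typing import Dict, List

ROOT_VOLUME_LIMIT_GB = 100  # from the size note above: >= 100 is not collected


def _root_volume(instance: dict, volumes_by_id: Dict[str, dict]):
    """Find the volume attached at the instance's RootDeviceName, if any."""
    for mapping in instance.get("BlockDeviceMappings", []):
        if mapping.get("DeviceName") == instance.get("RootDeviceName"):
            return volumes_by_id.get(mapping["Ebs"]["VolumeId"])
    return None


def collection_blockers(instance: dict, volumes_by_id: Dict[str, dict],
                        keys_by_arn: Dict[str, dict]) -> List[str]:
    """Reasons HVM collection of this instance's root volume would fail (empty if none)."""
    reasons = []
    vol = _root_volume(instance, volumes_by_id)
    if vol is None:
        return ["root volume not found in inventory"]
    if vol["Size"] >= ROOT_VOLUME_LIMIT_GB:
        reasons.append(f"root volume {vol['VolumeId']} is {vol['Size']} GB "
                       f"(limit: < {ROOT_VOLUME_LIMIT_GB} GB)")
    if vol.get("Encrypted"):
        # DescribeVolumes reports the key ARN; DescribeKey metadata carries Arn and KeyManager.
        key = keys_by_arn.get(vol.get("KmsKeyId"), {})
        if key.get("KeyManager") == "AWS":
            reasons.append(f"root volume {vol['VolumeId']} uses AWS managed key "
                           f"{vol['KmsKeyId']}; a KMS grant cannot be created")
    return reasons


def preflight(instances, volumes, keys) -> Dict[str, List[str]]:
    """Map each instance ID to its blockers; an empty list means collectable."""
    volumes_by_id = {v["VolumeId"]: v for v in volumes}
    keys_by_arn = {k["Arn"]: k for k in keys}
    return {i["InstanceId"]: collection_blockers(i, volumes_by_id, keys_by_arn)
            for i in instances}


# Constructed sample data in API-response shape (IDs and ARNs are placeholders).
CUSTOMER_KEY = "arn:aws:kms:us-east-1:111111111111:key/CUSTOMER-KEY-PLACEHOLDER"
AWS_EBS_KEY = "arn:aws:kms:us-east-1:111111111111:key/AWS-EBS-KEY-PLACEHOLDER"
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}}]},
    {"InstanceId": "i-0bbb", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0bbb"}}]},
    {"InstanceId": "i-0ccc", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0ccc"}},
                             {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0ddd"}}]},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Size": 8, "Encrypted": True, "KmsKeyId": CUSTOMER_KEY},
    {"VolumeId": "vol-0bbb", "Size": 120, "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Size": 30, "Encrypted": True, "KmsKeyId": AWS_EBS_KEY},
    {"VolumeId": "vol-0ddd", "Size": 500, "Encrypted": False},  # data volume, not root
]
SAMPLE_KEYS = [
    {"Arn": CUSTOMER_KEY, "KeyManager": "CUSTOMER"},
    {"Arn": AWS_EBS_KEY, "KeyManager": "AWS"},  # the default aws/ebs key
]

if __name__ == "__main__":
    for instance_id, reasons in preflight(SAMPLE_INSTANCES, SAMPLE_VOLUMES, SAMPLE_KEYS).items():
        print(instance_id, "OK" if not reasons else "; ".join(reasons))
```

Only the root volume is checked, matching the page's statement that the root volume size is what gates collection; the oversized data volume on `i-0ccc` is therefore ignored, while its AWS-managed-key root volume is flagged. Running this over an account before enabling HVM tells you which instances will show the encryption error rather than a result, so those volumes can be moved to a customer managed key ahead of time.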

Recollection & Reassessment Workflow (Existing Instance)

Host instances are reassessed and potentially recollected based on the following triggers.

  • Automated recollection - a proprietary algorithm determines the need to collect a new snapshot using environmental events that indicate the instance has changed since the last collection.

  • Automated reassessment - when new vulnerabilities are reported, InsightCloudSec reviews the host instance inventory and reassesses those with the imaged packages.

  • Manual recollection and reassessment - you can trigger a recollection and reassessment of a specific host instance using an action in the InsightCloudSec console or an API call.

Workflow Diagram (Trigger-Based Collection & Assessment)


Trigger-Based Collection and Assessment Workflow

Triggering a collection starts the snapshot and is immediately followed by an assessment. This process can be tracked on the Host Assessment progress page.

  • The timing to complete the process depends on the size of the image and can take from 5 minutes to 20 minutes.
  • Once the Assessment is complete, results are immediately available.

Disabling HVM for a Cloud Account

Once HVM is configured, all cloud accounts within InsightCloudSec are assessed by default (assuming the required permissions are applied). Assessment can be disabled for selected accounts in two ways:

  • At the cloud account level (for a single account)
  • At the InsightCloudSec Organization level (for multiple accounts)

Disabling an Individual Cloud Account for HVM

1. Log in to InsightCloudSec and navigate to the Cloud Accounts page.

2. Find the Cloud Account for which you wish to enable or disable HVM and click its name.

3. Click "Settings".

4. Under Vulnerability Management Settings, toggle the "Enable vulnerability assessment for hosts" slider.


HVM Toggle for a Cloud Account

Disabling an InsightCloudSec Organization for HVM

1. Log in to InsightCloudSec and navigate to the System Settings page (gear in the top-right corner -> "System Administration").

2. Click "System".

3. Under Vulnerability Management Settings, toggle the "Vulnerability Assessment" slider for each desired account.

  • Note: From here, you can also toggle the "Automatically enabled newly added Cloud Accounts" checkbox.

HVM Toggle for an InsightCloudSec Organization