
Prepared By: ThreatWatch Inc Dec 4th 2017

ThreatWatch Integration with Amazon Web Services

Overview

ThreatWatch provides the ability to ingest software inventory and patch information from one or more AWS accounts in an organization. Each of these assets is represented as a single symbolic asset within ThreatWatch, along with its associated product and patch information.

To get started, two things need to happen:

1) Configure your AWS environment to enable collection of instance-level inventory.
2) Configure ThreatWatch to read that inventory.

Let's look at each of them.

Configuring the AWS environment

1. Identify the instances you need vulnerability tracking for via the AWS Console or AWS CLI. In the example shown below, we configure this for one Windows and one Linux EC2 instance.

2. Ensure each of those instances has the SSM agent installed (by default, Windows images come with the SSM agent installed). More information can be found here:

• Installing SSM on Linux: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html

• Installing SSM on Windows (if needed): https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-win.html

THREATWATCH INC


3. Ensure that each of those instances has the Systems Manager role assigned to it. This is necessary for your EC2 instances to talk to Systems Manager using the SSM agent.

4. Set up an association in Systems Manager State Manager using the AWS document AWS-GatherSoftwareInventory. This association allows you to:

a) Select the instances, by ID or by regular expression, to which this association will apply.

b) Select the type of inventory you would like to collect. For tracking applications and applied patches, ensure that the appropriate categories are selected.

c) Lastly, provide an S3 bucket that will store this inventory information. If you don't provide an S3 bucket, you can only view the inventory data via the AWS console.


When specifying the bucket, ensure the bucket policy is set as described below. This is needed for setting up the resource data sync from Systems Manager. Replace Bucket-Name, Bucket-Prefix and Account-ID with your own values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SSMBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": { "Service": "ssm.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::Bucket-Name"
    },
    {
      "Sid": "SSMBucketDelivery",
      "Effect": "Allow",
      "Principal": { "Service": "ssm.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": ["arn:aws:s3:::Bucket-Name/Bucket-Prefix/*/accountid=Account-ID/*"],
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}

5. Set up a Resource Data Sync configuration with the S3 bucket using the CLI command aws ssm create-resource-data-sync:

aws ssm create-resource-data-sync --sync-name <sync-name> --s3-destination "BucketName=<bucket-name>,Prefix=<prefix>,SyncFormat=JsonSerDe,Region=<region>"

Omit the Prefix= part if you did not specify a bucket prefix.

6. You should see inventory data coming into your S3 bucket. (If you don't want to wait for the schedule to kick in, you can trigger the association by clicking the “Apply Association” button.)
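As an added check for step 4 (example code written for this guide, not a ThreatWatch or AWS tool), the following Python verifies that a bucket policy carries the two statements the resource data sync needs and is not opened to everyone; the bucket name, prefix and account ID in the sample are constructed placeholders:

```python
import json

SSM_PRINCIPAL = "ssm.amazonaws.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_sync_bucket_policy(policy_json, bucket, account_id):
    """Return problems in a bucket policy meant for an SSM resource data sync ([] = OK)."""
    problems, bucket_arn, acl_ok, put_ok = [], f"arn:aws:s3:::{bucket}", False, False
    for st in json.loads(policy_json).get("Statement", []):
        sid, principal = st.get("Sid", ""), st.get("Principal")
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if sid != sid.strip():
            problems.append(f"Sid {sid!r} has surrounding whitespace")
        if st.get("Effect") != "Allow":
            continue
        # Inventory lists every installed package and patch level: a wildcard principal is a finding.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            problems.append(f"statement {sid!r} grants access to everyone")
        if not (isinstance(principal, dict) and principal.get("Service") == SSM_PRINCIPAL):
            continue
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True
        if "s3:PutObject" in actions:
            acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            scoped = bool(resources) and all(
                r.startswith(bucket_arn + "/") and f"/accountid={account_id}/" in r for r in resources)
            if acl != "bucket-owner-full-control":
                problems.append(f"statement {sid!r}: PutObject lacks the bucket-owner-full-control condition")
            elif not scoped:
                problems.append(f"statement {sid!r}: PutObject not scoped to accountid={account_id}")
            else:
                put_ok = True
    if not acl_ok:
        problems.append(f"missing: {SSM_PRINCIPAL} s3:GetBucketAcl on {bucket_arn}")
    if not put_ok:
        problems.append(f"missing: scoped {SSM_PRINCIPAL} s3:PutObject statement")
    return problems

# Constructed sample: the guide's policy with its placeholders filled in (fake bucket and account).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "SSMBucketPermissionsCheck", "Effect": "Allow", "Principal": {"Service": SSM_PRINCIPAL},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::inv-bucket"},
    {"Sid": "SSMBucketDelivery", "Effect": "Allow", "Principal": {"Service": SSM_PRINCIPAL},
     "Action": "s3:PutObject", "Resource": ["arn:aws:s3:::inv-bucket/ssm/*/accountid=123456789012/*"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]})
```

Run it against the policy document returned by aws s3api get-bucket-policy before creating the sync; an empty list means the policy matches the guide.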


Here is how the data will be organized in your S3 bucket once the sync happens:


Configuring the ThreatWatch environment

1. In the “Plugins” menu, select the “Discovery” tab and provide your AWS account information.

2. Visit “Assets”, then the “Manage Assets” tab, and click the one-click Amazon button.

3. Your Amazon instances will show up right away.


4. Clicking on an asset will show you all the products associated with that AWS instance.


5. For instances running Windows, ThreatWatch will also identify the applied patches. This helps ThreatWatch make an accurate assessment of the impact of new vulnerabilities.

You are all set! ThreatWatch will keep monitoring your assets and software stack for vulnerabilities, just like any of your other assets.