Amazon Inspector tests the network accessibility of your Amazon EC2 instances and the security state of your applications that run on those instances. After performing an assessment, Amazon Inspector produces a detailed list of security findings that is organized by level of severity. While Inspector is not a replacement for penetration testing, it does provide a thorough summary of any issues impacting your organization's security posture.
Inspector is configured to run weekly every Saturday afternoon. It scans all of the running EC2 instances in your account that have an "OS:Ubuntu 20" tag. Please be aware of Inspector's service limits. As you approach these limits, Healthcare Blocks can set up multiple assessment runs grouped by tags.
Assessment reports can be exported as PDFs and shared with security auditors. See this page for details.
Currently these are the Amazon Inspector rules packages being applied during the assessment runs:
Although EC2 instances are hardened by Healthcare Blocks based on the CIS Benchmark for Ubuntu 20, Amazon has not yet released a CIS rules package for that version as of May 2021.
Interpreting Results
If your assessment run includes any High or Medium CVEs, one of two causes is likely:
(a) new security patches were released since the last patching run and have not yet been applied to your EC2 instance. In this case you can wait until the following morning and re-run Inspector, or create a support ticket to have Healthcare Blocks apply an on-demand patching job followed by an Inspector run;
(b) no patch is yet available for the CVE in the upstream repositories. In this case, depending on the severity of the issue, Healthcare Blocks may need to resolve the vulnerability manually through configuration changes or by compiling the affected software libraries.
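To make the triage above concrete, the following is an added example (not Healthcare Blocks' or AWS's own code) that pulls the High/Medium findings for one assessment run through the Amazon Inspector Classic API via boto3 and groups the CVE findings per EC2 instance, which is the list you would hand to the patching run or support ticket. The assessment run ARN, the sample findings and the CVE ids in them are constructed placeholders; the finding field names (`id`, `severity`, `title`, `assetAttributes.agentId`) follow the Inspector Classic `DescribeFindings` response.

```python
"""Triage Amazon Inspector (Classic) findings: collect High/Medium CVE findings
per EC2 instance so their patch state can be checked.

Added example; assumes the Inspector Classic API (list_findings / describe_findings)
and the finding field names from its documentation.
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ACTIONABLE = ("High", "Medium")  # severities the page says need attention


def fetch_findings(assessment_run_arn, client=None):
    """Return every High/Medium finding for one assessment run.

    `client` defaults to boto3.client("inspector"); injecting it keeps the
    function testable without AWS credentials.  This is the only network call.
    """
    if client is None:
        import boto3  # imported lazily so the pure triage code runs without it
        client = boto3.client("inspector")
    arns = []
    for page in client.get_paginator("list_findings").paginate(
        assessmentRunArns=[assessment_run_arn],
        filter={"severities": list(ACTIONABLE)},
    ):
        arns.extend(page["findingArns"])
    findings = []
    for i in range(0, len(arns), 10):  # describe_findings accepts at most 10 ARNs per call
        findings.extend(client.describe_findings(findingArns=arns[i:i + 10])["findings"])
    return findings


def triage(findings):
    """Group High/Medium CVE findings by instance.

    Returns {instance_id: {"High": [cve, ...], "Medium": [cve, ...]}} with CVE ids
    de-duplicated and sorted.  Findings from other rules packages (no CVE id) and
    Low/Informational findings are ignored, since the page's procedure concerns
    High/Medium CVEs only.
    """
    report = defaultdict(lambda: {"High": [], "Medium": []})
    for f in findings:
        sev = f.get("severity")
        if sev not in ACTIONABLE:
            continue
        match = CVE_RE.search(f.get("id", "")) or CVE_RE.search(f.get("title", ""))
        if not match:
            continue
        instance = f.get("assetAttributes", {}).get("agentId", "unknown")
        bucket = report[instance][sev]
        if match.group(0) not in bucket:
            bucket.append(match.group(0))
    for buckets in report.values():
        for sev in buckets:
            buckets[sev].sort()
    return dict(report)


def needs_patching_ticket(report):
    """True when any instance carries a High CVE: per the page, either wait for
    the next patching run or raise a support ticket for an on-demand one."""
    return any(b["High"] for b in report.values())


# Constructed sample in the shape of describe_findings output; the CVE ids are
# placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "severity": "High",
     "title": "Instance i-0aaa is vulnerable to CVE-0000-0001",
     "assetAttributes": {"agentId": "i-0aaa"}},
    {"id": "CVE-0000-0002", "severity": "Medium", "title": "placeholder",
     "assetAttributes": {"agentId": "i-0aaa"}},
    {"id": "CVE-0000-0001", "severity": "High", "title": "placeholder",  # duplicate for same host
     "assetAttributes": {"agentId": "i-0aaa"}},
    {"id": "CVE-0000-0003", "severity": "Low", "title": "placeholder",
     "assetAttributes": {"agentId": "i-0bbb"}},
    {"id": "Rule-placeholder", "severity": "High", "title": "Non-CVE rules package finding",
     "assetAttributes": {"agentId": "i-0bbb"}},
]

if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    for host, by_severity in result.items():
        print(host, by_severity)
    print("patching ticket needed:", needs_patching_ticket(result))
```

Against a live account, replace the sample with `fetch_findings("<assessment-run-arn>")`; the assessment run ARN is the one Inspector created for the Saturday run, and the instance ids in the output map to the "OS:Ubuntu 20" tagged instances the run targeted.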