SEC06-BP01: Perform vulnerability management

Frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats. Use automation to reduce the time between vulnerability discovery and patching. Regularly assess your applications and infrastructure for vulnerabilities and implement a process to quickly address any issues found.

Implementation guidance

Vulnerability management is a continuous process that involves identifying, evaluating, treating, and reporting on security vulnerabilities in systems and software. A comprehensive vulnerability management program helps protect your compute resources from known security weaknesses and reduces the attack surface available to potential threats.

Key steps for implementing this best practice:

  1. Establish vulnerability scanning processes:
    • Implement automated vulnerability scanning for all compute resources
    • Configure regular scanning schedules for different resource types
    • Use multiple scanning tools for comprehensive coverage
    • Integrate vulnerability scanning into CI/CD pipelines
    • Establish baseline security configurations and scan for deviations
  2. Implement comprehensive patch management:
    • Create automated patch deployment processes
    • Establish patch testing procedures in non-production environments
    • Define maintenance windows for critical security patches
    • Implement rollback procedures for problematic patches
    • Track patch compliance across all systems
  3. Manage software dependencies and libraries:
    • Maintain inventory of all software dependencies
    • Implement automated dependency vulnerability scanning
    • Establish processes for updating vulnerable dependencies
    • Use software composition analysis (SCA) tools
    • Monitor for newly disclosed vulnerabilities in dependencies
  4. Configure infrastructure vulnerability assessment:
    • Scan infrastructure configurations for security misconfigurations
    • Implement Infrastructure as Code (IaC) security scanning
    • Assess container images for vulnerabilities
    • Monitor cloud service configurations for security issues
    • Perform regular penetration testing and security assessments
  5. Establish vulnerability prioritization and remediation:
    • Implement risk-based vulnerability prioritization
    • Define Service Level Agreements (SLAs) for vulnerability remediation
    • Create escalation procedures for critical vulnerabilities
    • Track vulnerability metrics and remediation progress
    • Implement compensating controls for vulnerabilities that cannot be immediately patched
  6. Integrate with threat intelligence:
    • Subscribe to vulnerability intelligence feeds
    • Monitor for exploitation of vulnerabilities in the wild
    • Prioritize vulnerabilities based on active threat campaigns
    • Implement automated threat intelligence correlation
    • Maintain awareness of emerging threats and attack techniques
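
Steps 5 and 6 come down to a scoring decision: which findings get fixed first, by when, and what happens when no patch exists yet. The following is an added example, not code from the original page or from AWS. It tiers constructed sample findings using a hypothetical known-exploited set (the role the CISA KEV catalog plays), EPSS-style probabilities, and an assumed SLA table; the weights in `priority()` and the values in `SLA_DAYS` are assumptions to tune to your own policy.

```python
"""Risk-based vulnerability prioritization with remediation SLAs.

Added example for this page, not code from AWS or the original article. The
findings, exploited-CVE set and EPSS-style scores are constructed sample data
in the shape a scanner export, the CISA KEV catalog and the FIRST EPSS feed
would give; the scoring weights and SLA table are assumptions to tune per policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed threat-intelligence inputs (step 6).
KNOWN_EXPLOITED = {"CVE-2021-44228", "CVE-2023-4863"}        # observed "in the wild"
EPSS = {"CVE-2021-44228": 0.97, "CVE-2023-4863": 0.42,       # P(exploit within 30 days)
        "CVE-2022-0001": 0.01, "CVE-2023-9999": 0.05}

# Assumed remediation SLA per tier, in days from first detection (step 5).
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}


@dataclass
class Finding:
    cve: str
    cvss: float                 # CVSS base score, 0..10
    resource: str               # e.g. ECR image tag or EC2 instance ID
    internet_facing: bool
    fix_available: bool
    first_seen: date
    compensating_control: bool = False   # e.g. WAF rule, vulnerable feature disabled


def priority(f: Finding) -> str:
    """Tier a finding: CVSS adjusted for exploitation evidence, exposure and mitigation."""
    score = f.cvss
    if f.cve in KNOWN_EXPLOITED:
        score += 3.0            # confirmed exploitation outweighs everything else
    elif EPSS.get(f.cve, 0.0) >= 0.3:
        score += 1.5            # likely to be exploited soon
    if f.internet_facing:
        score += 1.0
    if f.compensating_control:
        score -= 2.0            # risk reduced, not removed: still tracked to closure
    if score >= 10.0:
        return "P1"
    if score >= 8.0:
        return "P2"
    if score >= 5.0:
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[priority(f)])


def triage(findings, today: date):
    """Return one row per finding, most urgent first, with tier, due date and status."""
    rows = []
    for f in findings:
        tier, due = priority(f), due_date(f)
        if today > due:
            status = "OVERDUE"              # SLA breached: escalate
        elif not f.fix_available:
            status = "NEEDS_MITIGATION"     # no patch yet: compensating control required
        else:
            status = "OPEN"
        rows.append({"cve": f.cve, "resource": f.resource, "priority": tier,
                     "due": due.isoformat(), "status": status})
    rows.sort(key=lambda r: (r["priority"], r["due"]))
    return rows


# Constructed sample findings, as a scanner export would list them.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", 10.0, "ecr:web/api:1.4.2", True, True, date(2024, 6, 1)),
    Finding("CVE-2023-9999", 7.5, "ecr:web/api:1.4.2", True, True, date(2024, 6, 8)),
    Finding("CVE-2022-0001", 9.8, "i-0abc123", False, True, date(2024, 5, 1),
            compensating_control=True),
    Finding("CVE-2023-4863", 8.8, "lambda:thumbnailer", False, False, date(2024, 6, 9)),
]
SAMPLE_TODAY = date(2024, 6, 10)

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, SAMPLE_TODAY):
        print(row)
```

The ordering this produces is the point: the Log4Shell finding is P1 and already overdue, the libwebp finding is P1 with no fix available and so needs a compensating control rather than a patch ticket, and the 9.8 finding behind a compensating control drops to P3 but keeps a due date so the exception does not become permanent.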

Implementation examples

Example 1: Automated vulnerability scanning with Amazon Inspector

Example 2: Automated patch management with Systems Manager



Example 3: Container image vulnerability scanning

```bash
# Enable ECR image scanning for vulnerability detection (basic scanning;
# enhanced scanning through Amazon Inspector is enabled per registry with
# "aws ecr put-registry-scanning-configuration")
aws ecr put-image-scanning-configuration \
  --repository-name my-application \
  --image-scanning-configuration scanOnPush=true

# Create a lifecycle policy to expire stale images. Lifecycle rules select
# images by tag status, age and count only; they cannot see scan findings,
# so a rule with tagStatus "any" would expire every image older than 7 days,
# including the ones serving production. Expire untagged images instead and
# act on findings through the scan results below (or Amazon Inspector events).
aws ecr put-lifecycle-policy \
  --repository-name my-application \
  --lifecycle-policy-text '{
    "rules": [
      {
        "rulePriority": 1,
        "description": "Expire untagged images older than 7 days",
        "selection": {
          "tagStatus": "untagged",
          "countType": "sinceImagePushed",
          "countUnit": "days",
          "countNumber": 7
        },
        "action": {
          "type": "expire"
        }
      }
    ]
  }'

# Scan an existing image on demand (basic scanning allows one scan per image
# per 24 hours; a second request inside that window is rejected)
aws ecr start-image-scan \
  --repository-name my-application \
  --image-id imageTag=latest

# Get HIGH and CRITICAL findings
aws ecr describe-image-scan-findings \
  --repository-name my-application \
  --image-id imageTag=latest \
  --query 'imageScanFindings.findings[?severity==`HIGH` || severity==`CRITICAL`]'

# Create script for automated vulnerability reporting
cat > vulnerability-report.sh << 'EOF'
#!/bin/bash
set -uo pipefail

REPOSITORY_NAME="$1"
IMAGE_TAG="${2:-latest}"
MAX_WAIT_SECONDS="${MAX_WAIT_SECONDS:-600}"

echo "Scanning image: $REPOSITORY_NAME:$IMAGE_TAG"

# Start scan; fall back to the most recent results if a scan already ran today
if ! aws ecr start-image-scan \
  --repository-name "$REPOSITORY_NAME" \
  --image-id "imageTag=$IMAGE_TAG" > /dev/null; then
  echo "Could not start a new scan; using the most recent results"
fi

# Wait for scan completion. Basic scanning reports IN_PROGRESS/COMPLETE/FAILED;
# enhanced scanning (Inspector) reports ACTIVE once findings are available.
waited=0
while true; do
  SCAN_STATUS=$(aws ecr describe-image-scan-findings \
    --repository-name "$REPOSITORY_NAME" \
    --image-id "imageTag=$IMAGE_TAG" \
    --query 'imageScanStatus.status' \
    --output text)

  case "$SCAN_STATUS" in
    COMPLETE|ACTIVE) break ;;
    FAILED|UNSUPPORTED_IMAGE|SCAN_ELIGIBILITY_EXPIRED)
      echo "Scan failed with status $SCAN_STATUS"
      exit 1 ;;
  esac

  if [ "$waited" -ge "$MAX_WAIT_SECONDS" ]; then
    echo "Timed out waiting for scan results"
    exit 1
  fi
  echo "Scan in progress..."
  sleep 10
  waited=$((waited + 10))
done

# Get vulnerability counts from the severity summary (the findings list is
# paginated, so counting it directly can undercount on large images)
read -r CRITICAL_COUNT HIGH_COUNT < <(aws ecr describe-image-scan-findings \
  --repository-name "$REPOSITORY_NAME" \
  --image-id "imageTag=$IMAGE_TAG" \
  --query '[imageScanFindings.findingSeverityCounts.CRITICAL || `0`, imageScanFindings.findingSeverityCounts.HIGH || `0`]' \
  --output text)

echo "Vulnerability Summary:"
echo "Critical: $CRITICAL_COUNT"
echo "High: $HIGH_COUNT"

# Fail build if critical vulnerabilities found
if [ "$CRITICAL_COUNT" -gt 0 ]; then
  echo "Build failed: Critical vulnerabilities found"
  exit 1
fi

echo "Vulnerability scan passed"
EOF

chmod +x vulnerability-report.sh
```

Example 4: Dependency vulnerability scanning in CI/CD

```yaml
# GitHub Actions workflow for dependency vulnerability scanning
name: Vulnerability Scanning

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM, so CVEs published after the last commit are still caught

# Least privilege for the workflow token; security-events: write is required to upload SARIF
permissions:
  contents: read
  security-events: write

jobs:
  dependency-scan:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Set up Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18'
        cache: 'npm'

    - name: Install dependencies
      run: npm ci

    - name: Run npm audit
      run: |
        # Record what a fix would change first, then gate on HIGH or worse in runtime dependencies
        npm audit fix --dry-run --json > audit-results.json || true
        npm audit --audit-level=high --omit=dev

    - name: Run Snyk security scan
      uses: snyk/actions/node@master   # pin third-party actions to a release tag or commit SHA in production
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        args: --severity-threshold=high --fail-on=all

    - name: Run OWASP Dependency Check
      uses: dependency-check/Dependency-Check_Action@main
      with:
        project: 'my-application'
        path: '.'
        format: 'JSON'
        args: >
          --enableRetired
          --enableExperimental
          --failOnCVSS 7

    - name: Upload dependency check results
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: dependency-check-report
        path: reports/

    - name: Send vulnerability alert
      if: failure()
      uses: 8398a7/action-slack@v3
      with:
        status: failure
        channel: '#security-alerts'
        text: 'Vulnerability scan failed for ${{ github.repository }}'
      env:
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

  infrastructure-scan:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Run Checkov IaC scan
      uses: bridgecrewio/checkov-action@master
      with:
        directory: ./infrastructure
        framework: cloudformation,terraform
        output_format: json
        output_file_path: checkov-report.json
        quiet: true
        soft_fail: false

    - name: Run Terrascan
      uses: tenable/terrascan-action@main   # the accurics/terrascan-action repository moved here
      with:
        iac_type: 'terraform'
        iac_version: 'v14'
        policy_type: 'aws'
        only_warn: false
        sarif_upload: true

    - name: Upload Terrascan results to GitHub Security
      uses: github/codeql-action/upload-sarif@v3
      if: always()
      with:
        sarif_file: terrascan.sarif

  container-scan:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Build Docker image
      run: |
        docker build -t my-app:${{ github.sha }} .

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: 'my-app:${{ github.sha }}'
        format: 'sarif'
        output: 'trivy-results.sarif'
        severity: 'CRITICAL,HIGH'
        exit-code: '1'   # fail the job on findings; the upload step below still runs

    - name: Upload Trivy scan results to GitHub Security
      uses: github/codeql-action/upload-sarif@v3
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'

    - name: Run Grype vulnerability scanner
      id: grype
      uses: anchore/scan-action@v3
      with:
        image: 'my-app:${{ github.sha }}'
        fail-build: true
        severity-cutoff: high

    - name: Upload Grype results to GitHub Security
      uses: github/codeql-action/upload-sarif@v3
      if: always()
      with:
        sarif_file: ${{ steps.grype.outputs.sarif }}
```
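
Running two image scanners, as the container job above does, means the same CVE is reported twice with different rule identifiers, and an accepted risk has to be suppressed separately in each tool. The following added example (not code from the original page, nor from Trivy, Grype or GitHub) merges two constructed, deliberately minimal SARIF documents in the shape those tools emit (only the fields the gate reads), deduplicates by CVE and package, honours a hypothetical time-boxed exception register, and returns one pass/fail decision for the pipeline.

```python
"""One build gate over SARIF output from several scanners.

Added example for this page, not code from the original article or from Trivy,
Grype or GitHub. The two SARIF documents are constructed, minimal stand-ins
holding only the fields this gate reads; EXCEPTIONS is a hypothetical
accepted-risk register.
"""
import json
import re
from datetime import date

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SEVERITY_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed sample: two tools that overlap on one CVE and use different rule IDs.
SARIF_TRIVY = json.dumps({"runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [
        {"id": "CVE-2023-0001", "properties": {"security-severity": "9.8"}},
        {"id": "CVE-2023-0002", "properties": {"security-severity": "7.5"}},
        {"id": "CVE-2023-0003", "properties": {"security-severity": "4.3"}}]}},
    "results": [
        {"ruleId": "CVE-2023-0001", "level": "error", "message": {"text": "Package: openssl"}},
        {"ruleId": "CVE-2023-0002", "level": "error", "message": {"text": "Package: curl"}},
        {"ruleId": "CVE-2023-0003", "level": "warning", "message": {"text": "Package: zlib"}}]}]})

SARIF_GRYPE = json.dumps({"runs": [{
    "tool": {"driver": {"name": "Grype", "rules": [
        {"id": "CVE-2023-0001-openssl", "properties": {"security-severity": "9.8"}},
        {"id": "CVE-2023-0004-libxml2", "properties": {"security-severity": "8.1"}}]}},
    "results": [
        {"ruleId": "CVE-2023-0001-openssl", "level": "error", "message": {"text": "Package: openssl"}},
        {"ruleId": "CVE-2023-0004-libxml2", "level": "error", "message": {"text": "Package: libxml2"}}]}]})

# Hypothetical accepted-risk register: CVE -> (expiry, compensating control).
# An expired exception no longer suppresses the finding.
EXCEPTIONS = {"CVE-2023-0004": (date(2024, 12, 31), "libxml2 external entity parsing disabled")}
BUILD_DATE = date(2024, 6, 10)      # constructed run dates used in the usage below
AFTER_EXPIRY = date(2025, 1, 15)


def bucket(cvss: float) -> str:
    """CVSS v3 qualitative rating."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW"


def parse_sarif(text: str):
    """Yield (cve, package, severity, tool) for every CVE-keyed result in a SARIF document."""
    for run in json.loads(text).get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "")
            msg = res.get("message", {}).get("text", "")
            m = CVE_RE.search(rule_id) or CVE_RE.search(msg)
            if not m:
                continue        # secret or misconfiguration result, not a CVE
            cvss = rules.get(rule_id, {}).get("properties", {}).get("security-severity")
            if cvss is not None:
                sev = bucket(float(cvss))
            else:               # fall back to the coarse SARIF level
                sev = {"error": "HIGH", "warning": "MEDIUM"}.get(res.get("level"), "LOW")
            pkg = re.search(r"Package:\s*(\S+)", msg)
            yield m.group(0), (pkg.group(1) if pkg else "unknown"), sev, driver.get("name", "unknown")


def merge(*sarif_texts):
    """Deduplicate by (cve, package), keeping the worst severity and every reporting tool."""
    merged = {}
    for text in sarif_texts:
        for cve, pkg, sev, tool in parse_sarif(text):
            entry = merged.setdefault((cve, pkg), {"severity": sev, "tools": set()})
            entry["tools"].add(tool)
            if SEVERITY_ORDER[sev] > SEVERITY_ORDER[entry["severity"]]:
                entry["severity"] = sev
    return merged


def gate(merged, today: date, threshold: str = "HIGH"):
    """Fail on any finding at or above threshold unless an unexpired exception covers it."""
    blocking, excepted = [], []
    for (cve, _pkg), entry in merged.items():
        if SEVERITY_ORDER[entry["severity"]] < SEVERITY_ORDER[threshold]:
            continue
        exc = EXCEPTIONS.get(cve)
        (excepted if exc and today <= exc[0] else blocking).append(cve)
    return {"passed": not blocking, "blocking": sorted(blocking), "excepted": sorted(excepted)}


if __name__ == "__main__":
    findings = merge(SARIF_TRIVY, SARIF_GRYPE)
    print(gate(findings, BUILD_DATE))
    print(gate(findings, AFTER_EXPIRY))
```

Keeping the exception register in the repository, with an expiry and the compensating control written down, is what turns "we accepted that one" into an auditable decision: once the date passes the finding blocks the build again, which is the escalation step 5 asks for.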

AWS services to consider

Amazon Inspector

Continuously scans Amazon EC2 instances, container images in Amazon ECR, and AWS Lambda functions for software vulnerabilities and unintended network exposure, and assigns each finding a risk score that accounts for exploitability and exposure rather than CVSS alone.

AWS Systems Manager Patch Manager

Automates the process of patching managed instances with both security related and other types of updates. Patch baselines define which patches are approved (by classification, severity, and approval delay) and maintenance windows control when they are applied, giving centralized patch management and patch compliance reporting across your fleet.

Amazon ECR Image Scanning

Provides vulnerability scanning for container images stored in Amazon Elastic Container Registry. Basic scanning runs on push or on demand; enhanced scanning is performed by Amazon Inspector, which also rescans stored images as new CVEs are published.

AWS Security Hub

Provides a comprehensive view of your security state in AWS. Centralizes vulnerability findings from multiple security services for unified management.

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Helps identify configuration vulnerabilities and compliance issues.

Amazon CodeGuru

CodeGuru Reviewer provides automated code reviews with security detectors for issues such as hard-coded credentials and injection flaws, alongside code-quality recommendations; CodeGuru Profiler identifies the most expensive lines of code.

Benefits of performing vulnerability management

  • Reduced attack surface: Systematic identification and remediation of vulnerabilities reduces potential entry points for attackers
  • Improved security posture: Regular vulnerability assessments help maintain a strong security baseline
  • Compliance support: Helps meet regulatory requirements for vulnerability management and security controls
  • Risk reduction: Proactive vulnerability management reduces the likelihood and impact of security incidents
  • Cost efficiency: Early detection and remediation of vulnerabilities is more cost-effective than incident response
  • Enhanced visibility: Comprehensive vulnerability scanning provides better understanding of security risks
  • Automated protection: Automated scanning and patching reduce manual effort and human error
