Amazon Web Services Feed
How to Deploy a Rapid7 InsightVM Scan Engine for AWS Graviton2-Based EC2 Instances

By Brent Cook, Sr. Manager for Metasploit and InsightVM Security Content at Rapid7

Rapid7-Logo-1
Rapid7-APN-Badge-1
Connect with Rapid7-1

As you may have seen, Amazon Web Services (AWS) recently launched its new EC2 M6g instances.

The new instances powered by AWS Graviton2 Arm-based processors deliver up to 40 percent better price and performance over the x86-based current generation M5 instances.

Here at Rapid7, thousands of customers use InsightVM scan engine to assess their Amazon Elastic Compute Cloud (Amazon EC2) instances for vulnerabilities. To make sure our customers can extend their existing security processes to Graviton2-based instances such as Amazon EC2 M6g, we have updated our scan engine to support this new processor type.

We have also added support for detecting vulnerabilities across supported operating systems (OS), including Red Hat, openSUSE, Debian, Ubuntu, and Amazon Linux 2.

Rapid7 is an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency. Our Insight platform of cybersecurity solutions helps security teams reduce vulnerabilities, detect and shut down attacks, and automate their workflows.

In this post, I will walk you through the steps to deploy our InsightVM scan engine in an AWS Graviton2-based environment.

A Brief History of Rapid7 Support for Arm Processors

Rapid7 support for Arm processors stretches back five years. We first added support for Arm processors in our popular Metasploit framework. It helped customers find risks in things like Internet of Things (IoT) devices, routers, and other low power mobile devices. Next, we started seeing Arm64-based RaspberryPi units run Metasploit.

Over the last few years, we’ve continued to invest in the architecture as we’ve watched both Android and iOS platforms shift over to Arm64. It’s gratifying to see Arm64 architecture power the next generation of powerful and cost-effective cloud compute instances.

We’ve taken all our familiarity with Arm64 architecture and used it to inform our new InsightVM capabilities. We’ve been impressed with how easy it is to deploy Graviton2 instances, and we’ve endeavored to make our scanning experience just as effortless.

In fact, InsightVM customers will find there’s absolutely no difference between scanning an x86 instance and an Arm64 instance, whether performing an authenticated or unauthenticated scan.

How to Deploy the InsightVM Scan Engine in an AWS Environment

In May 2020, we released a scan engine update that added support for detecting AWS Graviton and Graviton2 processors, as well as for assessing vulnerabilities with Amazon Linux 2 (for Arm- and x86-based instance types).

If you are a current Rapid7 customer, you should be able to scan Graviton2 instances right away, since our scan engines receive automatic updates.

If you don’t yet have a Scan Engine in your AWS environment, you can deploy one using our Scan Engine listing on AWS Marketplace. Here’s how:

  1. If you are not already a Rapid7 InsightVM customer, you can start a free trial and follow these instructions to get up and running with the product.
    .
  2. To add a scan engine to your AWS environment, go to the Rapid7 AWS Scan Engine listing in AWS Marketplace.
    .
  3. Select Continue to Subscribe in the upper right corner of the page, accept the terms, and then select Continue to Configuration.
    .
  4. Under Fulfillment Option, choose CloudFormation Template. Select the newest version of the Scan Engine and specify the region where your scan engine should run. Select Continue to Launch.
    .4. Under Fulfillment Option, choose CloudFormation Template. Select the newest version of the Scan Engine and specify the region where your scan engine should run. Click Continue to Launch..
  5. Under the Choose Action dropdown, select Launch CloudFormation, then select Launch. The Scan Engine template opens in AWS CloudFormation.
    .
  6. No configuration is required on the page that you first get taken to, so select Next.

How to Configure your InsightVM Stack

  1. Specify stack details.
    .
    The first few settings in the AWS CloudFormation template should be self-explanatory, but we’ll provide some guidance.
    .
    In the screen shot below, you can see the scan engines responsible for discovering assets during a scan, checking them for vulnerabilities, and assessing their level of policy compliance currently run on x86-based platforms. That is why the default m5.large instance type is selected in the stack details above.

The scan engines responsible for discovering assets during a scan, checking them for vulnerabilities, and assessing their level of policy compliance currently run on x86-based platforms. That is why the default m5.large instance type is selected in the stack details..

    • Under Assign a Public IP Address to Your Scan Engine, select Yes if the Scan Engine needs a public IP address to connect with your Rapid7 Security Console. If your Scan Engine is located on the same virtual private cloud (VPC) as your Security Console, this should not be necessary.
      .
    • Under Create New Security Groups, select Yes. You can leave the subsequent field (Existing Scan Engine Security Group ID) blank.
      .
    • If you are running Rapid7 Security Console on AWS, set Add Ingress to Console Security Group? to Yes. Then, enter the ID of the Amazon EC2 Security Group for your Rapid7 Console into the Console Security Group to Update field. Otherwise, leave Add Ingress to Console Security Group? set to No, and leave the Console Security Group to Update field blank.
      .
    • Under Security Console Host, if your Rapid7 Console is hosted on AWS, navigate to Amazon EC2. Find the EC2 instance where the console is running, and copy over the instance’s Private DNS or Private IP address. If your Rapid7 Console is not hosted on AWS, enter the IP address of your Security Console.
      .
    • Leave the Security Console Port set to 40815.
      .
    • Generate a shared secret from your Rapid7 Security Console and paste it into Security Console Secret.
      .
    • Select Next.
      .
  1. Apply optional items like tags to your stack according to your organization’s best practices for AWS, and then select Next.
    .
  2. Review your stack details and select Create Stack at the bottom of the page.
    .
    The CREATE_COMPLETE status indicates your stack has been created successfully. Once deployed, it can take up to 15 minutes for the scan engine to pair with the Rapid7 Security Console.
    .
    Verify this pairing by checking your listed scan engines in InsightVM by going to Administration > Scan Options > Engines > Manage.
    .
  3. Add the EC2 instances you want to scan to the newly created NexposeScanTargetsSG security group.
    .
  4. In your InsightVM Security Console, expand the Create dropdown in the upper left corner, and select Site.
    .
    5. In your InsightVM Security Console, expand the Create dropdown in the upper left corner and click Site..
  5. Give your new site a name and complete the site configuration.
    .
    Specify scan credentials, a scan template, and a schedule that suits your needs, but do not configure anything on the Assets tab.
    .
    Save the site, but do not scan it yet.
    .
  6. Create a new AWS Asset Sync discovery connection.
    .
    In the Consumption Settings section of the connection configuration page, select the site you just created.
    .
  7. Complete the rest of your discovery connection configuration, and select Save.

You’re done! Be sure to schedule regular scans of your Amazon EC2 instances to detect vulnerabilities.

Conclusion

By following these instructions, you can add a Rapid7 scan engine to your AWS environment. You can also connect InsightVM to the AWS API (that’s what the “discovery connection” is all about). This means that InsightVM will always have an up-to-date view of which Amazon EC2 instances are active.

The scan engine uses the API data to ensure that vulnerability scans only assess active assets and doesn’t try to look for an EC2 instance that no longer exists.

Another benefit of connecting InsightVM to the AWS API is that InsightVM will pull in all your EC2 tags. This allows you to organize assets in InsightVM the same way you organize them on AWS.

If you’re not yet a Rapid7 customer and are interested in learning more about what InsightVM or any of our other solutions can do for you, start a free trial or contact us. To learn more about AWS Graviton2-based Amazon EC2 instances, visit the AWS Graviton page or get started by logging in to the AWS Management Console.

The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.

.
Rapid7-APN-Blog-CTA-1
.


Rapid7 – APN Partner Spotlight

Rapid7 is an AWS Security Competency Partner. They provide security data and analytics solutions that enable organizations to implement an active, analytics-driven approach to cyber security.

Contact Rapid7 | Solution Overview | AWS Marketplace

*Already worked with Rapid7? Rate this Partner

*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.