
Inspector 2 (EC2 Continuous Scanning)


After setting up permissions and instance sync, configure the AWS connector to pull data from Amazon Inspector 2 (EC2 Continuous Scanning) or Inspector Classic via SecurityHub into your Nucleus project.

Connector configuration

Warning

You will need to add all AWS accounts that have EC2 instances, even if they are only ingesting from the SecurityHub admin account.

  1. Log in to your Nucleus project.
  2. From the navigation bar on the left, under Integration Hub, select Connector Setup.
  3. Select Amazon Web Services.
  4. In the Name field, enter a name for the connector.
  5. In the Description field, enter a description for this connector.
  6. In the Authentication section click the green plus button to add a new AWS role to use when connecting to AWS. Note you can only have one role per AWS account. Alternatively, you can bulk import credentials using a CSV file.
  7. In the Label field, enter a label for the role.
  8. In the Role ARN field, enter the Amazon Resource Name (ARN) for the role.
  9. Click Verify Credentials. If the credentials were entered correctly, a message confirming a successful connection will appear.
  10. Do not check Import all AWS Resource Tags as nested asset groups as this option is now legacy.
  11. Optionally check Synchronise EC2 and ECR Instance states.
    • To automatically deactivate the asset in Nucleus when an EC2 or ECR instance is terminated, select When an EC2 or ECR instance is terminated, deactivate the asset in Nucleus.
    • To automatically remove the asset from Nucleus when an EC2 or ECR instance is terminated, select When an EC2 or ECR instance is terminated, remove the asset from Nucleus.
  12. Optionally decide if you want to upload asset and finding data from your Nucleus project to S3 buckets.
  13. Click Save & Finish.

Bulk import credentials template

If your organization has many AWS accounts, you can bulk import role ARNs by clicking Bulk Import Credentials and uploading a CSV structured in the following way:

label,crossaccountrole
my label,arn:aws:iam::123456798012:role/myRoleName
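Because a malformed ARN or a second role for an account that already has one only surfaces after the upload, it is worth checking the CSV before handing it to Bulk Import Credentials. The following script is an added example and is not part of Nucleus or its documentation: it parses the two-column layout above, checks that each value is a well-formed IAM role ARN (partition, empty region field, 12-digit account ID, role name), and rejects every row that would give an account more than one role. The sample CSV, its labels, account IDs and role names are constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

# IAM role ARN layout: arn:<partition>:iam::<12-digit account>:role/<path and name>.
# The region field between the two colons is always empty for IAM.
ROLE_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):role/(?P<name>[\w+=,.@/-]+)$"
)

# Constructed sample CSV in the connector's layout (label,crossaccountrole).
# Rows 3 and 4 deliberately reference the same account and row 5 omits the
# empty region field, so that every check below is exercised.
SAMPLE_CSV = """label,crossaccountrole
prod-account,arn:aws:iam::111111111111:role/NucleusConnectorRole
dev-account,arn:aws:iam::222222222222:role/NucleusConnectorRole
dev-account-duplicate,arn:aws:iam::222222222222:role/OtherRole
broken-row,arn:aws:iam:333333333333:role/NucleusConnectorRole
"""


def validate_bulk_import(csv_text):
    """Return (valid_rows, problems).

    valid_rows: list of (label, arn, account_id) tuples that pass every check.
    problems:   list of strings describing the rows that were rejected.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    expected = ["label", "crossaccountrole"]
    if reader.fieldnames is None or [f.strip() for f in reader.fieldnames] != expected:
        return [], [f"header must be exactly {','.join(expected)}; got {reader.fieldnames}"]

    valid, problems = [], []
    seen_accounts = defaultdict(list)  # account id -> labels that reference it
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        label = (row.get("label") or "").strip()
        arn = (row.get("crossaccountrole") or "").strip()
        if not label:
            problems.append(f"line {lineno}: empty label")
            continue
        match = ROLE_ARN_RE.match(arn)
        if not match:
            problems.append(f"line {lineno}: '{arn}' is not a well-formed IAM role ARN")
            continue
        account = match.group("account")
        seen_accounts[account].append(label)
        valid.append((label, arn, account))

    # The connector accepts only one role per AWS account: report any account
    # referenced by more than one row and drop all of that account's rows.
    for account, labels in seen_accounts.items():
        if len(labels) > 1:
            problems.append(
                f"account {account} appears {len(labels)} times ({', '.join(labels)}); "
                "only one role per account is allowed"
            )
            valid = [v for v in valid if v[2] != account]
    return valid, problems


if __name__ == "__main__":
    ok, bad = validate_bulk_import(SAMPLE_CSV)
    for label, arn, account in ok:
        print(f"OK   {label:<22} {account} {arn}")
    for problem in bad:
        print(f"FAIL {problem}")
```

Run it against your real file by passing its contents to validate_bulk_import; an empty problems list means the CSV is safe to upload.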

Vulnerability scan data ingestion

You can ingest Amazon Inspector 2 and Inspector Classic scan results via the SecurityHub admin account (recommended), in a single account or region, or an aggregated region (per account).

To ingest Amazon Inspector 2 and Inspector Classic scan results via Security Hub into a Nucleus project:

  1. Log in to your Nucleus project.
  2. From the navigation bar on the left, under Integration Hub, select Import via Connector.
  3. Select your AWS connector.
  4. Select Amazon Security Hub (Beta).
  5. Select Amazon Inspector (Classic & 2).
  6. Select the region(s) from which to import results.
  7. Click Next.
  8. Select the accounts to import.
  9. Click Next.
  10. Select a schedule to import scans into the project.
  11. Click Save & Finish.

Next steps

You are now finished setting up the AWS connector. If you use other AWS services, see our other AWS guides.

You can optionally set the AWS connector to upload all asset and finding data from your Nucleus project to S3 buckets.

Limitations

Using Amazon Inspector Classic and Inspector 2 (EC2 Continuous Scanning) together

Amazon Inspector Classic and Inspector 2 are separate products that both continue to be offered; however, Amazon has positioned Inspector 2 as the next generation of vulnerability scanning for EC2 instances. Although the source technologies differ, the Inspector 2 connector was built with continuity between the two products in mind and therefore shares the same scan type. These overlapping scan types are intended to bridge the gap as customers migrate entirely from Inspector Classic to Inspector 2 whilst continuing to have consistent trend data.

As the underlying scanning technologies and the quality of vulnerability data differ, the connector ingest methods for these two products should not be used concurrently. If you choose to use Inspector 2, you should cease using the Inspector Classic connector entirely. Running both connectors concurrently on an ongoing basis will result in mismatched unique finding definitions and properties, as well as conflicting scan mitigation calculations, which will impact vulnerability trends.

First Ingestion

If a scanned asset has no identified vulnerabilities and has not been ingested into Nucleus before, a new asset will not be created for it. This is because the Inspector 2 connector uses AWS Security Hub to aggregate data from Inspector 2 across multiple AWS accounts and regions, and Inspector 2 only reports discovered findings to Security Hub, not the absence of findings.

It is recommended to use the Amazon EC2 Asset Sync in conjunction with this connector as a workaround.

Scan History

New scans will appear for an asset only when the data in Security Hub has changed. This means that even if Inspector 2 scans an asset every day, if the vulnerability data has not changed for that asset (no new vulnerabilities, and no remediated vulnerabilities), then a new scan will not appear as imported under the Scan History tab for that asset.

This should have no material effect on the asset's vulnerability and trend data, as the vulnerabilities will match what has been seen by Inspector 2.
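The two limitations above (First Ingestion and Scan History) both follow from the fact that Security Hub carries only positive findings. The script below is an added example, written as a simplified model of the behaviour described and not as Nucleus's own ingestion code: it takes an EC2 inventory (what the EC2 Asset Sync would supply) and two consecutive batches of Security Hub-style findings, shows which instances the connector alone would never create, and records a scan for an asset only when that asset's set of finding IDs has changed since the previous run. Instance IDs, CVE identifiers and the finding layout are constructed for the example.

```python
import hashlib
import json

# Constructed EC2 inventory, as an EC2 Asset Sync would report it.
EC2_INVENTORY = ["i-0aaaa1111aaaa1111", "i-0bbbb2222bbbb2222", "i-0cccc3333cccc3333"]

# Constructed, simplified Security Hub findings for two consecutive daily runs.
# Each finding is reduced to the resource it concerns and its vulnerability ID.
RUN_1 = [
    {"resource": "i-0aaaa1111aaaa1111", "id": "CVE-0000-0001"},
    {"resource": "i-0aaaa1111aaaa1111", "id": "CVE-0000-0002"},
    {"resource": "i-0bbbb2222bbbb2222", "id": "CVE-0000-0003"},
]
RUN_2 = [
    {"resource": "i-0aaaa1111aaaa1111", "id": "CVE-0000-0001"},  # CVE-0000-0002 remediated
    {"resource": "i-0bbbb2222bbbb2222", "id": "CVE-0000-0003"},  # unchanged
]


def findings_by_asset(findings):
    """Group finding IDs by the resource they were reported against."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["resource"], set()).add(finding["id"])
    return grouped


def assets_without_findings(inventory, findings):
    """Instances Security Hub never mentions: the connector alone creates no asset for them."""
    return sorted(set(inventory) - set(findings_by_asset(findings)))


def fingerprint(finding_ids):
    """Stable digest of an asset's finding set, independent of finding order."""
    return hashlib.sha256(json.dumps(sorted(finding_ids)).encode()).hexdigest()


def ingest(state, findings):
    """Model one ingestion run.

    state maps asset id -> fingerprint of the finding set last seen for it.
    A new scan is recorded only for assets whose finding set differs from the
    stored fingerprint, which is why an unchanged asset shows no new scan entry.
    Returns the sorted list of assets that received a new scan.
    """
    new_scans = []
    for asset, ids in findings_by_asset(findings).items():
        digest = fingerprint(ids)
        if state.get(asset) != digest:
            state[asset] = digest
            new_scans.append(asset)
    return sorted(new_scans)


if __name__ == "__main__":
    print("never created by the connector alone:", assets_without_findings(EC2_INVENTORY, RUN_1))
    seen = {}
    print("run 1 new scans:", ingest(seen, RUN_1))
    print("run 2 new scans:", ingest(seen, RUN_2))   # only the asset whose findings changed
    print("run 2 again   :", ingest(seen, RUN_2))   # nothing changed, so no new scans
```

The third instance only ever appears in the inventory, which is the case the EC2 Asset Sync workaround covers; the second instance keeps the same finding set across runs, so under this model it gains no new scan entry even though Inspector 2 scanned it again.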