Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon configuration

Unlike the other AWS services, Amazon Inspector does not need to store logs in a bucket. Inspector works as a searcher: it retrieves information using the AWS API and provides an agent that analyzes it.

Wazuh configuration

  1. Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following configuration block to enable the integration with Inspector:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>no</run_on_start>
      <skip_on_error>no</skip_on_error>
      <service type="inspector">
        <aws_profile>default</aws_profile>
        <!-- At least one region is required; us-east-1 is an example value -->
        <regions>us-east-1</regions>
      </service>
    </wodle>
    

    Users must specify at least one region. Multiple regions can be added, separated by commas.

    Note

    Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart Wazuh in order to apply the changes:

    • If you're configuring a Wazuh manager:

      1. For Systemd:

      # systemctl restart wazuh-manager
      
      2. For SysV Init:

      # service wazuh-manager restart
      
    • If you're configuring a Wazuh agent:

      1. For Systemd:

      # systemctl restart wazuh-agent
      
      2. For SysV Init:

      # service wazuh-agent restart