Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon configuration

Amazon Inspector does not need to store logs in a bucket. It uses API calls to retrieve the information.

Wazuh configuration

  1. Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following configuration block to enable the integration with Inspector:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>no</run_on_start>
  <skip_on_error>no</skip_on_error>
  <service type="inspector">
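    <aws_profile>default</aws_profile>
    <!-- Required: at least one region. us-east-1 is an example value; use your own region(s). -->
    <regions>us-east-1</regions>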
  </service>
</wodle>

You must specify at least one region. Multiple regions can be added, separated by commas.

Note

Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart Wazuh in order to apply the changes:

  • If you're configuring a Wazuh manager:

    1. For Systemd:

    # systemctl restart wazuh-manager
    
    1. For SysV Init:

    # service wazuh-manager restart
    
  • If you're configuring a Wazuh agent:

    1. For Systemd:

    # systemctl restart wazuh-agent
    
    1. For SysV Init:

    # service wazuh-agent restart
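
The region requirement above can be checked before the restart, so that an Inspector service with no region does not leave a silent gap in collected findings. The following is an added example, not part of the Wazuh documentation or code: the function name, the sample configuration (including the `audit` profile and the region values) and the region-name pattern are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an Inspector service with regions, plus one that omits them.
SAMPLE_CONF = """
<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <service type="inspector">
      <aws_profile>default</aws_profile>
      <regions>us-east-1, us-west-2</regions>
    </service>
    <service type="inspector">
      <aws_profile>audit</aws_profile>
    </service>
  </wodle>
</ossec_config>
"""

# Shape of an AWS region name such as us-east-1 (assumed pattern; it does not
# prove that the region exists or that Inspector is available there).
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")

def check_inspector_services(conf_text):
    """Return a list of problems found in the aws-s3 wodle's Inspector services."""
    # ossec.conf may contain several <ossec_config> roots, so wrap it in one element.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    problems = []
    for wodle in root.iter("wodle"):
        if wodle.get("name") != "aws-s3":
            continue
        if (wodle.findtext("disabled") or "").strip() == "yes":
            problems.append("aws-s3 wodle is disabled")
        services = [s for s in wodle.findall("service") if s.get("type") == "inspector"]
        for idx, svc in enumerate(services, 1):
            raw = svc.findtext("regions") or ""
            regions = [r.strip() for r in raw.split(",") if r.strip()]
            if not regions:
                problems.append(f"inspector service #{idx}: no region specified")
            for r in regions:
                if not REGION_RE.match(r):
                    problems.append(f"inspector service #{idx}: odd region '{r}'")
    return problems

if __name__ == "__main__":
    for p in check_inspector_services(SAMPLE_CONF):
        print("WARN:", p)
```

To check a real host, pass the contents of /var/ossec/etc/ossec.conf to `check_inspector_services` instead of the sample string.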