Configuring Host Vulnerability Assessment (HVA)

Before you can begin assessing hosts in your environment for vulnerabilities, some configuration is required within the relevant CSP associated with your cloud environments as well as within InsightCloudSec.

Support

InsightCloudSec supports assessing the following host types with a size of 100GB or less:

  • AWS EC2 - Windows or Linux
  • Azure Virtual Machine (VM) - Windows or Linux
  • Google Compute Engine - Windows or Linux

Prerequisites

  • InsightCloudSec Admin permissions (Domain or Org Admin)
  • Appropriate permissions in AWS, Azure, and/or GCP:
    • For you to create roles or policies
    • For InsightCloudSec to execute host assessments (outlined in the following sections)

AWS

The permissions included in this section are required to enable host assessments within AWS environments. Also included in this section is the standard HVA policy that is used with the universal AWS onboarding experience. You have two options for enabling HVA for AWS:

  1. Navigate to the IAM policy associated with InsightCloudSec and manually add the AWS HVA Permissions to it
  2. Attach the AWS HVA Policy to the role associated with InsightCloudSec

Default Permissions

If you used the universal AWS onboarding experience, the AWS HVA policy is included by default. This means it is easiest to perform HVA configuration while onboarding an account/organization. If you onboarded AWS accounts prior to the release of the universal onboarding experience (< InsightCloudSec v. 23.4.11) or did not enable HVA within the onboarding experience, you will most likely need to add the permissions or attach the policy manually.

AWS HVA Permissions

The following table contains the minimum required permissions to enable HVA for the policies associated with InsightCloudSec:

Permission | Description
ec2:CreateSnapshot | Required to take a snapshot of the EBS volume that can be analyzed by InsightCloudSec.
ec2:CreateTags | Required to create tags in the source account.
ec2:CopySnapshot | Required to copy snapshots that are encrypted using the default AWS-managed key.
ec2:DeleteSnapshot | Required to clean up the snapshot in the source account after the analysis has been completed.
ec2:ModifySnapshotAttribute | Required to grant permission to the InsightCloudSec backend to download the snapshot.
kms:CreateGrant | Required to create a grant to the KMS key that can be used to decrypt the EBS volume.
kms:DescribeKey | Required to determine what key is being used to encrypt the volume that is being analyzed.
kms:Decrypt | Required to decrypt the generated data key so that it can be used to encrypt the copied snapshot.
kms:Encrypt | Required to encrypt the copied snapshot with a Rapid7-managed Key Management Service (KMS) key.
kms:GenerateDataKeyWithoutPlaintext | Required to generate a data key that is encrypted under the symmetric encryption Rapid7 KMS key. The data key is used to encrypt the snapshot.
kms:ReEncryptFrom | Required to modify encrypted snapshots to allow InsightCloudSec to share them to the Host Assessment Service for a Vulnerability Assessment. Review the AWS documentation for more information.
kms:ReEncryptTo | Required to modify encrypted snapshots to allow InsightCloudSec to share them to the Host Assessment Service for a Vulnerability Assessment. Review the AWS documentation for more information.
kms:RetireGrant | Required to delete the Rapid7 KMS key grant after the assessment has completed.

Default Key-Encrypted Snapshots Information

Review this section on assessing host vulnerabilities with default key-encrypted snapshots for more details.

AWS HVA Policy

The AWS HVA User Policy can be obtained from our public S3 bucket and used to create a custom policy within AWS that contains all the permissions necessary for HVA. Review the AWS IAM documentation for more information.

Role Attachment

This policy should be attached to your existing InsightCloudSec harvesting role (created during AWS Onboarding).

Azure

The permissions included in this section are required to enable host assessments within Azure environments. Also included in this section is a standard HVA policy that can be used during the universal Azure onboarding experience. You have two options for enabling HVA for Azure:

  1. Navigate to the role associated with InsightCloudSec and manually add the Azure HVA Permissions to it
  2. Attach the Azure HVA Role to the role associated with InsightCloudSec

Default Permissions

If you used the universal Azure onboarding experience, the Azure HVA permissions are not included with the Custom Reader and Reader Plus roles. This means you most likely will need to manually update the permissions for or attach the Azure HVA role to the role associated with InsightCloudSec.

Azure HVA Permissions

The following table contains the minimum required permissions to enable HVA for the roles associated with InsightCloudSec:

Permission | Description
Microsoft.Compute/snapshots/write | Required to create a new snapshot.
Microsoft.Compute/snapshots/read | Required to read the properties of a snapshot.
Microsoft.Compute/disks/read | Required to read the properties of a disk.
Microsoft.Compute/snapshots/beginGetAccess/action | Required to generate a SAS URL for access to the disk snapshot.
Microsoft.Compute/disks/beginGetAccess/action | Required to generate a SAS URL for access to the disk snapshot.
Microsoft.Compute/snapshots/endGetAccess/action | Required to disable a SAS URL.
Microsoft.Compute/snapshots/delete | Required to delete a snapshot.

Azure HVA Role

The Azure HVA User Role below can be copied and used to create a custom role within Azure that contains all the permissions necessary for HVA.

```json
{
  "properties": {
    "roleName": "Disk Access for Host Vulnerability Assessment",
    "description": "Read Disk Properties, Revoke and Generate SAS URLs, Create and Delete Snapshots",
    "assignableScopes": [
      "/subscriptions/<subscription-id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/snapshots/read",
          "Microsoft.Compute/snapshots/write",
          "Microsoft.Compute/snapshots/delete",
          "Microsoft.Compute/snapshots/beginGetAccess/action",
          "Microsoft.Compute/snapshots/endGetAccess/action",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/beginGetAccess/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```

Role Attachment

This role should be attached to your existing InsightCloudSec harvesting role (created during Azure Onboarding).
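Before attaching a policy or assigning a role, it is worth verifying offline that the document you are about to apply actually covers the AWS HVA Permissions and Azure HVA Permissions tables above. The following is an added example (not InsightCloudSec code, and not the official AWS HVA Policy from the S3 bucket) that compares an IAM policy document and an Azure custom role definition against the two tables, honouring wildcards such as `kms:ReEncrypt*` and `Microsoft.Compute/snapshots/*`, an explicit IAM `Deny`, and Azure `notActions`. It assumes only stdlib, and the sample policy and role at the bottom are constructed inputs; it deliberately does not evaluate IAM `Resource` or `Condition` scoping, so an empty result means "the actions are named", not "the role is proven to work".

```python
"""Offline coverage check of an AWS IAM policy and an Azure role definition
against the HVA permission tables (added example, not InsightCloudSec code)."""
from fnmatch import fnmatchcase

# Minimum AWS actions from the AWS HVA Permissions table.
REQUIRED_AWS_HVA_ACTIONS = (
    "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CopySnapshot",
    "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute",
    "kms:CreateGrant", "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom",
    "kms:ReEncryptTo", "kms:RetireGrant",
)

# Minimum Azure operations from the Azure HVA Permissions table.
REQUIRED_AZURE_HVA_ACTIONS = (
    "Microsoft.Compute/snapshots/write", "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/endGetAccess/action",
    "Microsoft.Compute/snapshots/delete",
)


def _as_list(value):
    """IAM allows a string, a list, or a single dict where a list is expected."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _matches(pattern, action):
    """Wildcard match ('*' and '?'); both IAM action names and Azure operation
    names are compared case-insensitively."""
    return fnmatchcase(action.lower(), pattern.lower())


def missing_aws_actions(policy_doc, required=REQUIRED_AWS_HVA_ACTIONS):
    """Return the required actions an IAM policy document does not grant.

    Assumption (simplification): only "Action" is evaluated, an explicit Deny
    wins over Allow, and "Resource"/"Condition" scoping is ignored."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in required if any(_matches(p, a) for p in patterns))
    return sorted(a for a in required if a not in allowed or a in denied)


def missing_azure_actions(role_def, required=REQUIRED_AZURE_HVA_ACTIONS):
    """Return the required operations an Azure custom role definition does not
    cover: an operation counts only if some permission block's "actions"
    matches it and none of that block's "notActions" excludes it."""
    props = role_def.get("properties", role_def)
    covered = set()
    for perm in props.get("permissions", []):
        for action in required:
            granted = any(_matches(p, action) for p in perm.get("actions", []))
            excluded = any(_matches(p, action) for p in perm.get("notActions", []))
            if granted and not excluded:
                covered.add(action)
    return sorted(a for a in required if a not in covered)


# Constructed sample inputs (not real policies from any account).
SAMPLE_AWS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CopySnapshot",
                    "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute",
                    "kms:DescribeKey", "kms:ReEncrypt*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "kms:ReEncryptTo"},
    ],
}

SAMPLE_AZURE_ROLE = {
    "properties": {
        "roleName": "hva-reader-constructed",
        "permissions": [{
            "actions": ["Microsoft.Compute/snapshots/*", "Microsoft.Compute/disks/read"],
            "notActions": ["Microsoft.Compute/snapshots/delete"],
        }],
    }
}

if __name__ == "__main__":
    print("AWS actions missing:", missing_aws_actions(SAMPLE_AWS_POLICY))
    print("Azure operations missing:", missing_azure_actions(SAMPLE_AZURE_ROLE))
```

Feeding the role definition printed above to `missing_azure_actions` returns an empty list; the constructed sample role, by contrast, reports `disks/beginGetAccess/action` as never granted and `snapshots/delete` as granted by the wildcard but taken away again by `notActions`, which is exactly the kind of gap that surfaces later as an assessment error in the Coverage report.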

Azure HVA Limitations

HVA for Azure does not support:

  • VMware vSphere VMs or Azure Classic VMs (EOL in September 2023)
  • Disks with data access authentication mode enabled
  • Disks encrypted with customer-provided keys. Review the Azure Blog for more information

GCP

For GCP HVA, InsightCloudSec supports in-cloud assessment, which means all disk snapshots and scans occur in your GCP environment. InsightCloudSec creates disk snapshots and copies them directly to an InsightCloudSec-owned GCP project where the assessment and any other necessary operations are performed, minimizing cost to you.

To accomplish in-cloud assessment, GCP HVA uses a separate in-cloud service account that is owned by InsightCloudSec and created for each user, instead of using the service account associated with normal InsightCloudSec harvesting. This special service account can be created from InsightCloudSec. To enable HVA for GCP:

  1. Log in to the GCP Console and navigate to the relevant project.
  2. Create a custom role that contains the GCP HVA Permissions. Review the GCP documentation for more information on creating a role.
    • If you use CMEK-encrypted disks, you'll also need to grant specific permissions to the InsightCloudSec Compute Engine Service Agent. Review the GCP HVA Permissions section for more information.
  3. Log in to InsightCloudSec and navigate to Vulnerabilities > Vulnerability Settings.
  4. Click Generate Service Account.
  5. Click Copy and Open GCP Console.
  6. Grant the created service account the custom HVA role you just created. Review the GCP documentation for more information on granting a role.

Default Permissions

If you used the universal GCP onboarding experience, the GCP HVA permissions are not included with the default onboarding permissions. This means you most likely will need to manually update the permissions for the service account associated with InsightCloudSec.

GCP HVA Permissions

The following table contains the minimum required permissions to enable HVA for the service accounts associated with InsightCloudSec:

Permission | Description
compute.disks.createSnapshot | Required to create a disk snapshot.

Additional Permissions for CMEK-encrypted Disks (Optional):

If any disks use Customer Managed Encryption Keys (CMEK), the projects containing those disks will have to grant the following permissions to the InsightCloudSec HVA Compute Engine Service Agent to use those CMEKs. You can read more about the CMEK requirement in the GCP documentation.

GCP Permission | Requirement Details
cloudkms.cryptoKeyVersions.useToDecrypt | Required to access CMEK-encrypted disks.
cloudkms.cryptoKeyVersions.useToEncrypt | Required to access CMEK-encrypted disks.

To grant InsightCloudSec access to CMEK-encrypted disks:

  1. Log in to the GCP Console and navigate to the relevant project.
  2. Create a custom role that contains the CMEK permissions. Review the GCP documentation for more information on creating a role.
  3. Grant the InsightCloudSec HVA Compute Engine Service Agent (service-491641900622@compute-system.iam.gserviceaccount.com) the custom CMEK role you just created. Review the GCP documentation for more information on granting a role.

GCP HVA Limitations

GCP HVA support is limited by the following:

  • Cannot assess instances with disks encrypted by a Customer Supplied Encryption Key
  • Cannot assess Local SSDs

Configuring HVA

Before hosts can be regularly assessed for vulnerabilities, you must enable the feature and properly scope the hosts that should be assessed. These configuration settings (and others) can be found on the Vulnerability Settings page, which is accessed from the Vulnerabilities page.

Enabling Assessments

Settings are Per InsightCloudSec Organization

The Vulnerability Settings below are unique to the particular InsightCloudSec Organization you are logged in to. For more information on InsightCloudSec Organizations (not to be confused with Cloud Organizations), see Organizations.

  1. Log in to InsightCloudSec and navigate to the Vulnerabilities page.
  2. Click Settings.
  3. Navigate to the Host Assessment tab.
  4. Click the Enable Host Vulnerability Assessment toggle. The Assessment Scope section appears.

Scoping Assessments

After enabling the feature, you must scope your environment to the hosts that should be assessed. Scoping relies on the Advanced Filtering mechanism seen throughout InsightCloudSec.

Scope Required

Assessments will not be queued until at least one filter exists.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
  5. Select the checkbox for Make this a Public Filter to allow other users to see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

After the feature has been enabled and a scope has been applied, InsightCloudSec will begin reporting on the assessment coverage for the scoped cloud accounts. Click the Coverage graph to open the Assessment Coverage window, which shows a detailed report, including progress summary and assessment errors for the InsightCloudSec organization grouped by cloud account.

In-region Assessment Mapping

In this section, you can find the region that InsightCloudSec runs assessments in, based on which region the host is located in, for each supported Cloud Service Provider (CSP): AWS, GCP, and Azure.

To change the region assessment mapping:

  1. Log in to InsightCloudSec and navigate to the Vulnerabilities page.
  2. Click Settings.
  3. Navigate to the Host Assessment tab.
  4. Navigate to the CSP you wish to update the mapping for.
  5. Update the Run Assessment In drop-down menu for the desired new region.

Downloading Assessment History

Click the Download Assessment History button to download all Host-related assessment history.

Troubleshooting

If you're experiencing issues harvesting and assessing hosts, review the Cloud VM HVA FAQ or contact support.

Using Cloud VM

Cloud VM is available from the main navigation in InsightCloudSec under Security > Vulnerabilities. Review the Vulnerability Management User Guide for more information.