Configuring Host Vulnerability Assessment (HVA)

Before you can begin assessing hosts in your environment for vulnerabilities, some configuration is required within the relevant CSP associated with your cloud environments as well as within InsightCloudSec.

Current Support

HVA supports AWS EC2, Azure Virtual Machine (VM), and GCP VM instances and is only available to InsightCloudSec SaaS customers.

In addition, Windows hosts are not supported and will fail assessment.

Prerequisites

  • InsightCloudSec Admin permissions (Domain or Org Admin)
  • AWS, Azure, and/or GCP permissions outlined in the following sections

AWS

These permissions are not part of a default Read-Only AWS deployment and must be explicitly configured to enable operation of the HVA feature. As of InsightCloudSec v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles. This means it is easiest to perform HVA configuration while onboarding an account/organization. Review AWS Cloud - Onboarding for more information.

| AWS Permission | Requirement Details |
|---|---|
| ec2:CreateSnapshot | Required to take a snapshot of the EBS volume that can be analyzed by InsightCloudSec. |
| ec2:CreateTags | Required to create tags in the source account. |
| ec2:CopySnapshot | Required to copy snapshots that are encrypted using the default AWS-managed key. |
| ec2:DeleteSnapshot | Required to clean up the snapshot in the source account after the analysis has been completed. |
| ec2:ModifySnapshotAttribute | Required to grant permission to the InsightCloudSec backend to download the snapshot. |
| kms:CreateGrant | Required to create a grant to the KMS key that can be used to decrypt the EBS volume. |
| kms:DescribeKey | Required to determine what key is being used to encrypt the volume that is being analyzed. |
| kms:Decrypt | Required to decrypt the generated data key so that it can be used to encrypt the copied snapshot. |
| kms:Encrypt | Required to encrypt the copied snapshot with a Rapid7-managed Key Management Service (KMS) key. |
| kms:GenerateDataKeyWithoutPlaintext | Required to generate a data key that is encrypted under the symmetric encryption Rapid7 KMS key. The data key is used to encrypt the snapshot. |
| kms:ReEncryptFrom | Required to modify encrypted snapshots to allow InsightCloudSec to share them to the Host Assessment Service for a Vulnerability Assessment. Review the AWS documentation for more information. |
| kms:ReEncryptTo | Required to modify encrypted snapshots to allow InsightCloudSec to share them to the Host Assessment Service for a Vulnerability Assessment. Review the AWS documentation for more information. |
| kms:RetireGrant | Required to delete the Rapid7 KMS key grant after the assessment has completed. |

Default Key-Encrypted Snapshots Information

Review this section on assessing host vulnerabilities with default key-encrypted snapshots for more details.

HVA User Policy

The AWS HVA User Policy can be obtained from our public S3 bucket and used to create a custom policy within AWS that contains all the permissions necessary for HVA. Review the AWS IAM documentation for more information.

Role Attachment

This policy will need to be attached to your existing InsightCloudSec Harvesting role.
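Before enabling the feature, it is worth confirming that the harvesting role really holds every action in the table above. The following added example (not Rapid7's code) uses the IAM SimulatePrincipalPolicy API, which evaluates the role's attached policies without performing any action; the role ARN and the sample response are assumptions.

```python
"""Check whether an IAM role holds the HVA actions listed in the table above."""

# Actions copied from the AWS permission table on this page.
HVA_ACTIONS = (
    "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CopySnapshot",
    "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute",
    "kms:CreateGrant", "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom",
    "kms:ReEncryptTo", "kms:RetireGrant",
)


def denied_actions(evaluation_results):
    """Return the actions whose EvalDecision is not 'allowed'.

    Takes the EvaluationResults list that SimulatePrincipalPolicy returns
    (decisions are 'allowed', 'explicitDeny' or 'implicitDeny')."""
    return sorted(
        r["EvalActionName"] for r in evaluation_results
        if r["EvalDecision"] != "allowed"
    )


def check_harvesting_role(role_arn, actions=HVA_ACTIONS):
    """Simulate every HVA action against role_arn and return the denied ones.

    role_arn is the ARN of your InsightCloudSec harvesting role (an assumption;
    substitute your own). Requires boto3 and AWS credentials with iam:SimulatePrincipalPolicy."""
    import boto3  # imported here so the offline helpers above work without it
    iam = boto3.client("iam")
    results = []
    paginator = iam.get_paginator("simulate_principal_policy")
    for page in paginator.paginate(PolicySourceArn=role_arn, ActionNames=list(actions)):
        results.extend(page["EvaluationResults"])
    return denied_actions(results)


# Constructed sample response in the shape IAM returns, for offline use:
# a role that has everything except the grant cleanup permission.
SAMPLE_RESULTS = [
    {"EvalActionName": a, "EvalDecision": "allowed"}
    for a in HVA_ACTIONS if a != "kms:RetireGrant"
] + [{"EvalActionName": "kms:RetireGrant", "EvalDecision": "implicitDeny"}]

if __name__ == "__main__":
    print("Denied HVA actions:", denied_actions(SAMPLE_RESULTS))
```

A non-empty result means the policy from the public S3 bucket has not been attached (or has been trimmed); in the sample, the missing kms:RetireGrant would leave Rapid7 KMS grants behind after each assessment.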

Azure

The table in this section includes the minimum required permissions for your InsightCloudSec Azure role (this should already exist as part of Azure - Onboarding).

| Azure Permission | Requirement Details |
|---|---|
| Microsoft.Compute/snapshots/write | Required to create a new snapshot. |
| Microsoft.Compute/snapshots/read | Required to read the properties of a snapshot. |
| Microsoft.Compute/disks/read | Required to read the properties of a disk. |
| Microsoft.Compute/snapshots/beginGetAccess/action | Required to generate a SAS URL for access to the disk snapshot. |
| Microsoft.Compute/disks/beginGetAccess/action | Required to generate a SAS URL for access to the disk snapshot. |
| Microsoft.Compute/snapshots/endGetAccess/action | Required to disable a SAS URL. |
| Microsoft.Compute/snapshots/delete | Required to delete a snapshot. |

However, there are three limitations you should consider when you use HVA with Azure. HVA does not support:

  • VMWare vSphere VMs or Azure Classic VMs (EOL in September 2023)
  • Disks with data access authentication mode enabled
  • Disks encrypted with customer-provided keys. Review the Azure Blog for more information.

HVA User Role

The Azure HVA User Role below can be copied and used to create a custom role within Azure that contains all the permissions necessary for HVA. Ensure you replace the placeholder Subscription ID value.

```json
{
  "properties": {
    "roleName": "Disk Access for Host Vulnerability Assessment",
    "description": "Read Disk Properties, Revoke and Generate SAS URLs, Create and Delete Snapshots",
    "assignableScopes": [
      "/subscriptions/<subscription-id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/snapshots/read",
          "Microsoft.Compute/snapshots/write",
          "Microsoft.Compute/snapshots/delete",
          "Microsoft.Compute/snapshots/beginGetAccess/action",
          "Microsoft.Compute/snapshots/endGetAccess/action",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/beginGetAccess/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```

GCP

The table below lists most of the minimum permissions required for your InsightCloudSec service account (this account should already exist as part of GCP - Onboarding); the delete permissions are listed separately below it.

| GCP Permission | Requirement Details |
|---|---|
| compute.disks.createSnapshot | Required to create a disk snapshot. |
| compute.snapshots.create | Required to create a disk snapshot. |
| compute.snapshots.setLabels | Required to create a disk snapshot. |
| storage.buckets.create | Required to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket. |
| storage.buckets.list | Required to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket. |
| cloudbuild.builds.create | Required to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket. |
| cloudbuild.builds.get | Required to create a Cloud Storage bucket, check that it exists, and export snapshots to the bucket. |
| storage.objects.get | Required to download the snapshot. |
| storage.objects.list | Required to download the snapshot. |

To enable the full scope of the feature, we also require two delete permissions:

| GCP Permission | Requirement Details |
|---|---|
| storage.objects.delete | Required to delete the snapshot. |
| compute.snapshots.delete | Required to delete the snapshot. |

For customers concerned about giving InsightCloudSec permissions to delete snapshots or cloud storage objects, we highly recommend creating a separate role containing only the delete permissions (see table above) and applying IAM conditions to the role to restrict what objects/snapshots can be deleted:

  • For storage objects, the deletion permission can be restricted to only the export bucket used by InsightCloudSec for storing exported snapshots by using a startsWith condition as follows: resource.name.startsWith("projects/_/buckets/r7-cloudsec-hva-snapshots")
  • For snapshots, since the resource name is composed of several attributes, the snapshot name must be extracted from the resource name before it is matched. GCP allows you to extract parts of a resource name as follows: resource.name.extract("snapshots/{end}").startsWith("rapid7")

Here's a JSON condition block that you can copy/paste for convenience:

```json
{
  "expression": "resource.name.startsWith(\"projects/_/buckets/r7-cloudsec-hva-snapshots\") || resource.name.extract(\"snapshots/{end}\").startsWith(\"rapid7\")",
  "title": "Rapid7 cleanup condition",
  "description": ""
}
```

Full resource name formats for GCP can be found here.
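To see which resource names the cleanup condition above actually permits the delete role to act on, the following added example (not Rapid7's code) re-implements the two CEL functions it uses, startsWith and extract with a trailing {end} placeholder, in plain Python and runs it over constructed object and snapshot resource names. The empty-string result for a non-matching extract template is an assumption about CEL behaviour.

```python
"""Offline mirror of the Rapid7 cleanup IAM condition from this page."""

EXPORT_BUCKET_PREFIX = "projects/_/buckets/r7-cloudsec-hva-snapshots"
SNAPSHOT_NAME_PREFIX = "rapid7"


def cel_extract_end(name, prefix):
    """Approximate CEL resource.name.extract("<prefix>{end}").

    Returns everything after the first occurrence of prefix. Assumption: an
    empty string when the template does not match, which is what the
    condition relies on (an empty string never startsWith "rapid7")."""
    idx = name.find(prefix)
    if idx == -1:
        return ""
    return name[idx + len(prefix):]


def cleanup_allowed(resource_name):
    """Evaluate the page's condition:
    resource.name.startsWith("projects/_/buckets/r7-cloudsec-hva-snapshots")
    || resource.name.extract("snapshots/{end}").startsWith("rapid7")"""
    in_export_bucket = resource_name.startswith(EXPORT_BUCKET_PREFIX)
    snapshot_name = cel_extract_end(resource_name, "snapshots/")
    return in_export_bucket or snapshot_name.startswith(SNAPSHOT_NAME_PREFIX)


# Constructed full resource names in the formats GCP uses for Cloud Storage
# objects (projects/_/buckets/<bucket>/objects/<object>) and Compute Engine
# snapshots (projects/<project>/global/snapshots/<snapshot>), with the
# decision the condition should produce for each.
SAMPLES = {
    "projects/_/buckets/r7-cloudsec-hva-snapshots/objects/export-1.tar.gz": True,
    "projects/_/buckets/prod-backups/objects/db.dump": False,
    "projects/my-project/global/snapshots/rapid7-hva-12345": True,
    "projects/my-project/global/snapshots/nightly-backup": False,
}


def check_samples():
    """True when every constructed sample gets the expected decision."""
    return all(cleanup_allowed(n) == exp for n, exp in SAMPLES.items())


if __name__ == "__main__":
    for name, expected in SAMPLES.items():
        print(f"{cleanup_allowed(name)!s:5} (expected {expected}) {name}")
```

Because startsWith is a plain prefix test, an object in a bucket whose name merely begins with r7-cloudsec-hva-snapshots (for example r7-cloudsec-hva-snapshots-archive) also satisfies the first clause; append a trailing slash to the bucket prefix if you want the condition limited to exactly that bucket.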

Cloud Build Service Account

GCP's method of snapshot export uses a Cloud Build job. Like most GCP services, the job runs under a service account, and it requires that the Cloud Build API be enabled. Once the Cloud Build API is enabled, the service account is created automatically; it is separate from your normal InsightCloudSec harvesting service account.

Multiple GCP Project Users

If you authenticate with a service account from a separate GCP project, you will need to enable the Cloud Build API both for the project that owns the service account and for any projects you want to scan with HVA.

The Cloud Build service account must have the following permissions (the Compute Admin (roles/compute.admin) and Service Account User (roles/iam.serviceAccountUser) built-in roles already include all of them):

  • compute.disks.create
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.setLabels
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.get
  • compute.instances.getSerialPortOutput
  • compute.instances.list
  • compute.instances.setLabels
  • compute.instances.setMetadata
  • compute.instances.setServiceAccount
  • compute.machineTypes.list
  • compute.networks.get
  • compute.networks.list
  • compute.projects.get
  • compute.snapshots.list
  • compute.snapshots.useReadOnly
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zoneOperations.get
  • compute.zones.list
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • resourcemanager.projects.get

GCP HVA Limitations

GCP HVA support is limited by the following:

  • Cannot assess instances with disks encrypted by a Customer Supplied Encryption Key
  • Cannot assess Local SSDs

Configuring HVA

Before hosts can be regularly assessed for vulnerabilities, you must enable the feature and properly scope the hosts that should be assessed. These configuration settings (and others) can be found on the Vulnerability Settings page, which is accessed from the Vulnerabilities page.

Enabling Assessments

Settings are Per InsightCloudSec Organization

The Vulnerability Settings below are unique to the particular InsightCloudSec Organization you are logged in to. For more information on InsightCloudSec Organizations (not to be confused with Cloud Organizations), see Organizations.

  1. Log in to InsightCloudSec and navigate to the Vulnerabilities page.
  2. In the top right corner, click Settings.
  3. Click the Enable Host Vulnerability Assessment toggle. The Assessment Scope section appears.

Scoping Assessments

After enabling the feature, you must scope your environment to the hosts that should be assessed. Scoping relies on the Advanced Filtering mechanism seen throughout InsightCloudSec.

Scope Required

Assessments will not be queued until at least one filter exists.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected Filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
  5. Select the checkbox for Make this a Public Filter to allow other users to see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

Coverage

After the feature has been enabled and a scope has been applied, InsightCloudSec will begin reporting on the assessment coverage for the scoped cloud accounts. Click the Coverage graph to open the Assessment Coverage window, which shows a detailed report, including progress summary and assessment errors for the InsightCloudSec organization grouped by cloud account.

Additional Settings

These additional settings are for GCP only. By default, the GCP snapshot export job will use the default Compute Engine service account and the default VPC network to run the export. If the defaults are not sufficient, you can configure each of these from the Vulnerability Settings page.

To edit GCP Snapshot Export settings:

  1. Log in to InsightCloudSec and navigate to the Vulnerabilities page.
  2. In the top right corner, click Settings.
  3. Next to the relevant GCP cloud account, click Edit.
  4. Update the export_network and export_service_account fields as desired.
  5. Click Apply.

Downloading Assessment History

Click the Download Assessment History button to download all Host-related assessment history.