Configuring Host Vulnerability Assessment (HVA)

Before you can begin assessing hosts in your environment for vulnerabilities, some configuration is required within the relevant cloud service provider (CSP) associated with your cloud environments as well as within InsightCloudSec.

Prerequisites

  • InsightCloudSec Admin permissions (Domain or Org Admin)
  • Administrator-level permissions in Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) (depending on which CSP you want to turn on assessments for)

CSP configuration

To successfully assess hosts within supported CSPs, you need to provide certain HVA-specific permissions to the user role or policy associated with your InsightCloudSec instance. InsightCloudSec supports assessing the following host types:

  • AWS EC2 - Windows or Linux (1TB or less)

    AWS image support limits

    Some marketplace images require organizations to agree to terms and conditions prior to use. Support for these images is limited to those that Rapid7 has vetted and approved. Any image not vetted and approved by Rapid7 is limited to 200GB volume support by default. If you have marketplace images that exceed 200GB and require the ability to assess them, please contact support with a link to the marketplace image you want to be supported.

  • Azure Virtual Machine (VM) - Windows or Linux (512GB or less)

  • Google Compute Engine - Windows or Linux (512GB or less)

AWS

InsightCloudSec supports in-cloud assessment for AWS, which means we create disk snapshots and copy them directly to an InsightCloudSec-owned AWS account where the assessment and any other necessary operations are performed, minimizing cost to you. To perform AWS in-cloud assessment, InsightCloudSec requires permissions that are specific to HVA. If you've already used our universal AWS onboarding experience, the policy that includes the necessary permissions is included by default. If you didn't include the policy or you're not sure, you have two options to turn on HVA for AWS:

  • Navigate to the policy associated with InsightCloudSec and manually add the following required permissions to it:

    AWS HVA permissions

    Permission                           Description
    ec2:CreateSnapshot                   Required to take a snapshot of the Elastic Block Store (EBS) volume that can be analyzed by InsightCloudSec.
    ec2:CreateTags                       Required to create tags in the source account.
    ec2:CopySnapshot                     Required to copy snapshots that are encrypted using the default AWS-managed key.
    ec2:DeleteSnapshot                   Required to clean up the snapshot in the source account after the analysis has been completed.
    ec2:ModifySnapshotAttribute          Required to share the snapshot with the InsightCloudSec backend so that it can be copied for analysis.
    kms:CreateGrant                      Required to create a grant on the Key Management Service (KMS) key that can be used to decrypt the EBS volume.
    kms:DescribeKey                      Required to determine which key is being used to encrypt the volume that is being analyzed.
    kms:Decrypt                          Required to decrypt the generated data key so that it can be used to encrypt the copied snapshot.
    kms:Encrypt                          Required to encrypt the copied snapshot with a Rapid7-managed KMS key.
    kms:GenerateDataKeyWithoutPlaintext  Required to generate a data key that is encrypted under the symmetric Rapid7 KMS key. The data key is used to encrypt the snapshot.
    kms:ReEncryptFrom                    Required to re-encrypt encrypted snapshots so that InsightCloudSec can share them with the Host Assessment Service for a vulnerability assessment. Review the AWS documentation for more information.
    kms:ReEncryptTo                      Required to re-encrypt encrypted snapshots so that InsightCloudSec can share them with the Host Assessment Service for a vulnerability assessment. Review the AWS documentation for more information.
    kms:RetireGrant                      Required to retire the Rapid7 KMS key grant after the assessment has completed.

    Default Key-Encrypted Snapshots Information

    Review the vulnerability management FAQ on assessing host vulnerabilities with default key-encrypted snapshots for more details.

  • Attach the AWS HVA Policy to the role associated with InsightCloudSec.

Visit the third-party vendor's documentation

For the most accurate information on updating or attaching policies, we recommend that you visit AWS' Identity and Access Management (IAM) documentation.

Microsoft Azure

InsightCloudSec supports in-cloud assessment for Microsoft Azure, which means we create disk snapshots and copy them directly to an InsightCloudSec-owned Azure account where the assessment and any other necessary operations are performed, minimizing cost to you. To perform Azure in-cloud assessment, InsightCloudSec requires permissions that are specific to HVA. If you've already used our universal Azure onboarding experience and applied the Power User role, you are ready to use HVA. If you didn't apply the Power User role or you're not sure, you have two options to turn on HVA for Azure:

  • Navigate to the role associated with InsightCloudSec and manually add the following required permissions to it:

    Azure HVA permissions

    Permission                                         Description
    Microsoft.Compute/disks/beginGetAccess/action      Required to generate a SAS URL for access to the disk.
    Microsoft.Compute/disks/read                       Required to read the properties of a disk.
    Microsoft.Compute/snapshots/beginGetAccess/action  Required to generate a SAS URL for access to the disk snapshot.
    Microsoft.Compute/snapshots/delete                 Required to delete a snapshot.
    Microsoft.Compute/snapshots/endGetAccess/action    Required to revoke a SAS URL.
    Microsoft.Compute/snapshots/read                   Required to read the properties of a snapshot.
    Microsoft.Compute/snapshots/write                  Required to create a new snapshot.
  • Create a custom role from the following definition and assign it to the identity associated with InsightCloudSec (replace <subscription-id> with your own subscription ID):

    ```json
    {
      "properties": {
        "roleName": "Disk Access for Host Vulnerability Assessment",
        "description": "Read Disk Properties, Revoke and Generate SAS URLs, Create and Delete Snapshots",
        "assignableScopes": [
          "/subscriptions/<subscription-id>"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Compute/disks/read",
              "Microsoft.Compute/disks/beginGetAccess/action",
              "Microsoft.Compute/snapshots/beginGetAccess/action",
              "Microsoft.Compute/snapshots/delete",
              "Microsoft.Compute/snapshots/endGetAccess/action",
              "Microsoft.Compute/snapshots/read",
              "Microsoft.Compute/snapshots/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }
    ```

Visit the third-party vendor's documentation

For the most accurate information on updating or attaching roles, we recommend that you visit Azure's Role-Based Access Control documentation.

Azure HVA limitations

HVA for Azure does not support:

  • VMware vSphere VMs or Azure Classic VMs (EOL in September 2023).
  • Disks with data access authentication mode enabled.
  • Disks encrypted with customer-provided keys. Review the Azure Blog for more information.

GCP

InsightCloudSec supports in-cloud assessment for GCP, which means we create disk snapshots and copy them directly to an InsightCloudSec-owned GCP project where the assessment and any other necessary operations are performed, minimizing cost to you. To perform GCP in-cloud assessment, InsightCloudSec uses a separate in-cloud service account that is owned by InsightCloudSec and created for each user, instead of the service account used for InsightCloudSec harvesting.

To turn on HVA for GCP:

  1. Create a custom role in the appropriate GCP project with the following permissions:

    GCP HVA permissions

    Permission                               Description
    compute.disks.createSnapshot             Required to create a disk snapshot.

    Additional Permissions for CMEK-encrypted Disks (Optional):

    If any disks use Customer Managed Encryption Keys (CMEK), the projects containing those disks must grant the following permissions to the InsightCloudSec HVA Compute Engine Service Agent so that it can use those CMEKs. You can read more about the CMEK requirement in the GCP documentation.

    Permission                               Description
    cloudkms.cryptoKeyVersions.useToDecrypt  Required only if your disks use Customer Managed Encryption Keys (CMEK).
    cloudkms.cryptoKeyVersions.useToEncrypt  Required only if your disks use Customer Managed Encryption Keys (CMEK).
  2. Log in to InsightCloudSec and navigate to Vulnerabilities > Vulnerability Settings > Vulnerability Assessment.

  3. Click In-Cloud Assessment.

  4. Click Generate Service Account.

  5. Click Copy and Open GCP Console.

  6. Grant the created service account the custom HVA role you just created.

    • If you also added the CMEK-related permissions, you'll also need to grant the InsightCloudSec HVA Compute Engine Service Agent (for example: service-491641900622@compute-system.iam.gserviceaccount.com) the custom role you just created.

Visit the third-party vendor's documentation

For the most accurate information on creating and granting roles, we recommend that you visit GCP's IAM documentation on creating a role and granting a role.

GCP HVA limitations

HVA for GCP does not support:

  • Instances with disks encrypted by a Customer Supplied Encryption Key
  • Local SSDs
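The three permission tables above (AWS, Azure and GCP) are easy to get subtly wrong when an existing policy grants wildcards such as kms:* or carries a Deny statement or notActions carve-out that silently removes one of the required actions. The following Python script is an added example, not InsightCloudSec code or any cloud provider's tooling: it takes a parsed IAM policy document, Azure custom role definition or GCP custom role and reports which HVA permissions are still missing, honouring '*' wildcards and explicit denies. The REQUIRED_* sets are copied from the tables above; every sample policy in the block is constructed for the demo, and the "Resource": "*" scope in minimal_aws_hva_policy() is an assumption, since the page lists actions but no resource constraints.

```python
"""Gap-check an existing AWS IAM policy, Azure role definition or GCP custom
role against the HVA permission tables on this page (added example, not
InsightCloudSec code). REQUIRED_* sets are copied from the tables; the sample
policies are constructed; the "Resource": "*" scope is an assumption."""
import fnmatch
import json

REQUIRED_AWS = {
    "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CopySnapshot",
    "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute",
    "kms:CreateGrant", "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom",
    "kms:ReEncryptTo", "kms:RetireGrant",
}
REQUIRED_AZURE = {
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/beginGetAccess/action",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/snapshots/endGetAccess/action",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/snapshots/write",
}
REQUIRED_GCP = {"compute.disks.createSnapshot"}
REQUIRED_GCP_CMEK = {
    "cloudkms.cryptoKeyVersions.useToDecrypt",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
}

def _as_list(value):
    """IAM lets a single string or object stand in for a one-element list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(permission, patterns):
    # IAM and Azure action names are case-insensitive; '*' is a wildcard.
    name = permission.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

def missing(required, allowed, denied=()):
    """Sorted subset of `required` that is not effectively granted: a permission
    counts only if an allow pattern matches it and no deny pattern
    (IAM Deny statement / Azure notActions) matches it as well."""
    return sorted(p for p in required
                  if not _matches(p, allowed) or _matches(p, denied))

def aws_missing(policy_doc):
    """HVA actions absent from a parsed IAM policy document."""
    allowed, denied = [], []
    for stmt in _as_list(policy_doc.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt.get("Action")))
    return missing(REQUIRED_AWS, allowed, denied)

def azure_missing(role_definition):
    """HVA actions absent from a parsed Azure custom role definition."""
    allowed, denied = [], []
    for perm in role_definition["properties"]["permissions"]:
        allowed.extend(perm.get("actions", []))
        denied.extend(perm.get("notActions", []))
    return missing(REQUIRED_AZURE, allowed, denied)

def gcp_missing(custom_role, cmek_disks=False):
    """HVA permissions absent from a parsed GCP custom role. Custom roles
    list permissions literally, so no wildcard handling is needed."""
    required = REQUIRED_GCP | (REQUIRED_GCP_CMEK if cmek_disks else set())
    return sorted(required - set(custom_role.get("includedPermissions", [])))

def minimal_aws_hva_policy():
    """IAM policy granting exactly the HVA actions (Resource '*' is assumed)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "InsightCloudSecHVA", "Effect": "Allow",
                           "Action": sorted(REQUIRED_AWS), "Resource": "*"}]}

# Constructed sample inputs, not real customer policies.
SAMPLE_AWS_POLICY = {   # broad EC2 read, two snapshot writes, kms:* minus a Deny
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:Describe*", "ec2:CreateSnapshot", "ec2:CopySnapshot", "kms:*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "kms:ReEncrypt*"},
    ],
}
SAMPLE_AZURE_ROLE = {   # wildcard grant with snapshot deletion carved out
    "properties": {"permissions": [{"actions": ["Microsoft.Compute/*"],
                                    "notActions": ["Microsoft.Compute/snapshots/delete"]}]},
}
SAMPLE_GCP_ROLE = {"includedPermissions": ["compute.disks.createSnapshot"]}

if __name__ == "__main__":
    print("AWS missing:", aws_missing(SAMPLE_AWS_POLICY))
    print("Azure missing:", azure_missing(SAMPLE_AZURE_ROLE))
    print("GCP missing (CMEK disks):", gcp_missing(SAMPLE_GCP_ROLE, cmek_disks=True))
    print(json.dumps(minimal_aws_hva_policy(), indent=2))
```

To run it against a real configuration, feed aws_missing() the decoded Document from aws iam get-policy-version, azure_missing() one entry from az role definition list, and gcp_missing() the JSON output of gcloud iam roles describe. Note that the checker only evaluates action names; it does not evaluate conditions or resource ARNs, so a policy that passes the check can still fail at run time if a condition or resource constraint excludes the snapshot or KMS key being used.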

InsightCloudSec configuration

Before hosts can be regularly assessed for vulnerabilities, you must turn on the feature and properly scope the hosts that should be assessed.

Turning on assessments

Settings are per Organization

The Vulnerability Settings are unique to the particular InsightCloudSec Organization you are logged in to. For more information on InsightCloudSec Organizations (not to be confused with Cloud Organizations), see Organizations.

  1. Log in to InsightCloudSec and navigate to the Vulnerabilities page.
  2. Click Settings.
  3. Navigate to the Vulnerability Assessment tab.
  4. Click the Enable Host Vulnerability Assessment toggle. The Assessment Coverage Settings section appears.

Scoping Assessments

After turning on the feature, you must scope your environment to the hosts that should be assessed. Scoping relies on the filtering feature seen throughout InsightCloudSec.

Scope Required

Assessments are not queued until at least one filter exists.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since the available options vary between features): a filter saved in feature A is only available in feature A and will not appear in feature B.

To save a filter:

  1. Once the filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature. This only applies to your user account and will not affect other users' default filter.
  5. Select the checkbox for Make this a Public Filter to allow other users to use and see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

Now that a scope has been applied, InsightCloudSec begins reporting on the assessment coverage for the scoped cloud accounts. Click View Details next to the In-scope coverage graph to open the Assessment Coverage window, which shows a detailed report that includes failed and pending scans as well as a list of unsupported resources that cannot be scanned.

In-region Assessment Mapping

In this section, you can find the region that InsightCloudSec runs assessments in based on which region the host is located for each supported CSP (AWS, GCP, and Azure).

To change the region assessment mapping:

  1. Log in to InsightCloudSec and navigate to the Vulnerabilities page.
  2. Click Settings.
  3. Navigate to the Vulnerability Assessment tab.
  4. Click In-region Assessment Mapping.
  5. Click the tab for the provider you want to update the mapping in.
  6. Update the Run Assessment In drop-down menu for the Hosting Region.

Downloading Assessment History

From the Assessment Coverage section, click the Download Assessment History button to download all Host-related assessment history.

Troubleshooting

If you're experiencing issues harvesting and assessing hosts, review the Cloud VM HVA FAQ or contact support.

Using Cloud VM

Cloud VM is available from the main navigation in InsightCloudSec under Security > Vulnerabilities. Review the Vulnerability Management User Guide for more information.