I'm pretty new to AWS Inspector + SSM for patching, but I've got a Windows Server 2019 that is affected by CVE-2022-30136 as detected by AWS Inspector. Looks like it was fixed with KB5014692; however, when I look it up in AWS SSM it says NotApplicable.
Does it mean that my server is not vulnerable? If so, why would AWS Inspector detect that vulnerability? Or am I missing something here?
Thanks
I'm trying to use the AWS Inspector service (the new one, not the classic one). I created an Amazon Linux 2 instance and attached the AmazonSSMManagedInstanceCore role, so the instance appeared in Fleet Manager, but AWS Inspector doesn't find any package vulnerabilities on the instance. I can only make it work when I choose the "Amazon Linux 2 AMI with Amazon Inspector Agent" image. Is there something missing to make it work on the default instance?
I already tried using the default Amazon Linux 2 instance, but it only worked with the instance that had the agent already installed.
The Amazon Inspector Agent needs to be installed in order to run Amazon Inspector. If you want to use the default AMI or any other AMI, you can use user data to install the Amazon Inspector Agent or run an SSM document to do the installation.
https://docs.aws.amazon.com/inspector/v1/userguide/inspector_installing-uninstalling-agents.html#install-linux
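An added example of the user-data approach the answer describes (not code from the answerer or from AWS): a cloud-config block that installs the agent at first boot on Amazon Linux 2, following the install steps in the Inspector Classic guide linked above. It assumes the instance has outbound HTTPS to inspector-agent.amazonaws.com and that user data runs as root, which is the EC2 default.

```yaml
#cloud-config
# Added example: EC2 user data that installs the Amazon Inspector Classic agent
# on first boot, following the install steps in the linked guide.
# Assumption: outbound HTTPS to inspector-agent.amazonaws.com is allowed.
package_update: true
runcmd:
  # Download the installer script from the location the guide uses
  - curl -fsSL -o /tmp/inspector-install https://inspector-agent.amazonaws.com/linux/latest/install
  # Run the installer (cloud-init runcmd already executes as root)
  - bash /tmp/inspector-install
  # Record the agent state in /var/log/cloud-init-output.log for troubleshooting
  - /opt/aws/inspector/bin/inspector status || true
```

Note which agent this is: the guide the answer links is for Amazon Inspector Classic. The newer Amazon Inspector the question refers to scans EC2 instances through the SSM Agent, so for that service the thing to verify is that the instance is SSM-managed (it shows up in Fleet Manager, as the questioner already observed) and that it has outbound access to the SSM endpoints.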
We have a .NET Core website hosted on AWS EC2 (Windows Server 2019); now we want to set up CI/CD using AWS services only.
Is there any way to do it?
There is so much documentation around this area that a simple Google search returns a plethora of links. A simple place to start is the AWS documentation on DevOps: https://aws.amazon.com/devops/
Then there is a specific AWS service for pipelines called (guess what) AWS CodePipeline:
https://aws.amazon.com/codepipeline/
.NET Core-specific documentation is also covered by AWS: https://aws.amazon.com/quickstart/architecture/dotnet-core-cicd/
And if you ever want to move to AWS Lambda, there's an article for that as well: https://aws.amazon.com/blogs/devops/automated-ci-cd-pipeline-for-net-core-lambda-functions-using-aws-extensions-for-dotnet-cli/
Here is a link that can help you. When you are at Create Deployment Group, choose EC2/On-Premises. Make sure your agent is installed on your EC2 instance, which it should be by default if your OS image is new.
I have read the AWS docs on Elastic Beanstalk logging and the CloudWatch agent, and it seems the CloudWatch agent should be reporting memory usage (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/metrics-collected-by-CloudWatch-agent.html), but this doesn't seem to be happening for me.
When I go into CloudWatch -> Metrics -> EC2 I can't see anything related to memory. CPU, network etc. are collected, but not memory.
The platform version I am using is "PHP 7.2 running on 64bit Amazon Linux/2.8.7".
All the Googling seems to indicate that you need to run custom scripts (Perl) to get that info, but the article linked above seems to contradict that.
In my .ebextensions folder I have a .config file that turns on the logs. I am also able to send custom application logs without issue.
option_settings:
  - namespace: aws:elasticbeanstalk:cloudwatch:logs
    option_name: StreamLogs
    value: true
Am I missing an argument somewhere?
Edit: After a bit more research I don't think the "enable log streaming" option I have set actually uses the CloudWatch agent; /usr/bin/aws logs... is running on the server, so I guess that option enables log pushing via the AWS CLI?
I have done some Googling and cannot find an example of how to install the CloudWatch agent using .ebextensions. I could try it myself, but if no one else is doing it that way, am I thinking about it wrong?
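An added example of the .ebextensions approach the questioner is asking about (not code from the question or from AWS): a single .config file that installs the unified CloudWatch agent from the RPM AWS publishes, writes an agent configuration that collects memory metrics, and starts the agent. It assumes the 64bit Amazon Linux platform named above, that the instance can fetch the RPM over HTTPS, and that the environment's instance profile allows cloudwatch:PutMetricData (the managed CloudWatchAgentServerPolicy grants this); the file name cloudwatch-agent.config is arbitrary.

```yaml
# Added example: .ebextensions/cloudwatch-agent.config
# Assumptions: Amazon Linux platform, outbound HTTPS, and an instance profile
# that allows cloudwatch:PutMetricData (e.g. CloudWatchAgentServerPolicy).
packages:
  rpm:
    # Key is a local name; the value is the agent RPM URL from the CloudWatch agent docs
    amazon-cloudwatch-agent: https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm

files:
  # Agent configuration: collect memory every 60 s, tagged with the instance id
  "/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json":
    mode: "000644"
    owner: root
    group: root
    content: |
      {
        "metrics": {
          "append_dimensions": {
            "InstanceId": "${aws:InstanceId}",
            "AutoScalingGroupName": "${aws:AutoScalingGroupName}"
          },
          "metrics_collected": {
            "mem": {
              "measurement": ["mem_used_percent", "mem_available"],
              "metrics_collection_interval": 60
            }
          }
        }
      }

commands:
  # fetch-config loads the file above and (re)starts the agent because of -s;
  # commands run after packages and files, so the RPM and config are in place
  01_start_cloudwatch_agent:
    command: /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s
```

Two things to check after deploying: the agent publishes under the CWAgent namespace by default, so the memory metrics appear in CloudWatch under CWAgent rather than under the EC2 namespace the questioner was looking in; and if nothing shows up, /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log on the instance will show whether the agent is being denied PutMetricData. The existing StreamLogs option setting can stay in its own .config file; it only affects log streaming, as the questioner's edit already worked out.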
I just started exploring the AWS Systems Manager feature.
I am using Python 3.6 and boto3 to test SSM.
I have created an Ubuntu Server EC2 instance (t2.micro) and assigned an IAM role with the policy "AmazonEC2RoleforSSM", which to my knowledge should allow running the SSM send command on that EC2 instance. But instead I get the error below:
botocore.errorfactory.InvalidInstanceId: An error occurred (InvalidInstanceId) when calling the SendCommand operation:
I even tried to check the output of:
ssm.describe_instance_information()['InstanceInformationList']
It doesn't have the instance ID I created, which pretty much tells the story of why I am getting that error. But to my knowledge, if I assign the IAM role with the above-mentioned policy, it should show up in the list.
Strangely, when I try the above setup with an Amazon Linux AMI server and run SSM, everything looks good.
Any idea why SSM is not working on the Ubuntu server? Am I missing something?
But, to my knowledge, if I assign the IAM role with the above-mentioned policy, it should show up in the list.
No, there's much more to it than that. You need to install the AWS SSM agent on each server you want to manage. The reason it works for you with Amazon Linux is that the latest version of Amazon Linux has the SSM agent pre-installed.
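An added example of the install the answer refers to (not code from the answerer or from AWS): EC2 user data for an Ubuntu Server instance that installs the SSM Agent from the snap package AWS publishes and makes sure its service is running. It assumes Ubuntu 16.04 or later with snapd, outbound HTTPS from the instance, and an instance profile that lets the agent register (the question's AmazonEC2RoleforSSM policy, or the current AmazonSSMManagedInstanceCore).

```yaml
#cloud-config
# Added example: user data that installs and enables the SSM Agent on Ubuntu.
# Assumptions: Ubuntu 16.04+ with snapd, outbound HTTPS, and an instance
# profile that allows the agent to register with Systems Manager.
runcmd:
  # Install the agent from the snap AWS publishes (classic confinement is required)
  - snap install amazon-ssm-agent --classic
  # Ensure the snap's service is enabled and started now
  - systemctl enable --now snap.amazon-ssm-agent.amazon-ssm-agent.service
  # Log the service state to /var/log/cloud-init-output.log for troubleshooting
  - systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service --no-pager
```

Once the agent has registered, the instance appears in the output of describe_instance_information that the questioner was checking, and send_command stops returning InvalidInstanceId. Two caveats: recent Ubuntu Server AMIs from Canonical already ship the agent preinstalled as this snap, so on those the install step is a no-op, and registration still fails if the instance cannot reach the ssm, ssmmessages and ec2messages endpoints in its region (no internet route or VPC endpoints), which shows up in /var/log/amazon/ssm/amazon-ssm-agent.log.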
I have tried sending custom metrics to CloudWatch.
For EC2Config versions up to 4.1, I had to enable the CloudWatch Logs integration. It looked like the following:
Now I am trying to do it for instances whose EC2Config service version is 4.2.1442, but the CloudWatch Integration checkbox is not visible. In fact, the CloudWatch Logs section is not shown at all. Because of this, I am unable to send custom metrics to CloudWatch.
How do I enable CloudWatch Logs integration now? Please suggest.
I am using an updated version of EC2Config (4.2.x), and this is the reason I am unable to find the CloudWatch Logs Integration checkbox.
According to the AWS documentation:
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/send_logs_to_cwl.html
Step 2 clearly notes the following:
NOTE:
If you don't see the Enable CloudWatch Logs integration option, then you are using an updated version of the EC2Config service that no longer supports enabling CloudWatch integration. You must use Systems Manager Run Command to enable CloudWatch integration.
As suggested, I followed this link:
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/remote-commands-cloudwatch.html
By following that, I was able to solve it. My instance had no IAM role attached, so I attached one using the AWS CLI. Then I ran the Run Command from the AWS EC2 console, which automatically pushed custom performance counters to CloudWatch.