AWS Vulnerability Management: From Services to ISMS Strategy

Eric Lansbery

The recently released blog that talks about building a scalable vulnerability management program on AWS is a great reference for anyone managing security services or implementing vulnerability management in the cloud.

You can find it here –

We’re here today to talk about how the blog breaks down their guidance and how all of it relates to getting ISO 27001 certified, in the cloud!

Focus On The Critical Aspects of Vulnerability Management

First up are the main factors to consider when using AWS security services to enable your vulnerability management practice. These references are provided to further define key points in the vulnerability management lifecycle and clarify the important components to make your program effective.

  • Phases of Vulnerability Management: The guide outlines three phases for building and iterating on a vulnerability management program: Prepare, Triage and Remediate, and Report and Improve.
  • Accumulation of Security Findings: Without effective processes in place, security findings in a cloud environment can accumulate rapidly, reaching an unmanageable number of findings in a short time.
  • Vulnerability Management vs. Patch Management: Vulnerability management involves discovering, prioritizing, assessing, remediating, and reporting on vulnerabilities. Patch management focuses on updating software to address security vulnerabilities and is just one aspect of vulnerability management.
  • Patch-In-Place and Standard Processes: It’s recommended to establish a patch-in-place process for all vulnerabilities, patch-now scenarios for critical exploitable vulnerabilities, and a standard process for regularly scheduled patches.
  • Tools for Patch Management: AWS provides tools like Patch Manager and EC2 Image Builder for patch management and the creation of up-to-date server images.
  • Managing Cloud Configuration Risks: Scalable vulnerability management on AWS should include managing software and network vulnerabilities but also cloud configuration risks, such as unencrypted Amazon S3 buckets.
  • Ownership and Accountability: Application teams should own and be accountable for the security of their applications, including the underlying infrastructure. This distribution of ownership is crucial for an effective vulnerability management program.
  • Iteration in Cloud Vulnerability Management: Building a cloud vulnerability management program often involves iterating on the most effective solutions to meet the standards of your program and the rigors of everchanging vulnerability landscapes. Prioritize recommendations and regularly revisit your approach to stay current with technology changes and business requirements.

These key points emphasize the importance of structured processes, the relationship between vulnerability and patch management, the need to address cloud configuration risks, and the iterative nature of building a successful vulnerability management program on AWS.

AWS Security Services and Solutions for Vulnerability Management

To cover the main solutions and achieve a comprehensive vulnerability management program for a cloud-based infrastructure, AWS offers a variety of native security services for AWS environment protection:

  • Amazon GuardDuty: Detects active threats and helps identify vulnerabilities.
  • AWS Health: Provides ongoing visibility into resource performance and service availability.
  • IAM Access Analyzer: Identifies vulnerabilities related to unintended access.
  • Amazon Inspector: Scans for software vulnerabilities and network exposure.
  • AWS Security Hub: Checks AWS environment against standards and aggregates security findings.

Management of the Vulnerability Management Program

It’s always recommended to have security operations meetings to enhance ownership, accountability, and alignment across security, cloud infrastructure, and application teams. These meetings should involve reviewing outstanding security findings and those beyond service level agreements (SLAs) put in place by the organization to remediate.

They also aid in evaluating the effectiveness of the vulnerability management program, guiding improvements. By sharing insights, teams can enhance their security posture and reduce security-related SLAs. They can provide context around the challenges they face when remediating vulnerabilities impacting the environment or their customers.

Much like managing an ISO 27001 ready environment, these AWS security services, when implemented correctly and used regularly, support your ability to maintain a robust vulnerability management program.

  1. Identify Valuable Assets: Recognize data, devices, or components with value, often holding sensitive information or supporting critical operations.
  2. Assess Risks: Identify vulnerabilities in these assets, starting with scans and possibly penetration tests.
  3. Record Findings: Prioritize significant risks and suggest remedies like software updates, device reconfiguration, or policy changes. Provide comprehensive, step-by-step instructions.
  4. Implement Remedies: Put into action the identified solutions.
  5. Confirm Success: Verify if vulnerabilities were properly addressed, promoting transparency and accountability.

Vulnerability Management Shared Responsibility

It’s important to note that security and compliance in AWS is a shared responsibility. AWS manages infrastructure down to physical security, while customers handle guest OS, applications, and AWS security groups. So, who does the vulnerability management?

AWS also publishes the ins and outs of the shared responsibility in detail here –

Customer Specific vulnerability management means that AWS is not responsible for patching all Guest OS and Customer Managed Applications. The Customer is responsible for the configuration behind their OS’s, Databases, and Applications. Any mis-configurations resulting in system vulnerabilities while using AWS services is not AWS’s responsibility to protect or patch.

Deployment Using AWS Cloud Formation Brief

AWS Security Services can be deployed using the native CDK and AWS Cloud Formation templates. This is mostly true for all the services needed to implement before deploying security services. Do your research on the dependencies you’ll need to click buttons and check boxes first based on your own environment variables. Consider the number of accounts, root access requirements, total number of administrators, and required access for other services, vendors, suppliers, or 3rd party managed services groups.

e.g. Deploying Amazon Inspector using AWS CDK and AWS Cloud Formation.

Figure 1 Ref: