an app to report AWS Inspector findings
AIR is a tool to retrieve the latest AWS Inspector findings (the latest run of each template) from your AWS accounts and present them in an auto-filtered Excel spreadsheet. It can run from the command line or on AWS Lambda.
By specifying filters it enables you to adjust severity of specific findings, or ignore them and state the justification.
Generated reports can be automatically emailed using AWS SES (Simple Email Service).
Download the latest release for your OS from here: https://github.com/jonhadfield/aws-inspector-reporter/releases
For running on AWS Lambda see here.
Install:

    $ install <downloaded binary> /usr/local/bin/air
Type air and press enter.
AIR retrieves Inspector findings using the AWS API, which requires a set of API credentials. See here for instructions on how to set credentials.
In order for AIR to access the AWS Inspector findings, the user or role that it runs under will need the following policy:

    arn:aws:iam::aws:policy/AmazonInspectorReadOnlyAccess
For AIR to be able to use the AWS Account alias (name) instead of just the AWS Account ID number, it additionally requires this permission:

    iam:ListAccountAliases
To send reports by email, AIR will additionally require the following permission for the SES identity resource sending the email:

    ses:SendRawEmail
By default, AIR will report the severity stated by AWS Inspector. To override these, create a directory called config containing a file called ‘filters.yml’ with a list of filters to apply:

    - title-match: <finding title to match, supporting regexp>
      severity: <high|medium|low|informational|ignore>
      comment: <comment to add to spreadsheet>
See here for examples.
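To show how a filters.yml list like the one above acts on findings, here is an added Python example (not the project's own code, and the filters and findings are constructed inline). It assumes filters are tried in order with the first title match winning, and that ‘ignore’ removes a finding from the main report while keeping it, with its justification, for audit.

```python
import re

# Constructed filters mirroring the filters.yml structure (not the project's own data)
FILTERS = [
    {"title-match": r"^Instance .* is reachable from the internet",
     "severity": "ignore", "comment": "Bastion hosts are meant to be reachable; see <TICKET-PLACEHOLDER>"},
    {"title-match": r"CVE-\d{4}-\d+",
     "severity": "high", "comment": "Unpatched package CVEs are treated as high until fixed"},
]
# Constructed findings carrying the fields the spreadsheet would show
FINDINGS = [
    {"title": "Instance i-0abc is reachable from the internet on port 22", "severity": "Medium"},
    {"title": "Instance i-0abc is vulnerable to CVE-2019-0001", "severity": "Low"},
    {"title": "Root user has no MFA", "severity": "High"},
]
SEVERITIES = {"high", "medium", "low", "informational", "ignore"}

def compile_filters(filters):
    """Reject a mistyped severity or a bad regexp before any report is built,
    so a broken filter fails loudly instead of silently matching nothing."""
    rules = []
    for flt in filters:
        if flt["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {flt['severity']!r} for {flt['title-match']!r}")
        rules.append((re.compile(flt["title-match"]), flt["severity"], flt["comment"]))
    return rules

def apply_filters(findings, filters):
    """Return (reported, ignored). Assumed semantics: rules are tried in order and the
    first title match wins; 'ignore' removes the finding from the main report but
    keeps it, with its justification, so the decision stays auditable."""
    rules = compile_filters(filters)
    reported, ignored = [], []
    for finding in findings:
        row = {"title": finding["title"], "original_severity": finding["severity"],
               "severity": finding["severity"], "comment": ""}
        for pattern, severity, comment in rules:
            if pattern.search(finding["title"]):
                row["comment"] = comment
                if severity == "ignore":
                    ignored.append(row)
                else:
                    row["severity"] = severity.capitalize()  # Inspector-style "High"
                    reported.append(row)
                break
        else:  # no filter matched: report the severity Inspector assigned
            reported.append(row)
    return reported, ignored
```

Keeping original_severity alongside the overridden value lets a reviewer of the spreadsheet see what Inspector said as well as what the filter changed it to.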
AIR supports sending generated reports via email using AWS SES. Note: this requires that the provided AWS credentials have the necessary permissions.
To configure: create a directory called config containing a file called ‘report.yml’ with the email settings:

    email:
      provider: ses
      region: <AWS region for SES>
      source: "<email address of sender>"
      recipients:
        - "<email recipient>"
        - "<email recipient>"
      subject: "<email subject>"
See here for an example.
By default, AIR will retrieve findings from the AWS account that corresponds to the credentials specified.
To run against multiple accounts, create a directory called ‘config’ containing a file called ‘targets.yml’ that specifies a list of target account roles.
See here for an example.