serverless-inspec-lambda v0.14.0

@jkufro jkufro released this 24 Aug 13:44
ba6981a

Notable changes

Added ability to run SSH via SSM without needing to manage keys

Previously, running the "SSH via SSM" method of scanning Linux instances required users to manage SSH keys manually. The lambda can now also create, add, and remove temporary SSH keys entirely on its own.

This method of InSpec scanning works with the following sequence of events:

  1. Generate an SSH key pair within the lambda function
  2. Use the train-awsssm plugin to send the public key material to ~/.ssh/authorized_keys using SSM Send Command
  3. Immediately queue another SSM Send Command to remove the key from ~/.ssh/authorized_keys after 60 seconds
  4. Start an SSH session using the generated key pair and execute the InSpec scan over SSH

Assumptions with this method:

  • Scanning Linux-based instances (i.e. not Windows)
  • The instance has the following commands installed: su, mkdir, touch, echo, sleep, grep, mv
  • The user that runs "SSM Send Command" commands is privileged to write to any user's ~/.ssh directory (this defaults to root unless explicitly changed)
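The on-instance half of steps 2 and 3 above, written as an added example rather than the project's own code: one function an SSM Send Command could run to place the temporary public key in authorized_keys, and one to remove it again after a delay (the release uses 60 seconds), using only the commands listed in the assumptions. The authorized_keys path and the key line are parameters so the functions run offline, and the su step that the lambda uses to act as the target user is left out.

```shell
#!/bin/sh
# Added example (not serverless-inspec-lambda code). The lambda generates the
# key pair; the public key line passed in here stands in for it.

# install_temp_key AUTH_KEYS_FILE PUBKEY_LINE
# Creates ~/.ssh and authorized_keys if missing with the permissions sshd's
# StrictModes requires, then appends the key exactly once (idempotent).
install_temp_key() {
  auth="$1"; pub="$2"
  dir=$(dirname "$auth")
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$auth" && chmod 600 "$auth"
  # -F: literal match, -x: whole line only, -q: no output
  if ! grep -qxF -- "$pub" "$auth"; then
    echo "$pub" >> "$auth"
  fi
}

# remove_temp_key AUTH_KEYS_FILE PUBKEY_LINE [DELAY_SECONDS]
# Sleeps DELAY seconds (default 60, as in the release), then rewrites
# authorized_keys without the temporary key. grep -v writes to a new file and
# mv swaps it in, so any other keys on the instance are left untouched.
remove_temp_key() {
  auth="$1"; pub="$2"; delay="${3:-60}"
  sleep "$delay"
  tmp="$auth.tmp.$$"
  # grep -v exits 1 when no lines remain; that is still success here
  grep -vxF -- "$pub" "$auth" > "$tmp" || true
  chmod 600 "$tmp"
  mv "$tmp" "$auth"
}

# key_count AUTH_KEYS_FILE: number of non-empty lines, for checking state
key_count() {
  grep -c . "$1" || true
}
```

In the lambda's flow the second command is queued right after the first, so the key is removed even if the SSH session or scan fails.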

This method is advantageous over the "SSM Send Command" method mentioned above because invoking every InSpec command over SSM Send Command is significantly slower than running them over SSH, and it shares the advantage of removing the need to manually manage SSH keys.

Example configuration enabling this method (ssm_temp_ssh_key set alongside an SSH target):

{
  "...": "...",
  "ssm_temp_ssh_key": true,
  "config": {
    "target": "ssh://ec2-use@i-00f1868f8f3b4cc03"
  }
}