AWS Systems Manager now supports InSpec, a Chef product. InSpec is an open-source framework that lets you define compliance as code. With the framework, you can define the state a system should be in and assess its actual condition. It can already be used with AWS OpsWorks for Chef Automate to track your compliance.
Previously, you had to script the compliance checks yourself in Systems Manager to collect configuration compliance information. Now the process is simpler: with the new framework you can create profiles or use prebuilt ones.
What are Profiles?
A profile describes the compliance, policy, or security requirements of your computing environment. For instance, you can write a profile that checks whether particular ports are open or closed, whether certain processes are running, whether recommended packages are installed, or whether Windows Registry keys have specific characteristics.
How Does It Work?
Whether you are using virtual machines or specific servers, you can easily create profiles for Amazon EC2 instances.
InSpec consists of a collection of tools that help you write audits. If you don't want to use the profiles pre-built by other users, you write your own in its Ruby-based Domain-Specific Language (DSL).
The Framework's Process
You can run the framework's scans using AWS-RunInSpecChecks, the new AWS Systems Manager document, and choose either an Amazon S3 bucket or GitHub as the source type. Here is a summary of the process:
- Create a profile or choose an existing profile that you want to use. GitHub has predefined profiles you can use to get started.
- After choosing a profile, store it in either a public or a private repository. An Amazon S3 bucket also works for this.
- Use the profile to run a Compliance scan with the AWS-RunInSpecChecks document. To start a scan, you can use Run Command, or schedule a scan using State Manager. Alternatively, instead of using Run Command, you can use on-demand scans.
- Identify non-compliant instances with the Compliance API. Another option is to use the Systems Manager Compliance interface.
It is worth noting that Chef uses a client on your instances to process the profile. You do not need to install the files this requires yourself.
When the AWS-RunInSpecChecks SSM document executes, it first checks whether the necessary files are installed. If they are not, Systems Manager installs the Chef software files. On completion, the installed files are removed.
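The two API-facing steps above (starting the scan and finding non-compliant instances) can be scripted. This is an added example, not code from AWS or Chef: it builds the arguments you would pass to boto3's `ssm.send_command` and filters the items returned by `list_resource_compliance_summaries`. The `Custom:Inspec` compliance type, the `sourceInfo` keys, and every name and instance ID in the sample data are assumptions.

```python
import json

DOCUMENT = "AWS-RunInSpecChecks"    # SSM document named on this page
SOURCE_TYPES = ("GitHub", "S3")     # the two source types the page lists
COMPLIANCE_TYPE = "Custom:Inspec"   # assumption: type InSpec results report under

# Constructed sample data; keys of SAMPLE_SOURCE and all IDs are assumptions.
SAMPLE_SOURCE = {"owner": "example-org", "repository": "example-profiles",
                 "path": "linux-baseline"}
SAMPLE_ITEMS = [
    {"ComplianceType": "Custom:Inspec", "ResourceId": "i-0aaa0000000000001",
     "Status": "NON_COMPLIANT", "OverallSeverity": "HIGH",
     "NonCompliantSummary": {"NonCompliantCount": 1}},
    {"ComplianceType": "Custom:Inspec", "ResourceId": "i-0aaa0000000000002",
     "Status": "COMPLIANT", "OverallSeverity": "UNSPECIFIED"},
    {"ComplianceType": "Patch", "ResourceId": "i-0aaa0000000000003",
     "Status": "NON_COMPLIANT", "OverallSeverity": "CRITICAL",
     "NonCompliantSummary": {"NonCompliantCount": 7}},
    {"ComplianceType": "Custom:Inspec", "ResourceId": "i-0aaa0000000000004",
     "Status": "NON_COMPLIANT", "OverallSeverity": "CRITICAL",
     "NonCompliantSummary": {"NonCompliantCount": 4}},
]


def build_scan_request(source_type, source_info, tag_key, tag_value):
    """Return keyword arguments for boto3's ssm.send_command()."""
    if source_type not in SOURCE_TYPES:
        raise ValueError(f"sourceType must be one of {SOURCE_TYPES}")
    return {
        "DocumentName": DOCUMENT,
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        # SSM parameter values are lists of strings, so sourceInfo is JSON text.
        "Parameters": {"sourceType": [source_type],
                       "sourceInfo": [json.dumps(source_info)]},
    }


def noncompliant_instances(items):
    """Return (instance, severity, failed checks) rows, worst count first."""
    rows = []
    for item in items:
        if item.get("ComplianceType", "").lower() != COMPLIANCE_TYPE.lower():
            continue  # patch or association results, not the InSpec scan
        if item.get("Status") != "NON_COMPLIANT":
            continue
        failed = item.get("NonCompliantSummary", {}).get("NonCompliantCount", 0)
        rows.append((item["ResourceId"], item.get("OverallSeverity"), failed))
    return sorted(rows, key=lambda row: row[2], reverse=True)
```

The scan runs asynchronously, so query the compliance summaries only after the command has finished on the targeted instances.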
Difference Between SSM-Inspec and Amazon Inspector
The difference between SSM-Inspec support and Amazon Inspector may still be confusing. Amazon Inspector allows you to enhance the security and compliance of the instances created on AWS.
SSM-Inspec support, on the other hand, gives you a platform for writing compliance checks based on your business needs. You can also use pre-made profiles, which makes the process much more straightforward.
SSM-Inspec is available in all regions where AWS Systems Manager is available.