Using AWS Systems Manager to Run Compliance Scans Using InSpec

Starting today, all AWS customers have the ability to perform compliance as code using InSpec through AWS EC2 Systems Manager (SSM). InSpec, an open-source testing framework from Chef, provides teams the ability to define and assess system state and status across the entire application lifecycle. InSpec can already be used with AWS OpsWorks for Chef Automate to track the compliance of your infrastructure based on predefined policies. For example, you can describe compliance controls in InSpec and integrate these tests into any stage of your deployment pipeline or choose from a set of pre-packaged InSpec profiles. You can then use the Compliance pane as a unified dashboard to identify issues, remediate them, and track progress for various nodes and profiles.

AWS Systems Manager now gives you visibility and control of your infrastructure on AWS. Previously, AWS customers could get configuration compliance information using SSM State Manager and Patch Manager, but could not declaratively author compliance checks.

With this latest release, customers now have a simple way to write tests in an easy but rich manner as per their IT requirements. Customers can author InSpec profiles in their GitHub repos, perform ad hoc or periodic scans on their instances, using InSpec profiles and then identify and remediate non-compliant instances.

InSpec allows IT administrators to identify non-compliant instances as they define their system configuration, while Security/Audit teams can now specify the exact compliance baselines or policies they need. The InSpec profile can be run from a private or public GitHub repository or an S3 bucket. InSpec is cross-platform, and works across Windows and Linux, as well as on-prem instances.

Use cases that you can express using InSpec include ensuring instance ports are open or closed, check if a service (e.g. Apache) is running, check if certain packages are installed, and scan your Windows registry keys for specific properties. The output of InSpec scans are available on the SSM Compliance console or through the Compliance APIs. The future releases will also include an access to predefined profiles available on Chef Supermarket, for example to scan for CVE (Common Vulnerabilities and Exposures) or CIS (Center of Internet Security).

A common question we get is what is the difference between SSM InSpec support and Amazon Inspector. While Amazon Inspector lets you perform security assessments on your instances (based on best-practices or common vulnerabilities such as CIS standards), the SSM support for InSpec lets you create your own compliance checks based on your own business needs, as well take advantage of pre-defined compliance profiles.

Learn More

You can learn more about this integration in the AWS blogpost that provides a more in depth overview of the new functionality. The blog also features a walk-through that uses Run Command to execute individual tests on EC2. You can also create State Manager Associations to execute these tests on a schedule so that you can continuously assess the compliance of your systems.

Want a taste of InSpec right away? Our preconfigured, ready-to-go environments on Learn Chef Rally will help you explore how it work in minutes. See how InSpec can help you quickly identify potential compliance and security issues on your infrastructure.

Author Gershon Diner

Gershon is a Director of Business Development at Chef Software, and much of his focus is on penetrating and scaling or partnership with the leading cloud partners. Gershon has over 20 years of leadership experience in engineering, sales, Biz Dev and strategic alliances, in startups and OSS communities. He is a customer-obsessed and implemented many successful products for the most recognizable enterprise global brands. Gershon moved from Israel to Palo Alto, CA with his family to enjoy the outdoors, the people, innovation, vibe and the buzz in the heart of the Silicon Valley.