Amazon Inspector + Turbot Guardrails:
Turbot provides Guardrails for a number of AWS Security, Identity, and Compliance products, including Operating System Guardrails for Windows and Linux. Turbot’s existing Operating System Guardrails automatically apply best practice configurations based on company policies for patching, user management, and environment variables, including hardening configurations based on the Center for Internet Security (CIS) Level 1 or 2 Benchmarks.
For an additional audit layer to identify potential security issues, vulnerabilities or deviations from best security practices, Amazon Inspector can be used to identify findings on EC2 Instances while Turbot is enforcing configurations based on corporate policies. Turbot has recently expanded our Guardrail policies for Amazon Inspector to help Enterprises ensure Amazon Inspector is setup and configured consistently across large scale multi-account AWS implementations.
Turbot Enables Amazon Inspector at Scale:
- Turbot allows you to enable / disable Amazon Inspector in multiple AWS accounts. This will block users from managing Inspector per account and allow central configuration management to be enforced globally or managed through exceptions per account and per instance.
- Turbot Guardrails can be set to enable / disable specific regions allowed for Amazon Inspector resources.
- As part of Turbot’s Identity Engine, Enterprises can easily assign Amazon Inspector Role Based Access Controls (RBAC) and identity policies consistent with other Turbot - AWS IAM Policies being managed. In addition, Turbot RBAC policies can be applied with time-based grants.
- Turbot allows you to enforce the Inspector agent installation on Linux and Windows Operating Systems.
- Turbot will auto-create the required Amazon Inspector IAM role with least privilege policies, while providing protection for the role to ensure it is not altered or assumed.
- Turbot will enforce the creation of Inspector Targets and Templates and global or explicit EC2 Instance associations per instance.