Wiz Experts Team
Vulnerability scanning is the process of identifying and analyzing security flaws in various layers of your IT stack, including networks, endpoints, and cloud environments.
Vulnerabilities in software applications commonly stem from code flaws, misconfigurations, weak security policies, or software supply chain risks; for example, nearly half of enterprises have at least one database or storage bucket publicly exposed to the internet. Vulnerability assessment tools detect these risks by comparing software versions, code, and system and network configurations against a database of known vulnerabilities, such as the Common Vulnerabilities and Exposures (CVE) database.
Vulnerability scanning is an integral component of every vulnerability management program, providing security teams with insights needed to address vulnerabilities before they become attack vectors. When conducted regularly, vulnerability assessments offer asset discovery and visibility, attack surface management, and compliance enforcement.
When choosing a vulnerability scanner, it’s important to consider several critical factors. These factors not only determine how effective vulnerability detection is but also impact how easily vulnerability scanning can be integrated into DevOps workflows and CI pipelines like GitLab CI, Jenkins, and Azure DevOps.
For example, keep the following in mind:
To develop secure-by-design apps, DevSecOps teams need vulnerability scanners that automatically trigger a scan as part of the build process whenever code is committed. This enables near-instantaneous vulnerability detection, an important part of shift-left testing.
Stakeholders should consider how exhaustively the tool scans and correlates critical vulnerabilities across workloads. An ideal tool offers various types of vulnerability scans, including cloud infrastructure, network, application, and host scans. Such a tool will provide a holistic view of configurations and seemingly innocuous combinations that actually put your stack at risk of cyberattacks.
The scanner should deploy agentlessly, reducing the complexity and overhead associated with using it. It should also integrate with vulnerability management solutions to facilitate ongoing management throughout the vulnerability lifecycle.
The scanner must accurately detect and prioritize vulnerabilities according to criteria like vulnerability severity, asset exposure, and criticality to business operations.
Top open-source vulnerability scanning tools
Though it's best to have a vulnerability scanner capable of scanning multiple components of your stack, most scanners out there tend to focus on a single layer. Here are our top-rated picks listed by type—based on the layer they secure:
| Tool Type | Tool Name | Capability | Strength | Limitation |
|---|---|---|---|---|
| Network vulnerability scanners | Aircrack-ng | Monitoring wireless networks | Seamless packet injection | May take hours or days to effectively detect and exploit vulnerabilities |
| Network vulnerability scanners | Masscan | Network troubleshooting and security auditing | Fast scans | Must be integrated with vulnerability management tools for comprehensive vulnerability insights |
| Application vulnerability scanners | Arachni | Web app security testing | Customizable and distributed scans | Cannot effectively detect vulnerabilities related to business logic (e.g., authorization bypass) |
| Application vulnerability scanners | Burp Suite | Web application scanning and testing | Enables active and passive scans | Lacks automated scans, making real-time vulnerability detection impossible |
| Container vulnerability scanners | Clair | Static container vulnerability scanning | Can be customized to suit various use cases without forking | Lacks runtime scanning capabilities; can only analyze images at rest |
| Container vulnerability scanners | Anchore Engine | Container vulnerability scanning and compliance management | Can be integrated into CI pipelines for automated scans | Focuses on popular OS and software packages; may overlook vulnerabilities in custom-built apps |
| Code vulnerability scanners | KICS | IaC code scanning and compliance assessment | Vulnerability risk scores | Offers static scans only; may generate false negatives |
| Code vulnerability scanners | Gitleaks | Git code scanning | Git history and version scanning | Its regex scans may result in false positives |
| Endpoint vulnerability scanners | Lynis | Endpoint security auditing and hardening | Highly extensible | Ideal for Unix-based operating systems only |
| Endpoint vulnerability scanners | OSSEC | Endpoint vulnerability scanning and compliance checks | Host-based intrusion detection | Requires extensive manual tuning to reduce false positives |
Network vulnerability scanners
Network vulnerability scanners assess LANs, servers, and systems for security risks, such as outdated software, misconfigurations, suspicious traffic patterns, and open ports.
Aircrack-ng
Aircrack-ng is a suite of tools designed mainly for monitoring, attacking, and cracking 802.11 wireless networks. It sniffs packets and captures hashes, collecting insights needed to crack WEP and WPA/WPA2 pre-shared key (PSK) passwords. This in turn lets you know how easily attackers can decrypt your network traffic and packets.
Aircrack supports various attack techniques like deauthentication, packet injection, brute force, replay, and dictionary-based password cracking attacks. It comes pre-installed in Kali Linux and can be accessed by typing the following command in the terminal:
aircrack-ng --help
You'll then receive an output displaying various Aircrack-ng commands you can deploy for your vulnerability scans.
How Aircrack-ng works
You can use any of the tools within Aircrack-ng to conduct a wide range of scans. For instance, you can scan the network using airodump-ng to find suspicious activity or rogue access points.
Masscan
Known for its remarkable speed and scalability, Masscan is a lightweight network security vulnerability scanner and reconnaissance tool. It’s ideal for scanning IP addresses, open ports, and other network components.
How Masscan works
You can use Masscan to detect rogue services, firewall outage/tampering, or misconfigured devices that could result in sensitive data exposure.
For example, you can find misconfigurations by scanning your entire network (Hello, fast scans!), focusing on commonly exploited ports like 80, 22, and 443. Masscan then outputs a report showing all exposures detected, e.g., an open port 21 (showing that unencrypted FTP is in use) or weak authentication and authorization on port 22 (creating potential for brute-force attacks and remote code execution).
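The triage step the paragraph describes, as an added example (not the article's or Masscan's own code): it parses Masscan's list-format (`-oL`) output and applies a small exposure policy built around the ports mentioned above. The scan rows, the port policy and the SSH allowlist are constructed for the demo.

```python
"""Triage Masscan list-format (-oL) output for risky exposures.
Added example, not the article's or Masscan's own code; the scan output,
the port policy and the SSH allowlist below are constructed for the demo."""
import re
from collections import defaultdict

# Masscan -oL rows look like: "open tcp 22 10.0.0.5 1700000000"
LINE_RE = re.compile(r"^(open|closed)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s+(\d+)$")

# Assumed policy: ports the article calls out and why they matter.
RISKY_PORTS = {
    21: "FTP: cleartext credentials and file transfer",
    22: "SSH reachable: brute-force target, require key-only auth",
}
SSH_ALLOWLIST = {"10.0.0.1"}  # hosts approved to expose SSH (bastion)

SAMPLE_OUTPUT = """\
#masscan
open tcp 80 10.0.0.5 1700000000
open tcp 22 10.0.0.5 1700000001
open tcp 21 10.0.0.7 1700000002
open tcp 22 10.0.0.1 1700000003
open tcp 443 10.0.0.9 1700000004
# end
"""

def parse_masscan(text):
    """Return {ip: set(open TCP ports)}; comment rows are skipped."""
    hosts = defaultdict(set)
    for row in text.splitlines():
        m = LINE_RE.match(row.strip())
        if m and m.group(1) == "open" and m.group(2) == "tcp":
            hosts[m.group(4)].add(int(m.group(3)))
    return dict(hosts)

def findings(hosts):
    """Return sorted (ip, port, reason) tuples for policy violations."""
    out = []
    for ip, ports in hosts.items():
        for port in sorted(ports):
            if port == 22 and ip in SSH_ALLOWLIST:
                continue  # approved bastion host
            if port in RISKY_PORTS:
                out.append((ip, port, RISKY_PORTS[port]))
    return sorted(out)

if __name__ == "__main__":
    for ip, port, reason in findings(parse_masscan(SAMPLE_OUTPUT)):
        print(f"{ip}:{port}  {reason}")
```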
Application vulnerability scanners
Application scanners are automated tools that find insecure configurations, outdated libraries, and code vulnerabilities in software applications.
Arachni
Arachni is a modular web app vulnerability scanner and security testing tool designed to uncover code and input validation vulnerabilities like SQL injection, cross-site request forgery (CSRF), and file inclusion weaknesses.
How Arachni works
You can use Arachni to scan apps or websites with PINs or credit card numbers collected during transactions. First, you’ll need to set up Arachni on your servers and provide authentication credentials to enable it to crawl your website to identify user input fields for collecting sensitive customer data (e.g., login services, payment dashboards, and checkout processes).
Burp Suite CE
Burp Suite comprises a set of tools for identifying and exploiting web app vulnerabilities. It has an advanced crawler for identifying input fields, forms, and links. Its Interception proxy enables the detection of proxy-based attacks like CSRF and its Intruder tool allows for pen testing via parameter manipulation and brute force attacks.
How Burp Suite works
Burp Suite works like a man-in-the-middle proxy, intercepting traffic between client and server and analyzing it for security vulnerabilities. To get started, install Burp Suite CE and configure your browser to use 127.0.0.1:8080 as its HTTP proxy. Then navigate the target website as a typical user or threat actor would, so that Burp Suite captures the HTTP requests and responses and can detect malicious packets or inputs. You can also test for password vulnerabilities by using Intruder to perform brute-force scans against login pages.
Container vulnerability scanners
Container vulnerability scanners check for security gaps and misconfigurations that attackers can exploit in containers.
Clair
Clair is a scanner that conducts static vulnerability analysis of containers and container images. It is often deployed alongside the built-in vulnerability scanners of common container registries like AWS ECR and Quay.
How Clair works
Clair works by continuously importing CVE data from pre-configured databases like the National Vulnerability Database (NVD). To use Clair, create a docker-compose file containing a Clair container (for the API) and a PostgreSQL container (for CVE data storage).
Anchore Engine
Anchore Engine is a command-line vulnerability scanner for detecting security weaknesses and compliance issues in containers within CI pipelines.
How Anchore Engine works
Anchore Engine works by first fetching a container image from a pre-configured registry, then generating a software bill of materials (SBOM), indexing all components of the image. Afterwards, it compares the indexed components—e.g., software packages—to a vulnerability database, correlating the software risks with known vulnerabilities.
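The SBOM-to-vulnerability-database correlation step described above, as an added example (not the article's or Anchore's own code): components are matched on ecosystem and package name, then checked against each record's affected version range. The SBOM, the feed and the EXAMPLE-* vulnerability IDs are constructed placeholders.

```python
"""Correlate an SBOM's packages with a vulnerability feed (Anchore-style).
Added example, not the article's or Anchore's own code; the SBOM and the
feed are constructed, and the vulnerability IDs are placeholders."""
import re

def parse_version(v):
    """'3.1.4-r2' -> (3, 1, 4): distro suffixes and pre-release tags are
    dropped, which is fine for this demo but too naive for production."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))

def is_affected(version, record):
    """True when version is in [introduced, fixed); a missing 'fixed'
    means no patched release is known yet."""
    v = parse_version(version)
    if v < parse_version(record.get("introduced", "0")):
        return False
    fixed = record.get("fixed")
    return fixed is None or v < parse_version(fixed)

def correlate(sbom, feed):
    """Return [(pkg, version, vuln_id, severity)] for every affected
    component; match on (ecosystem, name), then on version range."""
    index = {}
    for rec in feed:
        index.setdefault((rec["ecosystem"], rec["name"]), []).append(rec)
    hits = []
    for comp in sbom["components"]:
        for rec in index.get((comp["ecosystem"], comp["name"]), []):
            if is_affected(comp["version"], rec):
                hits.append((comp["name"], comp["version"], rec["id"], rec["severity"]))
    return hits

# Constructed SBOM (CycloneDX-like shape, trimmed) for one container image.
SBOM = {"components": [
    {"ecosystem": "alpine", "name": "openssl", "version": "3.1.4-r2"},
    {"ecosystem": "alpine", "name": "busybox", "version": "1.36.1-r5"},
    {"ecosystem": "pypi", "name": "requests", "version": "2.25.1"},
]}
# Constructed feed; the IDs are placeholders, not real CVE numbers.
FEED = [
    {"id": "EXAMPLE-0001", "ecosystem": "alpine", "name": "openssl",
     "introduced": "3.0.0", "fixed": "3.1.5", "severity": "High"},
    {"id": "EXAMPLE-0002", "ecosystem": "pypi", "name": "requests",
     "introduced": "2.3.0", "fixed": "2.31.0", "severity": "Medium"},
    {"id": "EXAMPLE-0003", "ecosystem": "alpine", "name": "busybox",
     "introduced": "1.30.0", "fixed": "1.36.0", "severity": "Low"},
]

if __name__ == "__main__":
    for name, ver, vid, sev in correlate(SBOM, FEED):
        print(f"{sev:<6} {vid} {name}@{ver}")
```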
Code vulnerability scanners
Code vulnerability scanners are designed to identify potential vulnerabilities in source code and binary files throughout the software development lifecycle.
KICS
Keeping Infrastructure as Code Secure (KICS) is an infrastructure as code (IaC) security scanner for detecting vulnerabilities in IaC written for tools like Terraform, Docker, and Ansible, before code is shipped.
How KICS works
KICS comes with robust built-in and customizable policy templates that enable it to scan IaC files for misconfigurations, vulnerabilities, and compliance violations. It covers a wide range of compliance standards, such as GDPR, PCI DSS, and HIPAA, and enforces security best practices. KICS parses IaC files, extracts relevant metadata, and matches the data against the CIS’s library of built-in custom rules.
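The parse-then-match-rules flow described above, as an added example in the spirit of KICS (it is not KICS code and its two rules are assumptions written for this demo): it loads a constructed Terraform JSON document and flags a publicly readable S3 bucket ACL and a security group that exposes SSH to the whole internet, while leaving the compliant resources alone.

```python
"""Rule-based IaC misconfiguration scan over Terraform JSON (.tf.json).
Added example in the spirit of KICS; it is not KICS code and the two rules
are assumptions written for this demo. The IaC document is constructed."""
import json

TF_JSON = json.loads("""
{"resource": {
  "aws_s3_bucket_acl": {
    "logs": {"bucket": "${aws_s3_bucket.logs.id}", "acl": "public-read"},
    "data": {"bucket": "${aws_s3_bucket.data.id}", "acl": "private"}},
  "aws_security_group": {
    "bastion": {"ingress": [{"from_port": 22, "to_port": 22,
                             "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
    "web": {"ingress": [{"from_port": 443, "to_port": 443,
                         "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                        {"from_port": 22, "to_port": 22,
                         "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}}}
""")

def resources(doc, rtype):
    """Yield (name, body) for each resource block of the given type."""
    yield from doc.get("resource", {}).get(rtype, {}).items()

def rule_public_bucket_acl(doc):
    """Flag S3 bucket ACLs that grant access to everyone."""
    public = {"public-read", "public-read-write", "authenticated-read"}
    return [("HIGH", f"aws_s3_bucket_acl.{n}", f"acl={b.get('acl')}")
            for n, b in resources(doc, "aws_s3_bucket_acl")
            if b.get("acl") in public]

def rule_ssh_open_to_world(doc):
    """Flag ingress exposing port 22 to 0.0.0.0/0 (all-traffic rules too)."""
    out = []
    for name, body in resources(doc, "aws_security_group"):
        for rule in body.get("ingress", []):
            all_traffic = str(rule.get("protocol")) == "-1"  # Terraform: ports 0-0
            covers_22 = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
            if (all_traffic or covers_22) and "0.0.0.0/0" in rule.get("cidr_blocks", []):
                out.append(("HIGH", f"aws_security_group.{name}",
                            "port 22 open to 0.0.0.0/0"))
    return out

def scan(doc):
    """Run every rule and return the combined list of findings."""
    rules = (rule_public_bucket_acl, rule_ssh_open_to_world)
    return [f for rule in rules for f in rule(doc)]

if __name__ == "__main__":
    for sev, res, detail in scan(TF_JSON):
        print(f"[{sev}] {res}: {detail}")
```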
Gitleaks
Gitleaks is a code scanner for identifying hard-coded secrets, such as passwords, private keys, API keys, and tokens in code repos before they are exploited by attackers.
How Gitleaks works
Gitleaks can scan code before or after it is committed to Git. If you’ve written some code and need to be sure it contains no secrets or vulnerabilities before pushing it to Git, you’d run the following command:
gitleaks protect .
This will trigger Gitleaks to run a regex scan on the code file, comparing patterns within your code to a set of predefined patterns for detecting common secrets. You can also configure Gitleaks to automatically scan your code or repos for secrets every time code changes are made. Once it finds a matching pattern, Gitleaks alerts you, pinpointing the problematic part of the code.
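A minimal scanner of the kind described above, as an added example (it is not Gitleaks code and does not use its rule set): a format-based rule for AWS access key IDs, a generic assignment rule, and an entropy check plus allowlist that keep down the regex false positives the comparison table mentions. The patterns, threshold, allowlist and scanned lines are assumptions constructed for the demo.

```python
"""Regex-plus-entropy secret scanner in the style of Gitleaks.
Added example, not Gitleaks code or its rule set; the patterns, threshold,
allowlist and scanned lines are assumptions constructed for the demo (the
AWS key is Amazon's documented example key, not a live credential)."""
import math
import re

# Rule name -> pattern whose group(1) is the candidate secret value.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic-assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
ALLOWLIST = {"example-secret", "<redacted>"}  # known placeholder values
ENTROPY_THRESHOLD = 3.5  # bits/char; generic matches below this are noise

def shannon_entropy(s):
    """Bits per character: random keys score high, dictionary words low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_lines(lines):
    """Return [(line_no, rule, value)]. Structured keys (AWS) match on format
    alone; generic assignments must also clear the entropy bar and not be
    allowlisted, which is how regex false positives are kept down."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if value in ALLOWLIST:
                    continue
                if rule == "generic-assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # e.g. "changeme-changeme": almost certainly a placeholder
                findings.append((no, rule, value))
    return findings

# Constructed source lines the scanner runs over.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = "changeme-changeme"
api_key = "x9Q2mVb7Lk3pR8wZ1nT4yC6sD0fG5hJ2"
secret: "example-secret"
token = os.environ["SERVICE_TOKEN"]
""".splitlines()

if __name__ == "__main__":
    for no, rule, value in scan_lines(SAMPLE):
        print(f"line {no}: {rule}: {value[:4]}...")
```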
Endpoint vulnerability scanners
Endpoint vulnerability scanners detect software, OS, and configuration weaknesses on endpoint devices such as desktops, mobile devices, and servers.
Lynis
Lynis is a lightweight endpoint security auditing tool for Unix-based systems. It can be used to run continuous or scheduled scans to facilitate ongoing security posture management.
How Lynis works
Lynis assesses endpoints for issues in system and network configuration, file permissions, and authentication settings. To have Lynis assess your endpoints for security risks, install it from source or through your package manager, then run the audit command against the local system, a remote host, or a Docker container.
OSSEC
OSSEC is a host-based intrusion detection system (HIDS) for monitoring and auditing endpoints. OSSEC detects endpoint security risks like suspicious activities, rootkits, malware, unauthorized access, and policy violations.
How OSSEC works
OSSEC works via agentless and agent-based deployments. It collects data from operating systems, servers, firewalls, routers, and intrusion prevention systems (IPS). It then uses predefined rules and detection signatures to detect known vulnerabilities, attack patterns, and policy violations in endpoint devices.
Vulnerability management with Wiz
Wiz’s agentless vulnerability management solution offers the full range of capabilities needed to manage vulnerabilities throughout their lifecycle—from discovery to prioritization, auto-remediation, and continuous monitoring. Better yet? Our vulnerability management offerings are integrated into the Wiz cloud-native application protection platform (CNAPP), enabling us to provide unmatched contextual insights on vulnerabilities and their root causes.
As a leader in vulnerability research, we’ve debuted our own vulnerability database and have earned our badge as a CVE Numbering Authority. Insights from the research conducted by our team are used to further enrich the data available to our vulnerability management solution, vastly increasing its vulnerability detection accuracy. And our recent Red Hat Vulnerability Scanner certification further demonstrates Wiz’s unparalleled ability to protect your entire IT stack from threats and vulnerabilities.