SSM Scan

SSM Integration Scan

By registering AWS authentication information, you can select EC2 instances from the FutureVuls screen and scan them on demand.

The SSM scan results can be checked in SSM command history and Scan history.

Target OS (limited to instances on AWS EC2)

  • Amazon Linux
  • Amazon Linux 2
  • Red Hat
  • Debian
  • Ubuntu

SSM-based scans can only be performed on the local scan server.

SSM scans are only available for scanner version vuls v0.7.0 build-20190605_091348_d2daa3a and later.
If you have an older version, please update the scanner.

SSM Integration Scan Settings

  • Please complete the registration of AWS authentication information in advance.
  • This feature is for local scan servers only and cannot be used with remote scan servers.

AWS Environment Settings

  • Create an AWS instance
    • Create an AWS instance from the AWS Management Console (see Target OS for the OS)
    • Create a role with the AmazonSSMManagedInstanceCore policy (AWS documentation)
    • Assign the created role to the instance as an IAM role.
  • Register SSM on the AWS instance (official documentation)
    • sudo yum -y install amazon-ssm-agent (for AmazonLinux; see the above documentation for other OSes)
    • sudo systemctl start amazon-ssm-agent (for AmazonLinux; see the above documentation for other OSes)
  • Confirm SSM registration
    • Check that the above instance is registered in Managed Instances in AWS System Manager.

FutureVuls Settings

  • Click the Configure button on the AWS Integration page in Group settings. image

  • Install awscli

    • Confirmed to work with version 1.16.80 or later.
  • Execute the displayed command (AWS CLI) in an environment where the AWS CLI is installed and configured (the ssm.CreateDocument and ssm.DeleteDocument permissions are required), and click Next. image

  • If SSM-based scan is set up, it is complete.

Automatic Integration with SSM

  • After configuring SSM as described above, information on whether each server can be integrated with SSM is incorporated into FutureVuls at the time of scanning.

  • If the SSM integration column of the server list is marked with , the setup is complete. image

  • When adding servers managed by SSM after configuring AWS authentication, they will be automatically integrated with FutureVuls during the timing of the scan.

SSM scan execution

  • Click the scan execution button that appears on the server details screen to start the scan. image

  • SSM command execution history and execution status can be checked from SSM command history. image

  • Scan success and failure can be checked from the scan history.

If the scan fails

If a message like the following appears in the command history, follow the steps below to check the result. failed-ssm

  • To check the result (success/failure) of the SSM command
    • You can check it from Amazon Systems Manager > Run Command > Command History of the target AWS account.
  • To check detailed logs of the command execution