Unapproved software package loaded on EC2 instances

Scenario

The network team notified the security team that it has seen network scanning activity coming from EC2 instances. Nmap is a common software package used to scan networks. Identify the servers that have the Nmap package installed.

How do I investigate?

  • Navigate to the Shared Services account
  • Go to Systems Manager and select Inventory from the side menu
  • Select Detailed View
  • Select Run Advanced Queries
  • Enter the query below in the New query window and click Run Query
    SELECT *
    FROM "aws_application"
    WHERE "packageid" LIKE '%nmap%'
    LIMIT 20;
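
A follow-up query for triage, added here as an example and not part of the original workshop: it matches on the package name as well as the package ID, case-insensitively (LIKE in Athena is case-sensitive), and joins each hit to its host details. The "aws_instanceinformation" table and every column name other than "packageid" are assumptions based on the default Systems Manager Inventory resource data sync schema; adjust them to what your database actually exposes.

```sql
-- Added example (not from the workshop).
-- Assumed: table "aws_instanceinformation" and the columns name, version,
-- resourceid, accountid, region, computername, ipaddress, platformname.
-- Only "aws_application"."packageid" appears in the original query.
SELECT
    a.accountid,            -- account that owns the instance (assumed partition column)
    a.region,               -- region of the instance (assumed partition column)
    a.resourceid,           -- managed instance ID reported by Inventory
    i.computername,
    i.ipaddress,
    i.platformname,
    a.name      AS package_name,
    a.version   AS package_version,
    a.packageid
FROM "aws_application" a
-- LEFT JOIN keeps the hit even if the instance has no host record yet
LEFT JOIN "aws_instanceinformation" i
       ON i.resourceid = a.resourceid
-- lower() catches 'Nmap', 'NMAP' and 'nmap' in either field
WHERE lower(a.name)      LIKE '%nmap%'
   OR lower(a.packageid) LIKE '%nmap%'
ORDER BY a.accountid, a.region, a.resourceid;
```

Sorting by account and region groups the results so each owning team can be handed its own list of instances to review.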

Team Discussion

  • What other teams could use the Systems Manager Inventory solution?
  • Are there any other scenarios that the inventory could help with?

Resources