Unapproved software package loaded on EC2 instances
The network team has notified the security team of network scanning activity originating from EC2 instances. Nmap is a common software package used to scan networks. Identify the servers that have the Nmap package installed.
How do I investigate?
- Navigate to the Shared Services account
- Go to Systems Manager and select Inventory from the side menu
- Select Detailed View
- Select Run Advanced Queries
- Enter the query below in the New query window and click Run Query
SELECT * FROM "aws_application"
WHERE "packageid" LIKE '%nmap%' LIMIT 20;
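For triage, the package match is more useful once it is joined to the instance details. The query below is an added example, not part of the original workshop; it assumes the default Athena tables and columns that the Systems Manager Inventory resource data sync creates (`aws_application`, `aws_instanceinformation`, and the `accountid` and `region` partition columns).

```sql
-- Added example. Table and column names assume the default Glue tables
-- produced by the Systems Manager Inventory resource data sync; adjust
-- them if your crawler named them differently.
SELECT
    a.accountid,
    a.region,
    i.instanceid,
    i.computername,
    i.ipaddress,
    i.platformname,
    a.name          AS package_name,
    a.version       AS package_version,
    a.publisher,
    a.installedtime
FROM "aws_application" a
JOIN "aws_instanceinformation" i
    ON  a.resourceid = i.instanceid
    AND a.accountid  = i.accountid
    AND a.region     = i.region
-- Match on either the package id or the display name, case-insensitively.
WHERE (lower(a.packageid) LIKE '%nmap%' OR lower(a.name) LIKE '%nmap%')
  -- Skip inventory left behind by instances that no longer exist.
  AND i.instancestatus <> 'Terminated'
ORDER BY a.accountid, a.region, i.instanceid;
```

The `%nmap%` pattern also matches related packages such as `nmap-ncat`, so check `package_name` before treating a row as a scanner install.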
- What other teams could use the Systems Manager Inventory solution?
- Are there any other scenarios that the inventory could help with?