Abstract: Techniques for configurable event-based compute instance security assessments are described. A security assessment service receives one or more configuration messages, sent on behalf of a user, indicating a request to perform a security assessment of one or more computing resources managed by a service provider system responsive to any of one or more events being determined to have occurred. The security assessment is to include attempting to identify security vulnerabilities of the one or more computing resources. The security assessment service determines that an event of the one or more events has occurred subsequent to event data being reported that is indicative of the event, and performs the security assessment of the one or more computing resources responsive to the determining that the event has occurred.

Abstract: Systems for performing a security assessment of a target computing resource, such as a virtual machine or an instance of a virtual machine, include a scanning service that facilitates duplication of all or a portion of the target computing resource, and then performs the security assessment on the duplicate computing resource to avoid consuming processing time, processing power, and storage space of the target computing resource. A snapshot of the target computing resource, containing the data necessary to reproduce the portion to be assessed, is captured and used to implement the duplicate computing resource in newly allocated resources. The snapshot can be an image of a logical volume implementing the target computing resource. To reproduce a target virtual machine, the snapshot may include a configuration used to instantiate the target virtual machine; the scanning service may implement a duplicate virtual machine that is instantiated with the same configuration.

Abstract: Techniques for configurable event-based compute instance security assessments are described. A security assessment service receives one or more configuration messages, sent on behalf of a user, indicating a request to perform a security assessment of one or more computing resources managed by a service provider system responsive to any of one or more events being determined to have occurred. The security assessment is to include attempting to identify security vulnerabilities of the one or more computing resources. The security assessment service determines that an event of the one or more events has occurred subsequent to event data being reported that is indicative of the event, and performs the security assessment of the one or more computing resources responsive to the determining that the event has occurred.

Abstract: Systems for providing a security assessment of a target computing resource, such as a virtual machine or an instance of a virtual machine, include a security assessments provisioning service that provisions third-party-authored rules packages and security assessments into the computing environment of the target computing resource. The third-party rules package includes rules that can operate on telemetry and configuration data of the target computing resource, produced by sensors that are native to the computing environment, but the sensor protocols, message format, and sensitive data are not exposed to the rules. The provisioning service can provide security assessments and/or rules packages that are “native” and are thus able to operate directly on the telemetry and configuration data.

Abstract: Systems for performing a security assessment of a target computing resource, such as a virtual machine or an instance of a virtual machine, include a security assessment service that enables the use of third-party-authored rules packages in the security assessment. The third-party rules package includes rules that can operate on telemetry and configuration data of the target computing resource, produced by sensors that are native to the computing environment, but the sensor protocols, message format, and sensitive data are not exposed to the rules. An interface, such as an ingest function, may be used to convert telemetry data in the form of sensor messages into assessment data objects. The assessment data objects contain the data elements the rules evaluate, and may also have corresponding retrieval methods that are exposed to the rules; the rules call the retrieval methods to extract parameter-value pairs from the data object.

Abstract: Techniques for configurable event-based compute instance security assessments are described. A security assessment service receives one or more configuration messages, sent on behalf of a user, indicating a request to perform a security assessment of one or more computing resources managed by a service provider system responsive to any of one or more events being determined to have occurred. The security assessment is to include attempting to identify security vulnerabilities of the one or more computing resources. The security assessment service determines that an event of the one or more events has occurred subsequent to event data being reported that is indicative of the event, and performs the security assessment of the one or more computing resources responsive to the determining that the event has occurred.