[inspector2] GetConfiguration is missing the ec2Configuration object #2617

FlorianSW opened this issue Apr 23, 2024 · 3 comments

@FlorianSW

Describe the feature

First of all: I don't know if this repository is the correct one to open this issue at. However, as I use the AWS SDK Go v2 as the main development tool when using AWS, it feels good to open it here, even if the issue spreads through all SDKs and the CLI as well :)

Recently (yesterday), AWS announced new agentless scanning for EC2 instances:
https://aws.amazon.com/about-aws/whats-new/2024/04/amazon-inspector-agentless-vulnerability-assessments-ec2-ga/

This includes a new configuration for Inspector, which allows an account user to switch between agentless and agent-based scanning. When looking into the AWS Management Console, this is done using the two API calls:

POST https://inspector2.<region>.amazonaws.com/configuration/get
-> used to retrieve the current configuration, which will respond like:

{
    "ec2Configuration": {
        "scanModeState": {
            "scanMode": "EC2_HYBRID",
            "scanModeStatus": "SUCCESS"
        }
    },
    "ecrConfiguration": {
        "rescanDurationState": {
            "pullDateRescanDuration": "DAYS_90",
            "rescanDuration": "DAYS_30"
        }
    }
}

In the ec2Configuration object, the current configuration of the agent-based or agentless configuration is visible. To change the config, there is another API request:
POST https://inspector2.<region>.amazonaws.com/configuration/update
with the following body (as an example):

{"ec2Configuration":{"scanMode":"EC2_SSM_AGENT_BASED"}}

Unfortunately, these new fields are neither documented in the API documentation[1][2], nor exposed in the Go SDK v2. It would be nice to have this visibility (for the GetConfiguration API), as well as the possibility to change the current configuration for EC2 scanning (just like it is possible with the ECR one).

[1] https://docs.aws.amazon.com/inspector/v2/APIReference/API_GetConfiguration.html
[2] https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateConfiguration.html

Use Case

We use the AWS SDK Go v2 as tooling for account provisioning and automatic account configuration to assist our developers in their usage with AWS. Configuring the EC2 scanning mode is crucial in order for us to be able to use agent-based or agentless scanning (and configuring this in accordance with our requirements) at a scale of multiple hundreds of accounts. Without going into each account manually and setting this config through the UI :)

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2/service/inspector2 v1.24.4

Go version used

go version go1.21.5 darwin/arm64

@FlorianSW FlorianSW added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 23, 2024
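
Added example, not part of the original issue and not AWS SDK code: a standard-library-only Go sketch of the fleet audit described in the use case, which decodes the raw `configuration/get` body quoted above and produces the `configuration/update` body when an account deviates from the required scan mode. The helper name `planScanModeUpdate` is hypothetical, fetching and SigV4-signing the request is assumed to happen elsewhere, and treating any status other than `SUCCESS` as unsettled is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Field names come from the response body quoted in the issue; only the EC2 part is modelled.
type getConfigurationResponse struct {
	Ec2Configuration *struct {
		ScanModeState *struct {
			ScanMode       string `json:"scanMode"`
			ScanModeStatus string `json:"scanModeStatus"`
		} `json:"scanModeState"`
	} `json:"ec2Configuration"`
}

// planScanModeUpdate (hypothetical helper) inspects a raw configuration/get
// response and returns the configuration/update body needed to reach want.
// It returns "" when the account already reports want with status SUCCESS.
func planScanModeUpdate(raw []byte, want string) (string, error) {
	var resp getConfigurationResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return "", fmt.Errorf("decode configuration: %w", err)
	}
	// A response without the EC2 block cannot be audited, so fail closed
	// instead of assuming the account is compliant.
	if resp.Ec2Configuration == nil || resp.Ec2Configuration.ScanModeState == nil {
		return "", fmt.Errorf("response has no ec2Configuration.scanModeState")
	}
	st := resp.Ec2Configuration.ScanModeState
	if st.ScanMode != want {
		body, err := json.Marshal(map[string]map[string]string{
			"ec2Configuration": {"scanMode": want},
		})
		return string(body), err
	}
	if st.ScanModeStatus != "SUCCESS" {
		// Assumption: any other status means the mode is not settled yet.
		return "", fmt.Errorf("scan mode %s has status %q, not SUCCESS", st.ScanMode, st.ScanModeStatus)
	}
	return "", nil
}

func main() {
	// Constructed sample: the EC2 part of the response shown in the issue.
	raw := []byte(`{"ec2Configuration":{"scanModeState":{"scanMode":"EC2_HYBRID","scanModeStatus":"SUCCESS"}}}`)
	body, err := planScanModeUpdate(raw, "EC2_SSM_AGENT_BASED")
	fmt.Println(body, err)
}
```
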
@MrGossett

MrGossett commented Apr 23, 2024

@FlorianSW hi! Fellow AWS Go SDK v2 user here.

I'm pretty sure the structure you're looking for will appear in the SDK when the Inspector service team publishes an updated API description that includes it. The AWS Go SDK--along with all of the other first-party SDKs and the CLI--is generated from API descriptions like this one for the inspector2 package. There seems to be quite a lot going on within AWS at large, so feature announcements like the one you linked are not typically coordinated with updates to the API service description. Sometimes I have learned about a new feature by way of SDK release notes, and other times I have learned by way of announcement with an update to the SDKs following days after.

If you keep an eye on the releases published in this repository, I would expect a release in the next few days that will add what you're looking for.

@RanVaknin
Contributor

Hi @FlorianSW thanks for the detailed description. @MrGossett is absolutely 100% right in this case (thank you). These service announcements usually follow an upcoming release of said features by the service team.

It is likely that this feature is already supported, but unless that service team updates their model, the SDKs / CLIs would not have those features.

I actually see in our internal release system that this feature has been submitted, but it takes a bit of time for this to get tested cross SDK, and then officially released.

Like @MrGossett mentioned, keep an eye on the release notes in the near future for updates on this.

Since this is not actually actionable by the SDK team, I'm going to go ahead and close this.
Thanks again,
Ran~

@RanVaknin RanVaknin self-assigned this Apr 25, 2024
@RanVaknin RanVaknin removed the needs-triage This issue or PR still needs to be triaged. label Apr 25, 2024
@RanVaknin RanVaknin closed this as not planned Apr 25, 2024