Cloud native vulnerability management


[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Elastic’s Cloud Native Vulnerability Management (CNVM) feature helps you identify known vulnerabilities in your cloud workloads.

Setup uses infrastructure as code. For instructions, refer to Get started with Cloud Native Vulnerability Management.

CNVM currently only supports AWS EC2 Linux workloads.

Requirements

  • CNVM only works in the Default Kibana space; installing the CNVM integration in any other Kibana space will not work.
  • To view vulnerability scan findings, your user role must grant read privileges on the following indices:

    • logs-cloud_security_posture.vulnerabilities-*
    • logs-cloud_security_posture.vulnerabilities_latest-*

How CNVM works

During setup, you will use an infrastructure as code provisioning template to create a new virtual machine (VM) in the cloud region you wish to scan. This VM installs Elastic Agent and the Cloud Native Vulnerability Management (CNVM) integration, and conducts all vulnerability scanning.

The CNVM integration uses Trivy, a comprehensive open-source security scanner, to scan cloud workloads and identify security vulnerabilities. During each scan, the VM running the integration takes a snapshot of all cloud workloads in its region using the snapshot APIs of the cloud service provider, and analyzes them for vulnerabilities using Trivy. Therefore, scanning does not use resources on the VMs being scanned. All resource usage occurs on the VM installed during CNVM setup.

The scanning process begins immediately upon deployment, then repeats every twenty-four hours. After each scan, the integration sends the discovered vulnerabilities to Elasticsearch, where they appear in the Vulnerabilities tab of the Findings page.

Environments with more VMs take longer to scan.
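The checks a practitioner would run against the two indices named under Requirements and the 24-hour cadence described above, as an added example in Python that is not Elastic's code: it builds the role body that grants the required read access, queries the vulnerabilities_latest index, counts open findings by severity and by whether a fixed package version exists, and flags a scanner that has missed its daily run. The document field names (vulnerability.severity, package.fixed_version, resource.id), the ES_URL and ES_API_KEY environment variables and the six-hour staleness slack are assumptions, not values taken from the documentation; the sample findings are constructed.

```python
import json
import os
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

# Indices named under Requirements: *_latest holds the current state,
# the other keeps the findings of every scan.
FINDINGS_INDEX = "logs-cloud_security_posture.vulnerabilities-*"
LATEST_INDEX = "logs-cloud_security_posture.vulnerabilities_latest-*"

# Documented cadence: one scan every 24 hours. The slack before a scan is
# called stale is an assumption, not a documented value.
SCAN_INTERVAL = timedelta(hours=24)
STALE_SLACK = timedelta(hours=6)


def reader_role_body() -> dict:
    """Body for PUT _security/role/<name>: read on both CNVM indices.
    Kibana feature privileges for the Findings page are configured separately."""
    return {"indices": [{"names": [FINDINGS_INDEX, LATEST_INDEX],
                         "privileges": ["read"]}]}


def latest_findings_query(size: int = 1000) -> dict:
    """Body for POST <LATEST_INDEX>/_search. Field names are assumed (ECS style)."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "_source": ["@timestamp", "vulnerability.id", "vulnerability.severity",
                    "package.name", "package.version", "package.fixed_version",
                    "resource.id"],
    }


def fetch_findings(es_url: str, api_key: str) -> list:
    """Run the query against a live cluster and return the _source documents."""
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/{LATEST_INDEX}/_search",
        data=json.dumps(latest_findings_query()).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return [hit["_source"] for hit in json.load(resp)["hits"]["hits"]]


def parse_ts(value: str) -> datetime:
    """Parse ISO-8601, accepting the trailing 'Z' that Elasticsearch emits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(findings: list, now: datetime) -> dict:
    """Count by severity, split fixable from unfixable, and flag staleness.
    A finding counts as fixable when the scanner recorded package.fixed_version."""
    by_severity = Counter(f["vulnerability"]["severity"] for f in findings)
    fixable = sum(1 for f in findings if f.get("package", {}).get("fixed_version"))
    newest = max((parse_ts(f["@timestamp"]) for f in findings), default=None)
    # An empty *_latest index is treated as stale too: it more often means
    # the scanner VM is down than that the fleet is clean.
    stale = newest is None or now - newest > SCAN_INTERVAL + STALE_SLACK
    return {"total": len(findings), "by_severity": dict(by_severity),
            "fixable": fixable, "unfixable": len(findings) - fixable,
            "newest_scan": newest.isoformat() if newest else None,
            "stale": stale}


# Constructed sample documents with placeholder CVE and instance IDs.
SAMPLE_FINDINGS = [
    {"@timestamp": "2024-05-02T02:00:00Z",
     "vulnerability": {"id": "CVE-0000-0001", "severity": "CRITICAL"},
     "package": {"name": "openssl", "version": "1.1.1k", "fixed_version": "1.1.1w"},
     "resource": {"id": "i-00000000000000001"}},
    {"@timestamp": "2024-05-02T02:00:00Z",
     "vulnerability": {"id": "CVE-0000-0002", "severity": "HIGH"},
     "package": {"name": "curl", "version": "7.79.1", "fixed_version": ""},
     "resource": {"id": "i-00000000000000001"}},
    {"@timestamp": "2024-05-02T02:00:00Z",
     "vulnerability": {"id": "CVE-0000-0003", "severity": "HIGH"},
     "package": {"name": "zlib", "version": "1.2.11", "fixed_version": "1.2.12"},
     "resource": {"id": "i-00000000000000002"}},
    {"@timestamp": "2024-05-01T02:00:00Z",
     "vulnerability": {"id": "CVE-0000-0004", "severity": "MEDIUM"},
     "package": {"name": "bash", "version": "5.1"},
     "resource": {"id": "i-00000000000000002"}},
]
# Constructed reference time: ten hours after the newest sample finding.
REFERENCE_NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    if os.environ.get("ES_URL") and os.environ.get("ES_API_KEY"):
        findings = fetch_findings(os.environ["ES_URL"], os.environ["ES_API_KEY"])
        now = datetime.now(timezone.utc)
    else:
        findings, now = SAMPLE_FINDINGS, REFERENCE_NOW
    print(json.dumps(summarize(findings, now), indent=2))
```

Run it with ES_URL and ES_API_KEY set to query a live cluster; without them it summarizes the constructed sample. Because the vulnerabilities_latest index holds the current set of open findings, a newest_scan timestamp older than roughly a day is the quickest sign that the scanning VM created during setup has stopped running, independent of how many vulnerabilities the last successful scan reported.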