CVE Vulnerabilities
Today you can get complete vulnerability scanning of your cloud environments without implementing an agent.
With a few simple steps, you get a full report with a simple explanation of the CVE risks.
Enable AWS Scan:
For every AWS account:
- Make sure Cloudwize IAM Policy ‘cloudwize-policy’ includes ‘ssm:SendCommand’ permission.
- Make sure SSM Agent is enabled on your EC2 Instances.
How to enable SSM:
1. Log in to your AWS account.
2. Go to Systems Manager Quick Setup: https://us-east-1.console.aws.amazon.com/systems-manager/quick-setup?region=us-east-1
3. In the Host Management box, click Create.
4. Under the configuration options section, make sure only the ‘Update Systems Manager (SSM) Agent every two weeks.’ checkbox is checked.


Enable Azure Scan:
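Paste the script below into your Azure Cloud Shell Bash console. It creates a custom role that includes the runCommand permission and assigns it to the Cloudwize service principal in every subscription.
*The script also installs the az CLI ‘account’ extension. If you wish to remove it, simply run at the end: “az extension remove --name account”*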
# Custom role definition: grants only the VM runCommand action.
echo '{
"Name": "Cloudwize Vulnerabilities Assessment",
"IsCustom": true,
"Description": "Cloudwize Vulnerabilities Assessment",
"Actions": [
"Microsoft.Compute/virtualMachines/runCommand/action"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}' > customrole.json

# The 'account' extension provides 'az account subscription list'.
az extension add -n account -y

# Full subscription resource IDs (/subscriptions/<id>), one per line, for AssignableScopes.
# Querying the id field directly avoids matching other JSON lines that happen to contain "id".
subscriptionsforrolejson=$(az account subscription list --query "[].id" --output tsv)
echo "$subscriptionsforrolejson"

# Bare subscription IDs, used for the role assignments.
subscriptionsforroleassign=$(echo "$subscriptionsforrolejson" | awk -F'/' '{print $3}')
echo "$subscriptionsforroleassign"

# Object ID of the Cloudwize service principal.
cloudwizespnobjectid=$(az ad sp list --all --query "[].{displayName:displayName, objectId:id}" --output table | grep -wi cloudwize | awk '{print $2}')

# Add every subscription to the role's AssignableScopes.
jq --arg list "$subscriptionsforrolejson" '.AssignableScopes|=.+($list|split("\n"))' < customrole.json | tee customroleupdated.json
sleep 5

# Create the role if it does not exist yet, otherwise update it.
roleDefinitionRes=$(az role definition list --name "Cloudwize Vulnerabilities Assessment")
if [ "$roleDefinitionRes" = "[]" ]; then
    echo "Creating role definition"
    az role definition create --role-definition "./customroleupdated.json"
else
    echo "Updating role definition"
    az role definition update --role-definition "./customroleupdated.json"
fi

# Assign the role to the Cloudwize service principal in each subscription.
for subid in $subscriptionsforroleassign
do
    az role assignment create --assignee "$cloudwizespnobjectid" \
        --role "Cloudwize Vulnerabilities Assessment" \
        --subscription "$subid"
done
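
Because runCommand lets the assignee run scripts on every VM in scope, it is worth checking the generated role file before it is created or updated. The following is an added example, not part of the Cloudwize script: a small Python check that a role definition in the format above grants only the runCommand action and is scoped to individual subscriptions. The function name audit_role and the sample subscription ID are assumptions made for illustration.

```python
import json
import re

# The one action the page's custom role is meant to grant.
EXPECTED_ACTIONS = {"Microsoft.Compute/virtualMachines/runCommand/action"}
# Scope form the page's script produces: /subscriptions/<GUID>
SUB_SCOPE = re.compile(
    r"/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def audit_role(role):
    """Return a list of findings; an empty list means the role is as intended."""
    findings = []
    actions = set(role.get("Actions", []))
    for extra in sorted(actions - EXPECTED_ACTIONS):
        kind = "wildcard action" if "*" in extra else "unexpected action"
        findings.append(f"{kind}: {extra}")
    for missing in sorted(EXPECTED_ACTIONS - actions):
        findings.append(f"missing action: {missing}")
    if role.get("DataActions"):
        findings.append("DataActions should be empty")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty")
    for scope in scopes:
        if not SUB_SCOPE.fullmatch(scope):
            findings.append(f"scope is not a single subscription: {scope!r}")
    return findings


# Constructed samples; the subscription ID is made up.
GOOD = json.loads("""{
  "Name": "Cloudwize Vulnerabilities Assessment",
  "IsCustom": true,
  "Actions": ["Microsoft.Compute/virtualMachines/runCommand/action"],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/00000000-1111-2222-3333-444444444444"]
}""")
BAD = dict(GOOD, Actions=GOOD["Actions"] + ["Microsoft.Compute/*"],
           AssignableScopes=["/", ""])

if __name__ == "__main__":
    for label, role in (("good", GOOD), ("bad", BAD)):
        print(label, audit_role(role) or "OK")
```

To check the real file, load customroleupdated.json with json.load and pass the result to audit_role before running az role definition create or update.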