Mondoo Client can be used to scan AWS accounts and EC2 instances remotely from your workstation. This workflow is designed to provide fast, on-demand assessments of your AWS infrastructure outside of the native integration that runs continuously within your account.
This page covers the following topics:
- Remote scan AWS accounts - Scan any AWS account using your
- Agentless scanning of EC2 instances - Scan EC2 instances using EC2 Instance Connect, SSH, or snapshot scanning.
Remote scanning AWS accounts
Mondoo Client can remotely scan AWS accounts by using the configuration and credentials of the `awscli`, typically stored in `~/.aws/credentials`. Before you can scan an AWS account with Mondoo Client, you need the `awscli` installed and configured with credentials for every account you wish to scan.
Set up AWS credentials
To scan an AWS account from your workstation, first make sure your AWS credentials are configured correctly:

```
$ cat ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

If you want to use a specific profile, set the `AWS_PROFILE` environment variable:

```
$ export AWS_PROFILE=mondoo
```
Required permissions for remote AWS account scanning
Mondoo Client requires read-only access to assess the configuration of the services and resources within an AWS account. Mondoo uses the `awscli` credentials to authenticate to the AWS API and therefore inherits the permissions granted to the access keys configured for the user running Mondoo.

AWS provides the `ReadOnlyAccess` managed IAM policy, which grants read-only access to all AWS services. Note that it is broad: besides configuration, it also permits reading data such as S3 object contents, so prefer a dedicated scanning identity that carries only this policy (or a narrower one) over a personal user that already holds additional permissions.
Scan an AWS account with Mondoo Client
To scan an AWS account remotely with Mondoo:

```
mondoo scan aws
```

Mondoo Client runs every AWS policy enabled in your Mondoo account and prints the results to STDOUT on the command line. The results are also sent to Mondoo Platform, where a report is generated for each policy executed against the account.
Multiple AWS profiles
If you manage multiple AWS configurations in your credentials file (see the example credentials file above), set the `AWS_PROFILE` environment variable to select the profile to use, then scan as usual:

```
mondoo scan aws
```
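The credentials-file and `AWS_PROFILE` steps above are manual, one account at a time. The following script is an added example (not Mondoo's own code) that parses the profiles out of a credentials file and runs `mondoo scan aws` once per profile, so every account in the file gets scanned from one invocation. The two-profile credentials file it embeds is constructed for the example and reuses the AWS documentation placeholder keys; the use of `AWS_SHARED_CREDENTIALS_FILE` to point at a non-default file relies on the awscli and AWS SDK convention and is assumed to be honoured by Mondoo Client.

```shell
#!/bin/sh
# Added example, not Mondoo's own code: scan every profile in an AWS
# credentials file, one `mondoo scan aws` run per account.
set -eu

# example_credentials: a CONSTRUCTED two-profile credentials file. The key
# values are the AWS documentation placeholders, not real credentials.
example_credentials() {
  cat <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[mondoo]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
}

# list_profiles FILE: print the section names of an INI-style credentials
# file, one per line. ~/.aws/credentials uses bare names ("[mondoo]");
# ~/.aws/config uses "[profile mondoo]", which this does not handle.
list_profiles() {
  sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$1"
}

# profile_exists FILE NAME: succeed if NAME is a profile in FILE.
profile_exists() {
  list_profiles "$1" | grep -qxF -- "$2"
}

# scan_profiles FILE [PROFILE...]: run `mondoo scan aws` once per profile,
# selecting the account with AWS_PROFILE. Without explicit profiles, every
# profile in FILE is scanned. One failing account does not stop the rest;
# the return code is non-zero if any scan failed or a profile was unknown.
scan_profiles() {
  file=$1
  shift
  if [ "$#" -eq 0 ]; then
    # word-splitting is fine here: credentials profile names have no spaces
    set -- $(list_profiles "$file")
  fi
  rc=0
  for p in "$@"; do
    if ! profile_exists "$file" "$p"; then
      echo "unknown profile: $p" >&2
      rc=1
      continue
    fi
    echo "== scanning AWS account for profile $p"
    # AWS_SHARED_CREDENTIALS_FILE (awscli/SDK convention, assumed to be
    # honoured by Mondoo Client) selects a non-default credentials file.
    if ! AWS_PROFILE="$p" AWS_SHARED_CREDENTIALS_FILE="$file" mondoo scan aws; then
      echo "scan failed for profile $p" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage: sh scan_all_aws_profiles.sh run [PROFILE...]
if [ "${1:-}" = "run" ]; then
  shift
  scan_profiles "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" "$@"
fi
```

Running `sh scan_all_aws_profiles.sh run` scans every profile in `~/.aws/credentials`; `sh scan_all_aws_profiles.sh run default mondoo` restricts it to named profiles and exits non-zero if one of them does not exist, which catches a typo before any scan starts. Because each profile becomes a separate `mondoo scan aws` invocation, each account gets its own report on Mondoo Platform, and a failure in one account (revoked keys, missing permissions) does not hide the results of the others.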
Mondoo Client provides an `--incognito` mode, which scans your AWS account against a specific policy without sending the results back to Mondoo Platform. This is helpful for assessing how an account will score against a policy before enabling it.

To scan an AWS account against a single policy in incognito mode:

```
mondoo scan aws --policy <POLICY MRN> --incognito
```

For example:

```
mondoo scan aws --policy //policy.api.mondoo.app/policies/amazon-web-services-foundations-level-2 --incognito
```

Policy MRNs can be retrieved by running `mondoo policy list --public` from your workstation.
Discover EC2 instances for an AWS account
Mondoo can also discover the EC2 instances in your AWS account:

```
mondoo scan aws --discover all
```

Use `--discover-filter` to restrict discovery by region, instance ID, or tag:

```
mondoo scan aws --discover all \
  --discover-filter regions=us-east-2 \
  --discover-filter instance-ids=i-06eab6c104c0f5fb0
```

Note: when scanning AWS accounts from your workstation, discovered instances can currently only be scanned via SSH. To associate SSH credentials with instances, refer to the Mondoo vault docs.
Agentless scanning of EC2 instances
Mondoo Client supports remote scanning of EC2 instances, enabling on-demand security assessments of your instances using policy as code. Remote scanning requires network connectivity to the instances via SSH or EC2 Instance Connect.
Scan individual EC2 instances using EC2 instance connect
Mondoo Client supports remote scanning of EC2 instances via EC2 Instance Connect:

- Open a terminal.
- Set the `AWS_REGION` environment variable to the region where the instance is running.
- Run the scan, giving the login user and the instance ID:

```
mondoo scan aws ec2 instance-connect user@instance-id
```

For example:

```
mondoo scan aws ec2 instance-connect ec2-user@i-067a3faeded612345
```

EC2 Instance Connect only handles key distribution: it pushes a short-lived SSH public key to the instance, so the calling identity needs the `ec2-instance-connect:SendSSHPublicKey` permission, the instance needs the EC2 Instance Connect package installed, and SSH must still be reachable from your workstation. For more information on configuring instances for EC2 Instance Connect, see Connect to your Linux instance using EC2 Instance Connect in the AWS documentation.
Scan individual EC2 instances using SSH
Mondoo Client supports remote scanning of EC2 instances via SSH:

```
mondoo scan ssh <username>@<PUBLIC_IP or PUBLIC_DNS> --identity-file /path/to/ssh_key
```

To retrieve SSH credentials from a secrets manager such as AWS Secrets Manager or SSM Parameter Store, see the vault documentation.
EC2 snapshot scanning
Mondoo's snapshot scanning offers an easy way to scan Linux EC2 instances without SSH credentials or an SSM agent. You can scan an EC2 instance, an EBS volume, or an EBS snapshot.

NOTE: this feature requires an EC2 instance to scan from, since the volume being scanned is attached to that instance.

- Launch a small EC2 instance (for example Amazon Linux 2 on a t2.micro).
- Install Mondoo Client on it and register it to a Space in the Mondoo Dashboard. For details on setting up Mondoo Client and registering it, see the installation documentation.
- Create an IAM role (for example, name it `ebs`).
- Attach the created IAM role (`ebs`) to your EC2 instance.
- Log in to the EC2 instance and scan the EBS volumes of another instance:

```
mondoo scan aws ec2 ebs <instance id>
```

Alternatively, you can also scan a single volume:

```
mondoo scan aws ec2 ebs volume <volume id>
```

or a snapshot:

```
mondoo scan aws ec2 ebs snapshot <snapshot id>
```
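The steps above say to create an IAM role and attach it to the scanner instance, but not how. The following script is an added example (not Mondoo's own code) that does this with the awscli: it creates a role named `ebs` (the name the page suggests) that only EC2 can assume, gives it an inline policy, wraps it in an instance profile and associates that profile with the scanner instance. The permission list is this example's assumption of what a snapshot-then-attach workflow needs (describe, snapshot, create/attach/detach/delete volumes); it is not Mondoo's published requirement, so check it against the Mondoo documentation for your version and trim it to what the scan actually uses.

```shell
#!/bin/sh
# Added example, not Mondoo's own code: create the IAM role and instance
# profile for an EC2 instance that performs EBS snapshot scanning, and
# attach the profile to that instance. Requires awscli with IAM and EC2
# write permissions on the caller's side.
set -eu

ROLE_NAME=${ROLE_NAME:-ebs}   # role name suggested on the page

# trust_policy: only the EC2 service may assume the role, so the
# permissions reach the scanner only through its instance profile.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# ebs_scan_policy: inline permissions for the scanner. Describe* is
# read-only; the second statement lets the scanner snapshot a target
# volume, materialise it as a new volume, attach it to itself and clean
# up afterwards. ASSUMPTION: this is what such a workflow typically needs;
# it is not Mondoo's documented list. Nothing here touches IAM, and no
# SSH or SSM access to the target instance is granted.
ebs_scan_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:DescribeSnapshots"],
      "Resource": "*"
    },
    {
      "Sid": "SnapshotAndAttach",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
        "ec2:CreateVolume", "ec2:DeleteVolume",
        "ec2:AttachVolume", "ec2:DetachVolume",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# setup_scanner_role INSTANCE_ID: create role and instance profile, then
# associate the profile with the scanner instance.
setup_scanner_role() {
  instance_id=$1
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "${ROLE_NAME}-snapshot-scan" \
    --policy-document "$(ebs_scan_policy)"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
  # IAM is eventually consistent; a new profile can take a few seconds to
  # become visible to EC2.
  sleep 10
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile Name="$ROLE_NAME"
}

# Usage: sh setup_ebs_scanner_role.sh apply <scanner instance id>
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
  setup_scanner_role "$2"
fi
```

After `sh setup_ebs_scanner_role.sh apply i-0123456789abcdef0` (a placeholder instance ID) completes, log in to that instance and run `mondoo scan aws ec2 ebs <instance id>` as shown above. Keep in mind that an instance profile grants its permissions to anything running on the instance via the metadata service, so dedicate the scanner instance to this job, do not reuse the role elsewhere, and require IMDSv2 on it (`aws ec2 modify-instance-metadata-options --http-tokens required`) so a local SSRF or file-read bug cannot trivially harvest the role credentials.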