
Scan AWS Account and EC2 instances via Mondoo Client CLI

Mondoo Client can be used to scan AWS accounts and EC2 instances remotely from your workstation. This workflow is designed to provide fast, on-demand assessments of your AWS infrastructure outside of the native integration that runs continuously within your account.

Remote scanning of AWS accounts

Mondoo Client can remotely scan AWS accounts by using the configuration and credentials of the AWS CLI (awscli), typically located at ~/.aws/credentials. Before you can scan an AWS account with Mondoo Client, you need the AWS CLI installed and configured with credentials for every account you wish to scan.

Set up AWS credentials

You can also scan your AWS account from your workstation!

Ensure your AWS credentials are configured properly:

$ cat ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

If you want to use a specific profile, set AWS_PROFILE:

$ export AWS_PROFILE=mondoo

Required permissions for remote AWS account scanning

Mondoo Client requires read-only access to assess the configuration of the services and resources within an AWS account. Mondoo leverages the credentials for the awscli to authenticate with the AWS API and thus inherits the permissions granted to the AWS access keys configured for the user running Mondoo.

Info: Amazon provides the ReadOnlyAccess managed IAM policy, which grants read-only access to all AWS services.

Scan an AWS account with Mondoo Client

To scan an AWS account remotely with Mondoo:

mondoo scan aws

Mondoo Client will run any AWS policies you have enabled in your Mondoo account and the results from the scan will print to STDOUT on the command-line. Additionally, the results are sent to Mondoo Platform where a report is generated for each policy executed against the account.

Multiple AWS profiles

If you are managing multiple AWS configurations in your credentials file, you can set the AWS_PROFILE environment variable to select which profile to use when scanning.

Example AWS credentials file (~/.aws/credentials):

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[aws-dev-account]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

Select the AWS profile to scan:

export AWS_PROFILE=aws-dev-account
mondoo scan aws

Incognito mode

Mondoo Client provides an --incognito mode which allows you to scan your AWS account against a specific policy without sending the results back to Mondoo Platform. This can be helpful for assessing how an account will score against a given policy before enabling it.

To scan an AWS account in --incognito mode against a specific policy:

mondoo scan aws --policy <POLICY MRN> --incognito

For example, to scan an AWS account against CIS AWS Foundations Level 2 in --incognito mode:

mondoo scan aws --policy //policy.api.mondoo.app/policies/amazon-web-services-foundations-level-2 --incognito

Info: Policy MRNs can be retrieved by running mondoo policy list --public from your workstation.
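The two sections above (multiple profiles and incognito mode) combine naturally into one script: scan every profile in a credentials file, optionally in --incognito mode against one policy MRN. This is an added example, not Mondoo's own tooling; it assumes the mondoo and aws CLIs are installed, and DRY_RUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the Mondoo docs): run "mondoo scan aws" once per profile in an
# AWS credentials file, optionally in --incognito mode against a single policy MRN.
# Assumes the mondoo and aws CLIs are installed; DRY_RUN=1 only prints the commands.

# list_profiles FILE: print the [section] names of an INI-style credentials file, one per line.
list_profiles() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"
}

# build_cmd [POLICY_MRN]: the mondoo command for one profile. With a policy MRN the scan
# runs with --incognito, so nothing is reported back to Mondoo Platform.
build_cmd() {
    if [ -n "${1:-}" ]; then
        printf 'mondoo scan aws --policy %s --incognito' "$1"
    else
        printf 'mondoo scan aws'
    fi
}

# scan_profile PROFILE [POLICY_MRN]: verify the credentials work, then run the scan.
scan_profile() {
    cmd=$(build_cmd "${2:-}")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'AWS_PROFILE=%s %s\n' "$1" "$cmd"
        return 0
    fi
    # Fail early on invalid or expired keys instead of letting the scan die part-way.
    AWS_PROFILE="$1" aws sts get-caller-identity >/dev/null \
        || { echo "profile $1: credentials rejected" >&2; return 1; }
    AWS_PROFILE="$1" sh -c "$cmd"
}

# scan_all FILE [POLICY_MRN]: scan every profile; keep going past failures and
# return non-zero if any profile failed, so a CI job still notices.
scan_all() {
    rc=0
    for p in $(list_profiles "$1"); do
        scan_profile "$p" "${2:-}" || rc=1
    done
    return $rc
}

# Usage: DRY_RUN=1 sh scan-profiles.sh ~/.aws/credentials [POLICY_MRN]
# e.g. POLICY_MRN=//policy.api.mondoo.app/policies/amazon-web-services-foundations-level-2
if [ "$#" -ge 1 ]; then
    scan_all "$1" "${2:-}"
fi
```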

Discover EC2 instances for an AWS account

Mondoo can also discover the EC2 instances in your AWS account.

mondoo scan aws --discover all

Use --discover-filter to add filters for regions, instance IDs, and tags:

mondoo scan aws --discover all \
--discover-filter regions=us-east-2 \
--discover-filter instance-ids=i-06eab6c104c0f5fb0 \
--discover-filter tags=Name:testnametag

Note: When scanning AWS accounts from your workstation, instances can currently only be scanned via SSH. To associate credentials with instances for SSH scanning, refer to the Mondoo vault docs.

Agentless scanning of EC2 instances

Mondoo Client supports remote scanning of EC2 instances, enabling on-demand security assessments of your instances using policy as code. Remote scanning requires connectivity to the instances via SSH or EC2 Instance Connect.

Scan individual EC2 instances using EC2 Instance Connect

Mondoo Client supports remote scanning of EC2 instances via EC2 Instance Connect:

  1. Open a terminal.
  2. Set the AWS_REGION environment variable to the region where the instance is running.
  3. Run mondoo scan aws ec2 instance-connect <user>@<instance-id>

For example:

export AWS_REGION=us-east-1
mondoo scan aws ec2 instance-connect ec2-user@i-067a3faeded612345

For more information on configuring EC2 instances for EC2 Instance Connect, see "Connect to your Linux instance using EC2 Instance Connect" on the AWS documentation site.

Scan individual EC2 instances using SSH

Mondoo Client supports remote scanning of EC2 instances via SSH:

mondoo scan ssh <username>@<PUBLIC_IP or PUBLIC_DNS> --identity-file /path/to/ssh_key

Info: To retrieve credentials from a secrets manager such as AWS Secrets Manager or SSM Parameter Store, see our vault documentation.

EC2 snapshot scanning

Mondoo's snapshot scanning offers an easy way to scan Linux EC2 instances without SSH credentials or an SSM agent. You can scan an EC2 instance, an EBS volume, or an EBS snapshot.

NOTE: This feature requires an AWS EC2 instance to run the scan from, since the volume needs to be attached to that instance.

  1. Spin up a small EC2 instance (e.g. OS: amazonlinux2, instance type: t2.micro).

  2. Install Mondoo Client and register it to a Space in the Mondoo Dashboard. For more details about how to set up Mondoo Client and register it to the Mondoo Dashboard, see the installation documentation.

  3. Create an IAM role (e.g. name it ebs) with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateVolume",
        "ec2:CopySnapshot",
        "ec2:CreateTags",
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      },
      "Action": "kms:CreateGrant",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

  4. Attach the created IAM role (ebs) to your EC2 instance.

  5. Log in to the EC2 instance and scan the EBS volume of an instance:

mondoo scan aws ec2 ebs <instance id>

Alternatively, you can also scan a volume:

mondoo scan aws ec2 ebs volume <volume id>

or a snapshot:

mondoo scan aws ec2 ebs snapshot <snapshot id>
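The role-creation and attachment steps above can be scripted. The following is an added example, not Mondoo's own tooling: it creates the ebs role with the EC2 trust policy the role needs in order to serve as an instance profile (the page shows only the permissions policy), wraps it in an instance profile and associates it with the scanner instance. It assumes the aws CLI is configured with IAM permissions and that the policy JSON from the step above has been saved as ebs-scan-policy.json in the current directory.

```shell
#!/bin/sh
# Added example (not from the Mondoo docs): create the "ebs" IAM role from the step above,
# wrap it in an instance profile and attach it to the scanner instance.
# Assumes the aws CLI is configured with IAM permissions and that the permissions policy
# JSON from the step above is saved as ebs-scan-policy.json in the current directory.
ROLE_NAME=ebs                     # role name suggested in the step above
POLICY_FILE=ebs-scan-policy.json  # assumed location of the saved permissions policy

# The page's JSON is the permissions policy; the role additionally needs a trust policy
# that lets the EC2 service assume it, otherwise it cannot back an instance profile.
trust_policy() {
    printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# has_required_actions FILE: pre-flight check that the saved document still grants the
# actions the EBS scan depends on (creating, attaching and cleaning up the temporary copy).
has_required_actions() {
    for action in ec2:CreateSnapshot ec2:CreateVolume ec2:AttachVolume \
                  ec2:DetachVolume ec2:DeleteVolume ec2:DeleteSnapshot; do
        grep -q "\"$action\"" "$1" || { echo "missing $action in $1" >&2; return 1; }
    done
}

# Create the role, attach the page's permissions policy inline, and expose the role
# through an instance profile of the same name.
create_role_and_profile() {
    aws iam create-role --role-name "$ROLE_NAME" \
        --assume-role-policy-document "$(trust_policy)" >/dev/null
    aws iam put-role-policy --role-name "$ROLE_NAME" \
        --policy-name mondoo-ebs-scan --policy-document "file://$POLICY_FILE"
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# attach_to_instance INSTANCE_ID: associate the instance profile with the scanner instance.
attach_to_instance() {
    aws ec2 associate-iam-instance-profile \
        --instance-id "$1" --iam-instance-profile "Name=$ROLE_NAME"
}

# Usage: sh setup-ebs-role.sh <scanner instance id>
if [ "$#" -eq 1 ]; then
    set -e
    has_required_actions "$POLICY_FILE"
    create_role_and_profile
    attach_to_instance "$1"
fi
```

After the profile is associated, log in to the scanner instance and run the mondoo scan aws ec2 ebs commands shown above.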