Skip to main content

AWS & Mondoo - Overview

This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in AWS.

Mondoo AWS integration

The Mondoo AWS integration enables cron-scheduled and event-based continuous scanning of your AWS account and EC2 instances. You can either scope it to a single AWS account or apply it to an AWS Organization to scan all AWS accounts associated with the organizational unit.

How it works​

The Mondoo AWS Integration configures a Lambda function using AWS CloudFormation. The function enables continuous automated configuration assessments of your AWS accounts and the deployed resources. By default, the Lambda function scans across all AWS regions every 12 hours.

The integration authenticates with the configured Mondoo Platform space, and retrieves any Mondoo policies for AWS ENABLED in the Policy Hub. After a successful scan, the integration sends results back to Mondoo Platform, which generates reports for each ENABLED policy.

The AWS CloudFormation JSON and Lambda zip are available as part of the Mondoo S3 bucket:

To learn more about enabling and disabling policies, see Policy Management.


Create a new integration​

Access the Mondoo AWS integration create screen in any of three ways:

  • New space setup: After creating a new Mondoo account, or creating a new space, the initial setup guide lets you select AWS environment.


  • INTEGRATIONS page: Navigate to INTEGRATIONS. In the left navigation, select AWS Accounts and then select ADD INTEGRATION.


  • Add integration page: In the left navigation, select AWS.

Scan configuration​


The Mondoo AWS integration supports scanning multiple AWS Accounts when installed across an AWS Organization using CloudFormation StackSets. It can also be installed to a single AWS Account.

First, select whether this will be an AWS Organization install or a single account install.

Organization vs. single account install.​

If you're installing the integration to an AWS Organization, use any name for the integration. This name is only for your reference, and has no bearing on the behavior of the integration. When installing to an AWS Organization, all scan configuration options will apply to every AWS Account in the AWS Organization.

If you're installing the integration to a single account, enter the AWS Account ID. For a single account installation, the AWS Account ID must match the ID of the AWS account you plan to integrate with Mondoo.

Select your desired scan configuration options and select Create.


Selecting Create does not finalize the integration between Mondoo and AWS. You must also launch the AWS CloudFormation stack to complete the setup.


The word "Event" in the scan configuration options refers to AWS EventBridge Events


  • Schedule Full Scan: Set the interval (in hours) at which to execute a full scan of the AWS account, independent of change events.
  • Trigger on AWS Console Sign-in Event: Trigger an account scan whenever a user signs in to the AWS console.


  • Discover EC2 Instances: Include EC2 instances in asset discovery. (By default, this applies across all regions.)
  • Use SSM for Instance Connectivity: Use the AWS SSM service to trigger scans for EC2 instances when available.
  • Use EBS Volume Scanning for Instance Connectivity: Use EBS volume scanning to scan the filesystem of instances that are not otherwise reachable for scanning. This includes stopped instances.
  • Use SSH for Instance Connectivity: Connect to EC2 instances using SSH. You must use the vault secret query.
  • Vault Secret Query: Provide the query to match vault credentials to instances. See Mondoo vault docs to learn how to write the query.
  • Vault Secrets Option: When using the vault secret query, there is an option to read the secret from AWS Secrets Manager or AWS SSM Parameter store.
  • Optional Filters: You can filter instance scanning to a subset of regions, instance ids, or tags.
  • Trigger on Instance State Change Event: Trigger a scan of all EC2 instances whenever an instance changes state.
  • Trigger on EC2 Autoscaling Event: Trigger a scan of all EC2 instances on all autoscaling events.


  • Trigger on S3 Bucket Event: Trigger an account scan whenever a change is made to an S3 bucket.

List and view integrations​

Find a list of integrations and their configuration options on the INTEGRATIONS page:


Select an integration row to see the details for that integration.


The primary screen provides you with general information about the integration. This is where Mondoo reports status and errors.


The possible statuses for the AWS Integration are:

  • configuring: Mondoo is sending the scan configuration options to the integration; the integration is saving those options.
  • active: The integration is active/healthy.
  • error: Mondoo detected an error during installation.
  • missing: Mondoo hasn't received a check-in from the Lambda function for over an hour.
  • deleted: CloudFormation for the integration has been deleted.

Below, there are three tabs:

  • Overview lists AWS resources that Mondoo has discovered in your account.


  • Recommended Policies is where you enable and disable recommended policies.


  • Configuration presents scan configuration options.


Action buttons​

You can take these actions from the integration read configuration page:

  • Ping sends a ping message to the integration. The integration will send a check-in message to Mondoo, and the last ping time will be updated.
  • Retry Setup is available only if the integration state is not active. If an error occurred during setup and the CloudFormation stack is now up and running but the integration is unhealthy, select Retry Setup to return it to a healthy state.

Remove an integration​

When you remove an AWS Integration from Mondoo Platform, a notification will appear with a link to the CloudFormation Stacks list in the AWS console. Select the link and, in the AWS console, delete the stack. This removes the configured integration from Mondoo Platform and deletes the rule allowing the Mondoo AWS account to send events to the target account.


Mondoo does not delete your AWS CloudFormation stack for you. You must follow the link and delete the stack in the AWS Console.


The Lambda function updates itself every 8 hours. This is done by updating the AWS CloudFormation stack and the Lambda function code to the latest available from the Mondoo S3 Bucket.

There is a safeguard in place to ensure that the Lambda function only updates itself to the expected build. When new versions of the Lambda function and cloudformation json files are uploaded to S3 during the release process, the SHA-256 of those files is recorded and stored in a place accessible to the Mondoo Nexus Server.

Every time the Lambda function updates, it first reads the SHA-256 of each file in the target S3 bucket and compares that to the expected (stored) hash. If the SHA-256 doesn't match, the Lambda doesn't update. Mondoo employees receive an alert when this occurs.

Mondoo AWS integration query

Once your Mondoo AWS integration is set up, you can run AWS queries against it just like you would in the shell. The queries run across all regions and AWS accounts associated with the integration.

To run a Mondoo query against your AWS integration:

  1. Elevate your service account permissions to Gateway Agent:

[add service accounts photo here]

  1. Copy the integration MRN, which identifies the AWS integration:
  • On the INTEGRATIONS tab, select Amazon AWS and then select the integration.

  • Select the ellipsis (...) on the right, above the status indicator, and select Copy MRN.

[add copy mrn photo here]

  1. Run the query in your terminal.
  • This example finds an S3 bucket with a name that contains "bucket_name":
mondoo exec --integration-mrn INTEGRATION_MRN 'aws.s3.buckets.where(name.contains("bucket_name"))'
  • This example lists details about all EC2 instances across all regions and accounts:
mondoo exec --integration-mrn INTEGRATION_MRN 'aws.ec2.instances { instanceType tags launchTime }'

Example results:

β†’ query integration query="aws.cloudwatch.logGroups { name }"
started query job, waiting for results
..β†’ resolved assets for integration resolved-assets=2

734646854570/aws.cloudwatch.logGroups { name }: [
"name": "/aws/lambda/MondooLambda"
"name": "/aws/lambda/aws-controltower-NotificationForwarder"
"name": "aws-controltower/CloudTrailLogs"
"name": "/aws/lambda/MondooLambda"

992041710484/aws.cloudwatch.logGroups { name }: [
"name": "/aws/lambda/MondooLambda"
"name": "/aws/lambda/aws-controltower-NotificationForwarder"
"name": "aws-controltower/CloudTrailLogs"
"name": "/aws/lambda/MondooLambda"


Gather vulnerability information during build-time

Gather vulnerability information during run-time