
Secure an AWS Account

Scan an Amazon Web Services account against security and compliance best practices with cnspec.

Scan your Amazon Web Services (AWS) account to find security risks before they become incidents. cnspec evaluates account-level settings such as IAM password policies, access key rotation, MFA enforcement, S3 public access blocks, CloudTrail encryption, and default EBS volume encryption. All you need is your existing AWS CLI credentials.

Prerequisites

To scan AWS with cnspec, you must have:

If you manage multiple accounts, set the AWS_PROFILE environment variable to choose which credentials cnspec uses:

export AWS_PROFILE=production

Verify with a quick AWS check

Confirm that cnspec can reach your AWS account:

cnspec run aws -c 'aws.account.id.length > 0'

cnspec connects to your account and returns:

[ok] value: true

If the command fails, verify that your AWS CLI credentials are configured correctly.

Scan an AWS account

Scan the account that your AWS CLI credentials authenticate to:

cnspec scan aws

Add the -o full flag to see results in detail:

cnspec scan aws -o full

Discover resources during a scan

Use the --discover flag to find and scan specific resource types in your AWS account.

Find and scan all EC2 instances:

cnspec scan aws --discover instances

Find and scan all S3 buckets:

cnspec scan aws --discover s3-buckets

For a complete list of --discover options, run:

cnspec scan aws -h

Scan with the Mondoo AWS Security policy

Mondoo maintains an out-of-the-box AWS Security policy that checks IAM password policies, access key rotation, MFA enforcement, S3 public access blocks, CloudTrail encryption, default EBS volume encryption, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "AWS", and add the policy. All future scans of your AWS account automatically evaluate against it. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan aws \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-aws-security.mql.yaml

Scan using an assumed role

To assess AWS resources that you don't normally have access to, use an assumed role:

cnspec scan aws --role ROLE-ARN

For ROLE-ARN, substitute the role's Amazon Resource Name (ARN).

Filter EC2 scans using tags

Use the --filters flag to limit which EC2 instances cnspec scans. To scan only EC2 instances with a specific tag:

cnspec scan aws --discover instances --filters ec2:tag:KEY=VALUE

To exclude EC2 instances with certain tag values:

cnspec scan aws --discover instances --filters exclude:ec2:tag:KEY=VALUE1,VALUE2

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell aws

Use help aws to list available resources, or drill down with help aws.iam, help aws.ec2, help aws.eks, and so on.

Query IAM credential reports

cnspec> aws.iam.credentialReport { arn passwordLastChanged mfaActive }

List EC2 instances

cnspec> aws.ec2.instances { arn tags instanceType state }

Filter EC2 instances

Find instances without an owner tag:

cnspec> aws.ec2.instances.where(tags['owner'] == null) { arn instanceType }

Find large (more expensive) instances:

cnspec> aws.ec2.instances.where(instanceType == /\.large$/) { arn instanceType }

List EKS clusters

cnspec> aws.eks.clusters { arn version status }

Query AWS Config recorders

cnspec> aws.config { recorders { name recording region } rules { state arn } }

Example security checks

Ensure CloudTrail trails are encrypted

cnspec> aws.cloudtrail.trails.all(kmsKey != null)
[ok] value: true

Ensure all IAM users have MFA enabled

cnspec> aws.iam.credentialReport.all(mfaActive == true)
[failed] [].all()
  actual:   [
    0: aws.iam.usercredentialreportentry arn="arn:aws:iam::921000052404:user/abel" {
      mfaActive: false
    }
    1: aws.iam.usercredentialreportentry arn="arn:aws:iam::921000052404:user/bob" {
      mfaActive: false
    }
  ]

Ensure no running EC2 instances have a public IP

cnspec> aws.ec2.instances.where(state == "running").all(publicIp == empty)
[ok] value: true

Ensure EBS volume encryption is enabled by default

cnspec> aws.ec2.ebsDefaultEncryptionEnabled
[ok] value: true
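To run these four checks together on every scan instead of one at a time in the shell, collect them into a custom policy bundle and pass it with --policy-bundle, the same way the Mondoo AWS Security policy is passed above. This bundle is an added example, not part of this page or the cnspec project; it assumes cnspec's documented policy bundle layout (policies, groups, queries with uid and mql), and the asset.platform filter, uids and impact scores are values chosen here, not taken from the page:

```yaml
# Constructed example bundle: the four checks from this page, wrapped in a
# cnspec policy so they run together with `cnspec scan aws --policy-bundle`.
policies:
  - uid: example-aws-baseline
    name: Example AWS baseline (from the cnspec AWS guide)
    version: 1.0.0
    groups:
      - title: Account hygiene
        # Assumption: this filter limits the group to AWS account assets.
        filters: asset.platform == "aws"
        checks:
          - uid: cloudtrail-trails-encrypted
          - uid: iam-users-mfa-enabled
          - uid: ec2-running-no-public-ip
          - uid: ebs-default-encryption
queries:
  # Each query is one of the shell checks from this page; impact values
  # (0-100) are assumptions that weight the score of a failed check.
  - uid: cloudtrail-trails-encrypted
    title: CloudTrail trails are encrypted with a KMS key
    impact: 70
    mql: aws.cloudtrail.trails.all(kmsKey != null)
  - uid: iam-users-mfa-enabled
    title: All IAM users in the credential report have MFA enabled
    impact: 90
    mql: aws.iam.credentialReport.all(mfaActive == true)
  - uid: ec2-running-no-public-ip
    title: No running EC2 instance has a public IP
    impact: 60
    mql: aws.ec2.instances.where(state == "running").all(publicIp == empty)
  - uid: ebs-default-encryption
    title: EBS volume encryption is enabled by default
    impact: 80
    mql: aws.ec2.ebsDefaultEncryptionEnabled
```

Save it as example-aws-baseline.mql.yaml and run cnspec scan aws --policy-bundle example-aws-baseline.mql.yaml; add -o full to see the failing entries (such as the users without MFA) the way the shell output above shows them.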
