Skip to main content

cnspec shell aws

Connect to an AWS account or instance.


Connect to an AWS account or EC2 instance. This uses your local AWS configuration for the account scan. See the subcommands to scan EC2 instances.

cnspec shell aws [flags]


      --ask-pass                         Prompt for connection password.
-c, --command string MQL query to execute in the shell.
--discover string Enable the discovery of nested assets. Supported: 'all|auto|instances|host-instances|host-machines|container|container-images|pods|cronjobs|statefulsets|deployments|jobs|replicasets|daemonsets' (default "auto")
--discover-filter stringToString Additional filter for asset discovery. (default [])
--external-id string External ID to use for assume-role.
-h, --help help for aws
--host-machines Also scan host machines like ESXi server.
-i, --identity-file string Select a file from which to read the identity (private key) for public key authentication.
--insecure Disable TLS/SSL checks or SSH hostkey config.
--instances Also scan instances. This only applies to API targets like AWS, Azure, or GCP.
--option --option key=value Additional connection options. You can pass multiple options using --option key=value. (default [])
-p, --password string Set the connection password, such as for SSH/WinRM.
--path string Path to a local file or directory for the connection to use.
--platform-id string Select a specific target asset by providing its platform ID.
--profile string Pick a named AWS profile to use.
--region string AWS region to scan.
--role-arn string Role ARN to use for assume-role.
--sudo Elevate privileges with sudo.

Options inherited from parent commands

      --api-proxy string   Set proxy for communications with Mondoo API
--config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
--log-level string Set log level: error, warn, info, debug, trace (default "info")
-v, --verbose Enable verbose output