cnspec vuln aws

Connect to an AWS account or instance.


Connect to an AWS account or EC2 instance. cnspec uses your local AWS configuration for the account scan. See the subcommands to scan EC2 instances.

cnspec vuln aws [flags]


      --annotation stringToString        Add an annotation to the asset. (default [])
      --ask-pass                         Ask for connection password.
      --detect-cicd                      Try to detect CI/CD environments. If successful, sets the asset category to 'cicd'. (default true)
      --discover string                  Enable the discovery of nested assets. Supported: 'all|instances|host-instances|host-machines|container|container-images|pods|cronjobs|statefulsets|deployments|jobs|replicasets|daemonsets' (default "auto")
      --discover-filter stringToString   Additional filter for asset discovery. (default [])
      --external-id string               External ID to use for assume-role.
  -h, --help                             help for aws
      --id-detector string               User override for platform ID detection mechanism. Supported: hostname, machine-id, aws-ec2, cloud-detect, ssh-host-key, transport-platform-id
  -i, --identity-file string             Select a file from which to read the identity (private key) for public key authentication.
      --incognito                        Incognito mode. Do not report scan results to Mondoo Platform.
      --insecure                         Disable TLS/SSL checks or SSH hostkey config.
      --inventory-ansible                Set inventory format to Ansible.
      --inventory-domainlist             Set inventory format to domain list.
      --inventory-file string            Path to inventory file.
  -j, --json                             Set output to JSON (shorthand).
      --no-pager                         Disable interactive scan output pagination.
      --option --option key=value        Additional connection options. You can pass multiple options using --option key=value (default [])
  -o, --output string                    Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")
      --pager string                     Enable scan output pagination with custom pagination command. The default is 'less -R'.
  -p, --password string                  Password, such as for SSH/WinRM.
      --path string                      Path to a local file or directory for the connection to use
      --policy --policy POLICY           List policies to execute. This requires incognito mode. To scan multiple policies, pass --policy POLICY
  -f, --policy-bundle strings            Path to local policy bundle file.
      --profile string                   Pick a named AWS profile to use.
      --region string                    AWS region to scan.
      --role-arn string                  Role ARN to use for assume-role.
      --score-threshold int              If any score falls below the threshold, exit 1.
      --sudo                             Elevate privileges with sudo.

Options inherited from parent commands

      --api-proxy string   Set proxy for communications with Mondoo API
      --config string      Set config file path (default $HOME/.config/mondoo/mondoo.yml)
      --log-level string   Set log level: error, warn, info, debug, trace (default "info")
  -v, --verbose            Enable verbose output
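
A non-interactive cross-account invocation assembled from the flags listed above, as an added example that is not part of the cnspec documentation. The function names, account ID, role name, external ID, region and threshold are constructed placeholders, and refusing an empty external ID or region is this example's own policy choice.

```shell
#!/bin/sh
# Added example, not from the cnspec docs: assemble a non-interactive
# cross-account `cnspec vuln aws` call from the flags listed on this page.
# Account ID, role name, external ID and region below are constructed.

# Print the validated arguments one per line so they can be reviewed or logged.
build_vuln_aws_args() {
  role_arn=$1 external_id=$2 region=$3 threshold=$4

  # --role-arn: accept only an IAM role ARN with a 12-digit account ID.
  if ! printf '%s\n' "$role_arn" |
      grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$'; then
    echo "invalid role ARN: $role_arn" >&2
    return 2
  fi
  # --external-id / --region: this example's policy is to refuse empty values.
  if [ -z "$external_id" ] || [ -z "$region" ]; then
    echo "external ID and region are required" >&2
    return 2
  fi
  # --score-threshold takes an int; reject anything else before cnspec sees it.
  case $threshold in
    '' | *[!0-9]*) echo "threshold must be an integer" >&2; return 2 ;;
  esac

  printf '%s\n' vuln aws \
    --role-arn "$role_arn" --external-id "$external_id" \
    --region "$region" --output json --no-pager \
    --score-threshold "$threshold"
}

# Run the scan; cnspec's exit status is returned unchanged, so a pipeline step
# fails when a score falls below the threshold (exit 1 per --score-threshold).
run_vuln_aws_scan() {
  args=$(build_vuln_aws_args "$@") || return 2
  # Split only on newlines so values containing spaces stay one argument.
  ( IFS='
'; set -f; exec cnspec $args )
}

# Only scan when explicitly requested, e.g. RUN_SCAN=1 sh scan.sh
if [ "${RUN_SCAN:-0}" = 1 ]; then
  run_vuln_aws_scan "arn:aws:iam::123456789012:role/ExampleScanRole" \
    "example-external-id" "us-east-1" 80
fi
```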