Assess AWS Security with cnspec
cnspec assesses your full AWS environment for misconfigurations that put your organization at risk. You can scan your AWS account for compliance with security policies created by Mondoo or the community, or create your own policies. You can also write individual tests to run on the fly or include in automated tasks.
cnspec can test any aspect of your AWS configuration. For a list of AWS resources you can test, read Mondoo Amazon Web Services (AWS) Resource Pack Reference and Mondoo Core Resource Pack Reference.
Connect cnspec with your AWS environment
Requirements
To analyze and explore your AWS environment with cnspec, you must have:
- cnspec installed on your workstation.
- An AWS account.
- Your AWS credentials. To learn about creating a new access key pair, read Creating new access keys for an IAM user in the AWS documentation.
- Your AWS_REGION configured. To learn how to set your region, read How to set environment variables in the AWS documentation.
Set up AWS credentials
To confirm that your AWS credentials are set up so you can scan from your workstation, run this command from a terminal:

```bash
cat ~/.aws/credentials
```

The output should look like this (the values shown are the placeholder keys from the AWS documentation, not real credentials):

```ini
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoDYXdzEJr...<remainder of session token>
```

Note that this prints your secret access key to the terminal. If you only want to confirm which identity and account the credentials resolve to, `aws sts get-caller-identity` shows that without revealing the key.
If you want to use a specific profile, set AWS_PROFILE:

```bash
export AWS_PROFILE=PROFILENAME
```

For PROFILENAME, substitute the name of the profile to use.
Permissions required to scan an AWS account
cnspec requires read-only access to assess the configuration of the services and resources within an AWS account. It uses the same credentials as the AWS CLI to authenticate with the AWS API, so it inherits whatever permissions are granted to your access keys (or to the role you assume).
Amazon provides the ReadOnlyAccess managed IAM policy, which grants read-only access to all AWS services. Be aware that ReadOnlyAccess allows reading data as well as configuration (for example, s3:GetObject), so for a dedicated scanning identity you may prefer the narrower SecurityAudit managed policy, which is intended for configuration-auditing tools, and then grant any additional read permissions a scan reports as missing.
Verify with a quick AWS check
To quickly confirm that cnspec has access to your AWS environment, run this test from your terminal:

```bash
cnspec run aws -c 'aws.account.id!="foo"'
```

It asserts that your AWS account ID value is not foo. cnspec returns [ok] to indicate that the test passed, and includes the actual value of the AWS account ID:

```
[ok] value: "123456789000"
```
Scan an AWS account with cnspec
To scan an AWS account remotely with cnspec, enter this command in a terminal:

```bash
cnspec scan aws
```

cnspec scans the account using any AWS policies you have enabled in your Mondoo account. It prints the results to STDOUT on the command line. It also sends the results to Mondoo Platform, which generates a report for each policy executed against the account.
Manage multiple AWS profiles
If you manage multiple AWS configurations in your credentials file, you can set the AWS_PROFILE environment variable to specify which profile to use for each scan. For example, this credentials file has two configurations:

```ini
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[aws-dev-account]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
```

When you run a scan, you specify which profile to use:

```bash
export AWS_PROFILE=PROFILENAME
cnspec scan aws
```

For PROFILENAME, substitute the name of the profile to use.
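When you have several profiles, the manual export-and-scan cycle is easy to get wrong (scanning the wrong account because a stale AWS_PROFILE was still exported). The script below is an added example, not code from cnspec or the Mondoo docs: it reads the profile names out of the shared credentials file, optionally confirms that a profile resolves to the account ID you expect, and runs one incognito scan per profile. It assumes the AWS CLI and cnspec are on PATH and that AWS_REGION is set in the environment; the profile names and account ID used in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not part of cnspec or the Mondoo documentation).
# Assumptions: awscli and cnspec are installed; AWS_REGION is exported.

# Print the profile names (the "[name]" section headers) in a shared
# credentials file, one per line. Comments and key/value lines are skipped.
# Usage: list_aws_profiles [CREDENTIALS_FILE]   (defaults to ~/.aws/credentials)
list_aws_profiles() {
  file="${1:-$HOME/.aws/credentials}"
  sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$file"
}

# Confirm that a profile resolves to the account you expect before scanning,
# so a mis-named or stale profile does not silently scan the wrong account.
# Returns 0 on match, 1 on mismatch or if the credentials do not work.
# Usage: check_profile_account PROFILE EXPECTED_ACCOUNT_ID
check_profile_account() {
  profile="$1"
  expected="$2"
  actual=$(AWS_PROFILE="$profile" aws sts get-caller-identity \
             --query Account --output text) || return 1
  [ "$actual" = "$expected" ]
}

# Scan every profile in the credentials file in incognito mode so results
# stay on the workstation. AWS_PROFILE is set per command rather than
# exported, so nothing leaks into later commands in the same shell.
# Profile names containing whitespace are not supported by this loop.
# Usage: scan_all_profiles [CREDENTIALS_FILE]
scan_all_profiles() {
  for profile in $(list_aws_profiles "${1:-$HOME/.aws/credentials}"); do
    echo "== scanning profile: $profile (region: ${AWS_REGION:-unset}) =="
    AWS_PROFILE="$profile" cnspec scan aws --incognito \
      || echo "scan failed for profile $profile" >&2
  done
}

# Example usage (placeholder account ID):
#   check_profile_account aws-dev-account 123456789000 && scan_all_profiles
```

Run `check_profile_account` once per profile before the first scan; after that, `scan_all_profiles` can sit in a cron job or CI step, and a failing scan for one profile does not stop the others.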
Incognito mode
cnspec provides an --incognito mode, which lets you scan your AWS account against a specific policy without sending the results back to Mondoo Platform. This can be helpful for assessing how an account will score against a policy before enabling it.
To scan an AWS account using incognito mode, enter this command in a terminal:

```bash
cnspec scan aws --incognito
```
Perform agentless scans of EC2 instances
cnspec supports remote scanning of EC2 instances without installing an agent on the instance. This lets you assess your instances on demand. You must have remote connectivity to instances, either through SSH or EC2 Instance Connect.
Scan an EC2 instance using EC2 Instance Connect
cnspec lets you remotely scan EC2 instances using EC2 Instance Connect:
- Open a terminal.
- Set the AWS_REGION environment variable to the region where the instance is running.
- Run:

```bash
cnspec scan aws ec2 instance-connect USER@HOST
```

For... | Substitute...
---|---
USER | The login user on the instance's operating system (for example, ec2-user on Amazon Linux or ubuntu on Ubuntu), not your AWS account user
HOST | The instance's public IP address or DNS name

EC2 Instance Connect works by pushing a one-time SSH public key to the instance, so the identity you scan with needs the ec2-instance-connect:SendSSHPublicKey permission for that instance, and the instance must accept SSH from your workstation. To learn about configuring EC2 instances with EC2 Instance Connect, read Connect to your Linux instance using EC2 Instance Connect in the AWS documentation.
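Scanning one instance at a time does not scale to a fleet. The script below is an added example, not code from cnspec or the Mondoo docs: it lists the running instances in the configured region with the AWS CLI, turns their public DNS names into USER@HOST targets, and runs one Instance Connect scan per target. It assumes AWS_REGION and credentials are configured as described above, that the instances have public DNS names reachable from your workstation, and that the OS user is ec2-user unless you pass another; the host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not part of cnspec or the Mondoo documentation).
# Assumptions: awscli and cnspec on PATH, AWS_REGION and credentials set,
# instances reachable over SSH and set up for EC2 Instance Connect.

# Public DNS names of running instances in the configured region, whitespace
# separated. Instances without a public DNS name come back blank or as "None".
running_instance_hosts() {
  aws ec2 describe-instances \
    --filters Name=instance-state-name,Values=running \
    --query 'Reservations[].Instances[].PublicDnsName' \
    --output text
}

# Build USER@HOST scan targets from a list of hosts, one per line,
# dropping entries that have no usable host name.
# Usage: instance_targets USER HOST...
instance_targets() {
  user="$1"
  shift
  for host in "$@"; do
    case "$host" in
      ""|None) continue ;;
    esac
    printf '%s@%s\n' "$user" "$host"
  done
}

# Scan every running instance with EC2 Instance Connect. A failed scan of one
# instance is reported on stderr and the loop continues with the next one.
# Usage: scan_running_instances [USER]   (defaults to ec2-user)
scan_running_instances() {
  user="${1:-ec2-user}"
  for target in $(instance_targets "$user" $(running_instance_hosts)); do
    echo "== scanning $target =="
    cnspec scan aws ec2 instance-connect "$target" \
      || echo "scan failed for $target" >&2
  done
}

# Example usage:
#   AWS_REGION=us-east-1 scan_running_instances ec2-user
```

Because `running_instance_hosts` only returns public DNS names, instances in private subnets are skipped; for those you need a bastion, a VPN, or one of the other EC2 connection methods cnspec supports.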
Scan an EC2 instance using SSH
cnspec lets you remotely scan EC2 instances over plain SSH with a private key you already hold, using cnspec's generic SSH connection (the instance-connect subcommand above is for EC2 Instance Connect, which generates its own temporary key):

```bash
cnspec scan ssh USER@HOST --identity-file PATH
```

For... | Substitute...
---|---
USER | The login user on the instance's operating system (for example, ec2-user), not your AWS account user
HOST | The instance's public IP address or DNS name
PATH | The path to the SSH private key file
To learn how to retrieve credentials from a secrets manager (such as AWS Secrets Manager or SSM Parameter Store), read Secrets Management.
Next step
You've successfully used cnspec to run your first check against your AWS account. Now you're ready to assess your AWS environment.