
Assess AWS Security with cnspec

cnspec assesses your full AWS environment for misconfigurations that put your organization at risk. You can scan your AWS account for compliance with security policies created by Mondoo or the community, or create your own policies. You also can write individual tests to run on the fly or include in automated tasks.

cnspec can test any aspect of your AWS configuration. For a list of AWS resources you can test, read Mondoo Amazon Web Services (AWS) Resource Pack Reference and Mondoo Core Resource Pack Reference.

Connect cnspec with your AWS environment

Requirements

To analyze and explore your AWS environment with cnspec, you must have:

Set up AWS credentials

To ensure your AWS credentials are set up properly so you can scan from your workstation, run this command from a terminal:

cat ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoDYXdzEJr...<remainder of session token>

If you want to use a specific profile, set the AWS_PROFILE environment variable:

export AWS_PROFILE=PROFILENAME

For PROFILENAME, substitute the name of the profile to use.

Permissions required to scan an AWS account

cnspec requires read-only access to assess the configuration of the services and resources within an AWS account. It authenticates with the AWS API using the same credentials as the AWS CLI, so it inherits exactly the permissions granted to your AWS access keys.

Note: Amazon provides the ReadOnlyAccess managed IAM policy, which grants read-only access to all AWS services.

Verify with a quick AWS check

To quickly confirm that cnspec has access to your AWS environment, run this test from your terminal:

cnspec run aws -c 'aws.account.id!="foo"'

It asserts that your AWS account ID value is not foo.

cnspec returns [ok] to indicate that the test passed, and includes the actual value of the AWS account ID:

[ok] value: "123456789000"

Scan an AWS account with cnspec

To scan an AWS account remotely with cnspec, enter this command in a terminal:

cnspec scan aws

cnspec scans the account using any AWS policies you have enabled in your Mondoo account. It prints the results to STDOUT on the command line. It also sends the results to Mondoo Platform, which generates a report for each policy executed against the account.

Manage multiple AWS profiles

If you manage multiple AWS configurations in your credentials file, you can set the AWS_PROFILE environment variable to specify which profile to use for each scan. For example, this credentials file has two configurations:

~/.aws/credentials
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[aws-dev-account]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

When you run a scan, you specify which profile to use:

Select AWS profile to scan
export AWS_PROFILE=PROFILENAME
cnspec scan aws

For PROFILENAME, substitute the name of the profile to use.

Incognito mode

cnspec provides an --incognito mode, which lets you scan your AWS account against a specific policy without sending the results back to Mondoo Platform. This can be helpful for assessing how an account will score against a policy before enabling it.

To scan an AWS account using incognito mode, enter this command in a terminal:

cnspec scan aws --incognito
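
The two sections above (selecting a profile with AWS_PROFILE, and scanning in incognito mode) can be combined to score every account in a credentials file before enabling a policy. The following script is an added example, not part of the cnspec documentation; it assumes a standard ~/.aws/credentials layout and adds a hypothetical "dry-run" mode that only prints the commands it would run.

```shell
#!/bin/sh
# Added example: run one incognito cnspec scan per profile found in an AWS
# credentials file. The "dry-run" mode is a convenience of this script only,
# not a cnspec option.

# Print the profile names ([section] headers) found in a credentials file.
list_aws_profiles() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$1"
}

# Build the scan command line for one profile (used for inspection/dry runs).
scan_command_for_profile() {
    printf 'AWS_PROFILE=%s cnspec scan aws --incognito\n' "$1"
}

# Scan every profile in the file. Pass "dry-run" as the second argument to
# print the commands instead of executing them.
scan_all_profiles() {
    creds="${1:-$HOME/.aws/credentials}"
    mode="${2:-run}"
    for profile in $(list_aws_profiles "$creds"); do
        if [ "$mode" = "dry-run" ]; then
            scan_command_for_profile "$profile"
        else
            # AWS_PROFILE is scoped to this single cnspec invocation, so
            # results stay separated per account.
            AWS_PROFILE="$profile" cnspec scan aws --incognito
        fi
    done
}

# Constructed sample credentials file; the keys are the AWS documentation
# example values, not real credentials.
SAMPLE_CREDS="$(mktemp)"
cat > "$SAMPLE_CREDS" <<'EOF'
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[aws-dev-account]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
EOF

# Dry run against the sample file: prints one scan command per profile.
scan_all_profiles "$SAMPLE_CREDS" dry-run
```

Drop the `dry-run` argument (and point it at your real credentials file) to execute the scans; each account is scored locally and nothing is sent to Mondoo Platform.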

Perform agentless scans of EC2 instances

cnspec supports remote scanning of EC2 instances without installing an agent on the instance. This lets you assess your instances on demand. You must have remote connectivity to instances, either through SSH or EC2 Instance Connect.

Scan an EC2 instance using EC2 Instance Connect

cnspec lets you remotely scan EC2 instances using EC2 Instance Connect:

  1. Open a terminal.
  2. Set the AWS_REGION environment variable where the instance is running.
  3. Run: cnspec scan aws ec2 instance-connect USER@HOST

For...    Substitute...
USER      Your user name for the AWS account
HOST      The instance's public IP address or DNS name

To learn about configuring EC2 instances with EC2 Instance Connect, read Connect to your Linux instance using EC2 Instance Connect in the AWS documentation.

Scan an EC2 instance using SSH

cnspec lets you remotely scan EC2 instances using SSH:

cnspec scan aws ec2 instance-connect USER@HOST --identity-file PATH

For...    Substitute...
USER      Your user name for the AWS account
HOST      The instance's public IP address or DNS name
PATH      The path to the SSH key file

Note: To learn how to retrieve credentials from a secrets manager (such as AWS Secrets Manager or SSM Parameter Store), read Secrets Management.

Next step

You've successfully used cnspec to run your first check against your AWS account. Now you're ready to assess your AWS environment.