Skip to main content

Assess an AWS Account

Once you've ensured that cnspec can access your AWS environment, you can begin testing. The method you choose depends on your goals:

  • For widescale assessment of your AWS infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your AWS security posture.
  • To run ad hoc checks against your AWS environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.

Assess AWS security with policy-based scanning

The AWS Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental AWS security best practices. It checks for misconfigurations across your entire AWS infrastructure.

To scan using the AWS Security by Mondoo policy, run:

cnspec scan aws

cnspec finds the default policy for AWS and runs a scan based on that policy. It returns a report summarizing the scan results:

→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ connecting to asset AWS Account lunalectric-management (177043759486) (api)

██████████████████████████████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 60% AWS Account lunalectric-management (177043759486)


Asset: AWS Account lunalectric-management (177043759486)
========================================================
Checks:
Fail: Ensure IAM Users Receive Permissions Only Through Groups
Fail: D 20 Checks whether the instance metadata version is configured with IMDSv2 (http tokens required)
Pass: Ensure MFA is enabled for the "root user" account
Fail: D 20 Ensure the default security group of every VPC restricts all traffic
Fail: B 70 Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge (default 90)
Pass: Ensure there is only one active access key available for any single IAM user
Pass: Ensure no root user account access key exists
Pass: Checks if the required S3 public access block settings are configured from the account level
Fail: B 70 Ensure VPC flow logging is enabled in all VPCs
! Error: Checks whether the account password policy for IAM users meets the specified requirements
Fail: F 5 Checks whether the AWS IAM users have multi-factor authentication (MFA) enabled
Pass: Checks if Amazon Simple Storage Service (S3) has bucket-level public access restrictions at the bucket level.
Fail: D 20 Ensures no instances have a public IP
Fail: B 70 Ensure EBS volume encryption is enabled by default
Pass: Checks whether IAM groups have at least one IAM user


Summary (1 assets)
==================

Target: AWS Account lunalectric-management (177043759486)
Score: F 0/100 (100% completed)
Passed: ██████ 40% (6)
Failed: ████████ 53% (8)
! Errors:7% (1)
» Skipped: 0% (0)
tip

To examine scan results in detail, run:

cnspec scan aws -o full

You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.

Discover resources during a scan

Use the --discover flag to find and scan resources in your AWS account.

Find and scan all EC2 instances:

cnspec scan aws --discover instances

Find and scan all S3 buckets:

cnspec scan aws --discover s3-buckets

For a complete list of --discover flag options, run the cnspec help:

cnspec scan aws -h

Scan using an assumed role

To assess AWS resources that you don't normally have access to, you can use an assumed role:

cnspec scan aws --role ROLE-ARN

For ROLE-ARN, substitute the role's Amazon resource name (ARN).

Run a filtered EC2 scan using tags

Use the --filters flag to limit the EC2 instances you scan. To scan only EC2 instances that have a certain tag value, run:

cnspec scan aws --discover instances --filters ec2:tag:KEY=VALUE

For example, to include only EC2 instances that have the owner tag dev, run:

--filters --discover instances ec2:tag:owner=dev

To scan all resources except EC2 instances with certain tag values, run:

cnspec scan aws --discover instances --filters exclude:ec2:tag:KEY=VALUE1,VALUE2,VALUEX

For example, to scan all resources except EC2 instances that have the env tag test or qa, run:

cnspec scan aws --discover instances --filters exclude:ec2:tag:env=test,qa

Test AWS with the cnspec shell

The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.

To launch a shell into your AWS environment, enter:

cnspec shell aws

Discover capabilities with the help command

Once inside the shell, use the help command to learn what AWS resources you can test. This command lists all the AWS resources:

help aws

From the resulting list, you can drill down further. For example, enter this command to list all the AWS IAM resources you can test:

help aws.iam

From the resulting list, you can drill down even further. You can also learn about available AWS resources in the Mondoo Amazon Web Services (AWS) Resource Pack Reference.

Run tests in the cnspec shell

Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.

Assess CloudTrail encryption

This test assures that every CloudTrail has a KMS key:

aws.cloudtrail.trails.all(kmsKey != null)

If the test passes (all CloudTrails have KMS keys) then cnspec returns ok:

[ok] value: true

If the test fails, (one or more CloudTrails do not have KMS keys) then cnspec provides details about the failure:

[failed] [].all()
actual: [
0: aws.cloudtrail.trail id = arn:aws:cloudtrail:us-east-1:921877552404:trail/s3-events
]

The sample results above show that the account's single CloudTrail is not using encryption.

Assess IAM

When we explored the help for aws.iam, we saw that cnspec can run checks against your account's IAM credential report. For example, this test asserts that all users have MFA enabled:

aws.iam.credentialReport.all ( mfaActive == true )

If one or more users aren't using MFA, cnspec lists them:

[failed] [].all()
actual: [
0: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/abel
1: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/coco
2: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/ecs-deploy
3: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/gitlab-migration-user
]

Specify fields to include in results

If you're interested in only some details, specify the fields you want in braces. For example, this is the same test as above, but also asks for each user's ARN, when they last changed their password, and whether they have MFA enabled:

aws.iam.credentialReport { mfaActive == true arn passwordLastChanged mfaActive }

Exit the cnspec shell

To exit the cnspec shell, either press Ctrl + D or type exit.

Learn more

Next step

Now that you've scanned your AWS environment and run tests using the cnquery shell, you're ready to dive deeper and test your EC2 instances.