Assess AWS Security with cnspec

Assess the security and compliance of an AWS account configuration

Scan your AWS account configuration to find security risks before they become incidents. cnspec evaluates account-level settings like IAM password policies, access key rotation, MFA enforcement, S3 public access blocks, CloudTrail encryption, and default EBS volume encryption. All you need is your existing AWS CLI credentials.

Prerequisites

To test your AWS environment with cnspec, you must have:

Verify with a quick AWS check

To quickly confirm that cnspec can access your AWS environment, run this check from your terminal:

cnspec run aws -c 'aws.account.id.length > 0'

cnspec connects to your AWS account and verifies that it can read the account ID:

[ok] value: true

If the command fails, verify that your AWS CLI credentials are configured correctly.

Scan an AWS account

To scan your AWS account:

cnspec scan aws

To examine scan results in detail, add the -o full flag:

cnspec scan aws -o full

Discover resources during a scan

Use the --discover flag to find and scan specific resource types in your AWS account.

Find and scan all EC2 instances:

cnspec scan aws --discover instances

Find and scan all S3 buckets:

cnspec scan aws --discover s3-buckets

For a complete list of --discover options, run:

cnspec scan aws -h

Scan using an assumed role

To assess AWS resources that you don't normally have access to, use an assumed role:

cnspec scan aws --role ROLE-ARN

For ROLE-ARN, substitute the Amazon Resource Name (ARN) of the role to assume.

Filter EC2 scans using tags

Use the --filters flag to limit which EC2 instances you scan. To scan only EC2 instances with a certain tag:

cnspec scan aws --discover instances --filters ec2:tag:KEY=VALUE

To exclude EC2 instances with certain tag values:

cnspec scan aws --discover instances --filters exclude:ec2:tag:KEY=VALUE1,VALUE2

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your AWS environment:

cnspec shell aws

Below are some example checks you can run from the shell.

Ensure CloudTrail trails are encrypted

cnspec> aws.cloudtrail.trails.all(kmsKey != null)
[ok] value: true

Ensure all IAM users have MFA enabled

cnspec> aws.iam.credentialReport.all(mfaActive == true)
[failed] [].all()
  actual:   [
    0: aws.iam.usercredentialreportentry arn="arn:aws:iam::921000052404:user/abel" {
      mfaActive: false
    }
    1: aws.iam.usercredentialreportentry arn="arn:aws:iam::921000052404:user/bob" {
      mfaActive: false
    }
  ]

Ensure no running EC2 instances have a public IP

cnspec> aws.ec2.instances.where(state == "running").all(publicIp == empty)
[ok] value: true

Ensure EBS volume encryption is enabled by default

cnspec> aws.ec2.ebsDefaultEncryptionEnabled
[ok] value: true
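The following checks are an added example for this page, not queries taken from the cnspec documentation or from Mondoo's own policies. They extend the shell queries above to the other account-level settings mentioned at the top of the page: MFA for console users only, access key rotation, and root access keys. The credential-report field names used here (user, passwordEnabled, accessKey1Active, accessKey1LastRotated, accessKey2Active, accessKey2LastRotated) and the trail field logFileValidationEnabled are assumed to mirror the IAM credential report and CloudTrail attributes; confirm them in your shell (for example by evaluating aws.iam.credentialReport on its own) before relying on a check.

```mql
// Added example checks (not from the original page). Field names marked
// "assumed" mirror the IAM credential report columns; verify them first.

// Only console users (password enabled) must have MFA. Filtering first keeps
// key-only service users from failing the check for the wrong reason.
// Assumed field: passwordEnabled
aws.iam.credentialReport.where(passwordEnabled == true).all(mfaActive == true)

// Active access keys must have been rotated within the last 90 days.
// Assumed fields: accessKey1Active, accessKey1LastRotated, accessKey2Active, accessKey2LastRotated
aws.iam.credentialReport.where(accessKey1Active == true).all(accessKey1LastRotated > time.now - 90 * time.day)
aws.iam.credentialReport.where(accessKey2Active == true).all(accessKey2LastRotated > time.now - 90 * time.day)

// The root account must not have any active access keys. The root row in the
// credential report is identified by the user name "<root_account>".
// Assumed field: user
aws.iam.credentialReport.where(user == "<root_account>").all(accessKey1Active == false && accessKey2Active == false)

// Strengthen the CloudTrail check from above: every trail is KMS-encrypted and
// has log file validation enabled, so tampering with delivered logs is detectable.
// Assumed field: logFileValidationEnabled
aws.cloudtrail.trails.all(kmsKey != null && logFileValidationEnabled == true)
```

Paste each query at the cnspec> prompt one at a time. A check passes when all() returns true; when it fails, cnspec lists the offending entries in the same form as the MFA example above, which is the list you hand to whoever owns those users or trails.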
