Assess an AWS Account
Once you've ensured that cnspec can access your AWS environment, you can begin testing. The method you choose depends on your goals:
- For widescale assessment of your AWS infrastructure, scan using policy bundles. These collections of tests work together to present a broad picture of your AWS security posture.
- To run ad hoc checks against your AWS environment, use cnspec's interactive shell. It has auto-complete to guide you, which is especially helpful when you're new to cnspec and learning MQL.
Assess AWS security with policy-based scanning
The AWS Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental AWS security best practices. It checks for misconfigurations across your entire AWS infrastructure.
To scan using the AWS Security by Mondoo policy, run:
cnspec scan aws
cnspec finds the default policy for AWS and runs a scan based on that policy. It returns a report summarizing the scan results:
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
→ connecting to asset AWS Account lunalectric-management (177048008586) (api)
██████████████████████████████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 60% AWS Account lunalectric-management (177048008586)
Asset: AWS Account lunalectric-management (177048008586)
========================================================
Checks:
✕ Fail: Ensure IAM Users Receive Permissions Only Through Groups
✕ Fail: D 20 Checks whether the instance metadata version is configured with IMDSv2 (http tokens required)
✓ Pass: Ensure MFA is enabled for the "root user" account
✕ Fail: D 20 Ensure the default security group of every VPC restricts all traffic
✕ Fail: B 70 Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge (default 90)
✓ Pass: Ensure there is only one active access key available for any single IAM user
✓ Pass: Ensure no root user account access key exists
✓ Pass: Checks if the required S3 public access block settings are configured from the account level
✕ Fail: B 70 Ensure VPC flow logging is enabled in all VPCs
! Error: Checks whether the account password policy for IAM users meets the specified requirements
✕ Fail: F 5 Checks whether the AWS IAM users have multi-factor authentication (MFA) enabled
✓ Pass: Checks if Amazon Simple Storage Service (S3) has bucket-level public access restrictions at the bucket level.
✕ Fail: D 20 Ensures no instances have a public IP
✕ Fail: B 70 Ensure EBS volume encryption is enabled by default
✓ Pass: Checks whether IAM groups have at least one IAM user
Summary (1 assets)
==================
Target: AWS Account lunalectric-management (177048008586)
Score: F 0/100 (100% completed)
✓ Passed: ██████ 40% (6)
✕ Failed: ████████ 53% (8)
! Errors: █ 7% (1)
» Skipped: 0% (0)
To examine scan results in detail, run:
cnspec scan aws -o full
You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.
Discover resources during a scan
Use the --discover
flag to find and scan resources in your AWS account.
Find and scan all EC2 instances:
cnspec scan aws --discover instances
Find and scan all S3 buckets:
cnspec scan aws --discover s3-buckets
For a complete list of --discover
flag options, run the cnspec help:
cnspec scan aws -h
Scan using an assumed role
To assess AWS resources that you don't normally have access to, you can use an assumed role:
cnspec scan aws --role ROLE-ARN
For ROLE-ARN
, substitute the role's Amazon resource name (ARN).
Run a filtered EC2 scan using tags
Use the --filters
flag to limit the EC2 instances you scan. To scan only EC2 instances that have a certain tag value, run:
cnspec scan aws --discover instances --filters ec2:tag:KEY=VALUE
For example, to include only EC2 instances that have the owner tag dev, run:
--filters --discover instances ec2:tag:owner=dev
To scan all resources except EC2 instances with certain tag values, run:
cnspec scan aws --discover instances --filters exclude:ec2:tag:KEY=VALUE1,VALUE2,VALUEX
For example, to scan all resources except EC2 instances that have the env tag test or qa, run:
cnspec scan aws --discover instances --filters exclude:ec2:tag:env=test,qa
Test AWS with the cnspec shell
The cnspec shell is handy for quick checks and tests, or for developing your MQL skills. Its auto-complete and help features guide you in writing checks.
To launch a shell into your AWS environment, enter:
cnspec shell aws
Discover capabilities with the help
command
Once inside the shell, use the help
command to learn what AWS resources you can test. This command lists all the AWS resources:
help aws
From the resulting list, you can drill down further. For example, enter this command to list all the AWS IAM resources you can test:
help aws.iam
From the resulting list, you can drill down even further. You can also learn about available AWS resources in the Mondoo Amazon Web Services (AWS) Resource Pack Reference.
Run tests in the cnspec shell
Now that you know how to discover what's possible with cnspec, let's run some actual tests in the shell.
Assess CloudTrail encryption
This test assures that every CloudTrail has a KMS key:
aws.cloudtrail.trails.all(kmsKey != null)
If the test passes (all CloudTrails have KMS keys) then cnspec returns ok
:
[ok] value: true
If the test fails, (one or more CloudTrails do not have KMS keys) then cnspec provides details about the failure:
[failed] [].all()
actual: [
0: aws.cloudtrail.trail id = arn:aws:cloudtrail:us-east-1:921877552404:trail/s3-events
]
The sample results above show that the account's single CloudTrail is not using encryption.
Assess IAM
When we explored the help for aws.iam
, we saw that cnspec can run checks against your account's IAM credential report. For example, this test asserts that all users have MFA enabled:
aws.iam.credentialReport.all ( mfaActive == true )
If one or more users aren't using MFA, cnspec lists them:
[failed] [].all()
actual: [
0: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/abel
1: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/coco
2: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/ecs-deploy
3: aws.iam.usercredentialreportentry id = aws/iam/credentialreport/arn:aws:iam::921000052404:user/gitlab-migration-user
]
Specify fields to include in results
If you're interested in only some details, specify the fields you want in braces. For example, this is the same test as above, but also asks for each user's ARN, when they last changed their password, and whether they have MFA enabled:
aws.iam.credentialReport { mfaActive == true arn passwordLastChanged mfaActive }
Exit the cnspec shell
To exit the cnspec shell, either press Ctrl + D
or type exit
.
Learn more
-
To learn more about how the MQL query language works, read Write Effective MQL.
-
Explore the complete Mondoo AWS Resource Pack Reference.
Next step
Now that you've scanned your AWS environment and run tests using the cnquery shell, you're ready to dive deeper and test your EC2 instances.