Scan an EBS Snapshot
Mondoo can scan your EBS volume snapshots to evaluate the security and compliance of Linux-based EC2 instances. It doesn't require an agent or any connection to the instance that could impact your business applications.
Snapshot scanning with Mondoo relies on cnspec, Mondoo's CLI security tool.
Scan EBS volumes
Create a VM for EBS volume scanning
- Spin up a small EC2 instance (for example an Amazon Linux instance with the type
t2.micro
) where you'll attach the EBS snapshot.
Create an IAM policy for EBS volume scanning
- Log into the AWS console.
- Navigate to IAM.
- In the side navigation, select Policies.
- Select the Create policy button.
- Under Specify permissions select JSON, add the following block and select "Next":
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:CopySnapshot",
"ec2:CreateTags",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DescribeSnapshots",
"kms:Decrypt",
"kms:ReEncryptTo",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
},
"Action": "kms:CreateGrant",
"Resource": "*",
"Effect": "Allow"
}
]
}
- Under Policy details -> Policy name give the policy a name such as ebs-scanning-mondoo, assign tags and a description to the role (if you want), and then select Create policy.
Create an IAM role for EBS volume scanning
- Log into the AWS console.
- Navigate to IAM.
- Select Roles.
- Select Create Role.
- For the Trust entity type, select AWS service and for the Use case, select EC2, the select the "Next" button.
- Search for ebs in the Filter policies box, select the policy you just created ebs-scanning-mondoo, and then select the "Next" button.
- Under Role details in the field "Role name" give the role a name ebs, assign tags and a description to the role (if you want), and then select Create role.
Attach the new IAM role (ebs
) to your new EC2 instance.
Your new role is ready for use and can be attached to existing EC2 instances, or to new EC2 instances as an instance profile when launching new instances.
Using your new EC2 instance for scanning
-
Log into your new EC2 instance.
-
Scan a snapshot from your new instance:
cnspec scan aws ec2 ebs snapshot SNAPSHOT_ID
For SNAPSHOT_ID, substitute the ID of the snapshot, for example snap-123456b123a123da2
.
Learn more
To learn about... | Read... |
---|---|
Scanning with AWS SSM | Scan Using AWS Systems Manager |
Scanning from a workstation | Scan from a Workstation |
Continuous AWS scanning | Continuously Scan AWS |
cnspec | The cnspec documentation |