Scan EC2 Instances Using EC2 Instance Connect
Use EC2 Instance Connect to scan EC2 instances over SSH without managing long-lived keys.
Use EC2 Instance Connect to scan EC2 instances over SSH without distributing or managing long-lived SSH keys. EC2 Instance Connect pushes a short-lived public key to the instance through the EC2 control plane, then opens a standard SSH session — cnspec uses that session to evaluate the instance and disconnect.
When to use Instance Connect
Instance Connect is a good fit when:
- You want to scan a Linux EC2 instance and have direct or VPN-level network access to it.
- You'd rather not manage SSH key pairs.
- You don't want to install the SSM Agent on the target instance.
If the instance is unreachable from your network, Scan Instances Using SSM is a better choice. If you want to assess an instance without connecting to it at all, see Scan Instances Using EBS Snapshots.
Prerequisites
To scan an EC2 instance with Instance Connect, you must have:
- cnspec installed on your workstation
- The AWS CLI configured with credentials
- An EC2 instance running an AMI that supports EC2 Instance Connect (Amazon Linux 2 and 2023, recent Ubuntu, and others)
- The IAM permission `ec2-instance-connect:SendSSHPublicKey` on the target instance
- Network reachability to the instance on port 22 (either through a public IP, a VPN, or an Instance Connect Endpoint)
If your instance has no public IP, scan it through an EC2 Instance Connect Endpoint so cnspec can reach port 22 from the EC2 control plane.
Scan an instance
1. Set the `AWS_REGION` environment variable to the region where the instance runs:

   ```bash
   export AWS_REGION=us-east-1
   ```

2. Run cnspec, substituting the AMI's default user and the instance's reachable host:

   ```bash
   cnspec scan aws ec2 instance-connect USER@HOST
   ```

   | Placeholder | Value |
   | --- | --- |
   | USER | The default user for the AMI (`ec2-user`, `ubuntu`, `admin`, etc.) |
   | HOST | The instance's public IP, DNS name, or Instance Connect endpoint |

   For example, to scan an Amazon Linux instance at 203.0.113.42:

   ```bash
   cnspec scan aws ec2 instance-connect ec2-user@203.0.113.42
   ```

   cnspec uses the AWS API to push a temporary key, opens an SSH session, runs your assigned policies, and disconnects.
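As an added example (not part of the cnspec documentation), the script below wraps the two steps above so that USER and HOST are derived from an instance ID with the AWS CLI, and checks that port 22 answers before cnspec spends the short key lifetime on a connection that cannot succeed. The AMI-name-to-login-user mapping, the `USER_OVERRIDE` variable and the function names are assumptions of this example; `aws` and `cnspec` are assumed to be on PATH.

```bash
#!/usr/bin/env bash
# Added example (not from the cnspec docs): derive USER and HOST for
# `cnspec scan aws ec2 instance-connect USER@HOST` from an instance ID.
# Assumed: the AMI-name-to-user mapping below; `aws` and `cnspec` on PATH.
set -u

# Guess the AMI's default login user from its name (assumed mapping; extend as needed).
default_user_for_ami() {
  case "$1" in
    al2023-*|amzn2-*|amzn-*) echo ec2-user ;;
    ubuntu*)                 echo ubuntu ;;
    debian-*)                echo admin ;;
    *)                       echo ec2-user ;;  # common default; override with USER_OVERRIDE
  esac
}

# Accept only USER@HOST with both parts non-empty, the form the subcommand expects.
valid_target() {
  case "$1" in
    ?*@?*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Pushed keys expire after 60 s, so confirm port 22 answers before cnspec
# spends that window on a connection that cannot succeed.
port22_reachable() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" 22
  else
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/22" 2>/dev/null
  fi
}

# Resolve an instance ID to USER@HOST with the AWS CLI, pre-check, then scan.
scan_instance_id() {
  : "${AWS_REGION:?set AWS_REGION to the region where the instance runs}"
  host=$(aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].PublicIpAddress' --output text)
  ami=$(aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].ImageId' --output text)
  ami_name=$(aws ec2 describe-images --image-ids "$ami" --query 'Images[0].Name' --output text)
  target="${USER_OVERRIDE:-$(default_user_for_ami "$ami_name")}@$host"
  if [ "$host" = None ] || ! valid_target "$target"; then
    echo "no public IP for $1; use an Instance Connect Endpoint or SSM" >&2; return 1
  fi
  port22_reachable "$host" || { echo "port 22 on $host unreachable" >&2; return 1; }
  cnspec scan aws ec2 instance-connect "$target"
}

# Runs only when an instance ID is given, e.g. ./scan.sh i-0123456789abcdef0
if [ "$#" -gt 0 ]; then scan_instance_id "$1"; fi
```

Instances with no public IP resolve to `None` in the AWS CLI output and are rejected before any key is pushed, matching the guidance above to use an Instance Connect Endpoint or SSM for those.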
Limitations
- Instance Connect supports Linux only. Use SSM scanning for Windows instances.
- Pushed keys live for 60 seconds, so cnspec must connect immediately after the AWS API call. Slow networks or jump hosts can cause connection failures.
- The instance's `sshd` configuration must allow public-key authentication.
Learn more
- Scan Instances Using SSM — agentless scanning through AWS Systems Manager
- Scan Instances Using EBS Snapshots — assess instances without connecting to them
- Secure an AWS Account — scan AWS account configuration
- Continuously Scan AWS — set up the Mondoo AWS integration
- The cnspec documentation — learn more about cnspec