Skip to main content

Scan Using AWS Systems Manager

Use AWS Systems Manager (SSM) to securely scan EC2 instances. You don't need to deploy cnspec to instances in your environment. Any time Mondoo scans an instance, it automatically installs cnspec for the duration of the scan and then uninstalls cnspec when the scan finishes.

How Mondoo scans with SSM

When Mondoo performs an SSM scan, these steps occur:

  1. SSM Run Command calls the AWS-RunShellScript SSM document.
  2. The latest version of cnspec is installed and configured to authenticate with your Mondoo Platform account.
  3. The EC2 instance runs cnspec scan to execute policy checks.
  4. cnspec publishes results of the scan to Mondoo Platform.
  5. cnspec is uninstalled from the EC2 instance.

Configuring AWS SSM

This section covers a new setup of AWS SSM to manage EC2 instances in AWS. If you are brand new to AWS SSM, read the AWS documentation for additional implementation details.

Create an IAM role and instance profile for SSM

Before you can manage EC2 instances using SSM you need to perform these steps either in the AWS Console or the AWS CLI:

  1. Set up an IAM Role with a trust policy for EC2.
  2. Attach the AWS managed AmazonSSMManagedInstanceCore policy to the IAM role.
  3. Create an instance profile (if you're using the AWS CLI).
  4. Attach the IAM role to the instance profile (if you're using the AWS CLI).

Select your preferred method for configuring SSM, and follow the steps.

Requirements

  • AWS console access to any account you plan to integrate with Mondoo
  • Administrator privileges in those accounts

Create an IAM role for EC2 instances with AmazonSSMManagedInstanceCore policy

Create IAM SSM Role AWS Console

  1. Log in to the AWS Console.
  2. Navigate to IAM.
  3. Select Roles.
  4. Select Create Role.
  5. For the Trust entity type, select AWS service and for the Use case, select EC2. Then select the Next button.
  6. Search for SSM in the Filter policies box, select AmazonSSMManagedInstanceCore, and then select the Next button.
  7. Under Role details, give the role a name (such as EC2_SSM_ROLE), tags, and a description (if you want), and then select Create role.

Your new role is ready for use and can be attached to existing EC2 instances, or to new EC2 instances as an instance profile when launching new instances.

Launch a new EC2 instance with the newly created instance profile

Follow the steps below to launch a new EC2 instance using the AWS console, attach the SSM role created in the last section, and then validate the instance is under management in the AWS SSM console.

Create IAM SSM Role AWS Console

  1. Log in to the AWS Console.
  2. Navigate to EC2.
  3. Select Launch Instance.
  4. Under Name and tags, in the Name field, enter EC2 SSM Instance.
  5. Under Application and OS Images (Amazon Machine Image), select Amazon Linux 2 AMI (HVM), SSD Volume Type, which defaults to 64-bit (x86).
  6. Under Instance type select t2.micro. Create IAM SSM Role AWS Console
  7. Under Key pair (login) you can either add or create a new key pair, but in this instance it's safe to select Proceed without a key pair (Not recommended). If you want remote access to the instance, you can add an SSH key. This is not required.
  8. Under Network settings - Firewall(security groups), select Select existing security group and choose the default security group.
  9. Open the block Advanced details and under IAM instance profile, select the role you created in the instructions above.
  10. Review the details then select Launch.
  11. Copy the instance ID. You need it in the next steps. Create IAM SSM Role AWS Console

Validate that the instance is under management of AWS Systems Manager

Create IAM SSM Role AWS Console

To validate that the EC2 instance is under the management of SSM:

  1. Log in to the AWS console.
  2. Navigate to Systems Manager.
  3. Select Fleet Manager
  4. Locate the instance ID of the instance you launched in the section above and select it to bring up the Instance Overview.

This confirms the instance is under the management of SSM. Mondoo can use it to perform continuous scans of the asset.

Learn more

To learn about...Read...
Snapshot scanningScan an EBS Snapshot
Continuous AWS scanningContinuously Scan AWS
cnspecThe cnspec documentation