Skip to main content

Assess AWS Security from AWS CloudShell

If you prefer to work in AWS's browser-based CloudShell, you don't have to switch to a different interface to scan your AWS infrastructure. You can interact with cnspec within CloudShell.

To learn about CloudShell, read the AWS documentation.

Set up cnspec in CloudShell

To set up cnspec in CloudShell, sign up for a free Mondoo account. In the Mondoo Console you'll find a guide that helps you install cnspec in AWS CloudShell and run your first security assessment of AWS.

Step 1: Launch the Mondoo AWS CloudShell Setup Guide

Mondoo AWS Guide - Start

  1. Open the AWS Guide.

  2. Select Let's do this!

Mondoo AWS Guide - Choose AWS

  1. On the Choose your cloud service step, select Amazon AWS and choose Next step.

Step 2: Launch CloudShell

Mondoo AWS Guide - Open CloudShell

  1. Select Open CloudShell to open AWS CloudShell in a new browser tab.

  2. Once CloudShell finishes launching, return to the browser tab containing the Mondoo AWS Guide.

  3. Select Next step.

Step 3: Install cnspec in CloudShell and register with Mondoo Platform

AWS Setup Guide - Copy Token

  1. This next step contains a temporary registration token and a one-line install script to install cnspec in CloudShell. Select the copy icon in the command window, and then select Continue.

  2. Return to the browser tab with AWS CloudShell and paste the contents of the clipboard with the installation command.

  3. When you paste the command, AWS CloudShell shows a warning about external code. Select Paste

  4. Press Enter to install cnspec.


The cnspec install script is open source. You can find it in Mondoo's GitHub organization

Step 4: Scan

The cnspec scan command checks your assets against policies. cnspec scan aws executes policies against your aws account.


cnspec provides a --help command. For instance, cnspec scan --help returns detailed information on using cnspec to scan various assets.

How AWS scans work

When an AWS CloudShell session starts, cnspec relies on your AWS credentials (which you used to log into the AWS console) to run policies against the account. This pre-authentication lets you skip configuring credentials for AWS services with cnspec.

By running cnspec scan aws, cnspec authenticates with Mondoo Platform to find the policies configured for AWS in your account. After syncing policies, cnspec authenticates against the AWS API using the configured credentials in AWS CloudShell and then runs the policies against your account.


Mondoo Platform comes with a default set of policies activated in the registry to get you started.

Scan AWS from CloudShell

  1. Open the Mondoo AWS Setup Guide where you left off in your browser and copy the cnspec scan aws command to your clipboard.
cnspec scan aws
  1. Paste the cnspec scan aws command into AWS CloudShell and press Enter to start the scan.

The scan takes only a few minutes to complete.

After the scan completes, cnspec returns the results to STDOUTand also sends the scan results to the Mondoo Platform. To view results:

  1. Return to the browser tab containing the Mondoo AWS Guide and select Next Step. Mondoo Platform locates the results from the AWS scan.

  2. Select Explore Mondoo to see the results from the scan.