Assess AWS Security with cnspec
Assess the security and compliance of an AWS account configuration
Scan your AWS account configuration to find security risks before they become incidents. cnspec evaluates account-level settings like IAM password policies, access key rotation, MFA enforcement, S3 public access blocks, CloudTrail encryption, and default EBS volume encryption. All you need is your existing AWS CLI credentials.
Prerequisites
To test your AWS environment with cnspec, you must have:
- cnspec installed on your workstation
- An AWS account with read access to the resources you want to scan
- The AWS CLI configured with credentials (cnspec uses your local AWS configuration to authenticate)
Verify with a quick AWS check
To quickly confirm that cnspec can access your AWS environment, run this check from your terminal:
cnspec run aws -c 'aws.account.id.length > 0'
cnspec connects to your AWS account and verifies that it can read the account ID:
[ok] value: true
If the command fails, verify that your AWS CLI credentials are configured correctly: confirm that the AWS CLI itself can authenticate and that the selected profile and region point at the account you expect.
Scan an AWS account
To scan your AWS account:
cnspec scan aws
To examine scan results in detail, add the -o full flag:
cnspec scan aws -o full
Discover resources during a scan
Use the --discover flag to find and scan specific resource types in your AWS account.
Find and scan all EC2 instances:
cnspec scan aws --discover instances
Find and scan all S3 buckets:
cnspec scan aws --discover s3-buckets
For a complete list of --discover options, run:
cnspec scan aws -h
Scan using an assumed role
To assess AWS resources that your current credentials can't reach directly, assume a role that has the read permissions you need. Your current credentials must be allowed to assume that role (the role's trust policy must permit it):
cnspec scan aws --role ROLE-ARN
For ROLE-ARN, substitute the role's Amazon Resource Name (ARN).
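Putting the non-interactive run form and the assumed-role option together, the script below is an added example (not cnspec project code) that runs a fixed set of account-level MQL checks with cnspec run aws -c, optionally through an assumed role, and turns the results into a CI gate. The queries are the ones listed under Example security checks later on this page. It assumes that cnspec prints a line starting with [ok] for a passing check and [failed] for a failing one (the output format shown on this page); the CNSPEC and ROLE_ARN variables, the check names, the ARN pattern and the file name cnspec_checks.sh are this example's own.

```shell
#!/bin/sh
# Added example, not part of cnspec: batch-run account-level MQL checks with
# `cnspec run aws -c` and turn the results into a CI gate.
# Assumptions: cnspec prints a line starting with "[ok]" for a passing check
# and "[failed]" for a failing one (the format shown on this page). Anything
# else (no output, missing binary, auth failure) counts as an error, never as
# a pass. CNSPEC and ROLE_ARN are this example's own variables.

CNSPEC="${CNSPEC:-cnspec}"   # binary to invoke (tests point this at a stub)

# One check per line: <name>|<MQL query>. The queries are taken from the
# "Example security checks" section of this page.
CHECKS='
cloudtrail-trails-encrypted|aws.cloudtrail.trails.all(kmsKey != null)
iam-users-mfa-active|aws.iam.credentialReport.all(mfaActive == true)
ec2-running-no-public-ip|aws.ec2.instances.where(state == "running").all(publicIp == empty)
ebs-default-encryption|aws.ec2.ebsDefaultEncryptionEnabled
'

# Sanity-check an IAM role ARN before handing it to --role, so a typo fails
# fast instead of surfacing as an AssumeRole error mid-scan.
valid_role_arn() {
  printf '%s' "$1" |
    grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Classify the first line of cnspec output as pass, fail or error.
classify_output() {
  case "$1" in
    "[ok]"*)     echo pass ;;
    "[failed]"*) echo fail ;;
    *)           echo error ;;
  esac
}

# Run one MQL check and print its classification. If ROLE_ARN is set, the
# check is evaluated through that assumed role.
run_check() {
  query="$1"
  if [ -n "${ROLE_ARN:-}" ]; then
    set -- run aws -c "$query" --role "$ROLE_ARN"
  else
    set -- run aws -c "$query"
  fi
  first_line=$("$CNSPEC" "$@" 2>/dev/null | head -n 1)
  classify_output "$first_line"
}

# Run every check, print one line per result and return non-zero if any
# check did not pass, so the script can gate a pipeline.
run_all_checks() {
  if [ -n "${ROLE_ARN:-}" ] && ! valid_role_arn "$ROLE_ARN"; then
    echo "ROLE_ARN does not look like an IAM role ARN: $ROLE_ARN" >&2
    return 2
  fi
  failures=0
  while IFS='|' read -r name query; do
    [ -n "$name" ] || continue           # skip blank lines in CHECKS
    result=$(run_check "$query")
    printf '%-28s %s\n' "$name" "$result"
    [ "$result" = pass ] || failures=$((failures + 1))
  done <<EOF
$CHECKS
EOF
  echo "checks not passing: $failures"
  [ "$failures" -eq 0 ]
}

# When executed as a script (saved as cnspec_checks.sh), run everything and
# exit with the gate status; when sourced, only the functions are defined.
case "$0" in
  *cnspec_checks.sh) run_all_checks; exit $? ;;
esac
```

Save it as cnspec_checks.sh and run sh cnspec_checks.sh (with ROLE_ARN exported when the target account is reached through an assumed role); a non-zero exit means at least one check failed or could not be evaluated. Treating missing or unexpected output as an error rather than a pass matters in CI: an expired credential or a missing binary must not look like a clean account.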
Filter EC2 scans using tags
Use the --filters flag to limit which EC2 instances you scan. To scan only EC2 instances with a certain tag:
cnspec scan aws --discover instances --filters ec2:tag:KEY=VALUE
To exclude EC2 instances with certain tag values:
cnspec scan aws --discover instances --filters exclude:ec2:tag:KEY=VALUE1,VALUE2
Explore and test checks interactively
Open a cnspec shell to discover resources and test checks:
cnspec shell aws
Use help aws to list the available resources, or drill down with help aws.iam, help aws.ec2, help aws.eks, and so on.
Query IAM credential reports
cnspec> aws.iam.credentialReport { arn passwordLastChanged mfaActive }
List EC2 instances
cnspec> aws.ec2.instances { arn tags instanceType state }
Filter EC2 instances
Find instances without an owner tag:
cnspec> aws.ec2.instances.where(tags['owner'] == null) { arn instanceType }
Find instances whose type ends in large (large, xlarge, 2xlarge, and so on), which are the more expensive sizes:
cnspec> aws.ec2.instances.where(instanceType == /large$/) { arn instanceType }
List EKS clusters
cnspec> aws.eks.clusters { arn version status }
Query AWS Config recorders
cnspec> aws.config { recorders { name recording region } rules { state arn } }
Example security checks
Ensure CloudTrail trails are encrypted
cnspec> aws.cloudtrail.trails.all(kmsKey != null)
[ok] value: true
An account with no trails at all has nothing for this check to fail on, so pair it with a check that at least one trail exists.
Ensure all IAM users have MFA enabled
cnspec> aws.iam.credentialReport.all(mfaActive == true)
[failed] [].all()
actual: [
0: aws.iam.usercredentialreportentry arn="arn:aws:iam::921000052404:user/abel" {
mfaActive: false
}
1: aws.iam.usercredentialreportentry arn="arn:aws:iam::921000052404:user/bob" {
mfaActive: false
}
]
The credential report also covers the root user and users who have only access keys, so review each failing entry rather than assuming every one is a console-login gap.
Ensure no running EC2 instances have a public IP
cnspec> aws.ec2.instances.where(state == "running").all(publicIp == empty)
[ok] value: true
Ensure EBS volume encryption is enabled by default
cnspec> aws.ec2.ebsDefaultEncryptionEnabled
[ok] value: true
Learn more
- To learn about all the AWS resources and properties you can query, read the Mondoo AWS Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.