Skip to main content

Assess an AWS EC2 Instance

Now that you have an introduction to assessing your AWS security with cnspec, let's dive deeper and test EC2 instances.

We'll continue working in the cnspec shell, which makes running individual queries easy. If it's not already open, enter cnspec shell aws in your terminal. To learn about accessing your AWS account with cnspec, read Assess AWS Security.

EC2 resources

cnspec lets you test any configuration detail of your EC2 instances. To discover all the resources and fields you can query, read aws.ec2. You can also use the help command in the shell:

help aws.ec2

Run tests on EC2 instances

No public IPs

This test assesses whether any running EC2 instances have a public IP:

aws.ec2.instances.all( state = "running" && publicIp != "" )

If the test passes (no running instances have a public IP) then cnspec returns ok:

[ok] value: true`

If the test fails, (one or more running instances have a public IP) then cnspec provides details about the failure:

[failed] [].all()
actual: [
0: aws.ec2.instance id = arn:aws:ec2:us-east-1:177043751234:instance/i-0fde6c8e0210b7i26
1: aws.ec2.instance id = arn:aws:ec2:us-east-1:177043751234:instance/i-01d9ac4d064722qa4

More examples

This test verifies that all EC2 instances require HTTP tokens:

aws.ec2.instances.all(httpTokens == "required")

This test ensures that no EBS snapshots are publicly restorable:

aws.ec2.snapshots.all(createVolumePermission.none(_['Group'] == "all" ))

Learn more about testing EC2 instances

  • To learn more about how the MQL query language works, read Write Effective MQL.
  • For a list of all the AWS resources and fields you can query, read aws.ec2.

Next step

To discover more of cnspec's AWS capabilities, test your EKS clusters.