Mondoo
Docs
Cloud

Assess Hetzner Cloud with cnspec

Query and assess Hetzner Cloud projects with cnspec

Rely on cnspec to query and assess your Hetzner Cloud projects, including servers, networks, load balancers, volumes, firewalls, floating IPs, and SSH keys.

Prerequisites

To analyze your Hetzner Cloud environment with cnspec, you must have:

Configure access to Hetzner Cloud

To create an API token:

  1. Log in to the Hetzner Cloud Console.
  2. Select your project.
  3. In the left navigation, choose Security > API Tokens.
  4. Generate a new token with the permissions cnspec needs (read access is sufficient for assessment).

Connect to Hetzner Cloud

To launch an interactive shell against a Hetzner Cloud project:

cnspec shell hetzner --token YOUR_API_TOKEN

You can also set the HCLOUD_TOKEN environment variable instead of passing the --token flag:

export HCLOUD_TOKEN=your_token_here
cnspec shell hetzner

If you need to target a non-default Hetzner Cloud API endpoint, use the --endpoint flag or the HCLOUD_ENDPOINT environment variable.

Scan Hetzner Cloud

To scan your Hetzner Cloud project:

cnspec scan hetzner --token YOUR_API_TOKEN

You can also create your own policies to meet your specific requirements.

Example queries

List servers

cnspec> hetzner.servers { name status serverType.name datacenter.name }

Find servers without backups enabled

cnspec> hetzner.servers.where(backupWindow == "") { name status }

List networks and their subnets

cnspec> hetzner.networks { name ipRange subnets }

List firewalls and their rules

cnspec> hetzner.firewalls { name rules servers }

List load balancers

cnspec> hetzner.loadBalancers { name loadBalancerType.name location.name services }

List volumes

cnspec> hetzner.volumes { name size location.name server }

List SSH keys

cnspec> hetzner.sshKeys { name fingerprint }

Learn more

Workload Identity Federation

Use Workload Identity Federation to let a service account in one GCP project scan resources in other GCP projects without exporting keys.

Overview

Secure your Kubernetes environment by scanning for vulnerabilities and misconfigurations with cnspec.

On this page

PrerequisitesConfigure access to Hetzner CloudConnect to Hetzner CloudScan Hetzner CloudExample queriesList serversFind servers without backups enabledList networks and their subnetsList firewalls and their rulesList load balancersList volumesList SSH keysLearn more