Secure OpenStack with cnspec
Scan OpenStack projects against security and compliance best practices with cnspec.
Scan your OpenStack project to find security risks before they become incidents. cnspec evaluates Keystone identity, Nova compute, Glance images, Neutron networking, Cinder block storage, Barbican key management, and Octavia load balancers, all without installing agents on your infrastructure.
Prerequisites
To scan OpenStack with cnspec, you must have:
- cnspec installed on your workstation
- A reachable Keystone v3 endpoint
- Project-scoped credentials (username/password, an application credential, or a clouds.yaml entry)
Authenticate
cnspec resolves OpenStack credentials in this priority order:
1. CLI flags (--auth-url, --username, --password, --project-name, ...)
2. --cloud <name> to select an entry from clouds.yaml
3. OS_* environment variables
Use a clouds.yaml entry
If you already manage OpenStack credentials with a clouds.yaml file, reference the entry by name:
cnspec scan openstack --cloud my-cloud
Use environment variables
Export the standard OS_* variables once and reuse them across commands:
export OS_AUTH_URL=https://keystone.example.com/v3
export OS_USERNAME=admin
export OS_PASSWORD=secret
export OS_PROJECT_NAME=demo
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
Pass flags explicitly
cnspec scan openstack \
--auth-url https://keystone.example.com/v3 \
--username admin --password secret \
--project-name demo \
--user-domain-name Default --project-domain-name Default \
--region RegionOne
Use a Keystone application credential
Application credentials avoid embedding a user's password in scan configuration:
cnspec scan openstack \
--auth-url https://keystone.example.com/v3 \
--application-credential-id <id> \
--application-credential-secret <secret>
If your Keystone endpoint uses a certificate cnspec cannot validate, add --insecure to skip TLS verification. Use this only in trusted environments.
Verify with a quick OpenStack check
Confirm that cnspec can reach your OpenStack project:
cnspec run openstack -c 'openstack.projectId != empty'
If cnspec connects to Keystone, it prints the scoped project ID and confirms the check passed.
Scan OpenStack
Scan your OpenStack project:
cnspec scan openstack
You can also create your own policies to meet your specific requirements.
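As an added example that is not part of the original page or the cnspec project, the bundle below turns the ad-hoc MQL queries from this page's interactive shell section into a persistent custom policy. It assumes the current cnspec policy bundle schema (policies and queries keyed by uid), a placeholder author, and a hypothetical file name; the ingress check extends the page's IPv4-only query with the IPv6 any-address prefix.

```yaml
# Added example: a minimal cnspec policy bundle (not code from the Mondoo docs
# or the cnspec project). Assumes the current cnspec bundle schema
# (policies/queries with uid, title, impact, mql) and a placeholder author.
# Run it against the scoped project with:
#   cnspec scan openstack -f openstack-hardening.mql.yaml
policies:
  - uid: example-openstack-project-hardening
    name: Example OpenStack Project Hardening
    version: 1.0.0
    authors:
      - name: Example Author   # placeholder
    groups:
      - title: Project baseline
        # Only evaluate on the asset platform documented under "Asset model"
        filters: asset.platform == "openstack-project"
        checks:
          - uid: example-no-world-open-ingress
          - uid: example-volumes-encrypted
          - uid: example-no-public-images
          - uid: example-servers-have-keypair
queries:
  - uid: example-no-world-open-ingress
    title: Security groups must not allow ingress from the whole internet
    impact: 90
    # Extends the page's IPv4-only shell query with the IPv6 any-address prefix
    mql: |
      openstack.securityGroups.all(
        rules.none(
          direction == "ingress" &&
          (remoteIpPrefix == "0.0.0.0/0" || remoteIpPrefix == "::/0")
        )
      )
  - uid: example-volumes-encrypted
    title: Cinder volumes must be encrypted
    impact: 70
    # An empty list (no volumes, or Cinder not deployed) passes, matching the
    # page's note that calls to absent services return empty
    mql: openstack.volumes.all(encrypted == true)
  - uid: example-no-public-images
    title: Glance images owned by this project must not be public
    impact: 60
    mql: openstack.images.none(visibility == "public")
  - uid: example-servers-have-keypair
    title: Nova servers must have an SSH keypair configured
    impact: 50
    mql: openstack.servers.all(keyName != "")
```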
Asset model
Each connection produces one asset for the Keystone-scoped project. The asset's platform is openstack-project and the family is openstack. Assets are placed under:
technology=openstack/project=<project-uuid>
Calls to services that aren't deployed (for example, Octavia or Barbican on smaller clouds) return empty rather than failing the scan, so policies stay portable across clouds with different service catalogs.
Required permissions
- Project-scoped tokens see their own project's data across all services.
- Listing all users, roles, or other admin-only Keystone endpoints requires admin scope.
Explore and test checks interactively
Open a cnspec shell to discover resources and try out checks:
cnspec shell openstack
Identify the scoped project
cnspec> openstack { projectId region authUrl }
List Nova servers
cnspec> openstack.servers { name status availabilityZone flavor.name image.name }
Find servers without an SSH key configured
cnspec> openstack.servers.where(keyName == "") { name status }
List Glance images and their visibility
cnspec> openstack.images { name status visibility diskFormat sizeBytes }
Find public images you may not have intended to share
cnspec> openstack.images.where(visibility == "public") { name owner createdAt }
List Neutron networks
cnspec> openstack.networks { name status external shared subnets.length }
Inspect security groups and their rules
cnspec> openstack.securityGroups { name description rules { direction protocol portRangeMin portRangeMax remoteIpPrefix } }
Find security group rules that expose any port to the internet
cnspec> openstack.securityGroups.all(
rules.none(direction == "ingress" && remoteIpPrefix == "0.0.0.0/0")
)
List FWaaS v2 firewall groups, policies, and rules
cnspec> openstack.firewallGroups { name adminStateUp ingressFirewallPolicy egressFirewallPolicy }
cnspec> openstack.firewallPolicies { name shared audited }
cnspec> openstack.firewallRules { name action protocol enabled }
List Cinder volumes and check encryption
cnspec> openstack.volumes { name size status encrypted bootable availabilityZone }
cnspec> openstack.volumes.all(encrypted == true)
List Octavia load balancers and listeners
cnspec> openstack.loadBalancers { name provisioningStatus operatingStatus vipAddress listeners.length }
cnspec> openstack.listeners { name protocol protocolPort defaultPool.name }
List Barbican secrets
cnspec> openstack.secrets { name secretType algorithm bitLength status expiresAt }
Find Nova keypairs and their fingerprints
cnspec> openstack.keypairs { name fingerprint type userId }
List Keystone users, roles, and domains (admin scope required)
cnspec> openstack.users { name enabled domain.name }
cnspec> openstack.roles { name description }
cnspec> openstack.domains { name enabled description }
Coverage
cnspec queries the following OpenStack services through the project's Keystone service catalog:
| Service | Resources |
|---|---|
| Identity (Keystone v3) | projects, users, roles, domains |
| Compute (Nova v2) | servers, flavors, keypairs, server groups |
| Image (Glance v2) | images |
| Networking (Neutron v2) | networks, subnets, subnet pools, routers, ports, floating IPs, security groups (with rules), QoS policies, trunks, FWaaS v2 (groups/policies/rules) |
| Block Storage (Cinder v3) | volumes, snapshots |
| Key Manager (Barbican v1) | secrets, containers, orders |
| Load Balancer (Octavia v2) | load balancers, listeners, pools, members, health monitors, L7 policies, L7 rules |
Learn more
- OpenStack Resource Pack Reference for every OpenStack resource and field cnspec can query
- Write Effective MQL for a guide to authoring checks and queries