
Secure STACKIT with cnspec

Scan STACKIT projects against security and compliance best practices with cnspec.

Scan your STACKIT project to find security risks before they become incidents. cnspec evaluates servers, volumes, networks, security groups, load balancers, object storage, file storage, managed databases, Kubernetes (SKE) clusters, KMS keys, IAM bindings, and more, all without installing agents on your infrastructure.

New to cnspec? Read the Quickstart to install cnspec and run your first scan. To scan other platforms, see the cloud scanning overview.

Prerequisites

To scan STACKIT with cnspec, you must have:

Authenticate

cnspec authenticates to STACKIT with a service account key. Create one in the STACKIT Portal:

  1. Log in to the STACKIT Portal.
  2. Open the project you want to scan and note its Project ID.
  3. Go to Service Accounts, create a service account (or select an existing one), and assign it a read-only role on the project. cnspec only reads resource state, so the account needs neither editor nor owner permissions; keeping it read-only limits what an attacker can do if the key leaks.
  4. Create a Service Account Key for that service account and download the JSON key file. Treat the file as a secret: restrict it to your own user (chmod 600), keep it out of version control, and rotate it on a schedule.

Pass the project ID and the path to the key file on the command line:

cnspec shell stackit --project-id PROJECT_ID --service-account-key-path /path/to/sa-key.json

You can also supply credentials through STACKIT environment variables and reuse them across commands:

export STACKIT_PROJECT_ID=your_project_id
export STACKIT_SERVICE_ACCOUNT_KEY_PATH=/path/to/sa-key.json

cnspec defaults to the eu01 region. To target a different region, use the --region flag or the STACKIT_REGION environment variable. To reach a non-default STACKIT API endpoint, use the --endpoint flag or the STACKIT_ENDPOINT environment variable.

Verify with a quick STACKIT check

Confirm that cnspec can reach your STACKIT project (the command below reads the key file from STACKIT_SERVICE_ACCOUNT_KEY_PATH, so export that variable first or add --service-account-key-path):

cnspec run stackit --project-id PROJECT_ID -c 'stackit.project.id != empty'

If cnspec connects, it prints your project ID and confirms the check passed.

Scan STACKIT

Scan your STACKIT project:

cnspec scan stackit --project-id PROJECT_ID --service-account-key-path /path/to/sa-key.json

If you exported the STACKIT environment variables, you can scan without flags:

cnspec scan stackit

When the scan completes, cnspec prints each check with a pass or fail result and an overall risk score from 0 (no risk) to 100 (highest risk). To learn how to read a report in depth, see Understand Scan Results.
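The authenticate, verify and scan steps above, combined into one added shell wrapper (this script is not part of cnspec or the STACKIT documentation): it refuses to run with a service-account key that other local users can read, requires the STACKIT environment variables, runs the connectivity check, and then scans with cnspec's --score-threshold flag so the job exits non-zero when a score falls below the threshold. The script name, the SCAN_THRESHOLD variable and its default of 80 are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks plus a threshold-gated cnspec scan of one STACKIT project.
# This wrapper is not part of cnspec or STACKIT. It assumes STACKIT_PROJECT_ID and
# STACKIT_SERVICE_ACCOUNT_KEY_PATH are exported as shown above and that cnspec is on PATH.
# SCAN_THRESHOLD (default 80) is an assumed variable name feeding cnspec's --score-threshold flag.
set -eu

# Succeeds only if the key file exists, is a regular file and is readable by its owner alone.
# A service-account key readable by other local users is a credential leak waiting to happen.
key_file_is_private() {
  f="$1"
  [ -f "$f" ] || { echo "service-account key not found: $f" >&2; return 1; }
  # -perm -040 / -004: find prints the path when the group-read or other-read bit is set,
  # so non-empty output means the key is exposed to other users
  if [ -n "$(find "$f" -perm -040 -o -perm -004 2>/dev/null)" ]; then
    echo "service-account key $f is group- or world-readable; run: chmod 600 $f" >&2
    return 1
  fi
}

# Fail early with a clear message instead of letting cnspec error out later.
require_env() {
  : "${STACKIT_PROJECT_ID:?export STACKIT_PROJECT_ID before running}"
  : "${STACKIT_SERVICE_ACCOUNT_KEY_PATH:?export STACKIT_SERVICE_ACCOUNT_KEY_PATH before running}"
}

# The connectivity check from above; it fails if cnspec cannot reach the project.
verify_access() {
  cnspec run stackit -c 'stackit.project.id != empty'
}

# Full scan. --score-threshold makes cnspec exit 1 when any score falls below the value,
# which is what a CI job or cron wrapper needs; extra flags (e.g. --policy-bundle) pass through.
scan_project() {
  cnspec scan stackit --score-threshold "${SCAN_THRESHOLD:-80}" "$@"
}

case "${1:-}" in
  run)
    require_env
    key_file_is_private "$STACKIT_SERVICE_ACCOUNT_KEY_PATH" || exit 1
    verify_access
    shift
    scan_project "$@"
    ;;
  "") ;;  # no argument: only define the functions (lets the file be sourced or tested)
  *) echo "usage: $0 run [extra cnspec scan flags]" >&2; exit 2 ;;
esac
```

Run it as `sh stackit-scan.sh run` after exporting the two STACKIT variables; anything after `run` is passed straight to `cnspec scan stackit`, so `sh stackit-scan.sh run --policy-bundle my-policy.mql.yaml` works too.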

Scan with the Mondoo STACKIT Security policy

Mondoo maintains an out-of-the-box STACKIT Security policy that checks security group attachment, volume encryption, public network exposure, object storage retention, managed database access and backups, service account key lifecycle, KMS key state, SKE cluster health, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "STACKIT", and add the policy. All future scans of your STACKIT projects automatically evaluate against it. To learn more, read Manage policies in Mondoo Platform.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan stackit --project-id PROJECT_ID --service-account-key-path /path/to/sa-key.json \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-stackit-security.mql.yaml

You can also create your own policies to meet your specific requirements.
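One way to start a policy of your own, as an added example that is not one of Mondoo's published bundles: a shell function writes a three-check bundle built from the interactive queries shown later on this page, lints it, and scans the project with it. The policy and query uids, the platform filter value "stackit" (confirm it with `asset.platform` in `cnspec shell stackit`) and "::/0" as the IPv6 wildcard value of a rule's ipRange are assumptions. Credentials come from the STACKIT environment variables exported earlier.

```shell
#!/bin/sh
# Added example: write a small custom cnspec policy bundle for STACKIT and scan with it.
# Not a bundle published by Mondoo. Assumptions: the policy/query uids, the platform
# filter value "stackit" (check with `asset.platform` in cnspec shell) and "::/0" as the
# IPv6 wildcard value of a rule's ipRange. Credentials come from the STACKIT_* env vars.
set -eu

# Writes the bundle to the path given as $1. Each check is a query that must hold for
# every resource, so a single unencrypted volume or open SSH rule fails the check.
write_bundle() {
  cat > "$1" <<'EOF'
policies:
  - uid: example-stackit-baseline
    name: Example STACKIT baseline
    version: 1.0.0
    authors:
      - name: Security team
    groups:
      - title: Storage and network exposure
        filters: asset.platform == "stackit"
        checks:
          - uid: example-stackit-volumes-encrypted
          - uid: example-stackit-sg-no-ssh-from-anywhere
          - uid: example-stackit-buckets-object-lock
queries:
  - uid: example-stackit-volumes-encrypted
    title: All volumes are encrypted
    impact: 70
    mql: stackit.volumes.all(encrypted == true)
  - uid: example-stackit-sg-no-ssh-from-anywhere
    title: No security group rule allows SSH ingress from 0.0.0.0/0 or ::/0
    impact: 90
    mql: |
      stackit.securityGroups.all(rules.none(direction == "ingress" && portRangeMin <= 22 && portRangeMax >= 22 && (ipRange == "0.0.0.0/0" || ipRange == "::/0")))
  - uid: example-stackit-buckets-object-lock
    title: Object storage buckets have Object Lock enabled
    impact: 50
    mql: stackit.objectStorage.buckets.all(objectLockEnabled == true)
EOF
}

# Number of queries in the bundle; a quick sanity check before handing it to cnspec.
bundle_query_count() {
  grep -c '^ *mql:' "$1"
}

case "${1:-}" in
  run)
    bundle="${BUNDLE_PATH:-./example-stackit-baseline.mql.yaml}"
    write_bundle "$bundle"
    cnspec bundle lint "$bundle"                 # catches YAML and MQL mistakes before a scan
    cnspec scan stackit --policy-bundle "$bundle"
    ;;
  "") ;;  # no argument: only define the functions
  *) echo "usage: $0 run" >&2; exit 2 ;;
esac
```

Run it as `sh custom-stackit-policy.sh run`. The impact values decide how much a failing check lowers the score; raise the impact on the checks your environment cares about most, and keep the lint step, since a typo in a query uid silently leaves a check unused.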

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell stackit --project-id PROJECT_ID --service-account-key-path /path/to/sa-key.json

Retrieve project information

cnspec> stackit.project { id name lifecycleState }

List servers

cnspec> stackit.servers { name status powerStatus machineType availabilityZone }

Find unencrypted volumes

cnspec> stackit.volumes.where(encrypted == false) { name size status }

List networks

cnspec> stackit.networks { name routed ipv4Prefix state }

Find security groups that allow SSH from anywhere (this matches the IPv4 wildcard 0.0.0.0/0; repeat the query with the IPv6 wildcard "::/0" if your rules carry IPv6 ranges)

cnspec> stackit.securityGroups.where(rules.any(direction == "ingress" && portRangeMin <= 22 && portRangeMax >= 22 && ipRange == "0.0.0.0/0")) { name }

List object storage buckets without Object Lock

cnspec> stackit.objectStorage.buckets.where(objectLockEnabled == false) { name region }

List managed PostgreSQL instances

cnspec> stackit.postgresFlex.instances { name version status region }

List Kubernetes (SKE) clusters

cnspec> stackit.ske.clusters { name kubernetesVersion status }

List KMS keys

cnspec> stackit.kms.keys { displayName state purpose protection algorithm }

List project IAM members

cnspec> stackit.iam.members { subject role }

Learn more
