Continuously Scan with an AWS Integration
Choose between the Mondoo-hosted AWS integration and the serverless AWS integration for continuous account scanning.
Mondoo offers two ways to continuously scan an AWS account, EC2 instances, EKS clusters, EBS volumes, and more. Pick the one that fits your environment.
At a glance
| | Mondoo-hosted | Serverless |
|---|---|---|
| Continuous AWS account scanning | ✅ | ✅ |
| Continuous AWS Organization scanning | ❌ | ✅ |
| Agentless (no code in your account) | ✅ | ❌ |
| Requires an AWS Lambda function | ❌ | ✅ |
| Stability | Highest; not subject to API limits | High; very large accounts can hit AWS API rate limits |
| Setup complexity | Easy | Requires CloudFormation in your AWS environment |
| Infrastructure cost | No additional AWS cost | Small AWS cost |
| Credential handling | Mondoo securely stores credentials for your environment (or uses keyless WIF) | No AWS credentials leave your account |
When to choose which
- Pick the Mondoo-hosted integration if you scan a single account, want the fastest setup, and prefer not to deploy anything in AWS. Authenticate with Workload Identity Federation (recommended, keyless) or an access key.
- Pick the serverless integration if you need to scan an AWS Organization, or you want all credentials and scan execution to stay inside your AWS account. To scan many accounts from a single hub account using a read-only cross-account IAM role, see Cross-Account Scanning.
Overview
Secure your AWS environment by continuously scanning EC2, EKS, S3, IAM, and more for misconfigurations and vulnerabilities.
Scan Continuously (Hosted)
Configure the Mondoo-hosted AWS integration to continuously scan your AWS accounts and EC2 instances using Workload Identity Federation or an AWS access key.