
Continuously Scan AWS - Mondoo-Hosted Integration

Configure the Mondoo-hosted AWS integration to continuously scan your AWS accounts and EC2 instances using Workload Identity Federation or an AWS access key.

A Mondoo-hosted AWS integration provides continuous security and compliance scanning for an AWS account without installing any agents in your AWS environment or incurring additional AWS cost.

Mondoo also offers a serverless method for assessing AWS security. It provides cron-scheduled and event-based continuous scanning of your AWS accounts or your entire AWS Organization using a Lambda function. To compare the two approaches, read Continuously Scan with an AWS Integration.

Requirements

  • A Mondoo account with Editor or Owner permissions for the space in which you want to add the integration

  • An AWS account with permission to create IAM roles and (for WIF) IAM identity providers

Set up authentication

Mondoo supports two ways to authenticate with AWS for continuous scanning:

  • Workload Identity Federation (WIF) eliminates the need to store and rotate access keys. Mondoo authenticates to AWS using short-lived OIDC tokens that AWS STS exchanges for temporary credentials through an IAM role. This is the recommended approach.

  • Access key uses a static IAM user access key and secret. This is simpler to set up but requires you to securely store and regularly rotate the key.

Authenticate with Workload Identity Federation

With WIF, Mondoo acts as an OIDC identity provider. When it's time to scan, Mondoo issues a short-lived OIDC token and presents it to AWS STS through the AssumeRoleWithWebIdentity action. AWS validates the token against Mondoo's public signing keys (fetched from Mondoo's OIDC discovery endpoint), then issues temporary credentials for an IAM role that Mondoo assumes to read resources from your account. No static keys are stored or transmitted.

Setting up WIF is a three-phase process. You create an IAM role that trusts Mondoo as an OIDC provider, create the integration in Mondoo to get a unique subject identifier, and then return to AWS to lock the IAM role down to that exact subject.

Step 1: Add Mondoo as an IAM OIDC identity provider

Register Mondoo as a trusted OpenID Connect identity provider in your AWS account. AWS fetches Mondoo's public signing keys from this provider to validate tokens.

  1. In the AWS Management Console, go to Identity and Access Management (IAM).

  2. In the left menu, select Identity providers.

  3. Select Add provider.

  4. For Provider type, select OpenID Connect.

  5. Set the Provider URL to the Mondoo STS endpoint for your environment:

    • Mondoo (US): https://sts.us.mondoo.com
    • Mondoo (EU): https://sts.eu.mondoo.com
    • Mondoo Edge: https://sts.edge.mondoo.com
    • Dedicated deployment: https://sts.mondoo.CUSTOMER.com

    To learn more about Mondoo's OIDC endpoints, read Mondoo as an OIDC identity provider.

  6. Set the Audience to mondoo.

  7. Select Get thumbprint and then select Add provider.

Step 2: Create an IAM role for Mondoo to assume

Create an IAM role that trusts the Mondoo OIDC provider and has read-only access to your AWS account. At this point you cannot yet pin the trust policy to a specific integration subject, so you configure it with a placeholder and tighten it in Step 5.

  1. In the IAM console, select Roles and then select Create role.

  2. For Trusted entity type, select Web identity.

  3. For Identity provider, choose the Mondoo provider you created in Step 1 (for example, sts.example.mondoo.com).

  4. For Audience, choose mondoo.

  5. Select Next.

  6. Search for ReadOnlyAccess and check the box next to the policy named simply ReadOnlyAccess. Its ARN is arn:aws:iam::aws:policy/ReadOnlyAccess.

  7. Select Next. Give the role a name (for example, MondooScan) and select Create role.

  8. Open the role you just created and note its ARN. It looks like arn:aws:iam::111122223333:role/MondooScan. You enter this value in Mondoo in the next step.

Step 3: Create the AWS integration in Mondoo

Note: Only team members with Editor or Owner access can perform this task.

  1. In a new browser window, access the Integrations > Add > AWS page in one of two ways:

    • New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then select AWS.

    • INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Near the top of the page, select AWS.

  2. Select SELECT MONDOO-HOSTED INTEGRATION.

  3. In the Choose an integration name box, type a recognizable name for this AWS account.

  4. Under Configure authentication, select Workload Identity Federation.

  5. In the Role ARN box, enter the ARN of the IAM role you created in Step 2 (for example, arn:aws:iam::111122223333:role/MondooScan).

  6. In the Audience box, enter mondoo. This must match the audience you configured on the IAM OIDC provider in Step 1.

  7. Select CREATE INTEGRATION.

Step 4: Copy the WIF subject value

After you create the integration, Mondoo computes a WIF subject value that uniquely identifies this integration. You need this value to authorize Mondoo in AWS.

  1. On the integration details page in the Mondoo Console, find the WifSubject field.

  2. Copy the subject value. It has the format INTEGRATION_ID@integrations.SPACE_ID, for example:

    ExampleIntegrationID@integrations.example-space-000000.spaces.iam.example.mondoo.app

The WIF subject is a computed, read-only value. Mondoo generates it automatically when you create the integration. You cannot set or change it.

Step 5: Pin the IAM role trust policy to the WIF subject

Return to AWS and edit the IAM role's trust policy so that only the specific Mondoo integration you just created can assume the role.

  1. In the IAM console, open the role you created in Step 2 (for example, MondooScan).

  2. Select the Trust relationships tab and then select Edit trust policy.

  3. Replace the trust policy with this document, substituting your own AWS account ID, Mondoo OIDC provider host, and the WIF subject value you copied in Step 4:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::111122223333:oidc-provider/sts.example.mondoo.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "sts.example.mondoo.com:sub": "ExampleIntegrationID@integrations.example-space-000000.spaces.iam.example.mondoo.app",
              "sts.example.mondoo.com:aud": "mondoo"
            }
          }
        }
      ]
    }

    Replace these placeholders:

    • 111122223333: your AWS account ID
    • sts.example.mondoo.com: the Mondoo STS host for your environment (without https://), in all three places it appears
    • ExampleIntegrationID...mondoo.app: the WIF subject value you copied in Step 4

  4. Select Update policy.

Step 6: Enable policies and verify the integration

  1. On the Recommended Policies page, enable the policies on which you want to base assessments of your AWS environment. To learn more, read Manage Policies.

  2. Return to the integration details page and wait for the first scan to complete. If the status changes to active, the setup is working correctly.

If the scan fails, double-check:

  • The Role ARN entered in Mondoo matches the IAM role exactly.
  • The audience value in Mondoo, on the IAM OIDC provider, and in the trust policy's :aud condition are all mondoo.
  • The :sub condition in the trust policy matches the WIF subject value from the integration details page exactly.
  • The IAM role has the ReadOnlyAccess policy attached.
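As an added example (not Mondoo's code and not an AWS tool), the following Python builds the Step 5 trust policy from the three placeholder values and checks an existing trust policy against the list above, so the role can be verified before the first scan rather than after it fails. `UNPINNED_POLICY` is a constructed policy that carries only the audience condition, the kind of placeholder trust left in place after Step 2; the function and variable names are this example's own.

```python
"""Build the pinned IAM trust policy from Step 5 and check an existing policy
against the troubleshooting list. Added example; not Mondoo's code."""
import json
import re

# Shape of the computed WIF subject: INTEGRATION_ID@integrations.SPACE_ID
SUBJECT_RE = re.compile(r"^[^@\s]+@integrations\.[^\s]+$")
ACTION = "sts:AssumeRoleWithWebIdentity"


def build_trust_policy(account_id: str, sts_host: str, subject: str,
                       audience: str = "mondoo") -> dict:
    """Return the Step 5 trust policy with the three placeholders filled in."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be 12 digits")
    if "://" in sts_host or "/" in sts_host:
        raise ValueError("sts_host is a bare host name, e.g. sts.us.mondoo.com")
    if not SUBJECT_RE.match(subject):
        raise ValueError("subject must look like INTEGRATION_ID@integrations.SPACE_ID")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{sts_host}"
            },
            "Action": ACTION,
            "Condition": {"StringEquals": {
                f"{sts_host}:sub": subject,
                f"{sts_host}:aud": audience,
            }},
        }],
    }


def check_trust_policy(policy: dict, account_id: str, sts_host: str,
                       subject: str, audience: str = "mondoo") -> list:
    """Return findings for every Allow statement that grants AssumeRoleWithWebIdentity.
    An empty list means the role is pinned to exactly one Mondoo integration."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{sts_host}"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    grants = 0
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if st.get("Effect") != "Allow" or not any(a in (ACTION, "sts:*", "*") for a in actions):
            continue
        grants += 1
        principal = st.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated != expected_principal:
            findings.append(f"statement {i}: Federated principal is {federated!r}, "
                            f"expected {expected_principal!r}")
        equals = st.get("Condition", {}).get("StringEquals", {})
        if equals.get(f"{sts_host}:sub") != subject:
            findings.append(f"statement {i}: {sts_host}:sub is not pinned to the WIF subject; "
                            "any integration issued by this provider could assume the role")
        if equals.get(f"{sts_host}:aud") != audience:
            findings.append(f"statement {i}: {sts_host}:aud must equal {audience!r}")
    if grants == 0:
        findings.append(f"no Allow statement grants {ACTION}")
    return findings


# Constructed unpinned policy: audience condition only, no subject condition.
UNPINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/sts.example.mondoo.com"},
        "Action": ACTION,
        "Condition": {"StringEquals": {"sts.example.mondoo.com:aud": "mondoo"}},
    }],
}

if __name__ == "__main__":
    args = ("111122223333", "sts.example.mondoo.com",
            "ExampleIntegrationID@integrations.example-space-000000.spaces.iam.example.mondoo.app")
    print(json.dumps(build_trust_policy(*args), indent=2))
    for finding in check_trust_policy(UNPINNED_POLICY, *args):
        print("finding:", finding)
```

To check a live role, feed `check_trust_policy` the document that `aws iam get-role --role-name MondooScan` returns under `Role.AssumeRolePolicyDocument`, together with the values shown on the integration details page.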

Authenticate with an access key

Step 1: Create an AWS user and access key for Mondoo

To give Mondoo the access it needs to continuously scan your AWS account, create an AWS user and access key. You give the key and its secret to Mondoo, which securely stores them. To learn about AWS access keys, read Managing access keys for IAM users in the AWS documentation.

  1. In the AWS access portal for the account you want to integrate with Mondoo, go to Identity and Access Management (IAM).

  2. In the left menu, select Users.

  3. Select the Create user button.

  4. Enter the user name Mondoo and select the Next button.

  5. Select Attach policies directly.

  6. Search for ReadOnlyAccess and check the box next to the policy named simply ReadOnlyAccess. The ARN for this policy is arn:aws:iam::aws:policy/ReadOnlyAccess.

  7. Select the Next button and then select the Create User button.

  8. In the success confirmation message, select the View user button.

  9. Select the Security Credentials tab.

  10. Under Access Keys, select the Create access key button.

  11. Select Third-party service, check the I understand the above recommendation and want to proceed to create an access key box, and select the Next button.

  12. Enter a description for the key and select the Create access key button.

  13. Keep the page with the key open in your browser as you continue to the next steps.

Step 2: Set up a new AWS integration

Note: Only team members with Editor or Owner access can perform this task.

  1. In a new browser window, access the Integrations > Add > AWS page in one of two ways:

    • New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then select AWS.

    • INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Near the top of the page, select AWS.

  2. Select SELECT MONDOO-HOSTED INTEGRATION.

  3. In the Choose an integration name box, type a recognizable name for this AWS asset.

  4. Under Configure authentication, select Access Key.

  5. Access the AWS IAM tab in your browser that shows the access keys you created in the steps above. Copy the Access key value.

  6. In the Mondoo Console tab in your browser, under Enter authentication details, paste the value in the Access Key ID box.

  7. In the AWS IAM tab in your browser, copy the Secret access key value.

  8. In the Mondoo Console tab in your browser, under Enter authentication details, paste the value in the AWS secret access key box.

  9. Select the START SCANNING button.
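Because a static access key has to be rotated by hand, the following added Python example (not Mondoo's code) reads the JSON that `aws iam list-access-keys --user-name Mondoo` prints and reports keys past a rotation age, plus the case where an old key was left active after a new one was issued. The sample output is constructed, the 90-day threshold is an assumption to replace with your own standard, and the function names are this example's own.

```python
"""Flag access keys on the Mondoo IAM user that are due for rotation.
Added example; not Mondoo's code."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `aws iam list-access-keys --user-name Mondoo`
# output. Key IDs and dates are placeholders, not real credentials.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "Mondoo", "AccessKeyId": "AKIAEXAMPLEKEY000001",
         "Status": "Active", "CreateDate": "2024-01-15T09:30:00+00:00"},
        {"UserName": "Mondoo", "AccessKeyId": "AKIAEXAMPLEKEY000002",
         "Status": "Active", "CreateDate": "2024-08-20T12:00:00Z"},
    ]
})

# Assumed rotation interval; use the one your own standard requires.
MAX_KEY_AGE_DAYS = 90


def parse_time(value: str) -> datetime:
    """Parse an ISO 8601 timestamp from CLI or boto3 output; accepts +00:00 and Z."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def key_age_days(create_date: str, now: datetime) -> int:
    """Whole days since the key was created."""
    return (now - parse_time(create_date)).days


def keys_due_for_rotation(list_output: str, now: datetime,
                          max_age_days: int = MAX_KEY_AGE_DAYS) -> list:
    """Return one finding per problem: an active key older than max_age_days, and
    a user that still has more than one active key (the old one was never retired)."""
    keys = json.loads(list_output)["AccessKeyMetadata"]
    active = [k for k in keys if k["Status"] == "Active"]
    findings = []
    for k in active:
        age = key_age_days(k["CreateDate"], now)
        if age > max_age_days:
            findings.append({"UserName": k["UserName"], "AccessKeyId": k["AccessKeyId"],
                             "AgeDays": age,
                             "Reason": f"active key older than {max_age_days} days"})
    if len(active) > 1:
        findings.append({"UserName": active[0]["UserName"], "AccessKeyId": None,
                         "AgeDays": None,
                         "Reason": f"{len(active)} active keys; deactivate the old key "
                                   "once the Mondoo integration uses the new one"})
    return findings


if __name__ == "__main__":
    for finding in keys_due_for_rotation(SAMPLE_LIST_ACCESS_KEYS, datetime.now(timezone.utc)):
        print(finding)
```

When rotating, create the new key, update it in the integration's authentication details, confirm a scan succeeds, and only then deactivate and delete the old key; the second finding above catches the case where that last step was skipped.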

Manage an AWS integration

You can view the status of an AWS integration, change its configuration options, and more on its integration page.

Note: Only team members with Editor or Owner access can perform this task.

To access an existing integration:

  1. In the Mondoo Console, navigate to the space containing the integration.

  2. In the side navigation bar, under Integrations, select AWS.

  3. Select the integration you want to view or manage.

View an integration's status

Mondoo shows the status at the top of the integration page, beside the integration name.

These are the possible statuses for an AWS integration:

  • configuring: Mondoo is sending the scan configuration options to the integration and the integration is saving those options.
  • active: The integration is active and healthy.
  • error: Mondoo detected an error during installation.
  • missing: Mondoo hasn't received a check-in from the Lambda function for over an hour.
  • deleted: CloudFormation for the integration has been deleted.

Ping an integration

At the top of the integration page, below the integration name, Mondoo shows the time of the last ping.

To ping the integration now, select the ping icon (a heartbeat to the left of the SCAN NOW button).

Request a fresh scan

Note: Only team members with Editor or Owner access can perform this task.

To see fresh scan results, select the SCAN NOW button. Mondoo retrieves new scan results as soon as possible.

Enable and disable policies for an AWS integration

The RECOMMENDED POLICIES tab on the integration page lists policies that can help you protect your AWS environment. It shows which policies are enabled and disabled.

Use the toggle on the right side of each policy's row to enable or disable the policy.

Note: Only team members with Editor or Owner access can perform this task.

To learn more about policies, read Policy as Code.

Remove an integration

Note: Only team members with Editor or Owner access can perform this task.

To remove an integration, select the Remove (trash can) icon at the top of the integration page.

A notification displays with a link to the CloudFormation Stacks list in the AWS console. Select the link and, in the AWS console, delete the stack. This removes the configured integration from Mondoo Platform and deletes the rule allowing the Mondoo AWS account to send events to the target account.
