AWS Serverless Integration FAQ
Understand how the Mondoo serverless AWS integration works, including resources created, required permissions, communication, and cost.
What does Mondoo scan?
Mondoo discovers resources across all AWS regions (EC2, S3, RDS, and more) and assesses their configuration against the policies you enable.
How does the serverless integration work?
Mondoo never holds credentials for your AWS account. A CloudFormation template installs a Lambda function in your account, and Mondoo communicates with it over AWS EventBridge. The Lambda authenticates to Mondoo using service credentials stored in the SSM Parameter Store.
Why does Mondoo need to create resources in my AWS account?
To run and schedule scans. The resources are low-cost: a Lambda function, an SNS topic, SQS queues, IAM roles, EventBridge rules, and SSM parameters. EBS volume scanning also adds an Auto Scaling group and a launch template.
Every resource Mondoo creates is tagged Created By: Mondoo. The Lambda's IAM role can only delete EC2 resources that carry this tag.
For background, see Tagging your AWS resources in the AWS documentation.
How do AWS and Mondoo communicate?
When the CloudFormation stack is created, AWS exchanges a short-lived token for Mondoo service credentials. Those credentials live in the SSM Parameter Store and are used by the Lambda and SSM-managed instances to call Mondoo Platform over HTTPS.
The Mondoo side uses AWS EventBridge cross-account routing. The event bus policy and rule are created by the CloudFormation stack.
What information leaves my AWS account?
Scan report results only. Mondoo Platform stores the latest report for every scanned asset, plus counts of various resources in the account.
What permissions does the integration request?
The full permission set is in the Mondoo serverless integration JSON.
Should I integrate an organization or a single account?
If your AWS Organization follows AWS standard practices, choose an organization integration. Before deploying, check the organization StackSet requirements.
How does the Lambda update itself?
The Lambda checks for updates every 24 hours and applies them automatically from Mondoo's S3 bucket. As a safeguard, Mondoo records the SHA-256 of each released file; the Lambda will refuse to update if the hash in S3 doesn't match the expected hash, and Mondoo support is alerted.
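As an added illustration of the hash safeguard described above (example code, not Mondoo's Lambda), the check below pins a fetched release artifact to an expected SHA-256, installs it only on a match, and otherwise refuses the update and raises an alert. The artifact bytes are constructed, and the `install` and `alert` hooks are hypothetical stand-ins for unpacking the bundle and notifying support.

```python
import hashlib
import hmac

# Constructed stand-ins for a release bundle and a tampered copy of it
# (not real Mondoo artifacts).
GOOD_ARTIFACT = b"PK\x03\x04 constructed lambda release bundle v1"
TAMPERED_ARTIFACT = b"PK\x03\x04 constructed lambda release bundle v1 + injected code"

# The hash a release process records at publish time; here computed
# from the constructed good bundle so the example is self-contained.
EXPECTED_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()


class UpdateRejected(Exception):
    """The fetched artifact does not match the pinned SHA-256; do not install it."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(artifact: bytes, expected_sha256: str) -> str:
    """Return the artifact's hex digest if it matches the pinned value, else raise."""
    actual = sha256_hex(artifact)
    # Constant-time comparison; hex case is normalised first.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise UpdateRejected(f"sha256 mismatch: expected {expected_sha256}, got {actual}")
    return actual


def apply_update(fetched: bytes, expected_sha256: str, install, alert) -> bool:
    """Install the fetched bundle only after its hash checks out.

    install(bytes) is a hypothetical hook that unpacks the bundle into the
    function; alert(str) is a hypothetical hook that notifies support.
    Returns True if installed, False if the update was refused.
    """
    try:
        verify_artifact(fetched, expected_sha256)
    except UpdateRejected as exc:
        alert(str(exc))   # keep running the current version and page support
        return False
    install(fetched)
    return True


if __name__ == "__main__":
    installed, alerts = [], []
    print(apply_update(GOOD_ARTIFACT, EXPECTED_SHA256, installed.append, alerts.append))
    print(apply_update(TAMPERED_ARTIFACT, EXPECTED_SHA256, installed.append, alerts.append))
    print(alerts)
```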
What happens if I delete the CloudFormation stack?
The Lambda is notified and immediately deletes every Mondoo-created resource in the account. The integration status becomes deleted in Mondoo. No data is lost on the Mondoo side, and the stack can be recreated at any time.
How much does it cost to run?
Most usage falls inside the AWS Free Tier. A representative monthly bill for one account looked like this (Free Tier limits shown for context):
- CloudWatch PutLogs: 1 GB (Free: first 5 GB ingested)
- CloudWatch TimedStorage: 0.16 GB (Free: first 5 GB-mo)
- CloudWatch Events: 8,000 events ($1.00 per million custom events)
- Lambda compute: 76,000 GB-seconds (Free: 400,000 GB-seconds)
- Lambda requests: 11,000 (Free: 1,000,000)
- SNS HTTP notifications: 2,000 (Free: 100,000)
- SNS API requests: 3,000 (Free: 1,000,000)
- SQS requests: 626,000 (Free: 1,000,000)
- S3 requests: ~300 total, all in Free Tier
How does Mondoo handle AWS API rate limits?
Scan jobs are spread out to avoid hammering the EC2 and SSM APIs. If the Lambda hits a rate-limit error, it pauses all scan jobs for 15 minutes.
Can I inspect what gets deployed?
Yes. The CloudFormation templates and Lambda zip are in Mondoo's public S3 bucket:
- Mondoo StackSet CloudFormation (organization installs)
- Mondoo root CloudFormation (single-account installs)
- Nested stack CloudFormation (single-account installs)
- Lambda zip