
Continuously Scan AWS - Serverless Integration

Deploy the Mondoo serverless AWS integration for continuous scanning of your AWS accounts and EC2 instances.

The Mondoo serverless AWS integration deploys a Lambda function into your AWS account to continuously scan an account or an entire AWS Organization, on a schedule and in response to AWS change events. All scan execution stays in your AWS account; no AWS credentials leave it.

Prefer a faster, agentless setup that scans a single account? See the Mondoo-hosted integration. To compare both options, read Continuously Scan with an AWS Integration.

For background on how the integration runs and what permissions it needs, see the AWS Serverless Integration FAQ.

Choose an install scope

You can install the serverless integration in either of two scopes:

  • Single account. Mondoo deploys a CloudFormation stack into one AWS account and scans that account.
  • AWS Organization. Mondoo uses a CloudFormation StackSet to install the integration into every account in the organization. Every account is scanned with the same configuration.

Check your AWS Organization first

Before deploying at the organization level, confirm your organization meets the StackSet requirements.

An organization StackSet only deploys into target accounts, not the management account itself. If you want to scan the management account too, add a separate single-account integration for it.

Scan many accounts from one hub

To scan many AWS accounts from a single hub account using a read-only cross-account IAM role (without deploying the Mondoo Lambda into every account), see Cross-Account Scanning.

Set up a new AWS integration

  1. In the Mondoo App, navigate to the space where you want to add the integration. In the side navigation bar, select Integrations. In the top right, select + INSTALL. On the integrations page, find AWS by browsing or searching by name, then select it.

  2. Select the Serverless tab.

    (Screenshot: Create a serverless AWS integration in Mondoo)

  3. Give the new integration a name that is easy to recognize as an AWS integration and differentiates it from any other AWS integrations.

  4. Select the type of integration. For a single account install, also enter the 12-digit AWS account ID where the Mondoo Lambda will run.

    • Single account install: Integrate Mondoo with a single AWS account.
    • Organization install: Use CloudFormation StackSets to install the AWS integration in your entire AWS Organization or organizational units.

  5. Select the installation options. This determines where to install the Mondoo integration; it does not determine which region to scan.

    • Select the region in which to deploy the Mondoo Lambda.

    • Select the VPC option Mondoo should use:

      • AWS default VPC: Use the selected region's default VPC. Every AWS region has a default VPC unless it's been deleted.
      • Mondoo-created VPC: Have Mondoo create a dedicated VPC. In the Configure CIDR box, specify an IPv4 address range. See VPC CIDR blocks in the AWS documentation.
      • Custom VPC: Use an existing VPC by specifying the AWS tag key and value applied to both the VPC and its subnets.

  6. In the Schedule full scan box, set the interval (in hours) at which to execute a full scan of the AWS account, independent of change events. The default is 12 hours.

  7. (Optional) Enable Cross-account scanning to scan additional AWS accounts from this hub by assuming an IAM role in each target account.

    (Screenshot: Configure cross-account scanning)

    For full setup, including the IAM role you must deploy in every target account, see Cross-Account Scanning.

  8. Set the EC2 options:

    (Screenshot: Mondoo serverless AWS integration EC2 options)

    • Discover EC2 instances: Include EC2 instances in asset discovery.
    • Use SSM for instance connectivity: Use the AWS SSM service to trigger scans on EC2 instances with an online SSM agent.
    • Use EC2 Instance Connect for instance connectivity: Use the AWS EC2 Instance Connect service to trigger scans on EC2 instances with public IPs.
    • Use EBS volume scanning for instance scanning: Use EBS volume scanning to perform filesystem scans of EC2 instances. No credentialed access required.

  9. Select the EC2 filtering options:

    (Screenshot: Mondoo serverless AWS EC2 filtering)

    For each filtering option, you can either:

    • Scan only the resources that match your allow list

    OR

    • Scan all resources except those that match your deny list

    Choose any combination of filters:

    • Enable Filter by instance IDs to limit EC2 instance scanning to a subset of IDs or to scan all EC2 instances except specified IDs. This setting does not affect scanning of other types of resources. Enter each ID on a new line. For example:

      i-0d1f840578ca82600
      i-07ae83fe5d22600a
    • Enable Filter by regions to limit scanning to a subset of regions or to scan all resources except those in the regions specified. Enter each region on a new line. For example:

      eu-west-1
      us-east-2
    • Enable Filter by tags to limit scanning to resources that have a subset of tags or to scan all resources except those with the specified tags. Enter tags using the format key:value. To allow or deny multiple values of the same tag key, separate them with commas. Enter each tag on a new line. For example:

      Name:test
      Env:test
      env:test,testing,qa,stage
  10. Select the ECS and ECR options:

    (Screenshot: Mondoo serverless AWS integration container options)

    • Discover and scan ECS containers: Discover AWS Fargate containers and scan them using ECS Exec.
    • Discover and scan container images: Include ECR images in asset discovery.

  11. Select the START SCANNING button.

    (Screenshot: Create an AWS integration and launch CloudFormation)

  12. Follow the instructions to launch the AWS CloudFormation stack (for an account) or StackSet (for an Organization).

IMPORTANT

Selecting START SCANNING does not finalize the integration between Mondoo and AWS. You must launch the AWS CloudFormation stack or StackSet to complete the setup.
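To make the allow and deny behaviour of the EC2 filters in step 9 concrete, here is an added Python model of the three filter boxes applied to a constructed inventory; this is example code, not Mondoo's implementation. It assumes that enabled filters combine with AND (an instance must pass every enabled filter) and that a tag entry with several comma-separated values matches any one of them.

```python
# EC2 filter model for step 9 (added example, not Mondoo code).

def parse_lines(text: str) -> list[str]:
    """One entry per line; blank lines and surrounding whitespace are ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def parse_tag_filter(text: str) -> dict[str, set[str]]:
    """'env:test,qa' -> {'env': {'test', 'qa'}}; values for a repeated key merge."""
    tags: dict[str, set[str]] = {}
    for entry in parse_lines(text):
        key, _, values = entry.partition(":")
        tags.setdefault(key.strip(), set()).update(
            v.strip() for v in values.split(",") if v.strip())
    return tags

def matches_tags(instance_tags: dict[str, str], wanted: dict[str, set[str]]) -> bool:
    """True if any instance tag has a filtered key with one of its listed values.
    AWS tag keys are case-sensitive, so 'Env' and 'env' are distinct keys."""
    return any(instance_tags.get(key) in values for key, values in wanted.items())

def passes(mode: str, matched: bool) -> bool:
    """Allow lists keep only matches; deny lists drop them."""
    return matched if mode == "allow" else not matched

def should_scan(instance: dict, ids=("allow", ""), regions=("allow", ""),
                tags=("allow", "")) -> bool:
    """Each filter is a (mode, text) pair; empty text disables it. Assumption:
    enabled filters combine with AND, so an instance must pass every one."""
    results = []
    if parse_lines(ids[1]):
        results.append(passes(ids[0], instance["id"] in parse_lines(ids[1])))
    if parse_lines(regions[1]):
        results.append(passes(regions[0], instance["region"] in parse_lines(regions[1])))
    if parse_lines(tags[1]):
        wanted = parse_tag_filter(tags[1])
        results.append(passes(tags[0], matches_tags(instance["tags"], wanted)))
    return all(results)

# Constructed sample inventory (not real instances), reusing the page's example values.
INSTANCES = [
    {"id": "i-0d1f840578ca82600", "region": "eu-west-1", "tags": {"Env": "test"}},
    {"id": "i-0aaaaaaaaaaaaaaaa", "region": "us-east-2", "tags": {"env": "qa"}},
    {"id": "i-0bbbbbbbbbbbbbbbb", "region": "us-west-2", "tags": {"Name": "prod"}},
]

def scan_targets(instances, **filters) -> list[str]:
    """IDs that would be scanned under the given filters."""
    return [i["id"] for i in instances if should_scan(i, **filters)]
```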

Manage an AWS integration

To open an existing integration, navigate to the space, select Integrations > AWS in the side nav, and choose the integration.


Mondoo shows the integration status beside the integration name at the top of the page.

Request a fresh scan

Select RUN SCAN at the top of the integration page.

Reconfigure an integration

The CONFIGURATION tab shows the current settings.

(Screenshot: Reconfigure a Mondoo AWS integration)

To change settings, select the edit (pencil) icon at the top of the integration page. Setting descriptions are in Set up a new AWS integration above.

Remove an integration

Select the trash can icon at the top of the integration page. Mondoo displays a link to the CloudFormation Stacks list in the AWS console. Open the link and delete the stack. Deleting the stack removes the integration from Mondoo Platform and the EventBridge rule that allows Mondoo to communicate with the account.
