Advanced AWS Integration Details
This supplemental topic provides detailed information on how the Mondoo AWS integration works. It's not essential knowledge for using Mondoo.
What is an "account scan"?
When an AWS account is integrated with a space in Mondoo Platform, Mondoo performs a configuration assessment of the AWS account by analyzing the configuration of the account (IAM settings), and discovering resources (EC2 instances, S3 buckets, RDS instances, etc) across all regions. The configuration of discovered resources are assessed according to which policies have been ENABLED in the registry.
Account scan schedule
Scanning happens every 12 hours by default, but the scan interval is configurable by going to INTEGRATIONS -> select the AWS Account you want to configure -> CONFIGURATION, under the Account section..
Scan Now (Mondoo Platform)
Additionally, on-demand scans can be triggered in INTEGRATIONS section by selecting the integrated AWS account, selecting the Scan Now" button in the upper right corner of the integration details.
You can also scan an AWS account by running cnspec scan aws from any workstation on which cnspec is installed and configured. To learn more, read Scan AWS from your workstation.
What methods are used for EC2 scanning?
There are three different methods used by Mondoo for EC2 scanning:
Discovery
Mondoo starts by querying the AWS API to get a list of all the EC2 instances in the account, across all regions available to the account, and gathering basic information about the instances.
AWS Systems Manager (SSM)
When gathering information about the instances, the Lambda function checks whether the SSM agent is installed and has a ping with the status Online to indicate the instance is configured to be managed by SSM. In the configuration options for an integrated AWS Account, if the Activate SSM for Instance Connectivity is switched to On, Mondoo triggers a job on all Online instances to run an SSM document that downloads the latest version of cnspec, executes the cnspec scan command, and sends the results to Mondoo Platform. The integration also uses Mondoo Platform API credentials stored in SSM parameter store to authenticate with your Mondoo account, and send results. Once the scan completes, cnspec is completely uninstalled from the instance.
For more details about how to set up SSM machines in your AWS Account, see the ssm documentation
SSH
In order to facilitate the scanning of multiple instances over ssh connectivity, Mondoo has provided users with a way to match groups of instances to stored credentials. When Activate SSH for Instance Connectivity is set to true, an input box appears for the Vault Secret Query.
The Vault Secret Query leverages MQL to define a mapping between instance labels and credentials stores in AWS Secrets Manager or AWS SSM Parameter store. In the example above, any instance with a Name tag of ssh (in AWS) will be scanned using the credential stored in AWS Secrets Manager with arn arn:aws:secretsmanager:us-east-2:172746783610:secret:vj/secret-lHvP9r.
Note: this functionality is not restricted to the Name tag; it will work with any tag
EC2 snapshot scanning
EC2 snapshot scanning offers a way to scan Linux EC2 instances without SSH credentials or an SSM agent. With this option, Mondoo spins up an instance in the AWS account and uses that instance to scan the other instances in the account. This is done by triggering an SSM job on the scanner instance that creates a snapshot of the target instance volume, attaches it to the scanner instance, and performs a scan of the mounted filesystem.
EC2 snapshot scanning involves spinning up instances in an AutoScaling Group as well as one-off instances. It creates scanner instances named ebs-scanner in the same region as the target instances.
It cleans up the scanners shortly after completing all scans, and cleans up any created snapshots and volumes (that are more than twelve hours old) every 8 hours. All created resources have the Created By: Mondoo tag.
Be aware that EC2 snapshot scanning causes a slight increase on your AWS bill (for the EC2 and EBS services).
AWS tags
All resources created by the Mondoo AWS Integration have the Created By: Mondoo tag. The IAM role attached to the Lambda function lets the integration delete EC2 resources only if they have the Created By: Mondoo tag.
For information about AWS tags, read Tagging your AWS resources in the AWS documentation.