Scan AWS Accounts and EC2 Instances from a Workstation
Use cnspec, Mondoo's CLI security tool, to scan AWS accounts and EC2 instances remotely from your workstation. These fast, on-demand assessments are independent from any native AWS integrations that run continuously within your account.
You can:
- Remotely scan an AWS account using the AWS CLI config
or
- Perform agentless scans of EC2 instances using EC2 Instance Connect, SSH, or snapshot scanning
Remotely scan AWS accounts
cnspec can remotely scan AWS accounts using the configuration and credentials from the AWS CLI on your workstation, which is typically located in ~/.aws/credentials. Before you can scan an AWS account, you must have the AWS CLI installed and configured with credentials for the accounts you want to scan.
Set up AWS credentials
To ensure your AWS credentials are set up properly so you can scan from your workstation, run this command from a terminal:
cat ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoDYXdzEJr...<remainder of session token>
If you want to use a specific profile, set AWS_PROFILE
export AWS_PROFILE=PROFILENAME
For PROFILENAME, substitute the name of the profile to use.
Permissions required to scan an AWS account
cnspec requires read-only access to assess the configuration of the services and resources within an AWS account. It uses the credentials for the awscli to authenticate with the AWS API. So it inherits the permissions granted to your AWS access keys.
Amazon provides the ReadOnlyAccess IAM profile, which grants read-only access to all AWS Services.
Scan an AWS account with cnspec
To scan an AWS account remotely with cnspec, enter this command in a terminal:
cnspec scan aws
cnspec scans the account using any AWS policies you have enabled in your Mondoo account. It prints the results to STDOUT on the command line. It also sends the results to Mondoo Platform, which generates a report for each policy executed against the account.
Manage multiple AWS profiles
If you manage multiple AWS configurations in your credentials file, you can set the AWS_PROFILE environment variable to specify which profile to use for each scan. For example, this credentials file has two configurations:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[aws-dev-account]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
When you run a scan, you specify which profile to use:
export AWS_PROFILE=PROFILENAME
cnspec scan aws
For PROFILENAME, substitute the name of the profile to use.
Incognito mode
cnspec provides an --incognito mode, which lets you scan your AWS account against a specific policy without sending the results back to Mondoo Platform. This can be helpful for assessing how an account will score against a policy before enabling it.
To scan an AWS account using incognito mode, enter this command in a terminal:
cnspec scan aws --incognito
Perform agentless scans of EC2 instances
cnspec supports remote scanning of EC2 instances without installing an agent on the instance. This lets you assess your instances on demand. You must have remote connectivity to instances, either through SSH or EC2 Instance Connect.
Scan an EC2 instance using EC2 Instance Connect
cnspec lets you remotely scan EC2 instances using EC2 Instance Connect:
- Open a terminal.
- Set the
AWS_REGIONenvironment variable where the instance is running. - Run:
cnspec scan aws ec2 instance-connect USER@HOST
| For... | Substitute... |
|---|---|
| USER | Your user name for the AWS account |
| HOST | The instance's public IP address or DNS |
To learn about configuring EC2 instances with EC2 Instance Connect, read Connect to your Linux instance using EC2 Instance Connect in the AWS documentation.
Scan an EC2 instance using SSH
cnspec lets you remotely scan EC2 instances using SSH:
cnspec scan aws ec2 instance-connect USER@HOST --identity-file PATH
| For... | Substitute... |
|---|---|
| USER | Your user name for the AWS account |
| HOST | The instance's public IP address or DNS |
| PATH | The path to the SSH key file |
To learn how to retrieve credentials from a secrets manager (such as AWS Secrets Manager or SSM Parameter Store), read Secrets Management.
Learn more
| To learn about... | Read... |
|---|---|
| Scanning with AWS SSM | Scan Using AWS Systems Manager |
| Snapshot scanning | Scan an EBS Snapshot |
| Continuous AWS scanning | Continuously Scan AWS |
| cnspec | The cnspec documentation |