AWS Serverless Integration FAQ
What does Mondoo scan?
Mondoo analyzes the configuration of the account settings. It discovers resources (EC2 instances, S3 buckets, RDS instances, etc) across all regions and assesses their configuration according to which policies have been enabled.
How does the serverless Mondoo AWS integration work?
With the serverless approach to integrating with AWS, Mondoo never has credentials to your AWS account.
We install a Lambda function in your AWS account via the CloudFormation template, and communicate with that Lambda function over AWS EventBridge. The Lambda function communicates with Mondoo using service credentials stored in the SSM Parameter Store.
Why does the serverless Mondoo integration need to create resources in my AWS account?
The resources created in your AWS account are used to run and schedule configuration and EC2 instance scans. Those resources are low-cost, limited to a Lambda function, SNS topic, SQS Queues, some IAM roles, EventBridge rules, and SSM parameters. If using the EBS volume scanning feature, an Autoscaling Group and launch template will also be created.
How can I see what resources Mondoo has created in my AWS account?
All resources created by the Mondoo AWS Integration have the Created By: Mondoo
tag. The IAM role attached to the Lambda function lets the integration delete EC2 resources only if they have the Created By: Mondoo
tag.
For information about AWS tags, read Tagging your AWS resources in the AWS documentation.
How does the serverless integration communicate from my AWS account to Mondoo Platform?
On CloudFormation stack creation, a short-lived token is exchanged for Mondoo credentials. Those credentials are stored in the SSM Parameter store and used by the Lambda function and SSM instances in the AWS account to communicate with Mondoo Platform over HTTPS.
Should I choose to integrate an organization or an account?
If you've set up your AWS organization according to AWS standard practices, create an organization integration for ease of use.
Before deploying, check the configuration of your AWS organization as described in Requirements for deploying the Mondoo StackSet at the organization level.
What information leaves my AWS Account?
Scan report results only.
What information will Mondoo store about my AWS resources?
Mondoo Platform stores the latest report for all scanned assets in the AWS account as well as the total counts of various resources in the AWS account.
Is the communication channel between Mondoo and my AWS account secure?
Yes. Mondoo communicates with your AWS account using AWS EventBridge. The Eventbus policy and rule are created as part of the CloudFormation stack.
What permissions do the resources created by Mondoo request?
This JSON file informs the Mondoo AWS integration and contains all the required permissions.
How do I update to the latest Lambda version?
The Lambda function updates itself every 24 hours. It updates the AWS CloudFormation stack and the Lambda function code to the latest available from the Mondoo S3 bucket.
There is a safeguard in place to ensure that the Lambda function only updates itself to the expected build: When new versions of the Lambda function and CloudFormation JSON files are uploaded to S3 during the release process, the SHA-256 of those files is recorded and stored in a place accessible to the Mondoo Platform.
Every time the Lambda function updates, it first reads the SHA-256 of each file in the target S3 bucket and compares that to the expected (stored) hash. If the SHA-256 doesn't match, the Lambda doesn't update. Mondoo support receives an alert when this occurs.
What happens if I delete the CloudFormation stack?
When the CloudFormation stack is deleted, the Lambda function receives a notification and immediately deletes all AWS resources created by Mondoo. Mondoo displays the integration status as deleted. No data is lost in Mondoo Platform. A CloudFormation stack can be deleted and recreated multiple times.
How much does operating the serverless Mondoo AWS integration cost?
Most of the costs associated with the serverless Mondoo AWS integration fall into the AWS Free Tier category. Over the course of a month, an example AWS integration incurred this resource usage:
- CloudWatch PutLogs: 1GB (First 5GB per month of log data ingested is free)
- CloudWatch TimedStorage: 0.16GB (First 5GB-mo per month of logs storage is free)
- CloudWatch Events: 8,000 64k chunk events ($1.00 per million EventBridge custom events received)
- Lambda-GB-Seconds: 76,000 seconds (Compute Free Tier - 400,000 GB-Seconds)
- Lambda Request: 11,000 requests (Requests Free Tier - 1,000,000 Requests)
- SNS HTTP: 2,000 notifications (First 100,000 Amazon SNS HTTP/HTTPS Notifications per month are free)
- SNS requests: 3,000 requests (First 1,000,000 Amazon SNS API Requests per month are free)
- SQS requests: 626,000 requests (First 1,000,000 Amazon SQS Requests per month are free)
- Simple Storage Service--Tier1: 257 requests ($0.00 per request - PUT, COPY, POST, or LIST requests under the monthly global Free Tier)
- Simple Storage Service--Tier2: 41 requests ($0.00 per request - GET and all other requests under the monthly global Free Tier)
What do you about rate limiting?
We spread out scan jobs to prevent too many calls to the EC2 and SSM APIs. If the Lambda function encounters a rate-limiting error, it automatically pauses all scan jobs for 15 minutes.
Can I see what runs?
The AWS CloudFormation JSON and Lambda zip are available as part of the Mondoo S3 bucket:
- Mondoo StackSet CloudFormation (applies only to AWS Organization-level installations)
- Mondoo Stack CloudFormation (applies only to single-account installations)
- Nested Stack CloudFormation (applies only to single-account installations)
- Lambda Zip