Continuously Scan AWS - Serverless Integration
The Mondoo serverless AWS integration enables continuous cron-scheduled and event-based scanning of your AWS account or Organization.
To learn about how an integration runs and its required permissions, read AWS Integration FAQ.
Mondoo also offers a Mondoo-hosted method for assessing AWS security. It requires no agent in AWS and is easier to set up. To compare the two approaches, read Continuously Scan with an AWS Integration.
Integrate with an entire organization or single account
The serverless Mondoo AWS integration supports scanning multiple AWS accounts. To do this, you install Mondoo across an AWS Organization using CloudFormation StackSets. All scan configuration options you choose apply to every AWS account in the AWS Organization.
Before creating a serverless Mondoo deployment on an AWS Organization, be sure the configuration of your AWS Organization meets the requirements.
You can also opt to scan a single AWS account only. Single account integrations rely on CloudFormation stacks.
When you deploy an integration with Mondoo using a StackSet on the organizational level, the StackSet only creates an integration of the target accounts.
The administrator account in which the StackSet for the target accounts resides needs its own separate single account integration.
This follows the architectural concepts of AWS StackSets.
Set up a new AWS integration
Only team members with Editor or Owner access can perform this task.
-
Access the Integrations > Add > AWS page in one of two ways:
-
New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then select AWS.
-
INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Near the top of the page, select AWS.
-
-
Select the SELECT SERVERLESS INTEGRATION button.
-
Give the new integration a name that is easy to recognize as an AWS integration and differentiates it from any other AWS integrations.
-
Select the type of integration:
Option Description Organization install Integrate Mondoo with an entire AWS Organization. Single account install Integrate Mondoo with a single AWS account. -
Select the region in which you want to deploy the integration.
-
Choose whether to use the region's default virtual private cloud (VPC) or to create a new VPC dedicated for Mondoo's use.
-
If you select AWS default VPC, be sure the selected region has a default VPC. Every VPCs created after 2013 has a default VPC unless it's been deleted. To check in the AWS console, choose the region, go to the VPC service, and select VPCs.
-
If you select Mondoo-created VPC, in the Configure CIDR box, specify an IPv4 address range for the VPC that Mondoo creates. To learn more, read VPC CIDR blocks in the AWS documentation.
-
-
In the Schedule full scan box, set the interval (in hours) at which to execute a full scan of the AWS account, independent of change events. The default is 12 hours.
-
Set the EC2 options:
Option Description Discover EC2 instances Include EC2 instances in asset discovery. By default, this applies across all regions. Trigger on instance state change events Trigger a scan of all EC2 instances whenever an instance changes state. Use SSM for instance connectivity Use the AWS SSM service to trigger scans for EC2 instances (when it's available). Use EC2 Instance Connect for instance connectivity If an EC2 instance has a public IP, connect using EC2 Instance Connect. Use EBS volume scanning for instance connectivity Use EBS volume scanning to scan the filesystems of instances that Mondoo otherwise can't reach. This includes stopped instances. -
If desired, limit the resources that Mondoo scans:
For each filtering option, you can either:
- Scan only the resources that match your allow list
OR
- Scan all resources except those that match your deny list
Choose any combination of filters:
-
Enable Filter by instance IDs to limit EC2 instance scanning to a subset of IDs or to scan all EC2 instances except specified IDs. This setting does not affect scanning of other types of resources. Enter each ID on a new line. For example:
i-0d1f840578ca82600
i-07ae83fe5d22600a -
Enable Filter by regions to limit scanning to a subset of regions or to scan all resources except those in the region specified. Enter each region on a new line. For example:
eu-east-1
us-east-2 -
Enable Filter by tags to limit scanning to resources that have a subset of tags or to scan all resources except those with the specified tags. Enter tags using the format
key:value. To allow or deny multiple values of the same tag key, separate them with commas. Enter each tag on a new line. For example:Name:test
env:test
Environment:stage,test,qa,edge
-
Specify whether you want to scan containers and container images:
| Option | Description |
|---|---|
| Discover and scan ECS containers | Discover AWS Fargate containers and scan them using ECS Exec. |
| Discover and scan container images | Discover container images and scan them for security misconfigurations. |
- Select the START SCANNING button.
- Follow the instructions to launch the AWS CloudFormation stack (for an account) or StackSet (for an Organization).
Selecting START SCANNING does not finalize the integration between Mondoo and AWS. You must launch the AWS CloudFormation stack or StackSet to complete the setup.
Manage an AWS integration
You can view the status of an AWS integration, change its configuration options, and more on its integration page.
Only team members with Editor or Owner access can perform this task.
To access an existing integration:
-
In the Mondoo Console, navigate to the space containing the integration.
-
In the side navigation bar, under Integrations, select AWS.
-
Select the integration you want to view or manage.
View an integration's status
Mondoo shows the status at the top of the integration page, beside the integration name.
Ping an integration
At the top of the integration page, below the integration name, Mondoo shows the time of the last ping.
To ping the integration now, select the ping icon (a heartbeat to the left of the SCAN NOW button).
Request a fresh scan
To see fresh scan results, select the SCAN NOW button. Mondoo retrieves new scan results as soon as possible.
Stop all running scans
Only team members with Editor or Owner access can perform this task.
To stop all currently running AWS scans, on the ellipsis menu of the integration page, select Cancel Scans.
Enable and disable policies for an AWS integration
The RECOMMENDED POLICIES tab on the integration page lists policies that can help you protect your AWS environment. It shows which policies are enabled and disabled.
Only team members with Editor or Owner access can perform this task.
Use the toggle on the right side of each policy's row to enable or disable the policy.
To learn more about policies, read Policy as Code.
Reconfigure an AWS integration
Only team members with Editor or Owner access can perform this task.
The CONFIGURATION tab on the integration page shows the current settings and lets you make changes.
To learn about individual settings, read the Set up a new AWS integration section above.
Remove an integration
Only team members with Editor or Owner access can perform this task.
To remove an integration, select the Remove (trash can) icon at the top of the integration page.
A notification displays with a link to the CloudFormation Stacks list in the AWS console. Select the link and, in the AWS console, delete the stack. This removes the configured integration from Mondoo Platform and deletes the rule allowing the Mondoo AWS account to send events to the target account.