This guide covers how to run security assessments of an AWS account from a local workstation. This includes accessing reports generated from security scans in Mondoo Platform, analyzing scan results, and configuring additional Mondoo security policies.
Join us in the Mondoo Community Slack channel if you run into any issues. We are here to help!
Before you begin, you should have the following:
- A Mondoo Platform account and Mondoo Client set up and configured
- An AWS account
- The AWS CLI installed
- Your AWS credentials. You can create a new Access Key on this page.
Configure the AWS CLI from your terminal by running aws configure. Follow the prompts to enter your AWS Access Key ID and Secret Access Key. The configuration process stores your credentials in a file at ~/.aws/credentials on macOS and Linux, or %UserProfile%\.aws\credentials on Windows.
Mondoo Client provides the mondoo scan command to run policies against your assets. When run by itself, mondoo scan executes policies against the local environment. Additionally, the -t flag can be used to target remote assets such as k8s, and more.
Mondoo Client provides a --help flag that describes its various functionality. For instance, mondoo scan --help provides detailed information on using Mondoo Client to scan various assets.
When you execute the command mondoo scan aws, Mondoo Client authenticates with Mondoo Platform to find the policies configured for AWS in your account. After syncing policies, Mondoo Client authenticates against the AWS API using the credentials configured for the AWS CLI, and executes the policies against your account.
If you use multiple AWS profiles, you can configure Mondoo Client to use any of them by running export AWS_PROFILE=<profile-name> in your terminal.
Validate Mondoo Client installation and configuration
Before scanning AWS, open a terminal shell and run mondoo status to validate that Mondoo Client is configured correctly with Mondoo Platform.
Run a scan from your workstation
To scan your AWS account, open a terminal and run the following command:
mondoo scan aws
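As an added example (not part of Mondoo's documentation), the following POSIX shell script extends the AWS_PROFILE approach described earlier to scan every profile listed in the AWS CLI credentials file, running mondoo status once before any scan. The credentials-file argument, the MONDOO_BIN override, and passing cat as the value of the --pager flag are assumptions for illustration, not documented Mondoo behaviour.

```shell
#!/bin/sh
# Added example: one "mondoo scan aws" run per AWS profile, selected via
# AWS_PROFILE. Assumptions (not from the Mondoo docs): the credentials file
# uses "[name]" section headers as the AWS CLI writes them; MONDOO_BIN is a
# hypothetical override for the binary path; "--pager cat" assumes --pager
# accepts a pager command, so output can be redirected to a file.
set -eu

# Print the profile names in an AWS CLI credentials file, one per line.
# Only section headers such as "[default]" or "[prod-readonly]" match;
# key/value lines are ignored. Profile names with whitespace are unsupported.
list_aws_profiles() {
  creds_file="${1:-$HOME/.aws/credentials}"
  if [ ! -r "$creds_file" ]; then
    echo "credentials file not readable: $creds_file" >&2
    return 1
  fi
  sed -n 's/^[[:space:]]*\[\([^]]*\)][[:space:]]*$/\1/p' "$creds_file"
}

# Validate Mondoo Client once, then scan the account behind each profile.
# Each profile's results go to mondoo-aws-<profile>.txt in the current
# directory. Returns non-zero if any scan failed, but keeps going so one
# broken profile does not hide the results from the others.
scan_all_profiles() {
  creds_file="${1:-$HOME/.aws/credentials}"
  mondoo_bin="${MONDOO_BIN:-mondoo}"
  rc=0
  profiles=$(list_aws_profiles "$creds_file") || return 1
  # Same pre-flight check the guide recommends before scanning.
  "$mondoo_bin" status >/dev/null || return 1
  for profile in $profiles; do
    echo "==> scanning AWS profile: $profile"
    if AWS_PROFILE="$profile" "$mondoo_bin" scan aws --pager cat \
         > "mondoo-aws-$profile.txt" 2>&1; then
      echo "    results written to mondoo-aws-$profile.txt"
    else
      echo "    scan failed for $profile (see mondoo-aws-$profile.txt)" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Run only when executed directly: ./scan-all-aws-profiles.sh [credentials-file]
case "${0##*/}" in
  scan-all-aws-profiles.sh) scan_all_profiles "$@" ;;
esac
```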
Scan results - Mondoo Client
After the scan completes, the results from the scan are returned to STDOUT in the default pager. In your terminal you can scroll up and down using the up and down arrows, or the
Once you have finished reviewing the results, you can hit the q key to exit the pager.
The default pager for mondoo scan results is less -R, but you can choose another using the --pager flag. You can also disable this functionality with
The scan results are also sent back to Mondoo Platform.
Asset scoring - Mondoo Platform
The results from the scan are sent back to Mondoo Platform where an asset score is generated. You can find all of the results by selecting FLEET in Mondoo Platform.
Click anywhere on the results to view more details about the policies that ran against the AWS account.
This page provides an overview of any policies that ran against the AWS account, and the score for those policies.
At this point we can see that the only policy that ran is AWS by Mondoo, which contains recommendations based on the AWS Operational Best Practices conformance packs from AWS.
Results from individual checks
Selecting any policy takes you to the details for the policy as well as the results for each of the individual checks that were executed. Each check shows one of the following in the status column:
- PASS - The check passed
- FAIL - The check failed
- ERROR - An error occurred when executing the check
Details for individual checks
Selecting any individual check will provide more details about that check.
The Query box shows the MQL query that was executed to assess the configuration of the specific resource.
The Result box contains the results from the query.
The Description provides a description and rationale for the check.
The Audit provides a method for auditing.
The Remediation provides any remediation steps.
Enable an additional policy
When you navigate to the POLICY HUB, you will see a list of all of the policies that are enabled in that space. A new space comes with a default list of policies enabled.
To enable additional policies:
- Log in to Mondoo Platform
- Navigate to the POLICY HUB.
- Select the ADD POLICY button to view all the available policies.
- Locate the policy or policies you want to enable, either by scrolling through the list of available policies or by using the Filter search box.
- Check the box next to any policy, and then select the ENABLE button.
Any changes will take effect immediately. Assets registered to the space will automatically run applicable policies on their next scan.
Run another scan
Switch back to your terminal and run another scan.
mondoo scan aws
After the scan completes, the results for each of the two policies are returned to STDOUT along with an aggregated score for both policies. The same results are also sent back to Mondoo Platform.
Back in Mondoo Platform, select FLEET and locate the AWS account you just scanned. Select that account to see the updated score.
You may need to select the refresh button at the top of the console to see the updated score; you can also refresh your browser.
When multiple policies are executed against an asset, each policy receives a graded score based on the total checks and their results. After all of the individual policies are scored, an overall aggregated score is calculated from the score of all of the policies.
In the example above, the first policy executed, AWS Baseline by Mondoo, received a C. The second policy, Amazon Web Services (AWS) Operational Best Practices For S3, received an F. This lowered the aggregate score for the AWS account from a C to a D.
In this tutorial, we covered how you can scan AWS accounts directly from your workstation by leveraging the credentials from the AWS CLI.
We also covered the basics of Mondoo policies, including how they are scored when executed against your assets and how aggregate scores are calculated when you enable additional policies against your assets.