
Scan AWS from your workstation

Overview

This guide covers how to run security assessments of an AWS account from a local workstation. This includes accessing reports generated from security scans in Mondoo Platform, analyzing scan results, and configuring additional Mondoo security policies.

info

Need Help?

Join us in the Mondoo Community Slack channel if you run into any issues. We are here to help!

Prerequisites

Before you begin, you need Mondoo Client installed and registered with Mondoo Platform (the validation step below confirms this), and the AWS CLI installed and configured with credentials for the account you want to assess. Run the following command and follow the prompts to enter your AWS Access Key ID and Secret Access Key:

aws configure

The configuration process stores your credentials in plaintext in ~/.aws/credentials on macOS and Linux, or %UserProfile%\.aws\credentials on Windows. A scan only reads configuration, so the identity behind these credentials should be read-only (the AWS-managed SecurityAudit policy is a common starting point), and the credentials file should be readable by your user alone.

Mondoo Scan

Mondoo Client provides the mondoo scan command to run policies against your assets. When run by itself, mondoo scan executes policies against the local system. The -t flag targets remote assets instead, such as ssh, docker, aws, gcp, k8s, and more.

info

Mondoo Client provides a --help flag that documents its various functionality. For instance, mondoo scan --help provides detailed information on using Mondoo Client to scan various assets.

When you execute the command mondoo scan aws, Mondoo Client authenticates with Mondoo Platform to find the policies enabled for AWS in your space. After syncing policies, Mondoo Client authenticates against the AWS API using the credentials configured for the AWS CLI (the default profile unless AWS_PROFILE is set), and executes the policies against your account.

tip

If you are using multiple AWS profiles, you can point Mondoo Client at any of them by running export AWS_PROFILE=<profile-name> in your terminal before starting the scan.
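Because the scan silently picks up whatever the AWS CLI has configured, it is worth checking which profile it will use and what that profile contains before running it. The script below is an added example written for this guide; it is not part of Mondoo Client or its documentation. It parses an AWS CLI credentials file, reports which profiles hold long-lived access keys on disk versus role-based configuration, checks that the file is private (mode 0600), and prints the scan command for a chosen profile with the pager disabled so the output can be captured. The profile names, account ID and key strings in the sample file are constructed, not real.

```shell
#!/bin/sh
# Pre-flight check before `mondoo scan aws` (added example, not Mondoo's code).
# Assumes the AWS CLI file layout described above: ~/.aws/credentials with
# [profile] sections, and AWS_PROFILE selecting the profile for the scan.
set -eu

# Print the profile names defined in a credentials or config file.
# Accepts both "[name]" (credentials) and "[profile name]" (config) headers.
aws_profiles() {             # $1 = path to file
  sed -n 's/^\[\(profile \)\{0,1\}\([^]]*\)\].*$/\2/p' "$1"
}

# Exit 0 if the named profile exists in the file.
profile_exists() {           # $1 = file, $2 = profile
  aws_profiles "$1" | grep -qx -- "$2"
}

# Exit 0 if the profile stores a long-lived key pair (aws_secret_access_key)
# rather than a role_arn / SSO configuration. Static keys in a plaintext file
# are the thing to minimise on a workstation.
profile_has_static_keys() {  # $1 = file, $2 = profile
  awk -v p="$2" '
    /^\[/ { in_p = ($0 == "[" p "]" || $0 == "[profile " p "]") }
    in_p && /^[[:space:]]*aws_secret_access_key[[:space:]]*=/ { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Exit 0 if the file is readable and writable by its owner only (0600).
# GNU stat (Linux) is tried first, then BSD stat (macOS).
creds_file_is_private() {    # $1 = file
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Build the scan command for a profile, with the pager disabled and the
# output copied to a file for later review (--no-pager is a mondoo scan flag).
scan_command() {             # $1 = profile, $2 = output file
  printf 'AWS_PROFILE=%s mondoo scan aws --no-pager | tee %s\n' "$1" "$2"
}

# Demonstration on a constructed credentials file; the keys are placeholders.
demo() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLE000000000
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[audit]
role_arn = arn:aws:iam::123456789012:role/ReadOnlyAudit
source_profile = default
EOF
  chmod 600 "$f"
  for p in $(aws_profiles "$f"); do
    if profile_has_static_keys "$f" "$p"; then
      echo "profile $p: long-lived access key stored on disk"
    else
      echo "profile $p: role-based, no static key in this file"
    fi
  done
  if creds_file_is_private "$f"; then
    echo "credentials file mode is 0600"
  else
    echo "WARNING: credentials file is readable by other users"
  fi
  echo "run the scan with:"
  scan_command audit "mondoo-aws-$(date +%Y%m%d).log"
  rm -f "$f"
}
demo
```

Point the functions at your real ~/.aws/credentials to check your own setup; the role-based profile is the one to pass to AWS_PROFILE, so that the long-lived key is only used to assume a read-only role rather than to call the APIs directly.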

Validate Mondoo Client installation and configuration

Before scanning AWS, open a terminal shell and run mondoo status to validate Mondoo Client is configured correctly with Mondoo Platform.

Mondoo Client - mondoo status

mondoo status

Run a scan from your workstation

To scan your AWS account, open a terminal and run the following command:

mondoo scan aws

Scan results - Mondoo Client

After the scan completes, the results from the scan are returned to STDOUT in the default pager. In your terminal you can scroll up and down using the up and down arrows, or the j and k keys.

Once you have finished reviewing the results, you can hit the q key to exit the pager.

tip

The default pager for mondoo scan results is less -R, but you can choose another with the --pager flag. You can also disable paging entirely with --no-pager, which is useful when redirecting the output to a file.

The scan results are also sent back to Mondoo Platform.

Asset scoring - Mondoo Platform

Mondoo Platform - AWS scan results overview

The results from the scan are sent back to Mondoo Platform where an asset score is generated. You can find all of the results by selecting FLEET in Mondoo Platform.

Click anywhere on the results to view more details about the policies that ran against the AWS account.

Mondoo Platform - AWS scan results with one policy

This page provides an overview of any policies that ran against the AWS account, and the score for those policies.

At this point we can see that the only policy that ran is AWS Baseline by Mondoo, which contains recommendations based on the AWS Operational Best Practices conformance packs from AWS.

Results from individual checks

Mondoo Platform - AWS scan results details

Selecting any policy will take you to the details for the policy as well as the results for each of the individual checks that were executed. Each check will show one of the following in the status column:

  • PASS - The check passed
  • FAIL - The check failed
  • ERROR - An error occurred when executing the check

Details for individual checks

Selecting any individual check will provide more details about that check.

Query

Mondoo policy details - Query

The Query box shows the MQL query that was executed to assess the configuration of the specific resource.

Results


The Result box contains the data the query returned, which is what the check was evaluated against.

Description


The Description provides a description and rationale for the check.

Audit


The Audit section describes how to verify the setting manually, outside of Mondoo.

Remediation


The Remediation section lists the steps to fix a failing check.

Enable an additional policy

When you navigate to the POLICY HUB, you will see a list of all of the policies that are enabled in that space. A new space comes with a default list of policies enabled.

Enabling Policies

To enable additional policies:

  1. Log in to Mondoo Platform
  2. Navigate to the POLICY HUB.
  3. Select the ADD POLICY button to view all the available policies.
  4. Locate the policy, or policies you want to enable either by scrolling through the list of available policies, or by using the Filter search box.
  5. Check the box next to any policy, and then select the ENABLE button.

Any changes will take effect immediately. Assets registered to the space will automatically run applicable policies on their next scan.

Run another scan

Switch back to your terminal and run another scan.

mondoo scan aws

After the scan completes, the results for each of the two policies will be returned to STDOUT along with an aggregated score for both policies. The same results are also sent back to Mondoo Platform.

Aggregated score

Back in Mondoo Platform, select FLEET and locate the AWS account you just scanned from your workstation. Select that account to see the updated score.

Mondoo Policy - Aggregated Score

info

You may need to select the refresh button at the top of the console to see the updated score. You can also refresh your browser.

When multiple policies are executed against an asset, each policy receives a graded score based on the total checks and their results. After all of the individual policies are scored, an overall aggregated score is calculated from the score of all of the policies.

In the example above, the first policy executed, AWS Baseline by Mondoo, received a C. The second policy Amazon Web Services (AWS) Operational Best Practices For S3 received an F. This lowered the aggregate score for the AWS account from a C to a D.

Next steps

In this tutorial, we covered how you can scan AWS accounts directly from your workstation by leveraging the credentials from the AWS CLI.

We also covered the basics of Mondoo policies, including how they are scored when executed against your assets and how aggregate scores are calculated when you enable additional policies against your assets.