Does cnspec have the ability to scan multiple AWS accounts? #736

chris-rock · 2023-01-06T16:06:22Z

chris-rock
Jan 6, 2023
Maintainer

Question from John Anderson in Slack:

We are evaluating this as alternative to what we do with cloud custodian. Custodian has a tool c7n-org that allows us to run the policies against multiple AWS accounts. But I don't see a way to say "Run this against all of these accounts", I only see a way to run it against one.

Answered by chris-rock

Jan 6, 2023

I updated the example above. It includes references to the aws config of the profiles to use its credentials. The example uses the accounts discovery target which focuses purely on the AWS account. You can extend the list with the following entries:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - id: account-1
      connections:
        - backend: aws
          options:
            profile: example-dev
          discover:
            targets:
              - "accounts" # aws account
              - "instances" # ec2 instances
              - "ssm-instances" # ec2 instances with ssm
              - "ecr" # elasti…

View full answer

chris-rock · 2023-01-06T16:49:57Z

chris-rock
Jan 6, 2023
Maintainer Author

We have different ways to scan multiple AWS accounts:

cnspec scan aws which uses your default AWS configuration to connect to the AWS account
We support inventories to scan multiple AWS accounts
Mondoo SaaS Platform ships with a full AWS Org and Account Integration

If you want to configure an inventory that scans multiple AWS accounts, use the following setup with an aws-inventory.yml:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - id: account-1
      connections:
        - backend: aws
          options:
            profile: example-dev
          discover:
            targets:
              - "accounts"
      annotations:
        owner: [email protected]
    - id: account-2
      connections:
        - backend: aws
          options:
            profile: example-demo
          discover:
            targets:
              - "accounts"
      annotations:
        owner: [email protected]

Then you scan the system via:

# run aws inventory
cnquery scan --inventory-file aws-inventory.yml

# run aws security scan
cnspec scan --inventory-file aws-inventory.yml

0 replies

chris-rock · 2023-01-06T22:27:25Z

chris-rock
Jan 6, 2023
Maintainer Author

I updated the example above. It includes references to the aws config of the profiles to use its credentials. The example uses the accounts discovery target which focuses purely on the AWS account. You can extend the list with the following entries:

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - id: account-1
      connections:
        - backend: aws
          options:
            profile: example-dev
          discover:
            targets:
              - "accounts" # aws account
              - "instances" # ec2 instances
              - "ssm-instances" # ec2 instances with ssm
              - "ecr" # elastic container registry
              - "ecs" # elastic container services

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mondoo Inc

Does cnspec have the ability to scan multiple AWS accounts? #736

{{title}}

Replies: 2 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Mondoo Inc

Does cnspec have the ability to scan multiple AWS accounts? #736

chris-rock Jan 6, 2023 Maintainer

Replies: 2 comments

chris-rock Jan 6, 2023 Maintainer Author

chris-rock Jan 6, 2023 Maintainer Author

chris-rock
Jan 6, 2023
Maintainer

chris-rock
Jan 6, 2023
Maintainer Author

chris-rock
Jan 6, 2023
Maintainer Author