diff --git a/docs/platform/infra/cloud/aws/lambda/_old-ssh-content.md.old b/docs/platform/infra/cloud/aws/lambda/_old-ssh-content.md.old deleted file mode 100644 index a4a61ad6b..000000000 --- a/docs/platform/infra/cloud/aws/lambda/_old-ssh-content.md.old +++ /dev/null @@ -1,8 +0,0 @@ -8. To scan EC2 instances using SSH, enable **Use SSH for instance connectivity**. You must use the vault secret query if you use SSH. Provide this information: - - | Option | Description | - | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **Vault type** | Specify whether to read the secret from AWS Secrets Manager or AWS SSM Parameter store. | - | **Vault secret query** | Provide the query to match vault credentials to instances. To learn how to write the query, read [Secrets Management](/platform/infra/opsys/automation/vault.md). | - -9. diff --git a/docs/platform/infra/cloud/aws/lambda/aws-integration-faq.mdx b/docs/platform/infra/cloud/aws/lambda/aws-integration-faq.mdx index 09b07b400..7811d613e 100644 --- a/docs/platform/infra/cloud/aws/lambda/aws-integration-faq.mdx +++ b/docs/platform/infra/cloud/aws/lambda/aws-integration-faq.mdx @@ -6,6 +6,10 @@ description: This document covers how the Mondoo AWS integration works. It inclu sidebar_position: 3 --- +## What does Mondoo scan? + +Mondoo analyzes the configuration of the account settings. It discovers resources (EC2 instances, S3 buckets, RDS instances, etc) across all regions and assesses their configuration according to which [policies have been enabled](/platform/security/posture/pac/). + ## How does the serverless Mondoo AWS integration work? With the serverless approach to integrating with AWS, Mondoo never has credentials to your AWS account. 
@@ -16,6 +20,12 @@ We install a Lambda function in your AWS account via the CloudFormation template The resources created in your AWS account are used to run and schedule configuration and EC2 instance scans. Those resources are low-cost, limited to a Lambda function, SNS topic, SQS Queues, some IAM roles, EventBridge rules, and SSM parameters. If using the EBS volume scanning feature, an Autoscaling Group and launch template will also be created. +## How can I see what resources Mondoo has created in my AWS account? + +All resources created by the Mondoo AWS Integration have the `Created By: Mondoo` tag. The IAM role attached to the Lambda function lets the integration delete EC2 resources only if they have the `Created By: Mondoo` tag. + +For information about AWS tags, read [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the AWS documentation. + ## How does the serverless integration communicate from my AWS account to Mondoo Platform? On CloudFormation stack creation, a short-lived token is exchanged for Mondoo credentials. Those credentials are stored in the SSM Parameter store and used by the Lambda function and SSM instances in the AWS account to communicate with Mondoo Platform over HTTPS. 
@@ -26,78 +36,22 @@ If you've set up your AWS organization according to [AWS standard practices](htt Before deploying, check the configuration of your AWS organization as described in [Requirements for deploying the Mondoo StackSet at the organization level](/platform/infra/cloud/aws/lambda/aws-integration-troubleshooting#requirements-for-deploying-the-mondoo-stackset-at-the-organization-level). -## What information will leave my AWS Account? +## What information leaves my AWS Account? Scan report results only. ## What information will Mondoo store about my AWS resources? -Mondoo Platform stores the latest report for all scanned assets in the AWS account (the reports viewable under **Inventory**) as well as the total counts of various resources in the AWS account, displayed on the Integration detail page. +Mondoo Platform stores the latest report for all scanned assets in the AWS account as well as the total counts of various resources in the AWS account. ## Is the communication channel between Mondoo and my AWS account secure? -Yes, Mondoo communicates with your AWS account using [AWS EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html). The Eventbus policy and rule are created as part of the CloudFormation stack. - -## What permissions will the resources created by Mondoo request? 
- -There are three IAM roles created during the CloudFormation install: - -- MondooLambdaRole - Lambda function role enable AWS account scanning, includes: - - - managed policy: arn:aws:iam::aws:policy/ReadOnlyAccess - - managed policy: arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole - - managed policy: arn:aws:iam::aws:policy/AmazonEC2FullAccess - - limited to resources tagged with `Created By: Mondoo`: - - events:PutRule, - events:DeleteRule, - events:TagResource, - iam:CreateRole, - iam:CreateServiceLinkedRole, - iam:PutRolePolicy, - iam:AttachRolePolicy,iam:DetachRolePolicy,iam:DeleteRolePolicy,iam:TagRole - - unrestricted: cloudformation:UpdateStack,events:PutTargets, events:RemoveTargets,iam:PassRole,secretsmanager:GetSecretValue,ssm:GetParameter - - limited to RunShellScript and RunPowershellScript documents: ssm:SendCommand - - limited to Mondoo-\* SSM parameters: ssm:PutParameter,ssm:DeleteParameter,ssm:AddTagsToResource - - limited to Mondoo-created SQS queue:sqs:SendMessage,sqs:DeleteMessage,sqs:SetQueueAttributes - - limited to Mondoo-created SNS topic:sns:SetTopicAttributes,sns:TagResource - - limited to Mondoo Lambda function: lambda:UpdateFunctionConfiguration,lambda:GetFunctionConfiguration,lambda:AddPermission,lambda:UpdateFunctionCode,lambda:InvokeFunction - -- MondooEventBusRole - Eventbus role to allow Mondoo AWS account to send messages to your AWS account, includes: - - - events:PutEvents on the default event bus - - sts:AssumeRole on events.amazonaws.com - -- EBSVolumeScanningInstancePolicy - Role to be used by the scanner instances in the autoscaling group if EBS volume scanning is active, includes: - - limited to resources tagged with `Created By: Mondoo`: ec2:AttachVolume,ec2:DetachVolume,ec2:DeleteVolume,ec2:DeleteSnapshot - - unrestricted: 
ec2:CreateSnapshot,ec2:CreateVolume,ec2:CopySnapshot,ec2:CreateTags,ec2:DescribeInstances,ec2:DescribeVolumes,ec2:DescribeSnapshots,kms:Decrypt,kms:ReEncryptTo,kms:GenerateDataKeyWithoutPlaintext,kms:DescribeKey,kms:ReEncryptFrom - -## What specific resources will the Mondoo integration create in my AWS account? - -During install (CloudFormation): - -The Mondoo AWS CloudFormation stack creates these resources: - -- Lambda function -- SNS topic/subscription (tells Mondoo about CloudFormation stack status) -- EventBridge rule (lets Mondoo AWS talk to your AWS) -- IAM roles/policies (for the Lambda function, the ASG instances, and the EventBridge bus) -- SQS queue (for queueing scan jobs) - -All resources are tagged with: +Yes. Mondoo communicates with your AWS account using [AWS EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html). The Eventbus policy and rule are created as part of the CloudFormation stack. -``` -Created By: Mondoo -Mondoo Integration Mrn: -``` +## What permissions do the resources created by Mondoo request? -Created by the Lambda function: +[This JSON file](https://s3.amazonaws.com/mondoo.us-east-1/mondoo-serverless-v2.json) informs the Mondoo AWS integration and contains all the required permissions. -- SSM parameters (to store the env configuration and credentials to communicate with Mondoo Platform) -- EventBridge rules (to track aws events and set up cron events) -- Launch configuration template & autoscaling group (only if using ebs volume scanning) ## How do I update to the latest Lambda version? 
@@ -109,9 +63,9 @@ Every time the Lambda function updates, it first reads the SHA-256 of each file ## What happens if I delete the CloudFormation stack? -When the CloudFormation stack is deleted, the Lambda function receives a notification and immediately deletes all AWS resources created by Mondoo. Mondoo Platform UI will display the integration as deleted. No data will be lost in Mondoo Platform. A CloudFormation stack can be deleted and recreated multiple times. +When the CloudFormation stack is deleted, the Lambda function receives a notification and immediately deletes all AWS resources created by Mondoo. Mondoo displays the integration status as deleted. No data is lost in Mondoo Platform. A CloudFormation stack can be deleted and recreated multiple times. -## How much will operating the serverless Mondoo AWS integration cost? +## How much does operating the serverless Mondoo AWS integration cost? Most of the costs associated with the serverless Mondoo AWS integration fall into the AWS Free Tier category. Over the course of a month, an example AWS integration incurred this resource usage: diff --git a/docs/platform/infra/cloud/aws/lambda/aws-integration-troubleshooting.mdx b/docs/platform/infra/cloud/aws/lambda/aws-integration-troubleshooting.mdx index 22cf1890c..ac0a508b8 100644 --- a/docs/platform/infra/cloud/aws/lambda/aws-integration-troubleshooting.mdx +++ b/docs/platform/infra/cloud/aws/lambda/aws-integration-troubleshooting.mdx @@ -6,7 +6,7 @@ image: /img/featured_img/mondoo-aws.jpg description: This document covers how to debug and troubleshoot problems that may come up with the AWS Integration. --- -Troubleshoot problems that may come up deploying, running, and updating the serverless Mondoo AWS integration. +Troubleshoot problems deploying, running, and updating the serverless Mondoo AWS integration. :::tip 
@@ -133,9 +133,7 @@ You can manually force an update to the AWS Lambda from within the Mondoo Consol 3. Select **Force Lambda Update**. -## VPC - -### Lambda VPC access +## Lambda VPC access The [AWSLambdaVPCAccessExecutionRole](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-features) is already attached to the Mondoo Lambda Role in order to discover assets, and run policies against those assets. diff --git a/docs/platform/infra/cloud/aws/lambda/aws-scan-details.mdx b/docs/platform/infra/cloud/aws/lambda/aws-scan-details.mdx deleted file mode 100644 index 7988788f6..000000000 --- a/docs/platform/infra/cloud/aws/lambda/aws-scan-details.mdx +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -title: Advanced Serverless AWS Integration Details -sidebar_label: Advanced Serverless Integration Details -sidebar_position: 5 -image: /img/featured_img/mondoo-aws.jpg -description: This document provides detailed information on how the Mondoo AWS integration works. ---- - -:::note - -This supplemental topic provides detailed information on how the serverless Mondoo AWS integration works. It's not essential knowledge for using Mondoo. - -::: - -## What is an "account scan"? - -When an AWS account is integrated with a Mondoo space, Mondoo performs a configuration assessment of the AWS account by analyzing the configuration of the account (IAM settings), and discovering resources (EC2 instances, S3 buckets, RDS instances, etc) across all regions. The configuration of discovered resources are assessed according to which policies have been **ENABLED** in the **registry**. - -### Account scan schedule - -![Mondoo Platform - Configure AWS account scan interval](/img/platform/infra/cloud/aws/aws-configure-scan-schedule.png) - -Scanning happens every 12 hours by default, but the scan interval is configurable by going to **INTEGRATIONS** -> select the **AWS Account** you want to configure -> **CONFIGURATION**, under the **Account** section.. - -### Scan Now (Mondoo Platform) - -![](/img/platform/infra/cloud/aws/integration-scan-now.png) - -Additionally, on-demand scans can be triggered in **INTEGRATIONS** section by selecting the integrated AWS account, selecting the **Scan Now**" button in the upper right corner of the integration details. - -:::info - -You can also scan an AWS account by running `cnspec scan aws` from any workstation on which cnspec is installed and configured. To learn more, read [Scan AWS from your workstation](/cnspec/cloud/aws/). - -::: - -## What methods are used for EC2 scanning? 
- -There are three different methods used by Mondoo for EC2 scanning: - -- [AWS Systems Manager](#aws-systems-manager-ssm) -- [SSH connection](#ssh) -- [EC2 snapshot scanning](#ec2-snapshot-scanning) - -### Discovery - -Mondoo starts by querying the AWS API to get a list of all the EC2 instances in the account, across all regions available to the account, and gathering basic information about the instances. - -### AWS Systems Manager (SSM) - -When gathering information about the instances, the Lambda function checks whether the SSM agent is installed and has a ping with the status `Online` to indicate the instance is configured to be managed by SSM. In the configuration options for an integrated AWS Account, if the **Activate SSM for Instance Connectivity** is switched to **On**, Mondoo triggers a job on all `Online` instances to run an SSM document that downloads the latest version of cnspec, executes the `cnspec scan` command, and sends the results to Mondoo Platform. The integration also uses Mondoo Platform API credentials stored in SSM parameter store to authenticate with your Mondoo account, and send results. Once the scan completes, cnspec is completely uninstalled from the instance. - -For more details about how to set up SSM machines in your AWS Account, see the [ssm documentation](https://docs.aws.amazon.com/systems-manager/index.html) - -### SSH - -In order to facilitate the scanning of multiple instances over ssh connectivity, Mondoo has provided users with a way to match groups of instances to stored credentials. When `Activate SSH for Instance Connectivity` is set to true, an input box appears for the `Vault Secret Query`. - -The `Vault Secret Query` leverages MQL to define a mapping between instance labels and credentials stores in AWS Secrets Manager or AWS SSM Parameter store. 
In the example above, any instance with a Name tag of `ssh` (in AWS) will be scanned using the credential stored in AWS Secrets Manager with arn `arn:aws:secretsmanager:us-east-2:172746783610:secret:vj/secret-lHvP9r`. - -_Note: this functionality is not restricted to the `Name` tag; it will work with any tag_ - -### EC2 snapshot scanning - -EC2 snapshot scanning offers a way to scan Linux EC2 instances without SSH credentials or an SSM agent. -With this option, Mondoo spins up an instance in the AWS account and uses that instance to scan the other instances in the account. This is done by triggering an SSM job on the scanner instance that creates a snapshot of the target instance volume, attaches it to the scanner instance, and performs a scan of the mounted filesystem. - -EC2 snapshot scanning involves spinning up instances in an AutoScaling Group as well as one-off instances. It creates scanner instances named `ebs-scanner` in the same region as the target instances. - -It cleans up the scanners shortly after completing all scans, and cleans up any created snapshots and volumes (that are more than twelve hours old) every 8 hours. All created resources have the `Created By: Mondoo` tag. - -Be aware that EC2 snapshot scanning causes a slight increase on your AWS bill (for the EC2 and EBS services). - -### AWS tags - -All resources created by the Mondoo AWS Integration have the `Created By: Mondoo` tag. The IAM role attached to the Lambda function lets the integration delete EC2 resources only if they have the `Created By: Mondoo` tag. - -For information about AWS tags, read [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the AWS documentation. - ---- diff --git a/docs/platform/infra/cloud/aws/lambda/integration-lambda.mdx b/docs/platform/infra/cloud/aws/lambda/integration-lambda.mdx index 2e431099b..ff3c99776 100644 --- a/docs/platform/infra/cloud/aws/lambda/integration-lambda.mdx 
+++ b/docs/platform/infra/cloud/aws/lambda/integration-lambda.mdx @@ -21,7 +21,7 @@ The serverless Mondoo AWS integration supports scanning multiple AWS accounts. T :::caution IMPORTANT -Before creating a serverless Mondoo deployment on an AWS Organization, make sure to check if the configuration of your AWS organization meets the [requirements](/platform/infra/cloud/aws/lambda/aws-integration-troubleshooting/#requirements-for-deploying-the-mondoo-stackset-at-the-organization-level). +Before creating a serverless Mondoo deployment on an AWS Organization, be sure the configuration of your AWS Organization meets the [requirements](/platform/infra/cloud/aws/lambda/aws-integration-troubleshooting/#requirements-for-deploying-the-mondoo-stackset-at-the-organization-level). ::: @@ -32,7 +32,7 @@ When you deploy an integration with Mondoo using a StackSet on the organizationa The [administrator account](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stacksets-concepts-accts) in which the StackSet for the target accounts resides needs its own separate [single account integration](/platform/infra/cloud/aws/lambda/integration-lambda/#integrate-with-an-entire-organization-or-single-account). -This is intentional and reflects the [architectural concepts of AWS StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html). +This follows the [architectural concepts of AWS StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html). ::: ## Set up a new AWS integration 
@@ -51,34 +51,32 @@ import Partial from "../../../../partials/_editor-owner.mdx"; ![AWS integration options](/img/platform/infra/cloud/aws/hosted-or-serverless.png) -2. Select **Serverless**. +2. Select the **SELECT SERVERLESS INTEGRATION** button. - ![integration-create-image](/img/platform/infra/cloud/aws/add-aws-top.png) + ![Create a serverless AWS integration in Mondoo](/img/platform/infra/cloud/aws/add-aws-top.png) -3. Select the type of integration: +3. Give the new integration a name that is easy to recognize as an AWS integration and differentiates it from any other AWS integrations. + +4. Select the type of integration: | Option | Description | | -------------------------- | ------------------------------------------------- | | **Organization install** | Integrate Mondoo with an entire AWS Organization. | | **Single account install** | Integrate Mondoo with a single AWS account. | -4. Identify the account or Organization and the region: +5. Select the region in which you want to deploy the integration. + +6. Choose whether to use the region's default virtual private cloud (VPC) or to create a new VPC dedicated for Mondoo's use. - | If you're integrating with... | Then... | - | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | - | An entire AWS Organization | In the **AWS Organization(s)** box, enter any name for the integration. Select the region in which you want to deploy the integration. | - | A single AWS account | In the **AWS account** box, enter your AWS account ID. Select the region in which you want to deploy the integration. | + - If you select **AWS default VPC**, be sure the selected region has a default VPC. Every VPCs created after 2013 has a default VPC unless it's been deleted. To check in the AWS console, choose the region, go to the VPC service, and select **VPCs**. -5. 
Set the account options: + - If you select **Mondoo-created VPC**, in the **Configure CIDR** box, specify an IPv4 address range for the VPC that Mondoo creates. To learn more, read [VPC CIDR blocks](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html) in the AWS documentation. - | Option | Description | - | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | - | **Schedule full scan** | Set the interval (in hours) at which to execute a full scan of the AWS account, independent of change [events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html). The default is 12 hours. | - | **Trigger on AWS console sign-in event** | Trigger an account scan whenever a user logs into the AWS console. | +7. In the **Schedule full scan** box, set the interval (in hours) at which to execute a full scan of the AWS account, independent of change [events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html). The default is 12 hours. -6. Set the EC2 options: +8. Set the EC2 options: - ![integration-create-image](/img/platform/infra/cloud/aws/add-aws-ec2.png) + ![Mondoo serverless AWS integration EC2 options](/img/platform/infra/cloud/aws/add-aws-ec2.png) | Option | Description | | ----------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | 
@@ -88,14 +86,9 @@ import Partial from "../../../../partials/_editor-owner.mdx"; | **Use EC2 Instance Connect for instance connectivity** | If an EC2 instance has a public IP, connect using EC2 Instance Connect. | | **Use EBS volume scanning for instance connectivity** | Use _EBS volume scanning_ to scan the filesystems of instances that Mondoo otherwise can't reach. This includes stopped instances. | -7. If you enable EBS volume scanning, you can customize these options: - - | Option | Description | - | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **EBS targets per scanner** | Customize the number of targets a single scanner instance is responsible for scanning. Setting a low number (such as 5) results in faster scans, but requires AWS to create more scanner instances. Setting a high number (such as 50) reduces the number of scanner instances, but results in slower scans. The default is 20. | - | **Max ASG instances** | Set your own limit for how many instances AWS can spin up in the AutoScalingGroup to perform the filesystem scans. The default is 50. | +9. If desired, limit the EC2 instances that Mondoo scans: -8. If desired, limit the EC2 instances that Mondoo scans: + ![Mondoo serverless AWS EC2 filtering](/img/platform/infra/cloud/aws/filter-ec2.png) | Option | Description | Example | | -------------------------- | ------------------------------------------------------------------------------ | ---------------------------------------- | 
@@ -103,23 +96,24 @@ import Partial from "../../../../partials/_editor-owner.mdx"; | **Filter by regions** | Limit instance scanning to a subset of regions, separating values with commas. | `us-east-1,us-east-2` | | **Filter by tags** | To Limit instance scanning to a subset of tags, separated with commas. | `Name:testname, env:test` | -9. Set ECS, S3, and ECR options: +10. Specify if you want to scan containers or container images: - ![integration-create-image](/img/platform/infra/cloud/aws/add-aws-bottom.png) + ![Mondoo serverless AWS integration container options](/img/platform/infra/cloud/aws/containers.png) + + | Option | Description | + | ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | + | **Discover and scan ECS containers** | Discover AWS Fargate containers and scan them using [ECS Exec](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html). | + | **Discover and scan container images** | Discover container images and scan them for security misconfigurations. | - | Option | Description | - | ----------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | - | **Discover and scan ECS containers** | Use Amazon ECS Exec to scan Fargate containers. | - | **Trigger on S3 bucket [events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html)** | Trigger a scan whenever a change is made to an S3 bucket. | - | **Discover and scan ECR images** | Include ECR images in asset discovery and scan them when found. | +11. Select the **START SCANNING** button. -10. Select the **START SCANNING** button. + ![Create an AWS integration and launch CloudFormation](/img/platform/infra/cloud/aws/launch-cf.png) 11. 
Follow the instructions to launch the AWS CloudFormation stack (for an account) or StackSet (for an Organization). :::caution IMPORTANT -Selecting **Create** does not finalize the integration between Mondoo and AWS. You must launch the AWS CloudFormation stack or StackSet to complete the setup. +Selecting **START SCANNING** does not finalize the integration between Mondoo and AWS. You must launch the AWS CloudFormation stack or StackSet to complete the setup. ::: @@ -147,16 +141,6 @@ Mondoo shows the status at the top of the integration page, beside the integrati ![Mondoo AWS integration status and actions](/img/platform/infra/cloud/aws/integration-scan-now.png) -Theses are the possible statuses for an AWS integration: - -| Status | Meaning | -| --------------- | ---------------------------------------------------------------------------------------------------------------- | -| **configuring** | Mondoo is sending the scan configuration options to the integration and the integration is saving those options. | -| **active** | The integration is active and healthy. | -| **error** | Mondoo detected an error during installation. | -| **missing** | Mondoo hasn't received a check-in from the Lambda function for over an hour. | -| **deleted** | CloudFormation for the integration has been deleted. | - ### Ping an integration At the top of the integration page, below the integration name, Mondoo shows the time of the last ping. 
@@ -173,11 +157,7 @@ To see fresh scan results, select the **SCAN NOW** button. Mondoo retrieves new To stop all currently running AWS scans, on the ellipsis menu of the integration page, select **Cancel Scans**. -![Stop an AWS scan in Mondoo](/img/platform/infra/cloud/aws/cancel-scan.png) - -### Retry a failed integration setup - -If an error occurred during setup and the CloudFormation stack is now up and running but the integration is unhealthy, you can try to return it to a healthy state: Select the ellipsis to the right of the integration name and select **Retry Setup**. +![Stop an AWS scan in Mondoo](/img/platform/infra/cloud/aws/dotmenu.png) ### Enable and disable policies for an AWS integration @@ -199,7 +179,7 @@ The **CONFIGURATION** tab on the integration page shows the current settings and ![Reconfigure a Mondoo AWS integration](/img/platform/infra/cloud/aws/integration-config.png) -To learn about individual settings, read the sections under the _Set up a new AWS integration_ section above. +To learn about individual settings, read the _Set up a new AWS integration_ section above. ### Remove an integration diff --git a/docs/platform/security/posture/pac.mdx b/docs/platform/security/posture/pac.mdx index 85a95f23f..144e04d95 100644 --- a/docs/platform/security/posture/pac.mdx +++ b/docs/platform/security/posture/pac.mdx 
@@ -12,20 +12,23 @@ But documents don't evaluate your environments. The work to verify that your inf _Policy as code_ lets you automate compliance using security benchmarks and best practices. The code serves two purposes: It documents the security guidelines and it tests your systems to ensure they follow those guidelines. -Each Mondoo policy is a codified collection of _checks_, assertions that test for certain configurations. Each check can be true or false, and has an impact score that determines its importance within the policy. For example, the _Linux Security_ policy might include checks that ensure the asset: +Each Mondoo policy is a codified collection of _checks_, assertions that test for certain configurations. Each check can be true or false, and has an impact score that determines its importance within the policy. -- Doesn't accept ICMP redirects + For example, the _Linux Security_ policy might include checks that ensure the asset: -- Has prelink disabled + - Doesn't accept ICMP redirects -- Has reverse path filtering enabled + - Has prelink disabled -... and dozens more. + - Has reverse path filtering enabled -To learn more about policy as code, read [About Policies](/cnspec/cnspec-policies/). To learn more about checks, read [Checks](/cnspec/cnspec-policies/write/simple/#checks). + ... and dozens more. -You choose whether to enable the _Linux Security_ policy. If it's enabled, then when Mondoo scans Linux-based assets, it evaluates them based on the checks defined in that policy (as well as any other applicable policies you enable). + You choose whether to enable the _Linux Security_ policy. If it's enabled, then when Mondoo scans Linux-based assets, it evaluates them based on the checks defined in that policy (as well as any other applicable policies you enable). Mondoo has hundreds of policies for dozens of different types of platforms. You choose which policies you want to use as a basis to assess the security of your infrastructure. 
To learn how, read [Manage Policies](/platform/security/posture/policies/). +To learn more about policy as code, read [About Policies](/cnspec/cnspec-policies/). To learn more about checks, read [Checks](/cnspec/cnspec-policies/write/simple/#checks). + + --- diff --git a/docusaurus.config.js b/docusaurus.config.js index fc3f9ed43..ccd19b5e8 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -61,10 +61,6 @@ const legacyRedirects = [ from: "/platform/infra/cloud/aws/aws-integration-troubleshooting", to: "/platform/infra/cloud/aws/lambda/aws-integration-troubleshooting", }, - { - from: "/platform/infra/cloud/aws/aws-scan-details", - to: "/platform/infra/cloud/aws/lambda/aws-scan-details", - }, { from: "/platform/infra/cloud/aws/aws-ebs-snapshot-scan", to: "/cnspec/cloud/aws/aws-ebs-snapshot-scan", diff --git a/static/img/platform/infra/cloud/aws/add-aws-ec2.png b/static/img/platform/infra/cloud/aws/add-aws-ec2.png index 3d8fe6587..62d0e3774 100644 Binary files a/static/img/platform/infra/cloud/aws/add-aws-ec2.png and b/static/img/platform/infra/cloud/aws/add-aws-ec2.png differ diff --git a/static/img/platform/infra/cloud/aws/add-aws-top.png b/static/img/platform/infra/cloud/aws/add-aws-top.png index 6eb0c88da..3a4275c64 100644 Binary files a/static/img/platform/infra/cloud/aws/add-aws-top.png and b/static/img/platform/infra/cloud/aws/add-aws-top.png differ diff --git a/static/img/platform/infra/cloud/aws/containers.png b/static/img/platform/infra/cloud/aws/containers.png new file mode 100644 index 000000000..aee530a2a Binary files /dev/null and b/static/img/platform/infra/cloud/aws/containers.png differ diff --git a/static/img/platform/infra/cloud/aws/dotmenu.png b/static/img/platform/infra/cloud/aws/dotmenu.png index 8959ad8a0..0dad4eb91 100644 Binary files a/static/img/platform/infra/cloud/aws/dotmenu.png and b/static/img/platform/infra/cloud/aws/dotmenu.png differ 
diff --git a/static/img/platform/infra/cloud/aws/filter-ec2.png b/static/img/platform/infra/cloud/aws/filter-ec2.png new file mode 100644 index 000000000..83b74e5a8 Binary files /dev/null and b/static/img/platform/infra/cloud/aws/filter-ec2.png differ diff --git a/static/img/platform/infra/cloud/aws/launch-cf.png b/static/img/platform/infra/cloud/aws/launch-cf.png new file mode 100644 index 000000000..71cf3aa9c Binary files /dev/null and b/static/img/platform/infra/cloud/aws/launch-cf.png differ diff --git a/static/img/platform/infra/cloud/aws/old-interval.png b/static/img/platform/infra/cloud/aws/old-interval.png new file mode 100644 index 000000000..5d56786b6 Binary files /dev/null and b/static/img/platform/infra/cloud/aws/old-interval.png differ
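Review bot: In `aws-integration-faq.mdx` hunk `@@ -6,6 +6,10 @@`, "analyzes the configuration of the account settings" is redundant and loses the detail the deleted scan-details page carried ("the configuration of the account (IAM settings)"); suggest "analyzes the account's configuration (for example, IAM settings)". Also "etc)" should be "etc.)".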
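Review bot: In `aws-integration-faq.mdx` hunk `@@ -16,6 +20,12 @@`, the new section lists only the `Created By: Mondoo` tag, but the "All resources are tagged with" block removed later in the same file (hunk `@@ -26,78 +36,22 @@`) documented a second tag, `Mondoo Integration Mrn:`, and this is the only place it was mentioned. Either document both tags here (the MRN tag is what lets an operator tell two integrations' resources apart in one account) or confirm the second tag is no longer applied. The claim that the Lambda role can delete EC2 resources only when they carry the tag is the kind of scoping a reviewer will want to verify; point readers at the tag-conditioned IAM statements in the CloudFormation template.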
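Review bot: In `aws-integration-faq.mdx` hunk `@@ -26,78 +36,22 @@`, replacing the itemized IAM permission list with a single link to `https://s3.amazonaws.com/mondoo.us-east-1/mondoo-serverless-v2.json` removes the only place a reader could review what the stack grants without downloading and parsing the template. The removed lines recorded the broad grants a security reviewer approving the stack most needs to see: `arn:aws:iam::aws:policy/AmazonEC2FullAccess`, `arn:aws:iam::aws:policy/ReadOnlyAccess`, and the "unrestricted" set including `iam:PassRole` and `secretsmanager:GetSecretValue`. Suggest keeping a short per-role summary of managed policies and unrestricted actions, with the template as the authoritative source. The template URL is also unversioned (the `v2` name implies it is overwritten in place), so the doc and a deployed stack can silently diverge; link a pinned version or state which version the summary describes. The replacement sentence "This JSON file informs the Mondoo AWS integration" is unclear; say plainly that it is the CloudFormation template the stack is deployed from. Finally, the blank line left before "## How do I update to the latest Lambda version?" is now doubled.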
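Review bot: Deleting `aws-scan-details.mdx` (`@@ -1,80 +0,0 @@`) drops content that this change does not re-home anywhere: the three EC2 scanning methods (SSM, SSH with the vault secret query, EC2 snapshot scanning), the snapshot-scanner behaviour (scanner instances named `ebs-scanner` in the target's region, scanners cleaned up shortly after scans, snapshots and volumes older than twelve hours cleaned up every 8 hours) and the note that snapshot scanning adds EC2 and EBS cost. Only "What is an account scan" and "AWS tags" were moved to the FAQ. The cleanup cadence plus the `Created By: Mondoo` scoping are exactly what an operator needs when auditing leftover snapshots and volumes, so move those paragraphs to the FAQ or the troubleshooting page rather than dropping them. Removing the page does correctly get rid of the SSH example that embedded a real-looking Secrets Manager ARN with a literal 12-digit account ID; if the vault query is documented again, use a placeholder account ID.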
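Review bot: In `integration-lambda.mdx` hunk `@@ -51,34 +51,32 @@`, "Every VPCs created after 2013 has a default VPC unless it's been deleted" is ungrammatical and wrong in substance: it is AWS accounts created after 2013 that come with a default VPC in each region, not VPCs. Suggest "Every AWS account created after 2013 has a default VPC in each region unless it has been deleted." The removed table was also where a single-account install entered its account ID ("In the **AWS account** box, enter your AWS account ID"); the new steps 3 through 7 never ask for it while the **Single account install** option remains in step 4, so either restore that step or say the ID is no longer needed. "Trigger on AWS console sign-in event" likewise disappears without replacement; confirm the option was removed from the product. Minor: "dedicated for Mondoo's use" should read "dedicated to Mondoo's use".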
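Review bot: In `integration-lambda.mdx` hunk `@@ -88,14 +86,9 @@`, the EBS volume scanning tuning table (`EBS targets per scanner`, default 20; `Max ASG instances`, default 50) is removed while the "Use EBS volume scanning for instance connectivity" option two lines above is kept. If those knobs are still in the UI they are now undocumented, and `Max ASG instances` is the one setting that bounds how many scanner instances, and therefore how much spend, the integration can create in the account. Restore the table, or state that the limits are now fixed and what they are.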
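Review bot: In `integration-lambda.mdx` hunk `@@ -103,23 +96,24 @@`, renumbering "Select the **START SCANNING** button." to step 11 produces two step 11s, because the unchanged context line that follows is still "11. Follow the instructions to launch the AWS CloudFormation stack"; that line needs to become 12. The new containers table also drops "Trigger on S3 bucket events" and renames "Discover and scan ECR images" to "Discover and scan container images" without saying which registries are covered; confirm the S3 trigger is gone from the product and state whether "container images" still means ECR. Drive-by in the unchanged context row above: "To Limit instance scanning to a subset of tags, separated with commas." has a stray capital L and a dangling "To"; "Limit instance scanning to a subset of tags, separating values with commas." matches the regions row.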
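Review bot: In `integration-lambda.mdx` hunk `@@ -147,16 +141,6 @@`, the status table is removed although the statuses stay user-visible (the preceding context says "Mondoo shows the status at the top of the integration page", and the FAQ hunk in this same change says "Mondoo displays the integration status as deleted"). The `missing` row ("hasn't received a check-in from the Lambda function for over an hour") is the one a reader needs when the Lambda cannot reach Mondoo Platform; move the table to the troubleshooting page rather than dropping it, and fix "Theses" to "These" when it is kept.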
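Review bot: In `integration-lambda.mdx` hunk `@@ -173,11 +157,7 @@`, deleting "Retry a failed integration setup" removes the only documented recovery path (the **Retry Setup** action on the ellipsis menu) for an integration whose stack is running but unhealthy; without it the implied fix is to delete and recreate the stack. Keep the section, or state that the action was removed. Also confirm that `dotmenu.png` actually shows the **Cancel Scans** entry, since the alt text still reads "Stop an AWS scan in Mondoo".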
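Review bot: In `pac.mdx` hunk `@@ -12,20 +12,23 @@`, the "For example" paragraph, the three bullets, "... and dozens more." and the "You choose whether" paragraph are now indented by two spaces, but nothing above them is a list item for that indentation to continue, so Markdown renders them exactly as before and the change only makes the source inconsistent with the rest of the file. Either drop the indentation or, if the intent was to nest the example under the definition of a check, make that definition the list item. The two trailing `+` blank lines also leave extra whitespace before the `---` rule. Moving the "To learn more about policy as code" links to the end of the section reads well.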
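Review bot: In `docusaurus.config.js` hunk `@@ -61,10 +61,6 @@`, deleting the redirect entry instead of re-targeting it means both `/platform/infra/cloud/aws/aws-scan-details` and `/platform/infra/cloud/aws/lambda/aws-scan-details` now return 404 for anyone holding an old link, even though the surviving content moved to the FAQ. Point the existing entry at `/platform/infra/cloud/aws/lambda/aws-integration-faq` and add a second entry for the `.../lambda/aws-scan-details` path.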
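Review bot: `static/img/platform/infra/cloud/aws/old-interval.png` is added as a new binary but nothing in this change references it (the rewritten steps reference `add-aws-top.png`, `add-aws-ec2.png`, `filter-ec2.png`, `containers.png` and `launch-cf.png`), and the name suggests a screenshot of the previous UI. Drop it or wire it in; unreferenced screenshots of an old UI tend to get picked up by the wrong page later.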