mondoohq · tas50 · May 22, 2024 · May 16, 2024 · May 20, 2024 · May 20, 2024
diff --git a/docs/cnspec/cloud/aws/README.mdx b/docs/cnspec/cloud/aws/README.mdx
@@ -22,6 +22,36 @@ To analyze and explore your AWS environment with cnspec, you must have:
 - Your AWS credentials. To learn about creating a new access key pair, read [Creating new access keys for an IAM user](https://docs.aws.amazon.com/keyspaces/latest/devguide/access.credentials.html#create.keypair) in the AWS documentation.
 - Your `AWS_REGION` configured. To learn how to set your region, read [How to set environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-set) in the AWS documentation.
 
+### Set up AWS credentials
+
+To ensure your AWS credentials are set up properly so you can scan from your workstation, run this command from a terminal:
+
+```bash
+cat ~/.aws/credentials
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+aws_session_token = AQoDYXdzEJr...<remainder of session token>
+```
+
+If you want to use a specific profile, set `AWS_PROFILE`
+
+```bash
+export AWS_PROFILE=PROFILENAME
+```
+
+For PROFILENAME, substitute the name of the profile to use.
+
+### Permissions required to scan an AWS account
+
+cnspec requires read-only access to assess the configuration of the services and resources within an AWS account. It uses the credentials for the `awscli` to authenticate with the AWS API. So it inherits the permissions granted to your AWS access keys.
+
+:::info
+
+Amazon provides the **ReadOnlyAccess** IAM profile, which grants read-only access to all AWS Services.
+
+:::
+
 ### Verify with a quick AWS check
 
 To quickly confirm that cnspec has access to your AWS environment, run this test from your terminal:
@@ -38,6 +68,79 @@ cnspec returns `[ok]` to indicate that the test passed, and includes the actual
 [ok] value: "123456789000"
 ```
 
+### Scan an AWS account with cnspec
+
+To scan an AWS account remotely with cnspec, enter this command in a terminal:
+
+```bash
+cnspec scan aws
+```
+
+cnspec scans the account using any AWS policies you have enabled in your Mondoo account. It prints the results to `STDOUT` on the command line. It also sends the results to Mondoo Platform, which generates a report for each policy executed against the account.
+
+### Manage multiple AWS profiles
+
+If you manage multiple AWS configurations in your credentials file, you can set the `AWS_PROFILE` environment variable to specify which profile to use for each scan. For example, this credentials file has two configurations:
+
+```bash title='~/.aws/credentials'
+[default]
+aws_access_key_id=AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+
+[aws-dev-account]
+aws_access_key_id=AKIAI44QH8DHBEXAMPLE
+aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
+```
+
+When you run a scan, you specify which profile to use:
+
+```bash title="Select AWS profile to scan"
+export AWS_PROFILE=PROFILENAME
+cnspec scan aws
+```
+
+For PROFILENAME, substitute the name of the profile to use.
+
+### Incognito mode
+
+cnspec provides an `--incognito` mode, which lets you scan your AWS account against a specific policy without sending the results back to Mondoo Platform. This can be helpful for assessing how an account will score against a policy before enabling it.
+
+To scan an AWS account using `incognito` mode, enter this command in a terminal:
+
+```bash
+cnspec scan aws --incognito
+```
+
+## Perform agentless scans of EC2 instances
+
+cnspec supports remote scanning of EC2 instances without installing an agent on the instance. This lets you assess your instances on demand. You must have remote connectivity to instances, either through SSH or EC2 Instance Connect.
+
+### Scan an EC2 instance using EC2 Instance Connect
+
+import Partial from "./_aws-incl-ic.mdx";
+
+<Partial />{" "}
+
+### Scan an EC2 instance using SSH
+
+cnspec lets you remotely scan EC2 instances using SSH:
+
+```bash
+cnspec scan aws ec2 instance-connect USER@HOST --identity-file PATH
+```
+
+| For... | Substitute...                           |
+| ------ | --------------------------------------- |
+| USER   | Your user name for the AWS account      |
+| HOST   | The instance's public IP address or DNS |
+| PATH   | The path to the SSH key file            |
+
+:::info
+
+To learn how to retrieve credentials from a secrets manager (such as AWS Secrets Manager or SSM Parameter Store), read [Secrets Management](/platform/infra/opsys/automation/vault.md).
+
+:::
+
 ## Next step
 
 You've successfully used cnspec to run your first check against your AWS account. Now you're ready to [assess your AWS environment.](/cnspec/cloud/aws/account)

diff --git a/...platform/infra/cloud/aws/_aws-incl-ic.mdx → docs/cnspec/cloud/aws/_aws-incl-ic.mdx b/...platform/infra/cloud/aws/_aws-incl-ic.mdx → docs/cnspec/cloud/aws/_aws-incl-ic.mdx
diff --git a/...infra/cloud/aws/aws-ebs-snapshot-scan.mdx → ...nspec/cloud/aws/aws-ebs-snapshot-scan.mdx b/...infra/cloud/aws/aws-ebs-snapshot-scan.mdx → ...nspec/cloud/aws/aws-ebs-snapshot-scan.mdx
@@ -1,7 +1,7 @@
 ---
 title: Scan an EBS Snapshot
 sidebar_label: Scan an EBS Snapshot
-sidebar_position: 9
+sidebar_position: 55
 description: This document covers the configuration and use of the Mondoo AWS Integration to scan AWS accounts and EC2 Instances
 ---
 
@@ -111,8 +111,8 @@ For SNAPSHOT_ID, substitute the ID of the snapshot, for example `snap-123456b123
 
 | To learn about...           | Read...                                                                    |
 | --------------------------- | -------------------------------------------------------------------------- |
-| Scanning with AWS SSM       | [Scan Using AWS Systems Manager](/platform/infra/cloud/aws/aws-ssm-scan/)  |
-| Scanning from a workstation | [Scan from a Workstation](/platform/infra/cloud/aws/aws-workstation-scan/) |
+| Scanning with AWS SSM       | [Scan Using AWS Systems Manager](/cnspec/cloud/aws/aws-ssm-scan/)  |
+| Scanning from a workstation | [Scan from a Workstation](/cnspec/cloud/aws/) |
 | Continuous AWS scanning     | [Continuously Scan AWS](/platform/infra/cloud/aws/aws-integration-scan/)   |
 | cnspec                      | [The cnspec documentation](/cnspec/cnspec-about/)                          |
 

diff --git a/...tform/infra/cloud/aws/aws-ec2-ic-scan.mdx → docs/cnspec/cloud/aws/aws-ec2-ic-scan.mdx b/...tform/infra/cloud/aws/aws-ec2-ic-scan.mdx → docs/cnspec/cloud/aws/aws-ec2-ic-scan.mdx
@@ -1,7 +1,7 @@
 ---
 title: Scan Using EC2 Instance Connect
 sidebar_label: Scan Using EC2 Instance Connect
-sidebar_position: 8
+sidebar_position: 35
 image: /img/featured_img/mondoo-aws.jpg
 description: This document covers the configuration and use of EC2 Instance Connect to scan EC2 instances.
 ---
@@ -14,9 +14,9 @@ import Partial from "./_aws-incl-ic.mdx";
 
 | To learn about...           | Read...                                                                    |
 | --------------------------- | -------------------------------------------------------------------------- |
-| Scanning with AWS SSM       | [Scan Using AWS Systems Manager](/platform/infra/cloud/aws/aws-ssm-scan/)  |
-| Scanning from a workstation | [Scan from a Workstation](/platform/infra/cloud/aws/aws-workstation-scan/) |
-| Snapshot scanning           | [Scan an EBS Snapshot](/platform/infra/cloud/aws/aws-ebs-snapshot-scan/)   |
+| Scanning with AWS SSM       | [Scan Using AWS Systems Manager](/cnspec/cloud/aws/aws-ssm-scan/)  |
+| Scanning from a workstation | [Scan from a Workstation](/cnspec/cloud/aws/) |
+| Snapshot scanning           | [Scan an EBS Snapshot](/cnspec/cloud/aws/aws-ebs-snapshot-scan/)   |
 | Continuous AWS scanning     | [Continuously Scan AWS](/platform/infra/cloud/aws/aws-integration-scan/)   |
 | cnspec                      | [The cnspec documentation](/cnspec/cnspec-about/)                          |
 

diff --git a/...platform/infra/cloud/aws/aws-ssm-scan.mdx → docs/cnspec/cloud/aws/aws-ssm-scan.mdx b/...platform/infra/cloud/aws/aws-ssm-scan.mdx → docs/cnspec/cloud/aws/aws-ssm-scan.mdx
@@ -1,7 +1,7 @@
 ---
 title: Scan Using AWS Systems Manager
 sidebar_label: Scan Using AWS SSM
-sidebar_position: 6
+sidebar_position: 25
 image: /img/featured_img/mondoo-aws.jpg
 description: This document covers the configuration and use of AWS Systems Manager (SSM) to scan EC2 instances without agents.
 ---
@@ -202,7 +202,7 @@ aws ssm describe-instance-information --query "InstanceInformationList[?Instance
 
 | To learn about...       | Read...                                                                  |
 | ----------------------- | ------------------------------------------------------------------------ |
-| Snapshot scanning       | [Scan an EBS Snapshot](/platform/infra/cloud/aws/aws-ebs-snapshot-scan/) |
+| Snapshot scanning       | [Scan an EBS Snapshot](/cnspec/cloud/aws/aws-ebs-snapshot-scan/) |
 | Continuous AWS scanning | [Continuously Scan AWS](/platform/infra/cloud/aws/aws-integration-scan/) |
 | cnspec                  | [The cnspec documentation](/cnspec/cnspec-about/)                        |
 

diff --git a/docs/platform/infra/cloud/aws/_aws-client-service.mdx b/docs/platform/infra/cloud/aws/_aws-client-service.mdx