// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1
package config
import (
"go.mondoo.com/cnquery/v11/providers-sdk/v1/inventory"
"go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin"
"go.mondoo.com/cnquery/v11/providers/aws/connection/awsec2ebsconn"
"go.mondoo.com/cnquery/v11/providers/aws/provider"
"go.mondoo.com/cnquery/v11/providers/aws/resources"
)
// Config describes the aws provider to the cnquery plugin runtime: its
// identity and version, the connection types it can open, the single "aws"
// connector (CLI help, argument bounds, discovery targets and flags) and the
// asset URL tree used to place discovered assets.
var Config = plugin.Provider{
	Name: "aws",
	// NOTE(review): the ID keeps the v9 import path while this module is v11;
	// presumably the identifier is held stable across major versions — do not
	// change it without checking what consumers key on.
	ID:      "go.mondoo.com/cnquery/v9/providers/aws",
	Version: "11.5.13",
	// Both the default (API) connection and the EBS block-device connection
	// are served by this provider.
	ConnectionTypes: []string{provider.DefaultConnectionType, string(awsec2ebsconn.EBSConnectionType)},
	Connectors: []plugin.Connector{
		{
			Name:  "aws",
			Use:   "aws",
			Short: "an AWS account",
			// Long is the CLI help text for the aws connector.
			// NOTE(review): the example `cnspec scan aws ec2 ebs <snapshot-id>`
			// does not match the `ebs` entry in the command list, which asks for
			// a volume ID (the snapshot form is `ebs snapshot`) — confirm which
			// is intended before changing either.
			Long: `Use the aws provider to query the resources in an AWS account.
To query or scan AWS resources, you must have an AWS credentials file. To learn how to create one, read https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-files.html. Mondoo uses the default profile in the credentials file unless you specify a different one using the --profile flag.
Available commands:
ec2 Query or scan an AWS EC2 instance
Subcommands:
instance-connect Access the EC2 instance using Amazon EC2 Instance Connect
Provide <user@host>
ssm Access the EC2 instance using AWS Systems Manager
Provide a path to the identity file
--identity-file <path>
ebs Query or scan an EBS volume
Provide the volume ID
ebs snapshot Query or scan an EBS volume snapshot
Provide the snapshot ID
Examples:
cnquery shell aws
cnspec scan aws
cnquery scan aws -f mondoo-aws-incident-response.mql.yaml --querypack mondoo-incident-response-aws
cnquery shell aws --role <role-arn>
cnspec scan aws ec2 instance-connect <user@host>
cnspec scan aws ec2 instance-connect <user@host> --identity-file <path>
cnspec scan aws ec2 ebs <snapshot-id>
cnspec scan aws --filters region=ap-south-1
Notes:
If you set the AWS_PROFILE environment variable, you can omit the profile flag.
To learn about setting up your AWS credentials, read https://mondoo.com/docs/cnspec/cloud/aws/.
`,
			// Positional arguments are optional; the longest documented form,
			// `ec2 ebs snapshot <snapshot-id>`, takes four.
			MinArgs: 0,
			MaxArgs: 4,
			// Discovery targets a user may select; each name is defined in the
			// resources package.
			Discovery: []string{
				resources.DiscoveryAccounts,
				resources.DiscoveryInstances,
				resources.DiscoveryEC2InstanceAPI,
				resources.DiscoverySSMInstances,
				resources.DiscoverySSMInstanceAPI,
				resources.DiscoveryECR,
				resources.DiscoveryECRImageAPI,
				resources.DiscoveryECS,
				resources.DiscoveryECSContainersAPI,
				resources.DiscoveryOrg,
				resources.DiscoveryResources,
				resources.DiscoveryS3Buckets,
				resources.DiscoveryCloudtrailTrails,
				resources.DiscoveryRdsDbInstances,
				resources.DiscoveryRdsDbClusters,
				resources.DiscoveryVPCs,
				resources.DiscoverySecurityGroups,
				resources.DiscoveryIAMUsers,
				resources.DiscoveryIAMGroups,
				resources.DiscoveryCloudwatchLoggroups,
				resources.DiscoveryLambdaFunctions,
				resources.DiscoveryDynamoDBTables,
				resources.DiscoveryDynamoDBGlobalTables,
				resources.DiscoveryRedshiftClusters,
				resources.DiscoveryVolumes,
				resources.DiscoverySnapshots,
				resources.DiscoveryEFSFilesystems,
				resources.DiscoveryAPIGatewayRestAPIs,
				resources.DiscoveryELBLoadBalancers,
				resources.DiscoveryESDomains,
				resources.DiscoveryKMSKeys,
				resources.DiscoverySagemakerNotebookInstances,
			},
			// All flags default to empty; an empty value means "not set".
			Flags: []plugin.Flag{
				{
					// Named profile from the shared credentials file; the Long
					// text notes that AWS_PROFILE can stand in for this flag.
					Long:    "profile",
					Type:    plugin.FlagType_String,
					Default: "",
					Desc:    "Profile to use when reading from ~/.aws/credentials",
				},
				{
					// Region used only for the authentication call; discovery is
					// not restricted by it (narrowing appears to be done with
					// --filters region=..., see the examples in Long).
					Long:    "region",
					Type:    plugin.FlagType_String,
					Default: "",
					Desc:    "Region to use for authentication with the API (Note: This does not limit the discovery to the region.)",
				},
				{
					// Role ARN to authenticate with; presumably the profile
					// credentials are exchanged for a session in this role —
					// verify against the connection code.
					Long:    "role",
					Type:    plugin.FlagType_String,
					Default: "",
					Desc:    "ARN of the role to use for authentication with the API",
				},
				{
					// NOTE(review): an endpoint override presumably redirects the
					// signed API calls — and the credentials backing them — to the
					// supplied host, so this value should only come from trusted
					// configuration (e.g. a known local emulator or private endpoint).
					Long:    "endpoint-url",
					Type:    plugin.FlagType_String,
					Default: "",
					Desc:    "Endpoint URL override for authentication with the API",
				},
				{
					// NOTE(review): declared as a string flag with an empty
					// default although the description reads like an on/off
					// switch — confirm how a value is interpreted (a bool flag
					// type may be intended).
					Long:    "no-setup",
					Type:    plugin.FlagType_String,
					Default: "",
					Desc:    "Override option for EBS scanning that tells it to not create the snapshot or volume",
				},
				{
					// Only meaningful for WAFv2, whose resources are either
					// CLOUDFRONT-scoped or REGIONAL.
					Long:    "scope",
					Type:    plugin.FlagType_String,
					Default: "",
					Desc:    "Set the scope for the AWS WAFV2 to either CLOUDFRONT or REGIONAL",
				},
				{
					// key=value pairs that narrow discovery, e.g. region=us-east-2.
					Long:    "filters",
					Type:    plugin.FlagType_KeyValue,
					Default: "",
					Desc:    "Filter options, e.g., --filters region=us-east-2",
				},
			},
		},
	},
	// Asset URL tree: technology=aws / account=<id> / service=<name>. The "*"
	// level presumably matches any account ID; the service leaves carry no
	// further branches (nil), and "other" looks like the catch-all service.
	AssetUrlTrees: []*inventory.AssetUrlBranch{
		{
			PathSegments: []string{"technology=aws"},
			Key:          "account",
			Title:        "Account",
			Values: map[string]*inventory.AssetUrlBranch{
				"*": {
					Key:   "service",
					Title: "Service",
					Values: map[string]*inventory.AssetUrlBranch{
						"account":    nil,
						"s3":         nil,
						"cloudtrail": nil,
						"rds":        nil,
						"vpc":        nil,
						"ec2":        nil,
						"iam":        nil,
						"cloudwatch": nil,
						"lambda":     nil,
						"ecs":        nil,
						"efs":        nil,
						"apigateway": nil,
						"es":         nil,
						"kms":        nil,
						"sagemaker":  nil,
						"ecr":        nil,
						"dynamodb":   nil,
						"elb":        nil,
						"other":      nil,
					},
				},
			},
		},
	},
}