bob-bot for AWS Community Builders

How to run an AWS CIS v3.0 assessment in CloudShell

AWS CloudShell makes it easy to spin up a terminal right in your AWS account. Since CloudShell is just like any other terminal, you have the ability to bootstrap other tools without the need to spin up an instance.

In a prior post I showed how to install Steampipe in AWS CloudShell to instantly query more than 460 resource types from your AWS APIs using SQL, and in another post how to use the Steampipe AWS Compliance mod to assess more than 25 security benchmarks across your AWS accounts.

In this post I'll show how to run the latest AWS CIS benchmark, v3.0, in AWS CloudShell.

How to run an AWS CIS v3.0 assessment

Here's how to get started. If you've already completed steps 1 to 3, skip to step 4.

1. Install Steampipe

sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe/main/install.sh)"


2. Install the AWS plugin

steampipe plugin install aws

3. Install the AWS Compliance Mod

git clone https://github.com/turbot/steampipe-mod-aws-compliance
cd steampipe-mod-aws-compliance

4. Run the AWS CIS v3.0 benchmark:

steampipe check aws_compliance.benchmark.cis_v300

There are more than 60 controls in that benchmark, so the command produces many screenfuls of output. Here's the last one:

Steampipe AWS CIS v3.0 benchmark assessment

Export and Review the Findings

The summary is helpful, but you may want to digest the full report in another format. You can export the results to CSV, Markdown or HTML. For example, to export an HTML report:

steampipe check aws_compliance.benchmark.cis_v300 --export=output.html

Using Actions -> Files -> Download File in AWS CloudShell, you can download your output file (steampipe-mod-aws-compliance/output.html, since the command was run from the mod directory) and work with it locally.
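Once you have an export, the next step is usually to turn it into a prioritized list of failing controls and a pass/fail signal you can act on. The script below is an added Python example, not code from this post or from Steampipe itself. It assumes a CSV export (`--export=output.csv`) whose columns are control_id, control_title, status, resource, reason and severity; those column names and the sample rows are constructed assumptions, so adjust them to match your actual file.

```python
"""Summarize a Steampipe `check --export=output.csv` file and gate on alarms."""
import csv
import io
import sys
from collections import Counter, defaultdict

# Result statuses treated as failures; Steampipe also emits ok, info and skip.
FAIL_STATUSES = ("alarm", "error")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample rows standing in for a real export. The column names
# (control_id, control_title, status, resource, reason, severity) are an
# assumption about the CSV layout; adjust them to match your own file.
SAMPLE_CSV = """control_id,control_title,status,resource,reason,severity
cis_v300_1_4,Root user has no access keys,ok,arn:aws:iam::111122223333:root,root has no access keys,critical
cis_v300_1_12,Unused credentials are disabled,alarm,arn:aws:iam::111122223333:user/olduser,olduser unused for 90 days,high
cis_v300_1_12,Unused credentials are disabled,alarm,arn:aws:iam::111122223333:user/svc,svc unused for 120 days,high
cis_v300_1_10,MFA enabled for console users,alarm,arn:aws:iam::111122223333:user/alice,alice MFA not enabled,medium
cis_v300_2_1_1,S3 bucket policy denies HTTP,skip,arn:aws:s3:::example-bucket,no bucket policy,low
cis_v300_3_1,CloudTrail enabled in all regions,error,arn:aws:cloudtrail:us-east-1:111122223333:trail/t,access denied,high
"""


def load_findings(csv_text):
    """Parse CSV text into a list of row dicts, one per control result."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def load_findings_file(path):
    """Read an exported CSV file from disk."""
    with open(path, newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))


def summarize(findings):
    """Count results by status (ok, alarm, info, skip, error)."""
    return Counter(row["status"] for row in findings)


def failing_controls(findings):
    """Group failing results by control: worst severity first, then most resources."""
    groups = defaultdict(list)
    for row in findings:
        if row["status"] in FAIL_STATUSES:
            groups[row["control_id"]].append(row)
    ranked = []
    for control_id, rows in groups.items():
        sev = rows[0].get("severity", "").lower()
        ranked.append({
            "control_id": control_id,
            "title": rows[0].get("control_title", ""),
            "severity": sev,
            "count": len(rows),
            "resources": [r["resource"] for r in rows],
        })
    # Unknown severities sort last; ties broken by resource count, then id.
    ranked.sort(key=lambda c: (SEVERITY_RANK.get(c["severity"], 99),
                               -c["count"], c["control_id"]))
    return ranked


def exit_code(findings, fail_on=FAIL_STATUSES):
    """Return 1 if any result has a failing status, else 0 (usable as a CI gate)."""
    return 1 if any(row["status"] in fail_on for row in findings) else 0


def main(argv):
    # With a path argument, summarize that file; otherwise use the sample rows.
    findings = load_findings_file(argv[1]) if len(argv) > 1 else load_findings(SAMPLE_CSV)
    for status, n in sorted(summarize(findings).items()):
        print(f"{status:6} {n}")
    for c in failing_controls(findings):
        print(f"[{c['severity']}] {c['control_id']} ({c['count']}): {c['title']}")
        for resource in c["resources"]:
            print(f"    {resource}")
    return exit_code(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 summarize.py output.csv` after `steampipe check aws_compliance.benchmark.cis_v300 --export=output.csv`; the non-zero exit status on alarms lets the same script fail a scheduled job or pipeline stage, and the ordering puts the controls with the most affected resources at the highest severity at the top of the list.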

Here's what the HTML report looks like:

Steampipe AWS CIS v3.0 benchmark assessment - HTML Output

Final Thoughts

I really enjoy using AWS CloudShell + Steampipe for these types of quick-win use cases within an AWS account. It's remarkably easy to install CLI tools like Steampipe, with no configuration required and instant gratification!

CloudShell is just one place to run Steampipe in AWS. Beyond ECS containers, EC2 instances and AWS WorkSpaces, you can also run Steampipe in Cloud9 and CodeBuild.

Try Steampipe for other AWS use cases, and let me know how you go.