AWS CloudShell makes it easy to spin up a terminal right in your AWS account. Since CloudShell is just like any other terminal, you have the ability to bootstrap other tools without the need to spin up an instance.
In a prior post I showed how to install Steampipe in AWS CloudShell to instantly query over 460+ resource types from your AWS APIs using SQL, and another post on how to use the Steampipe AWS Compliance mod to assess over 25+ security benchmarks across your AWS accounts.
In this post we are going to show how to run the latest AWS CIS benchmark v3.0 in AWS CloudShell.
How to run an AWS CIS v3.0 assessment
Here's how to get started:
If you've already completed steps 1 - 3, skip to step 4:
1. Install Steampipe
sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe/main/install.sh)"
2. Install the AWS plugin
steampipe plugin install aws
3. Install the AWS Compliance Mod
git clone https://github.com/turbot/steampipe-mod-aws-compliance
cd steampipe-mod-aws-compliance
4. Run the AWS CIS v3.0 benchmark:
steampipe check aws_compliance.benchmark.cis_v300
There are over 60 controls in that benchmark, so the command produces many screenfuls of output, here's the last one:
Export and Review the Findings
The summary is helpful, but you may want to digest the full report in varying formats. You can export to CSV, Markdown, HTML. Example of an HTML format:
steampipe check aws_compliance.benchmark.cis_v300 --export=output.html
Using Files -> Download File in AWS CloudShell's Actions menu, you can download your output file steampipe-mod-aws-compliance/output.html and work with it locally.
Here's what the HTML report looks like:
Final Thoughts
I really enjoy using AWS CloudShell + Steampipe for these type of quick win use cases within an AWS account. It's remarkably easy to install your CLI tools like Steampipe, with no configuration required and instant gratification!
CloudShell is just one place to run Steampipe in AWS, beyond ECS containers, EC2 instances and AWS Workspaces, you can also run Steampipe in Cloud9 and CodeBuild.
Try Steampipe for other AWS use cases, and let me know how you go.
Top comments (0)