scan aws-parameter-store
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
Note
You must have version 0.17.0 or higher of the Vault Radar CLI installed.
To check the current version of your CLI, use the version command.
The scan aws-parameter-store command scans parameters of type String and StringList in AWS Parameter Store.
Note
Parameters of type SecureString will not be scanned, as they are secure by definition.
Authentication
The scan aws-parameter-store command needs permissions to read parameters, their history and their tags; see the following simplified policy document.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters",
        "ssm:GetParameterHistory",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
See AWS Authentication for more information on how to authenticate with AWS.
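A practical check before granting the scanner a role is to confirm that whatever scoped-down policy you end up with still covers every action listed above. The following Python script is an added example (not part of the Vault Radar CLI or its documentation): it takes the policy document from this page, a second constructed policy with a placeholder account id and region in its ARN, and reports which required actions are missing and which Allow statements still use a "*" resource. It only evaluates Action coverage with IAM-style wildcards and explicit Deny statements; Condition blocks, NotAction and resource scoping are not simulated.

```python
import fnmatch
import json

# Actions the scan aws-parameter-store command needs, taken from the
# simplified policy document on this page.
REQUIRED_ACTIONS = [
    "ssm:DescribeParameters",
    "ssm:GetParameterHistory",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:ListTagsForResource",
]

# The policy from the page, as it would sit in a .json file.
RADAR_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters",
        "ssm:GetParameterHistory",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed counter-example: a wildcard grant that looks complete but omits
# ListTagsForResource, plus an explicit Deny on parameter history. The account
# id and region in the ARN are placeholders, not real values.
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:DescribeParameters", "ssm:GetParameter*"],
            "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/*",
        },
        {"Effect": "Deny", "Action": "ssm:GetParameterHistory", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def granted_actions(policy, required=REQUIRED_ACTIONS):
    """Return the subset of `required` that the policy allows.

    Action patterns may contain IAM wildcards ("ssm:Get*"), which fnmatch
    expands; matching is case-insensitive because IAM action names are.
    An explicit Deny overrides any Allow. Conditions are not evaluated.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for action in required:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    bucket.add(action)
    return allowed - denied


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant; an empty list means the scan can run."""
    return sorted(set(required) - granted_actions(policy, required))


def star_resource_statements(policy):
    """Allow statements with Resource "*", worth reviewing when scoping the policy down.

    Some describe/list style actions do not support resource-level permissions,
    so a "*" resource is a review item, not automatically a defect.
    """
    return [
        stmt for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource"))
    ]


if __name__ == "__main__":
    for label, pol in (("page policy", RADAR_POLICY), ("narrow policy", NARROW_POLICY)):
        print(f"{label}: missing {missing_actions(pol) or 'none'}, "
              f"{len(star_resource_statements(pol))} Allow statement(s) on resource *")
```

Run it against your own policy file by replacing NARROW_POLICY with json.load() of that file; a non-empty missing list means the scan will fail part way through (for example when it tries to read parameter history or tags) rather than at start-up.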
Usage
Usage: vault-radar scan aws-parameter-store [options]
Command options
--region, -r
: Specifies the region of AWS Parameter Store to scan (required)
--outfile, -o
: Specifies the file to store information about found secrets (required)
--skip-history
: If specified, scans only the most recent version of the parameters. Default is to scan all available versions
--format, -f
: Specifies the output format, csv and json are supported. Defaults to csv
--index-file
: Specifies the index file path to use in order to determine which risks are Vaulted
--baseline, -b
: Specifies the file with previous scan results. Only new secrets will be reported.
--limit, -l
: Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached
--parameter-limit
: Specifies the maximum number of parameters to be scanned. The scan will stop when the limit is reached
--offline
: Specifies that the scan should be run in offline mode, without connecting to HCP
--disable-ui
: Specifies that the scan summary should not be logged to stdout
--skip-activeness
: If specified, skips activeness checks
Scan latest version of parameters
To scan the latest version of all parameters within a region and write the results to a CSV file (the default format):
$ vault-radar scan aws-parameter-store -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv \
    --skip-history
Scan latest version of parameters and output in JSON
To scan the latest version of all parameters within a region and write the results in JSON Lines format:
$ vault-radar scan aws-parameter-store -r <REGION CODE> \
    -o <PATH TO OUTPUT>.jsonl \
    --skip-history \
    -f json
Scan all versions of parameters
To scan all the available versions of all parameters within a region:
$ vault-radar scan aws-parameter-store -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv
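The difference between a history scan and a --skip-history scan matters because a secret that was later removed from a parameter's current value is still readable in an older version. The following Python script is an added example, not Vault Radar's code or its detection rules: it models the scope described on this page (String and StringList parameters are scanned, StringList values are split on commas, SecureString parameters are skipped) over a constructed parameter history, and shows how the set of findings shrinks when only the latest version of each parameter is examined. The regular expressions are illustrative shapes for a few common credential formats; the parameter names and values are constructed, and the access key id is the AWS documentation example key.

```python
import re
from dataclasses import dataclass

# Illustrative credential shapes (not Vault Radar's rule set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@"),
}


@dataclass(frozen=True)
class ParameterVersion:
    """One entry as returned by a parameter history listing (constructed shape)."""
    name: str
    type: str      # "String", "StringList" or "SecureString"
    version: int
    value: str


# Constructed history: the database URL was sanitised in version 2, but
# version 1 still carries the password; a StringList hides an access key id
# among hostnames; the SecureString holds a key but is out of scope.
SAMPLE_HISTORY = [
    ParameterVersion("/app/db-url", "String", 1, "postgres://app:hunter2@db.internal:5432/app"),
    ParameterVersion("/app/db-url", "String", 2, "postgres://db.internal:5432/app"),
    ParameterVersion("/app/hosts", "StringList", 1, "a.example.com,AKIAIOSFODNN7EXAMPLE,b.example.com"),
    ParameterVersion("/app/api-token", "SecureString", 1, "AKIAIOSFODNN7EXAMPLE"),
]


def values_to_scan(pv):
    """Apply the page's scope rules to one parameter version."""
    if pv.type == "SecureString":
        return []                      # secure by definition, not scanned
    if pv.type == "StringList":
        return [item.strip() for item in pv.value.split(",")]
    return [pv.value]


def latest_only(history):
    """Keep the highest version number of each parameter name."""
    latest = {}
    for pv in history:
        if pv.name not in latest or pv.version > latest[pv.name].version:
            latest[pv.name] = pv
    return list(latest.values())


def find_secrets(history, skip_history=False):
    """Return sorted (name, version, rule) tuples for every match.

    skip_history=True mirrors the --skip-history flag: only the most recent
    version of each parameter is examined, so secrets that survive only in
    older versions are not reported.
    """
    versions = latest_only(history) if skip_history else history
    findings = []
    for pv in versions:
        for item in values_to_scan(pv):
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(item):
                    findings.append((pv.name, pv.version, rule))
    return sorted(findings)


if __name__ == "__main__":
    print("all versions:  ", find_secrets(SAMPLE_HISTORY))
    print("latest only:   ", find_secrets(SAMPLE_HISTORY, skip_history=True))
```

In the constructed history the full scan reports the stale password in /app/db-url version 1, while the latest-only scan does not, which is the trade-off you accept when using --skip-history for speed.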
Scanning using a baseline file
Perform a scan using a previous scan's results and write only the new findings to an outfile. With the -b option, only new risks (risks that were not found in the previous scan) will be reported.
$ vault-radar scan aws-parameter-store -r <REGION CODE> \
    -b <PATH TO BASELINE>.csv \
    -o <PATH TO OUTPUT>.csv
Note: the previous and current scans are expected to be "similar", that is, both latest-version scans or both history scans, and both using the same output format.
Scanning using a Vault index file
Perform a scan using a generated vault index and write the results to an outfile. In this mode, if a risk was previously found in Vault, the scan results will report the location in Vault as well.
$ vault-radar scan aws-parameter-store -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv \
    --index-file <PATH TO VAULT INDEX>.jsonl
HCP connection scanning behavior
The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.
To allow scanning to continue working without an HCP cloud connection, use the --offline flag:
$ vault-radar scan aws-parameter-store --offline \
    -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv
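The two sections above are connected: a baseline comparison only works if the same secret produces the same hash in both scans, which is why the default mode fetches a shared salt from HCP. The following Python script is an added example, not Vault Radar's hashing scheme or report format: it fingerprints constructed findings with an HMAC keyed by a salt, writes a JSON Lines report that contains fingerprints rather than plaintext values, and then compares a current report against a baseline once with the same salt and once with a different one. The salts, locations and secret values are all constructed.

```python
import hashlib
import hmac
import json


def fingerprint(secret_value, salt):
    """Keyed hash of a secret value (HMAC-SHA256, hex).

    The report stores this instead of the plaintext, and the salt stops
    someone holding only the report from confirming guesses of common values.
    """
    return hmac.new(salt, secret_value.encode("utf-8"), hashlib.sha256).hexdigest()


def build_report(findings, salt):
    """findings: iterable of (location, secret_value).

    Returns JSON Lines text carrying the location and fingerprint only; the
    raw value never leaves this function.
    """
    return "\n".join(
        json.dumps({"location": loc, "fingerprint": fingerprint(val, salt)})
        for loc, val in findings
    )


def _records(report_text):
    return [json.loads(line) for line in report_text.splitlines() if line.strip()]


def new_findings(current_report, baseline_report):
    """Records in the current report whose (location, fingerprint) pair is absent from the baseline."""
    seen = {(r["location"], r["fingerprint"]) for r in _records(baseline_report)}
    return [r for r in _records(current_report) if (r["location"], r["fingerprint"]) not in seen]


# Constructed inputs. Locations are "<parameter name>:<version>" by convention
# of this example only.
SHARED_SALT = b"constructed-shared-salt"
OTHER_SALT = b"constructed-different-salt"
BASELINE_FINDINGS = [("/app/db-url:1", "hunter2")]
CURRENT_FINDINGS = [("/app/db-url:1", "hunter2"), ("/app/hosts:1", "AKIAIOSFODNN7EXAMPLE")]

BASELINE = build_report(BASELINE_FINDINGS, SHARED_SALT)
CURRENT_SAME_SALT = build_report(CURRENT_FINDINGS, SHARED_SALT)
CURRENT_OTHER_SALT = build_report(CURRENT_FINDINGS, OTHER_SALT)


if __name__ == "__main__":
    print("same salt, new findings:     ", [r["location"] for r in new_findings(CURRENT_SAME_SALT, BASELINE)])
    print("different salt, new findings:", [r["location"] for r in new_findings(CURRENT_OTHER_SALT, BASELINE)])
```

With the shared salt only the access key in /app/hosts is new; with a different salt every fingerprint changes, so the baseline matches nothing and the previously known finding is reported again. That is the consistency the shared salt from HCP is there to preserve across scans.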
Scan and restrict the number of secrets found
To stop scanning when the defined number of secrets has been found:
$ vault-radar scan aws-parameter-store -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv \
    -l <NUM OF SECRETS>
Scan and restrict the number of parameters scanned
To stop scanning when the defined number of parameters has been scanned:
$ vault-radar scan aws-parameter-store -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv \
    --parameter-limit <NUM OF PARAMETERS>