AWS EC2 Virtual Machine Scanning Setup
This functionality is available for Pro and Scale plans only. Contact us for more information.
Why should I scan my virtual machines?
With virtual machine scanning, Aikido can scan the hard drives of your virtual machines for vulnerable packages, outdated runtimes and risky licenses.
Getting started
To enable the scanning of your virtual machines on AWS EC2, you should first start by connecting your AWS Cloud to Aikido. To do this you can follow the steps outlined in this article.
Once your cloud is connected, you'll see a tab appear on the detail page called 'Virtual Machines'.
When you click on 'Set Up VM Scanning' we'll take you to the following page:
On this page, you can set up virtual machine scanning via an AWS CloudFormation template that should be applied in the account containing the virtual machines you'd like to have scanned. The CloudFormation template will create a role with limited access to your AWS account. It's important to KEEP all of the role's permissions as they are: they are the absolute minimum that Aikido needs to perform the scans.
Once the CloudFormation resources have been created, you'll see the ARN of the role that was created in AWS. Copy it and paste it into the input field on the setup screen. Once you click 'Save', Aikido will immediately start to discover the virtual machines in your account and scan them.
Managing which VMs are scanned
You can decide which VMs are scanned by Aikido by assigning tags to the VMs in your AWS environment. Aikido looks for these two tags:
AIKIDO_INCLUDE_VM: Once this tag has been assigned to a VM in a region, Aikido will only scan the VMs in that region which have this tag assigned to them. The tag should have the value true assigned to it to take effect. Please note that this is scoped per region.
AIKIDO_EXCLUDE_VM: Adding this tag to a VM will ensure that Aikido skips scanning this VM. This does not impact other VMs. The tag should have the value true assigned to it to take effect.
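The following is an added example, not Aikido's own code, that works through the two tag rules above on a constructed set of instances so you can check what a given tagging scheme would select before relying on it. It assumes the tag value must be exactly the string true (a value of True is treated as not set), that AIKIDO_EXCLUDE_VM wins when both tags are present, and that the opt-in behaviour of AIKIDO_INCLUDE_VM is decided per region, as the text describes; the instance records mimic the Key/Value tag shape returned by the EC2 API but are constructed here, not fetched.

```python
"""Work out which EC2 instances the AIKIDO_INCLUDE_VM / AIKIDO_EXCLUDE_VM
tag rules would select for scanning. Example code, not Aikido's implementation."""

INCLUDE_TAG = "AIKIDO_INCLUDE_VM"
EXCLUDE_TAG = "AIKIDO_EXCLUDE_VM"


def tags_to_dict(tag_list):
    """Flatten the EC2-style [{"Key": ..., "Value": ...}] list into a dict."""
    return {t["Key"]: t["Value"] for t in tag_list}


def is_true(tags, key):
    # Assumption: only the exact string "true" activates a tag; "True" or "yes" does not.
    return tags.get(key) == "true"


def region_modes(instances):
    """Return {region: "opt-in" | "all"}: a region switches to opt-in mode as soon as
    any instance in it carries AIKIDO_INCLUDE_VM=true (the rule is scoped per region)."""
    modes = {}
    for inst in instances:
        region = inst["Region"]
        tags = tags_to_dict(inst.get("Tags", []))
        if is_true(tags, INCLUDE_TAG):
            modes[region] = "opt-in"
        else:
            modes.setdefault(region, "all")
    return modes


def select_instances_for_scan(instances):
    """Return the sorted instance ids that would be scanned.

    - An instance with AIKIDO_EXCLUDE_VM=true is always skipped (assumption: exclude wins
      over include when both are present).
    - In a region in opt-in mode, only instances with AIKIDO_INCLUDE_VM=true are scanned.
    - In any other region, every remaining instance is scanned.
    """
    modes = region_modes(instances)
    selected = []
    for inst in instances:
        tags = tags_to_dict(inst.get("Tags", []))
        if is_true(tags, EXCLUDE_TAG):
            continue
        if modes[inst["Region"]] == "opt-in" and not is_true(tags, INCLUDE_TAG):
            continue
        selected.append(inst["InstanceId"])
    return sorted(selected)


# Constructed sample data: instance ids and regions are placeholders, not real resources.
SAMPLE_INSTANCES = [
    # eu-west-1 has one opted-in instance, so the whole region is in opt-in mode.
    {"InstanceId": "i-0aaa", "Region": "eu-west-1",
     "Tags": [{"Key": INCLUDE_TAG, "Value": "true"}]},
    {"InstanceId": "i-0bbb", "Region": "eu-west-1",
     "Tags": [{"Key": "Name", "Value": "web"}]},                      # untagged: skipped
    {"InstanceId": "i-0ccc", "Region": "eu-west-1",
     "Tags": [{"Key": INCLUDE_TAG, "Value": "True"}]},               # wrong case: skipped
    {"InstanceId": "i-0fff", "Region": "eu-west-1",
     "Tags": [{"Key": INCLUDE_TAG, "Value": "true"},
              {"Key": EXCLUDE_TAG, "Value": "true"}]},               # both: exclude wins
    # us-east-1 has no include tags, so everything not excluded is scanned.
    {"InstanceId": "i-0ddd", "Region": "us-east-1", "Tags": []},
    {"InstanceId": "i-0eee", "Region": "us-east-1",
     "Tags": [{"Key": EXCLUDE_TAG, "Value": "true"}]},               # explicitly skipped
]

if __name__ == "__main__":
    print("region modes:", region_modes(SAMPLE_INSTANCES))
    print("would be scanned:", select_instances_for_scan(SAMPLE_INSTANCES))
```

Running the script on the sample data reports eu-west-1 in opt-in mode and us-east-1 scanning everything, with only i-0aaa and i-0ddd selected. To feed it real data you would replace SAMPLE_INSTANCES with the output of the EC2 DescribeInstances call for each region; the tags themselves can be applied with the standard `aws ec2 create-tags --resources <instance-id> --tags Key=AIKIDO_INCLUDE_VM,Value=true` command.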