AWS EC2 Virtual Machine Scanning Setup

Why should I scan my virtual machines?

With virtual machine scanning, Aikido scans the disks of your virtual machines for vulnerable packages, outdated runtimes and risky licenses.

Getting started

To enable the scanning of your Amazon EC2 instances, you should first start by connecting your AWS account to Aikido. To do this you can follow the steps outlined in this article.

Once your cloud is connected, you'll see a tab appear on the detail page called 'Virtual Machines'.

When you click on 'Set Up VM Scanning' we'll take you to the following page:

On this page, you can set up the virtual machine scanning via an AWS CloudFormation template that should be applied in the account of the virtual machines that you'd like to have scanned. The CloudFormation template will create a role with limited access to your AWS account. It's important to KEEP any permissions from the role as this is the absolute minimum that Aikido needs to perform the scans.

Once the CloudFormation resources have been created, you'll see the ARN of the role in AWS that was created. Copy it and add into the input field on the set up screen. Once you click 'save', Aikido will immediately start to discover any virtual machines in your account and scan them.

VM Grouping

To optimize scanning efficiency, Aikido groups certain EC2 instances and scans only one instance from each group. Grouping works as follows:

• Auto Scaling Groups (ASG): All EC2 instances in the same AWS Auto Scaling Group are shown as a single VM group in Aikido. The VM group’s name matches the ASG name.

• Karpenter Node Pools: All EC2 instances that belong to the same Karpenter node pool within an EKS cluster are grouped together. The VM group’s name matches the instance name pattern used by Karpenter.

• No grouping: EC2 instances that are not part of an ASG or Karpenter node pool are treated as standalone VMs and scanned individually.

Managing which VM's are scanned

Aikido supports inclusion and exclusion model for VM scanning.