AWS Scanner

The AWS Scanner queries AWS cryptographic services to inventory certificates, encryption keys, and signing credentials managed by AWS.

What It Scans

AWS managed cryptographic services:

• ACM (AWS Certificate Manager) — TLS certificates for AWS services
• KMS (Key Management Service) — Encryption keys (symmetric and asymmetric)
• IAM — Server certificates and user signing certificates

How It Works

1. Authenticates to AWS using provided credentials or IAM role
2. Queries each configured service in the specified region
3. ACM: Lists and describes all certificates, including domain names, status, and key algorithm
4. KMS: Lists keys and retrieves metadata — key spec, usage, state, rotation status
5. IAM: Lists server certificates and user signing certificates
6. Maps AWS-specific metadata to normalized CBOM asset format

Configuration

scanners:
  aws:
    - region: us-east-1
      services:
        - acm
        - kms
        - iam
      accessKeyId: AKIA...
      secretAccessKey: "..."
      # Or use IAM role (no credentials needed if running on EC2/ECS)

Parameter	Required	Default	Description
region	Yes	—	AWS region to scan
services	Yes	—	List of services: acm, kms, iam
accessKeyId	No	—	AWS access key (omit if using IAM role)
secretAccessKey	No	—	AWS secret key (omit if using IAM role)

Authentication options:

1. Explicit credentials (accessKeyId + secretAccessKey)
2. IAM instance role (when running on EC2/ECS — no credentials needed)
3. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

Assets Produced

Asset Type	What’s Captured
certificate	ARN, domain names, issuer, expiry, key algorithm, status, type (imported/issued)
symmetric-key	Key ID, key spec (SYMMETRIC_DEFAULT), key usage, key state, rotation status
public-key	Key ID, key spec (RSA_2048, ECC_NIST_P256), key usage, key state

ACM Details

Field	Description
Certificate ARN	Unique AWS resource identifier
Domain names	Primary + SANs
Issuer	Amazon or imported CA
Key algorithm	RSA-2048, ECDSA-P256, etc.
Status	ISSUED, PENDING_VALIDATION, EXPIRED, REVOKED
In use by	Associated AWS resources (ELB, CloudFront, etc.)

KMS Details

Field	Description
Key ID	Unique key identifier
Key spec	RSA_2048, ECC_NIST_P256, SYMMETRIC_DEFAULT, etc.
Key usage	ENCRYPT_DECRYPT, SIGN_VERIFY
Key state	Enabled, Disabled, PendingDeletion
Rotation	Whether automatic rotation is enabled

IAM Details

Field	Description
Server certificates	Certificates uploaded for ELB/CloudFront
Signing certificates	X.509 certificates associated with IAM users
Associated user	IAM user the certificate belongs to

Deduplication

• ACM certificates: SHA-256 of certificate ARN (unique per region)
• KMS keys: Key ID (globally unique)
• IAM certificates: Certificate ID

Use Cases

• Inventory all AWS-managed cryptographic material across regions
• Find expiring ACM certificates before they affect production load balancers
• Audit KMS key rotation — identify keys without automatic rotation enabled
• Discover orphaned IAM certificates that are no longer in use

Example Output

{
  "type": "certificate",
  "fingerprint": "sha256:a7b8c9d0e1f2...",
  "subject": "CN=*.example.com",
  "issuer": "CN=Amazon, O=Amazon, C=US",
  "signatureAlgorithm": "SHA256withRSA",
  "notValidAfter": "2025-06-15T00:00:00Z",
  "status": "ISSUED",
  "san": ["*.example.com", "example.com"],
  "source": {
    "scanner": "aws",
    "service": "acm",
    "region": "us-east-1",
    "arn": "arn:aws:acm:us-east-1:123456789:certificate/abc-123",
    "inUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/app/prod-alb/abc123"]
  }
}

{
  "type": "symmetric-key",
  "fingerprint": "sha256:kms-key-id-hash...",
  "algorithm": "AES",
  "keySize": 256,
  "keySpec": "SYMMETRIC_DEFAULT",
  "keyUsage": "ENCRYPT_DECRYPT",
  "keyState": "Enabled",
  "rotationEnabled": true,
  "source": {
    "scanner": "aws",
    "service": "kms",
    "region": "us-east-1",
    "keyId": "mrk-1234abcd5678efgh"
  }
}

---

← Back to Scanners Overview | Sensor Setup Guide