diff --git a/README.md b/README.md index f02dd9c0cd9b..15a53e5310db 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,6 @@ Targets (what Trivy can scan): - Git Repository (remote) - Virtual Machine Image - Kubernetes -- AWS Scanners (what Trivy can find there): diff --git a/docs/docs/compliance/compliance.md b/docs/docs/compliance/compliance.md index 5ff9c6ac6652..29edff649f80 100644 --- a/docs/docs/compliance/compliance.md +++ b/docs/docs/compliance/compliance.md @@ -10,7 +10,6 @@ Trivy’s compliance flag lets you curate a specific set of checks into a report Compliance report is currently supported in the following targets (trivy sub-commands): - `trivy image` -- `trivy aws` - `trivy k8s` Add the `--compliance` flag to the command line, and set it's value to desired report. diff --git a/docs/docs/configuration/reporting.md b/docs/docs/configuration/reporting.md index 39ecb6e5333c..a72689a410c5 100644 --- a/docs/docs/configuration/reporting.md +++ b/docs/docs/configuration/reporting.md @@ -428,7 +428,7 @@ $ trivy convert --format table --severity CRITICAL result.json ``` !!! note - JSON reports from "trivy aws" and "trivy k8s" are not yet supported. + JSON reports from "trivy k8s" are not yet supported. [cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/ [action]: https://github.com/aquasecurity/trivy-action diff --git a/docs/docs/plugin/user-guide.md b/docs/docs/plugin/user-guide.md index a02cd6643321..e809f0784735 100644 --- a/docs/docs/plugin/user-guide.md +++ b/docs/docs/plugin/user-guide.md @@ -103,7 +103,6 @@ VERSION: dev Scanning Commands - aws [EXPERIMENTAL] Scan AWS account config Scan config files for misconfigurations filesystem Scan local filesystem image Scan a container image diff --git a/docs/docs/target/aws.md b/docs/docs/target/aws.md deleted file mode 100644 index ef23825129f9..000000000000 --- a/docs/docs/target/aws.md +++ /dev/null @@ -1,109 +0,0 @@ -# Amazon Web Services - -!!! warning "EXPERIMENTAL" - This feature might change without preserving backwards compatibility. - -The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. -You can either run the CLI locally or integrate it into your CI/CD pipeline. - -Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too. - -The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks. - -Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform. - -You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` policy attached. - -Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - infrastructure information is cached locally per AWS account/region. - -Trivy currently supports the following scanning for AWS accounts. - -- Misconfigurations - -## CLI Commands - -Scan a full AWS account (all supported services): - -```shell -trivy aws --region us-east-1 -``` - -You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these. - -![AWS Summary Report](../../imgs/trivy-aws.png) - -The summary view is the default when scanning multiple services. - -Scan a specific service: - -```shell -trivy aws --service s3 -``` - -Scan multiple services: - -```shell -# --service s3,ec2 works too -trivy aws --service s3 --service ec2 -``` - -Show results for a specific AWS resource: - -```shell -trivy aws --service s3 --arn arn:aws:s3:::example-bucket -``` - -All ARNs with detected issues will be displayed when showing results for their associated service. - -## Compliance -This section describes AWS specific compliance reports. -For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md). - -### Built in reports - -the following reports are available out of the box: - -| Compliance | Name for command | More info | -|------------------------------------|------------------|------------------------------------------------------------------------------------------------------| -| AWS CIS Foundations Benchmark v1.2 | `aws-cis-1.2` | [link](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) | -| AWS CIS Foundations Benchmark v1.4 | `aws-cis-1.4` | [link](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls-1.4.0.html) | - -### Examples - -Scan a cloud account and generate a compliance summary report: - -``` -$ trivy aws --compliance= --report=summary -``` - -***Note*** : The `Issues` column represent the total number of failed checks for this control. - - -Get all of the detailed output for checks: - -``` -$ trivy aws --compliance= --report all -``` - -Report result in JSON format: - -``` -$ trivy aws --compliance= --report all --format json -``` - -## Cached Results - -By default, Trivy will cache a representation of each AWS service for 24 hours. -This means you can filter and view results for a service without having to wait for the entire scan to run again. -If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. -Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.). -Regardless of whether the cache is used or not, rules will be evaluated again with each run of `trivy aws`. - -## Custom Checks - -You can write custom checks for Trivy to evaluate against your AWS account. -These checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/), the same language used by [Open Policy Agent](https://www.openpolicyagent.org/). -See the [Custom Checks](../scanner/misconfiguration/custom/index.md) page for more information on how to write custom checks. - -Custom checks in cloud scanning also support passing in custom data. This can be useful when you want to selectively enable/disable certain aspects of your cloud checks. -See the [Custom Data](../scanner/misconfiguration/custom/data.md) page for more information on how to provide custom data to custom checks. diff --git a/docs/tutorials/shell/shell-completion.md b/docs/tutorials/shell/shell-completion.md index 1f9f3ecb154d..a9d21e3f2bc4 100644 --- a/docs/tutorials/shell/shell-completion.md +++ b/docs/tutorials/shell/shell-completion.md @@ -49,7 +49,6 @@ trivy completion zsh > "${fpath[1]}/_trivy" ```bash $ trivy [tab] -aws -- scan aws account completion -- Generate the autocompletion script for the specified shell config -- Scan config files for misconfigurations filesystem -- Scan local filesystem diff --git a/mkdocs.yml b/mkdocs.yml index b2f01adc28d2..540142122029 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -49,7 +49,6 @@ nav: - Code Repository: docs/target/repository.md - Virtual Machine Image: docs/target/vm.md - Kubernetes: docs/target/kubernetes.md - - AWS: docs/target/aws.md - SBOM: docs/target/sbom.md - Scanner: - Vulnerability: docs/scanner/vulnerability.md