AWS workload discovery


Twigs supports agentless, cloud-native discovery of AWS EC2 workloads / instances.


AWS Systems Manager must be configured to report asset inventory, which twigs then ingests. Systems Manager Inventory is the AWS service that collects and records inventory from AWS workloads; it needs to be enabled for the AWS subscription so that the latest packages / patches and the other metadata required for vulnerability assessment can be discovered. For more details on how to configure AWS Systems Manager, please refer to the links below:


Once AWS Systems Manager is gathering inventory, run twigs to ingest the collected inventory into your ThreatWorx instance by following these steps:

  • Open a new shell / terminal
  • Keep the following AWS details handy to run the command:
    • AWS Account Identifier (AWS_ACCOUNT)
    • AWS Access Key (AWS_ACCESS_KEY)
    • AWS Secret Key (AWS_SECRET_KEY)
    • AWS Region (AWS_REGION)
    • AWS S3 Bucket (AWS_S3_BUCKET)
  • Run the command below:

twigs aws --aws_account AWS_ACCOUNT --aws_access_key AWS_ACCESS_KEY --aws_secret_key AWS_SECRET_KEY --aws_region AWS_REGION --aws_s3_bucket AWS_S3_BUCKET [--enable_tracking_tags]

  • It is suggested that you pass --enable_tracking_tags, which makes AWS cloud instances easy to identify in ThreatWorx.
  • AWS cloud discovery may take some time, depending on the number of EC2 instances in your AWS cloud setup.
  • After discovery is complete, log in to the ThreatWorx Console to view the newly discovered assets.
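As an added example (not part of the twigs project), a POSIX shell wrapper for the command above that reads the five values from environment variables named after the placeholders (an assumption; these are not the AWS CLI's standard variable names), checks that all of them are present, logs a masked copy of the command line, and only then invokes twigs, so the secret key is never typed into shell history:

```shell
#!/bin/sh
# Added example, not part of twigs: wrap the documented 'twigs aws' invocation.
# Assumption: the five values are supplied as environment variables named after
# the documentation's placeholders (AWS_ACCOUNT, AWS_ACCESS_KEY, AWS_SECRET_KEY,
# AWS_REGION, AWS_S3_BUCKET); these are NOT the AWS CLI's standard variable names.

REQUIRED_VARS="AWS_ACCOUNT AWS_ACCESS_KEY AWS_SECRET_KEY AWS_REGION AWS_S3_BUCKET"

# check_aws_env: return 0 when every required variable is set and non-empty,
# otherwise list the missing names on stderr and return 1.
check_aws_env() {
  missing=""
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "check_aws_env: missing:$missing" >&2
    return 1
  fi
  return 0
}

# twigs_aws_cmd_masked: print the exact command line that will run, with the
# secret key masked, so it can be logged or reviewed without leaking the secret.
twigs_aws_cmd_masked() {
  printf 'twigs aws --aws_account %s --aws_access_key %s --aws_secret_key **** --aws_region %s --aws_s3_bucket %s --enable_tracking_tags\n' \
    "$AWS_ACCOUNT" "$AWS_ACCESS_KEY" "$AWS_REGION" "$AWS_S3_BUCKET"
}

# run_twigs_aws: validate, log the masked command, then exec twigs. The secret
# still reaches twigs as a CLI argument (that is what the tool expects), so it is
# visible in local process listings while discovery runs; it just never lands in
# shell history, because the operator types this script's name, not the key.
run_twigs_aws() {
  check_aws_env || return 1
  twigs_aws_cmd_masked >&2
  exec twigs aws \
    --aws_account "$AWS_ACCOUNT" \
    --aws_access_key "$AWS_ACCESS_KEY" \
    --aws_secret_key "$AWS_SECRET_KEY" \
    --aws_region "$AWS_REGION" \
    --aws_s3_bucket "$AWS_S3_BUCKET" \
    --enable_tracking_tags
}

# Only start discovery when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  run_twigs_aws
fi
```

Export the five variables from a file readable only by the operator's account (or from your secrets manager) and then run the script with --run.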