Snapshot Your Account
Capture a point-in-time configuration snapshot of your AWS account and evaluate it. Stave only ever reads a local snapshot; it never connects to or writes to AWS.
Time: ~30 minutes. Real AWS, read-only.
Prerequisites
A read-only AWS profile (e.g. the AWS-managed SecurityAudit or ReadOnlyAccess policy). Do NOT use admin/write credentials.
aws sts get-caller-identity --profile <your-readonly-profile>
Steps
1. Confirm read-only access
Verify the caller's attached policies are read/audit only before proceeding.
2. Capture a snapshot
Pull configuration with read-only AWS CLI calls and save the raw JSON:
mkdir -p ~/my-snapshot/raw
aws iam list-users --profile <profile> > ~/my-snapshot/raw/list-users.json
aws iam list-attached-user-policies --user-name <user> --profile <profile> \
> ~/my-snapshot/raw/policies-<user>.json
aws s3api get-bucket-policy --bucket <bucket> --profile <profile> \
> ~/my-snapshot/raw/bucket-policy-<bucket>.json
Adapt the resource list to what you want to evaluate.
3. Build observations
Transform the captured config into obs.v0.1 observation files:
- One or more snapshot files (2+ timestamps for duration-based controls)
schema_version: obs.v0.1,source: deployed- Per-asset
propertiespopulated with the fields the relevant controls read
Find field names with:
./stave search "<your concern>"
find controls -name '<CONTROL_ID>*' -exec grep observation_fields {} \;
Validate:
jq . ~/my-snapshot/obs/*.json > /dev/null && echo "valid JSON"
4. Evaluate
./stave apply --observations ~/my-snapshot/obs/ --eval-time $(date -u +%Y-%m-%dT%H:%M:%SZ)
5. Review findings
Each finding is a property of your environment with evidence and remediation. Triage by severity; the remediation field says what to change.
Important
- Stave evaluates a local snapshot — it never calls AWS. Capture is the only AWS step, and it's read-only.
- A snapshot is point-in-time: findings reflect the captured moment, not live state.
- Deterministic: same snapshot + same
--eval-time= identical findings.
Done
You've evaluated your real environment. Findings are specific to your infrastructure, each with evidence and remediation guidance.