Ankos
CLI Reference

ankos accounts discover

A fast, read-only sweep across your AWS accounts that inventories resources, flags risks, and recommends which accounts are likely in PCI scope — the natural first step before a full scan.

ankos accounts discover is a lightweight, read-only sweep across one or more AWS accounts. In a few seconds it inventories resources, flags obvious risks (public S3, users without MFA, missing audit logging), and recommends which accounts are likely in PCI scope — so you know where to point a full ankos scan before you spend time collecting evidence.

It's the natural first command: answer "which of my accounts even touch cardholder data?" first, then scan only those.

This is a scope-prioritization aid, not a compliance determination and not a substitute for your QSA-agreed scope. It counts resources and surfaces risk signals; it does not collect evidence. Use it to decide what to assess — the QSA defines the actual scope boundary.

Synopsis

ankos accounts discover [flags]

Quick start

# Current account (uses your default credentials, or set a profile)
ankos accounts discover

# A specific profile
AWS_PROFILE=production ankos accounts discover

# Every account in .ankosaccounts
ankos accounts discover --all-accounts

# Discover, then write a starter .ankosscope from the results
ankos accounts discover --all-accounts --generate-scope

# Machine-readable
ankos accounts discover --format json -o estate.json

What it looks at

Per account, across every active region, discover counts the resources that matter for PCI scoping and checks the account-level security posture. It is deliberately shallow — counts and flags, not the full per-resource evidence that ankos scan gathers.

  • Resource inventory — EC2, RDS, DynamoDB, Lambda, ECS, EKS, KMS, S3, CloudFront, IAM users (and more), counted per service.
  • Risk flags — quick signals such as public S3 buckets or IAM users without MFA.
  • Security posture — whether CloudTrail, GuardDuty, and AWS Config are enabled.

Example output

═══════════════════════════════════════════════════════════
  Ankos Discovery — Estate Overview
═══════════════════════════════════════════════════════════

  Accounts scanned:  1
  Total regions:     17 active
  Scan time:         4s

═══════════════════════════════════════════════════════════
  Account: current (874463401644)
═══════════════════════════════════════════════════════════

  Service       Count      Region      Risk Flags
  ─────────────────────────────────────────────────
  CloudFront    11         global
  IAM Users     1          global      1 no MFA
  S3            19         global      4 public

  Security Posture:
    ✗ CloudTrail:  not enabled
    ✗ GuardDuty:   not enabled
    ✗ Config:      not enabled

  PCI Risk Score:  HIGH
  Recommendation:  LIKELY OUT OF SCOPE

  Next steps:
    1. Review scope and confirm in-scope accounts
    2. Run: ankos scan --all-accounts
    3. Run: ankos report <evidence-dir>

Active regions are detected automatically; the full list is shown per account in the real output.

Flags

  Flag               Default          Description
  ────────────────────────────────────────────────────────────────────────────
  --all-accounts     false            Discover every account in the accounts file.
  --accounts         (none)           Comma-separated account names from the accounts file to discover.
  --accounts-file    .ankosaccounts   Path to the multi-account configuration file.
  --profile          (none)           AWS profile for single-account discovery.
  --region           us-east-1        Region used for the initial API calls (active regions are then detected automatically).
  --generate-scope   false            Write a starter .ankosscope from the results.
  --format           text             Output format: text or json.
  --output / -o      (stdout)         Write the report to a file instead of stdout.

PCI Risk Score

Each account gets a HIGH / MEDIUM / LOW risk score — a quick read on posture, not a compliance grade:

  Score    When
  ────────────────────────────────────────────────────────────────────────────
  HIGH     A high-impact risk flag is present (public storage, unencrypted data, an IAM user without MFA) or CloudTrail is not enabled.
  MEDIUM   GuardDuty or AWS Config is not enabled.
  LOW      None of the above.

Scope recommendation

discover also recommends whether each account is worth a full assessment, based on what it found:

  Recommendation         Meaning
  ────────────────────────────────────────────────────────────────────────────
  LIKELY IN PCI SCOPE    Has both data services (RDS / DynamoDB) and compute (EC2 / ECS / EKS / Lambda) — almost certainly runs in-scope workloads.
  NEEDS REVIEW           Has data or compute, but not both — confirm manually.
  LIKELY OUT OF SCOPE    No resources, or no data/compute services — probably nothing to assess.

This is a prioritization heuristic. The QSA-agreed cardholder data environment (CDE) is the source of truth; discover just helps you get there faster.
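The two tables above, turned into code: an added example (not Ankos's own code) that re-derives the risk score and scope recommendation from discovery results and orders accounts for a full ankos scan. The record layout is an assumption, since this page does not document the --format json schema; the first sample record mirrors the example output above.

```python
DATA_SERVICES = {"RDS", "DynamoDB"}
COMPUTE_SERVICES = {"EC2", "ECS", "EKS", "Lambda"}
HIGH_IMPACT = ("public", "unencrypted", "no mfa")  # high-impact flag wording from the page

def risk_score(account):
    """HIGH / MEDIUM / LOW, following the PCI Risk Score table."""
    posture = account["posture"]
    flags = [f.lower() for s in account["services"].values() for f in s["flags"]]
    # HIGH: any high-impact flag (public storage, unencrypted data, no MFA) or CloudTrail off.
    if any(h in f for f in flags for h in HIGH_IMPACT) or not posture["cloudtrail"]:
        return "HIGH"
    # MEDIUM: GuardDuty or AWS Config not enabled.
    if not posture["guardduty"] or not posture["config"]:
        return "MEDIUM"
    return "LOW"

def scope_recommendation(account):
    """Data + compute -> in scope; only one of them -> review; neither -> out."""
    svc = account["services"]
    has_data = any(svc.get(s, {}).get("count", 0) > 0 for s in DATA_SERVICES)
    has_compute = any(svc.get(s, {}).get("count", 0) > 0 for s in COMPUTE_SERVICES)
    if has_data and has_compute:
        return "LIKELY IN PCI SCOPE"
    if has_data or has_compute:
        return "NEEDS REVIEW"
    return "LIKELY OUT OF SCOPE"

def triage(accounts):
    """(id, score, recommendation) per account, likely-in-scope accounts first."""
    rows = [(a["id"], risk_score(a), scope_recommendation(a)) for a in accounts]
    order = {"LIKELY IN PCI SCOPE": 0, "NEEDS REVIEW": 1, "LIKELY OUT OF SCOPE": 2}
    return sorted(rows, key=lambda r: order[r[2]])

# Constructed sample records (assumed layout, not the real --format json output).
# The first mirrors the example output on this page: CloudFront/IAM/S3 only, posture all off.
SAMPLE = [
    {"id": "874463401644",
     "services": {"CloudFront": {"count": 11, "flags": []},
                  "IAM Users": {"count": 1, "flags": ["1 no MFA"]},
                  "S3": {"count": 19, "flags": ["4 public"]}},
     "posture": {"cloudtrail": False, "guardduty": False, "config": False}},
    {"id": "111111111111",  # constructed: RDS + EC2 with full posture, a CDE candidate
     "services": {"RDS": {"count": 2, "flags": []}, "EC2": {"count": 8, "flags": []}},
     "posture": {"cloudtrail": True, "guardduty": True, "config": True}},
    {"id": "222222222222",  # constructed: DynamoDB only, GuardDuty off, needs a manual look
     "services": {"DynamoDB": {"count": 3, "flags": []}},
     "posture": {"cloudtrail": True, "guardduty": False, "config": True}},
]
```

The first record reproduces the page's example verdict (HIGH, LIKELY OUT OF SCOPE): a weak posture raises the risk score without, on its own, putting an account in scope.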

Generating a scope file

--generate-scope writes a starter .ankosscope — the same YAML format ankos scope and ankos report read — seeded from the discovery results: in-scope accounts listed, out-of-scope ones noted as excluded, with empty collector/tag filters you can refine.

ankos accounts discover --all-accounts --generate-scope
# writes ./.ankosscope

Edit the file to lock in your real CDE boundary; every later command (scan, report, remediate) then honors it.

Single vs. multi-account

By default discover looks at the current account (your default credentials, or --profile). To sweep many accounts at once, list them in .ankosaccounts and use --all-accounts (or --accounts a,b,c) — each account is assumed via its configured role. See ankos accounts for the accounts file format.

Exit codes

  Code   Meaning
  ─────────────────────────────────────────────────
  0      Discovery completed
  1      Could not load credentials or the accounts file