ankos accounts
Configure and validate multiple AWS accounts in .ankosaccounts so a single scan can sweep all of them in one run via STS AssumeRole.
ankos accounts configures and validates multiple AWS accounts so a
single ankos scan can sweep all of them in
one run. The configuration lives in .ankosaccounts (YAML) in your
project root and lists each account's name, account ID, the IAM role to
assume, the regions to scan, and whether the account is in PCI scope.
Multi-account scanning is AWS-only — it uses STS AssumeRole, an AWS
construct. GCP multi-project scanning is on the roadmap; for now run
ankos scan --provider gcp --gcp-project <id> per project.
Looking for the estate sweep?
ankos accounts discover is a read-only inventory that recommends which
accounts are likely in PCI scope. It has its own page:
ankos accounts discover.
Synopsis
```
ankos accounts <subcommand> [flags]
```
Subcommands
| Subcommand | What it does |
|---|---|
| init | Write a template .ankosaccounts file. |
| list | List the configured accounts and which are in PCI scope. |
| test | Verify STS AssumeRole works for each PCI-scoped account. |
| discover | Read-only estate sweep that recommends which accounts are in PCI scope. |
Quick start
```bash
# Write a template configuration
ankos accounts init
# List the configured accounts
ankos accounts list
# Confirm AssumeRole works for every PCI-scoped account
ankos accounts test
```
Flags
Flags are per-subcommand.
init
| Flag | Default | Description |
|---|---|---|
| --output | .ankosaccounts | Output file path for the template. |
list and test
| Flag | Default | Description |
|---|---|---|
| --accounts-file | .ankosaccounts | Path to the accounts configuration file. |
The .ankosaccounts file
ankos accounts init writes this template (it refuses to overwrite an
existing file):
```yaml
# Ankos multi-account configuration
# Add one entry per AWS account you want to scan.
# Accounts with pci_scope: true will be included in PCI evidence collection.
#
# Required fields:
#   name       - friendly name for the account
#   account_id - 12-digit AWS account ID
#   role_arn   - IAM role ARN that Ankos will assume via STS
#   regions    - list of AWS regions to scan
#   pci_scope  - whether this account is in PCI scope
accounts:
  - name: production
    account_id: "123456789012"
    role_arn: arn:aws:iam::123456789012:role/AnkosReadOnly
    regions:
      - us-east-1
      - us-west-2
    pci_scope: true
```
Each account needs a read-only role (e.g. SecurityAudit +
ViewOnlyAccess) that your base credentials are allowed to assume.
Only accounts with pci_scope: true are swept by
ankos scan --all-accounts and tested by ankos accounts test.
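As an added example (not Ankos's own code), a small Python check over a parsed .ankosaccounts structure that enforces the invariants the template comments state and reports which entries --all-accounts and ankos accounts test would touch, so a malformed entry fails here rather than at STS AssumeRole time. The regex patterns and the sample config are this example's own assumptions; loading the YAML itself is left to PyYAML if it is installed.

```python
from __future__ import annotations
import re
from typing import Any
# Added example, not Ankos's own validator; the patterns are this example's assumptions.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM role ARN: arn:<partition>:iam::<account-id>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/[\w+=,.@/-]+$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")  # us-east-1, ap-southeast-2, ...

def validate_accounts(config: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the file is usable for a sweep."""
    problems: list[str] = []
    accounts = config.get("accounts")
    if not isinstance(accounts, list) or not accounts:
        return ["'accounts' must be a non-empty list"]
    for i, acct in enumerate(accounts):
        label = str(acct.get("name", f"entry #{i}"))
        # An unquoted ID with a leading zero loses that zero when YAML parses it as a number
        account_id = str(acct.get("account_id", ""))
        if not ACCOUNT_ID_RE.match(account_id):
            problems.append(f"{label}: account_id must be a 12-digit string (quote it in YAML)")
        m = ROLE_ARN_RE.match(str(acct.get("role_arn", "")))
        if not m:
            problems.append(f"{label}: role_arn is not an IAM role ARN")
        elif m.group(2) != account_id:
            # A role that lives in another account is almost always a copy-paste slip
            problems.append(f"{label}: role_arn account {m.group(2)} != account_id {account_id}")
        regions = acct.get("regions")
        if not isinstance(regions, list) or not regions:
            problems.append(f"{label}: regions must be a non-empty list")
        else:
            problems += [f"{label}: '{r}' is not an AWS region name" for r in regions
                         if not isinstance(r, str) or not REGION_RE.match(r)]
        if not isinstance(acct.get("pci_scope"), bool):
            problems.append(f"{label}: pci_scope must be true or false, not a string")
    return problems

def pci_scoped(config: dict[str, Any]) -> list[str]:
    """Names the sweep would touch: only entries with a boolean pci_scope: true."""
    return [a["name"] for a in config.get("accounts", []) if a.get("pci_scope") is True]
# Constructed sample: the template's production entry plus a deliberately broken one
SAMPLE = {"accounts": [
    {"name": "production", "account_id": "123456789012",
     "role_arn": "arn:aws:iam::123456789012:role/AnkosReadOnly",
     "regions": ["us-east-1", "us-west-2"], "pci_scope": True},
    {"name": "staging", "account_id": "210987654321",
     "role_arn": "arn:aws:iam::123456789012:role/AnkosReadOnly",  # role in the wrong account
     "regions": ["us-east-1"], "pci_scope": "yes"},  # a string, not a YAML boolean
]}
```

Run validate_accounts over the loaded file before ankos scan --all-accounts; the staging entry above yields two findings and is excluded from pci_scoped because its pci_scope is not a boolean.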
Examples
List configured accounts
```bash
ankos accounts list
```
```
NAME        ACCOUNT ID    ROLE ARN                                      REGIONS              PCI SCOPE
----        ----------    --------                                      -------              ---------
production  123456789012  arn:aws:iam::123456789012:role/AnkosReadOnly  us-east-1,us-west-2  yes

1 account(s) configured
```
Test AssumeRole across PCI-scoped accounts
```bash
ankos accounts test
```
```
Testing 1 PCI-scoped account(s)...
  ✓ production
      Account: 123456789012
      ARN:     arn:aws:sts::123456789012:assumed-role/AnkosReadOnly/ankos-test

✓ All 1 account(s) passed
```
test assumes each PCI-scoped account's role and calls
GetCallerIdentity to confirm the credentials resolve. It exits non-zero
if any account's role cannot be assumed — run it before a multi-account
scan so a broken role surfaces early.
Sweep every PCI-scoped account in one scan
```bash
ankos scan --all-accounts
```
With .ankosaccounts configured, ankos scan
can target every PCI-scoped account (--all-accounts) or a named subset
(--accounts production,staging) in a single run.
How accounts feed the scan
ankos scan reads the same file via its
--accounts-file flag (default .ankosaccounts) and assumes each
account's role through STS before collecting. The PCI-scope flag in the
file is what --all-accounts honors.
Exit codes
| Code | Meaning |
|---|---|
| 0 | The subcommand completed; for test, every PCI-scoped account's role was assumed |
| 1 | The accounts file could not be loaded, or one or more accounts failed the test AssumeRole check |