Configure AWS for Keyless Authentication

Before you integrate AWS with keyless authentication, you must first configure AWS.

Before you begin

Make sure that you have the following:

AWS access to manage IAM.
Tenable Vulnerability Management Container UUID, which you can copy from the Integrations > Add AWS-Keyless Integration dialog box. For more information, see Integrate with AWS Using Keyless Authentication.

To configure AWS for keyless authentication:

Via CLI

Create the IAM role with the trust relation policy.

Copy

aws iam create-role --role-name TenableASMCloudConnector --assume-role-policy-document \
'{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TenableCloudConnectorAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::939095807864:role/tenable-data-aws-connector"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<CONTAINER_UUID>"
                }
            }
        }
    ]
}' \

Where:

939095807864 is the Tenable's AWS account ID.
CONTAINER_UUID is the Tenable Vulnerability Management container ID.
TenableASMCloudConnector is the name of the IAM role. Replace it with a name of your choice.

Assign read-only permission to the role.
Copy
```
aws iam attach-role-policy --role-name TenableASMCloudConnector --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
```
Note: You can use your own read-only access role if you don't want to use the default role.

Where:

Replace TenableASMCloudConnector with the name of the IAM role you created in Step 1.

Copy the ARN value.

Copy

aws iam get-role --role-name TenableASMCloudConnector

Where:

TenableASMCloudConnector is the name of the IAM role you created in Step 1.

Via AWS UI

On the AWS Management Console, go to IAM > Roles > Create role.

The Create role page appears.
In the Select trusted entity page, select Custom trust policy.

In the Custom trust policy box, enter or paste the following policy.

Copy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TenableCloudConnectorAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::939095807864:role/tenable-data-aws-connector"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<CONTAINER_UUID>"
                }
            }
        }
    ]
}

Where:

939095807864 is the Tenable AWS account_id.
CONTAINER_UUID is the Tenable Vulnerability Management container ID.

Click Next.
The Add Permissions page appears.
Select the ReadOnlyAccess permission policy to assign to the role.
Click Next.

The Name, review, and create page appears.
In the Role name box, type the name of the role. For example: TenableASMCloudConnector.
Review the configuration details.
Click Create role.

AWS creates the IAM role.
Copy the ARN value to use in the AWS integration within Tenable Attack Surface Management.

What to do next

Integrate with AWS Using Keyless Authentication