Set Up Write Access for AWS CodeCommit

To onboard your AWS CodeCommit repositories, you must provision an IAM (Identity and Access Management) role in the target AWS cloud account and configure it for Tenable Cloud Security to access the resources in that AWS account. Attach the following AWS policy to provide sufficient permissions to Tenable Cloud Security:

  • AWSCodeCommitFullAccess: Provides full access to AWS CodeCommit via the AWS Management Console.

Before you begin:

To create the role:

  1. In the AWS web console, go to Identity and Access Management (IAM).

  2. On the left navigation pane, click Roles.

    The Roles page appears.

  3. Click Create Role.

    The Create Role wizard appears.

  4. In the Select trusted entity page, do the following:

    1. In the Trusted entity type section, select AWS Account.

    2. In the An AWS Account section, select Another AWS Account.

    3. In the Account ID box, type 012615275169.

      Note: 012615275169 is the account ID of the Tenable AWS account with which you are establishing a trust relationship to support AWS role delegation.

    4. Under Options, select the Require External ID check box and type your Tenable Vulnerability Management container UUID in the External ID box.

      Note: In Tenable Vulnerability Management, navigate to Settings > License to get your container UUID. For more information, see View your License Information in Tenable Vulnerability Management.

    5. Click Next.

  5. On the Add permission policies page, perform the following:

    1. Search for and select the AWSCodeCommitFullAccess policy.

    2. Click Next.

  6. In the Name, review, and create page, do the following:

    1. In the Role Details section, type a Role Name for the role.

    2. (Optional) Add a role description in the Description box.

    3. (Optional) Click Add Tags to attach key-value tags to the role.

    4. Click Create Role.

    The role is created and the role summary appears. In the Summary section, note the Role ARN value. You need the role ARN when onboarding AWS CodeCommit repositories.
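The trust policy that the Select trusted entity step produces, together with a check that a role's trust policy really carries the External ID condition, as an added Python example (not Tenable's code). The Tenable account ID is the one from this page; the container UUID is a placeholder you replace with your own.

```python
"""Build and audit the IAM trust policy that the console wizard above produces.
Added example; the container UUID below is a placeholder, not a real value."""

TENABLE_ACCOUNT_ID = "012615275169"  # Tenable AWS account ID, as given on this page
CONTAINER_UUID = "00000000-0000-0000-0000-000000000000"  # placeholder: your container UUID


def build_trust_policy(account_id=TENABLE_ACCOUNT_ID, external_id=CONTAINER_UUID):
    """Trust policy equivalent to steps 4.1-4.4: trust another AWS account and
    require that account to present the external ID when assuming the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy, account_id=TENABLE_ACCOUNT_ID):
    """Return findings for Allow statements that let the external account (or anyone)
    assume the role without an sts:ExternalId condition, i.e. where the
    Require External ID option from step 4.4 is missing."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if not any(p == "*" or account_id in p for p in principals):
            continue
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"Statement {i}: trusts {principals} without an sts:ExternalId condition")
    return findings
```

Run `audit_trust_policy` over the trust policy of the role you created to confirm the external ID requirement survived any later edits to the role.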