Configure Vulnerability Scan using Agentless Assessment for AWS

Workload vulnerability scans are triggered as part of the cloud scan process in Tenable Cloud Security. Tenable Cloud Security supports agentless workload scanning for AWS EC2 instances.

Before you Begin:

  • Onboard cloud accounts in Tenable Cloud Security. For more information about onboarding your AWS accounts, see Onboard AWS Accounts.

  • Create an IAM role that provides Tenable Cloud Security the following permissions:

    • Elastic Block Store:

      • ebs:ListSnapshotBlocks

      • ebs:ListChangedBlocks

      • ebs:GetSnapshotBlock

    • Key Management Service (KMS):

      For snapshots encrypted with a KMS key, the IAM role used by Tenable Cloud Security must also be allowed to use that key. To do this, add a statement to the KMS key policy (the key's resource policy) that grants the role the following permissions:

      • kms:Decrypt

      • kms:DescribeKey

  • Create EBS snapshots of the volumes attached to the EC2 instances you want to scan, in the AWS console. Agentless assessment reads these snapshots through the EBS permissions above rather than connecting to the running instances.
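
The permissions above are split across two documents that both have to be right: the role's identity policy (EBS actions, and KMS actions if the key policy only delegates to the account root) and the KMS key policy (KMS actions for the role). The following offline pre-flight check is an added example and not Tenable's code; it evaluates constructed sample policy documents against the action list on this page and reports anything missing. The account ID, the role name TenableAgentlessAssessment and the sample policies are assumptions for illustration.

```python
"""Pre-flight check that an IAM role's identity policy and a KMS key policy
grant what agentless assessment needs to read EBS snapshots.
Added example; not Tenable's code, and it makes no AWS API calls."""
import fnmatch
import json

# Actions the page lists for reading snapshot blocks via the EBS direct APIs.
REQUIRED_EBS_ACTIONS = (
    "ebs:ListSnapshotBlocks",
    "ebs:ListChangedBlocks",
    "ebs:GetSnapshotBlock",
)
# Actions the page lists on the KMS key that encrypts the snapshot.
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:DescribeKey")

# Hypothetical account and role; substitute the role you create for Tenable.
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/TenableAgentlessAssessment"
ACCOUNT_ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """AWS principals of a key-policy statement as a list of strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list((principal or {}).get("AWS"))]


def granted(doc, wanted, principal=None):
    """Subset of `wanted` that `doc` allows, honouring Action wildcards and
    explicit Deny (which always wins in IAM). With `principal` set, only
    statements naming that ARN or "*" count, as in a KMS key policy."""
    allowed, denied = set(), set()
    for st in _as_list(doc.get("Statement")):
        if principal is not None and not any(
                p in ("*", principal) for p in _principals(st)):
            continue
        patterns = [a.lower() for a in _as_list(st.get("Action"))]
        bucket = allowed if st.get("Effect") == "Allow" else denied
        for action in wanted:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied


def check_prerequisites(role_policy, key_policy, role_arn=ROLE_ARN):
    """Return {"ebs": [missing...], "kms": [missing...]} for the role.

    KMS counts as satisfied when the key policy grants the action to the
    role directly, or when it delegates to the account root AND the role's
    own identity policy grants the action (the usual two-sided KMS rule)."""
    account_root = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    ebs_ok = granted(role_policy, REQUIRED_EBS_ACTIONS)
    direct = granted(key_policy, REQUIRED_KMS_ACTIONS, principal=role_arn)
    via_root = (granted(key_policy, REQUIRED_KMS_ACTIONS, principal=account_root)
                & granted(role_policy, REQUIRED_KMS_ACTIONS))
    return {
        "ebs": [a for a in REQUIRED_EBS_ACTIONS if a not in ebs_ok],
        "kms": [a for a in REQUIRED_KMS_ACTIONS if a not in direct | via_root],
    }


# Constructed sample: identity policy attached to the Tenable role.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks",
                    "ebs:GetSnapshotBlock"]},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/*"},
    ],
}

# Constructed sample: key policy of the key that encrypts the snapshots. The
# first statement is the default root delegation; the second is the statement
# this page asks you to add for the role.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ACCOUNT_ROOT},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}


def weakened(policy, drop_action):
    """Deep copy of `policy` with one action removed everywhere, used to
    show the check reporting a gap."""
    copy = json.loads(json.dumps(policy))
    for st in _as_list(copy.get("Statement")):
        st["Action"] = [a for a in _as_list(st.get("Action")) if a != drop_action]
    return copy


if __name__ == "__main__":
    print(check_prerequisites(ROLE_POLICY, KEY_POLICY))
    print(check_prerequisites(weakened(ROLE_POLICY, "ebs:GetSnapshotBlock"),
                              KEY_POLICY))
```

To run this against real documents, feed in the JSON returned by `aws iam get-role-policy --role-name <role> --policy-name <name>` (the PolicyDocument field; managed policies come from `aws iam get-policy-version`) and by `aws kms get-key-policy --key-id <key-id> --policy-name default` (the Policy field, which is a JSON string). The check deliberately treats a key policy that only contains the root-delegation statement as insufficient unless the role's own policy also carries the two KMS actions, since that is how KMS evaluates access.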

To set up Agentless Assessment:

  1. In Tenable Cloud Security, initiate a cloud scan:

    1. On the home page, click Projects & Connections.

      Tenable Cloud Security displays the list of projects in the Projects tab.

    2. In the row for the project that you want to scan, click > Manage cloud scan profiles.

      The Manage scan profiles window appears.

    3. Click New Scan Profile.

      The Create new scan profile for cloud window appears.

      Note: You can also use the default scan profile. Vulnerability scan with agentless assessment is enabled by default for the default scan profile.

    4. In the Scan profile name box, type a name for the scan profile or retain the default name.

    5. In Step 1 Cloud config assessment options, retain the default selections or do one of the following:

      • Select the check box next to the option to select all the options within a category.

      • Click the drop-down arrow to show all the available options in the category. Select the check boxes as needed.

        Note: The count next to the drop-down arrow shows: Number of options available / Number of options selected.

    6. In Step 2, click the Enable Vulnerability Scan (optional) toggle to enable the vulnerability scan.

      Note: Tenable Cloud Security scans EC2 instances for vulnerabilities after it completes the Misconfiguration Scan. The EC2 resources are available under the Compute category.

    7. (Optional) Click Preview to view all the selected assessment options.

    8. Click Create Scan Profile.

      Tenable Cloud Security creates the scan profile and the newly created scan profile appears on the Configure cloud scan window.

    9. In the row of the scan profile that you created for a vulnerability scan, click Run Scan.

      Tenable Cloud Security runs the vulnerability scan and you can view the vulnerability scan results on the Tenable Cloud Security Vulnerabilities page and also on the Tenable Vulnerability Management Findings page.