Troubleshooting Issues with Agentless Assessment

The following are some of the setup issues while configuring Agentless Assessment and their resolutions:

No Snapshot is Created


Agentless scanning requires a snapshot for AWS instances or Azure virtual machines. You can create snapshots manually or you can automate the process. Tenable recommends that you automate the process. For more information, see Create AWS Snapshot and Create an Azure Virtual Machine Snapshot.

Permission Errors


  • AWS: Agentless Assessment uses the same IAM role that you create when you onboard the Tenable Cloud Security connector. This role must have access to the ebs:GetSnapshotBlock and ebs:ListSnapshotBlocks APIs in its AWS IAM policy. For more information, see Create IAM Role.

  • Azure: Agentless Assessments requires a role that grants Tenable Cloud Security permissions to read data from Azure virtual machine snapshots with the following permissions:

    • Reader

    • Disk Snapshot Contributor

    For more information, see Create an Azure Service Principal Role.

IAM Permission Errors due to KMS


For snapshots encrypted with AWS KMS keys, the IAM role used by Tenable Cloud Security must be granted access to the KMS key used to encrypt the snapshot. To do this, modify the KMS key's resource policy to include the following permissions:

  • kms:Decrypt

  • kms:DescribeKey

For more information about the IAM requirements for encrypted volumes, see the AWS documentation.