Discover and Onboard AWS Accounts
Cloud discovery in Tenable Cloud Security supports onboarding a single AWS account or an AWS organization. To onboard an AWS organization, provide the read-only role ARN and external ID of the management account, and Tenable Cloud Security discovers the member accounts automatically. After the member accounts are discovered, you must configure each one by providing its own credentials before you can run a cloud scan to detect vulnerabilities and misconfigurations in that account. To onboard AWS accounts, perform the following tasks:
Before you begin:
- Create an IAM role with read-only access in the AWS account that you are onboarding. For more information, see Set Up Read-Only Access to the AWS Account. The role's trust policy should allow sts:AssumeRole only when the External ID that you enter during onboarding is presented; that condition is what stops another party who learns your role ARN from assuming the role through the scanner (the confused deputy problem).
To discover an AWS cloud account:
- Click Projects and Connections.
- Click Cloud Accounts.
  The Cloud Accounts page lists all onboarded cloud accounts.
- Click Discover accounts > AWS.
  The Configure AWS Management Account(s) window appears.
- Onboard a single AWS account or an AWS organization:
  - In the Account type section, select one of the following:
    - Single to onboard a single AWS account.
    - Multiple to onboard an AWS organization.
  - Enter the Read-only Role ARN and External ID of the AWS account.
    If you selected the Multiple account type, provide the Read-only Role ARN and External ID of the AWS management account.
  - (Optional) Click the add icon to add more accounts.
- Click Discover.
  For the Multiple account type, Tenable Cloud Security discovers and lists all member accounts under the management account with the status Discovered. The management account is marked with an icon next to it.
  For an AWS management account, Tenable Cloud Security schedules discovery every 24 hours and automatically discovers any new member accounts in the AWS organization. All accounts discovered in the last 7 days carry a label until they are configured or ignored.
-
Configure the discovered accounts before running a cloud scan to assess the resources in each account for misconfigurations and vulnerabilities. To configure an AWS account, provide the read-only role ARN and external ID of that account and assign the account to a project.
Before you begin:
- For the Multiple account type, you need the credentials (Role ARN and External ID) of each member account. Discovery only uses the management account's role; every member account needs its own read-only role, created as described in Set Up Read-Only Access to the AWS Account.
To configure an AWS member account:
- In the row for the account that you want to configure, click the row's menu icon and then click Configure.
  The Configure AWS Account window appears.
- Provide the Read-only Role ARN and External ID for the AWS account.
- Click Next.
- In the Assign a Project or Create a New Project section, do one of the following:
  - Select a project from the list of AWS projects.
    You can search for a project in the Search projects box.
  - Click New Project to create a new AWS project:
    - Type a Project name for your new project.
    - Select AWS for the provider.
    - Click Create New Project.
      Tenable Cloud Security creates the new project and automatically selects it for onboarding the AWS account.
- Click Save.
  The Cloud Accounts page appears and shows the project assigned to the account.
- Repeat these steps for all the discovered AWS accounts that you want to configure.
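Both the discovery step and the member-account configuration step above ask for a Read-only Role ARN and an External ID. Before pasting either into Tenable Cloud Security, it is worth checking that the ARN really is an IAM role ARN and that the role's trust policy pins sts:AssumeRole to that External ID, because a trust policy without the condition lets anyone who can drive the scanner (or knows the ARN) read the account. The script below is an added example written for this page; it is not Tenable's code and it does not know Tenable's real principal account or the external ID the product generates. The trust policies, the principal account 111122223333, the role name and the external ID are constructed placeholders. The only AWS fact it relies on is that sts:ExternalId must be at least 2 characters long.

```python
import json
import re

# Constructed sample: the trust policy a practitioner attaches to the read-only
# role before entering its ARN and External ID in Tenable Cloud Security.
# The principal account (111122223333) and the external ID are placeholders,
# not Tenable's real values; take those from the product's own setup page.
TRUST_POLICY_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}},
    }],
})

# Constructed sample of the common mistake: same role, but the External ID
# condition was left out, so any tenant of the scanner who learns this ARN
# can have the scanner's account assume the role into yours.
TRUST_POLICY_NO_EXTID = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
})

# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+$")


def parse_role_arn(arn):
    """Return the 12-digit account ID of an IAM role ARN, or None when the
    string is not a role ARN (a user ARN, a typo, a truncated account ID)."""
    m = ROLE_ARN_RE.match(arn.strip())
    return m.group(2) if m else None


def _as_list(value):
    # IAM accepts a scalar or a list for most policy fields; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(trust_policy_json, expected_external_id=None):
    """Lint a role trust policy for what matters before giving a third party
    the role ARN. Returns a list of findings; an empty list means every
    AssumeRole grant is pinned to the External ID (and to a named principal)."""
    findings = []
    grants_assume_role = False
    policy = json.loads(trust_policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # not an AssumeRole grant; out of scope for this check
        grants_assume_role = True
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append(f"statement {idx}: sts:AssumeRole is granted to every AWS principal (*)")
        condition = stmt.get("Condition") or {}
        ext_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append(f"statement {idx}: no StringEquals sts:ExternalId condition (confused-deputy risk)")
        elif expected_external_id is not None and expected_external_id not in ext_ids:
            findings.append(f"statement {idx}: sts:ExternalId does not match the value you are about to enter")
    if not grants_assume_role:
        findings.append("no Allow statement grants sts:AssumeRole; the scanner cannot assume this role")
    return findings


def check_onboarding_input(role_arn, external_id, trust_policy_json):
    """Everything to verify before pasting the Role ARN and External ID into the
    Configure AWS Account window. Returns (ok, list_of_problems)."""
    problems = []
    if parse_role_arn(role_arn) is None:
        problems.append("Role ARN is not an IAM role ARN")
    if len(external_id) < 2:  # AWS minimum; a real value should be long and random
        problems.append("External ID is shorter than the AWS minimum of 2 characters")
    problems.extend(trust_policy_findings(trust_policy_json, external_id))
    return (not problems, problems)


if __name__ == "__main__":
    # Placeholder role name; substitute the ARN of the role you created.
    arn = "arn:aws:iam::123456789012:role/TenableReadOnly"
    for label, policy in (("with External ID", TRUST_POLICY_OK),
                          ("without External ID", TRUST_POLICY_NO_EXTID)):
        ok, problems = check_onboarding_input(arn, "example-external-id-0001", policy)
        print(f"{label}: {'OK' if ok else 'DO NOT ONBOARD'} {problems}")
```

Run it against the trust policy you actually attached (for example the output of `aws iam get-role`, which returns the policy under AssumeRolePolicyDocument) before you click Discover or Save; for an organization, run it once for the management account role and once per member account role, since each account has its own role and external ID.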
What to do next:
- Go to the Projects tab and run a cloud scan for the project. For more information, see Run a Cloud Scan.