Cloud Account Discovery FAQ
Why cloud account discovery and how is it different from the current cloud onboarding flow (via 
> Connection) in Tenable Cloud Security?
| Cloud Onboarding Flow via > Connection |
Cloud Account Discovery Flow |
|---|---|
| Primarily for onboarding single accounts, except for an AWS organization. This flow supports only single account onboarding for Azure and GCP. |
Supports multiple account discovery for all cloud providers — AWS, Azure, and GCP. Tenable Cloud Security can automatically discover the following:
|
| Tenable Cloud Security can onboard all accounts in an AWS organization. However, if you create a new account after onboarding, you must onboard that single account manually. | With cloud account discovery, Tenable Cloud Security schedules discovery every 24 hours and automatically discovers any new member accounts in the management account. The new account has the  icon next to it, indicating that it is newly discovered. All newly discovered accounts must be configured by providing the credentials and associated with projects before they can be assessed. |
What happens when you provide a single member account in the cloud account discovery flow?
Cloud discovery supports single account onboarding. To onboard a single account, select the account type as Single and provide the credentials of the account in the cloud discovery flow. Tenable Cloud Security onboards the account, but no further discovery happens.
What is the cloud account discovery schedule frequency? Can the schedule be configured?
The default schedule for the account discovery process is every 24 hours. The schedule cannot be configured.
How to delete a cloud account after it is onboarded?
You cannot delete a cloud account from Tenable Cloud Security; but, you can ignore the cloud account that you no longer want to scan. Ignoring an account results in the disassociation of the cloud account from the project and stops any future assessment. Tenable Cloud Security removes all findings related to the cloud account. The account still appears in the user interface with the Ignored status, but is not deleted. For more information, see Ignore a Cloud Account.
What happens to an Ignored account?
Tenable Cloud Security dissociates an ignored cloud account from the project and no longer includes the account in any future scans. All findings related to the cloud account are removed from Tenable Cloud Security.
How to onboard an Ignored cloud account again and make it available for discovery?
You can onboard an Ignored account again with the Configure option. Provide the credentials of the ignored cloud account and the associated project. After you save this configuration, the cloud account status changes to Discovered and the account is ready for assessment. For more information, see Edit the Configuration of a Cloud Account.
Will the cloud onboarding flow via > Connection to onboard cloud accounts be removed or replaced?
You can still use the existing cloud onboarding flow via > Connection to onboard cloud accounts. For onboarding multiple accounts automatically, Tenable recommends using the cloud account discovery flow.
If I have already onboarded a cloud account using the cloud onboarding flow via > Connection, can I set it up for cloud account discovery?
Yes. Any management account that is onboarded via the > Connection flow shows as a member account in the Cloud accounts tab. To enable cloud account discovery for that account, onboard the account again (with account type as Multiple) using the cloud discovery flow. This enables automatic discovery of all member accounts.
After you onboard an AWS organization via the > Connection flow, does Tenable Cloud Security discover any new member cloud accounts added to the organization?
Tenable Cloud Security does not discover any new member accounts created after the organization onboarding via the > Connection flow. Manually onboard those new member accounts.
Why is my new member cloud account not discovered and shown in the Cloud accounts tab?
Verify if cloud account discovery failed due to any of the following conditions:
-
The cloud account credentials used for the discovery have changed. Update the credentials of your cloud account in Tenable Cloud Security.
-
The cloud account expired or the cloud service provider deactivated the account. Activate your cloud account to enable cloud account discovery.
Why is there only the Ignore option and no way to delete a cloud account?
With the Ignore option, you can exclude an account from any future scan, but you can still view the account in Tenable Cloud Security as long as the account is active in the cloud. Tenable Cloud Security does not provide the option to delete a cloud account because of the potential security risk when an active cloud account is deleted from Tenable Cloud Security unintentionally. Another advantage of the Ignore option is that it is much easier to re-onboard an ignored cloud account and make it available for assessment.
What happens to the cloud accounts that are decommissioned, closed, canceled, shut, or terminated by the cloud service provider?
Any cloud account that is decommissioned, closed, canceled, shut, or terminated by the cloud provider appears with the Suspended state in Tenable Cloud Security. All such cloud accounts are deleted by the cloud provider after a certain waiting period or post-closure period, which varies for each cloud service provider. Tenable Cloud Security then automatically removes such deleted cloud accounts and they no longer appear in the user interface.