Onboard an AWS Organization

Tenable Cloud Security can connect to your AWS organization's management account to discover all the member accounts in that organization. This is the recommended method when you want to onboard all of your AWS accounts in Tenable Cloud Security for security assessment. You must have the permissions required to deploy a CloudFormation StackSet from the management account, because the StackSet is what creates the access role in each member account.

Tip: For more information about AWS organizations, see Amazon's AWS Organizations User Guide.

Before you begin:

You must have the following details for the read-only role in the management account:

  • Role ARN

  • External ID

For more information, see Set Up Read-Only Access to the AWS Account.

To connect to an AWS organization account:

  1. In the left navigation bar, click the Create new icon > Connection > AWS account.

  2. In the Choose a workflow to discover AWS account(s) section, select Onboard AWS organization.

  3. Click Continue.

    The Configure management account section appears.

  4. Type the Read Only Role ARN and External ID of the management account's read-only role.

  5. Click Continue.

    The Configure member accounts section appears.

  6. Configure member accounts by performing the following actions:

    1. In the Configure member accounts section, in the first step, click here.

      Tenable Cloud Security redirects you to the Create StackSet wizard in the AWS Management Console. Complete the wizard to deploy the StackSet that creates the Tenable Cloud Security role in all member accounts, then copy the ARN of the new StackSet.

    2. In the Tenable Cloud Security Console, paste the StackSet ARN that you copied in the previous step in the Stacksets ARN box.

    3. Click Continue.

      The Discover and onboard member accounts section appears. Tenable Cloud Security deploys the StackSet used to create a Tenable Cloud Security role for each member account.

  7. Onboard member accounts.

    1. In the Discover and onboard member accounts section, in the list, select the cloud member accounts that you want to onboard.

      Tip: You can also search for specific cloud accounts and filter the list by organizations.

    2. (Optional) To create a new project automatically for the AWS organization, select the Map accounts automatically check box.

      Tenable Cloud Security creates a new project for the AWS organization and links all AWS member accounts with the project.

    3. Click Onboard accounts.

On the Projects & Connections page, the AWS project links to the connected AWS organization's management account and the selected member accounts.
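Both the management account's read-only role (Before you begin) and the role the StackSet creates in each member account are cross-account roles whose only protection against a confused-deputy attack is the sts:ExternalId condition in their trust policy. The following script is an added example, not Tenable's code or the contents of its CloudFormation template: it audits a trust policy document offline for a wildcard or unexpected principal, a missing or mismatched External ID, and actions broader than sts:AssumeRole. The account ID and External ID are constructed placeholders; substitute the values from your own connection.

```python
"""Offline audit of a cross-account IAM trust policy of the kind used by the
Tenable Cloud Security read-only role. Added example; account IDs and the
External ID are constructed placeholders, not real values."""
import json
import sys

# Constructed placeholders: NOT Tenable's real account ID or a real External ID.
TRUSTED_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "0e3d2c1b-example-external-id"


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the 12-digit account ID named by an AWS principal, or None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    # arn:partition:iam::ACCOUNT:root or arn:partition:iam::ACCOUNT:role/Name
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None


def audit_trust_policy(policy, trusted_account=TRUSTED_ACCOUNT_ID, external_id=EXTERNAL_ID):
    """Return a list of findings; an empty list means the policy is as expected.

    Checks every Allow statement that grants role assumption: only the trusted
    account may assume the role, nothing broader than sts:AssumeRole is
    granted, and assumption is gated by the expected sts:ExternalId. Without
    the External ID a third party could ask the trusted service to assume
    your role on its behalf (the confused-deputy problem).
    """
    findings = []
    assume_statements = 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant assumption; not audited here
        assume_statements += 1
        for action in actions:
            if action != "sts:AssumeRole":
                findings.append(f"over-broad action {action!r}")

        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account may assume the role")
        for p in aws_principals:
            if p != "*" and _account_of(p) != trusted_account:
                findings.append(f"untrusted principal {p!r}")

        expected = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not expected:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif external_id not in expected:
            findings.append("sts:ExternalId does not match the value given to Tenable")
    if assume_statements == 0:
        findings.append("no statement grants sts:AssumeRole")
    return findings


# Constructed sample: the trust policy the onboarding should produce.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed sample of a hand-edited role: wildcard principal added "to make
# it work", sts:* instead of sts:AssumeRole, and the External ID dropped.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root", "*"]},
        "Action": ["sts:*"],
    }],
}


if __name__ == "__main__":
    # Usage: aws iam get-role --role-name ROLE \
    #          --query Role.AssumeRolePolicyDocument | python audit_trust.py
    for finding in audit_trust_policy(json.load(sys.stdin)) or ["OK"]:
        print(finding)
```

Run it against each member account after the StackSet finishes (the `aws iam get-role` command in the usage comment returns the live trust document), not only against the template: a role that was later edited by hand is the usual source of a missing External ID.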