Agentless Assessment Requirements for AWS

The following requirements must be met for performing Agentless Assessment:


Agentless Assessment of EC2 instances requires an IAM role that grants Tenable Cloud Security permission to read block data from Elastic Block Store (EBS) volumes. The role must provide Tenable Cloud Security the following EBS permissions:

  • ebs:ListSnapshotBlocks

  • ebs:ListChangedBlocks

  • ebs:GetSnapshotBlock

Follow the instructions on the Set Up Read-Only Access to the AWS Account page to configure your IAM role with the appropriate permissions for Agentless Assessments.

Snapshots encrypted with Key Management Service (KMS) must grant the IAM role with access to the KMS key(s) used to encrypt these snapshots. Modify the KMS key's resource policy to include the following permissions:

  • kms:Decrypt

  • kms:DescribeKey

For more information, see Required AWS KMS key policy for use with encrypted volumes in AWS documentation.

AWS Snapshots

Agentless Assessment utilizes Amazon EBS snapshots of your workload EC2 instances. Ensure snapshots have been created for the EC2 instances that you want to scan. For more information, see Create an AWS Snapshot. AMIs do not require any additional preparation to initiate Agentless Assessment.

Supported Operating Systems for AWS

  • Amazon Linux 2023

  • Amazon Linux 2

  • CentOS 7

  • Red Hat Enterprise Linux (RHEL)

  • SUSE Linux Enterprise Server (SLES) 11.4 to 15.2

  • Ubuntu

  • Debian

Supported File Systems

  • XFS

  • ext4

Supported Regions for AWS

You can perform Agentless scans on the following AWS regions:

  • us-east-1

  • us-west-1

  • us-east-2

  • us-west-2

  • ap-southeast-1

  • ap-southeast-2

  • ap-northeast-1

  • ap-northeast-2

  • ap-northeast-3

  • ap-south-1

  • eu-central-1

  • eu-north-1

  • ca-central-1

  • eu-west-1

  • eu-west-2

  • eu-west-3

  • sa-east-1