Agentless Assessment Requirements for AWS

The following requirements must be met for performing Agentless Assessment:


This is a prerequisite before setting up Agentless Assessment. Agentless Assessments of EC2 instances require an IAM role that grants Tenable Cloud Security permissions to read block data from EBS volumes. The role must provide Tenable Cloud Security the following Elastic Block Store permissions:

  • ebs:ListSnapshotBlocks

  • ebs:ListChangedBlocks

  • ebs:GetSnapshotBlock

Follow the instructions on the Set Up Read-Only Access to the AWS Account page to configure your IAM role with the appropriate permissions for Agentless Assessments.

For snapshots encrypted with Key Management Service (KMS), you must grant the IAM role with access to the KMS key. For snapshots encrypted with KMS, you must grant the IAM role used by Tenable Cloud Security with access to the KMS key used to encrypt the snapshot. To do this, modify the KMS key's resource policy to include the following permissions:

  • kms:Decrypt

  • kms:DescribeKey

For more information, see Required AWS KMS key policy for use with encrypted volumes in AWS documentation.

AWS Snapshots

Agentless Assessment is based on Amazon EBS snapshots of your workload EC2 instances. To configure an Agentless Assessment, you must first create a snapshot. For more information, see Create AWS Snapshot.

Supported Operating Systems for AWS

  • Amazon Linux 2

  • CentOS 7

  • Red Hat Enterprise Linux (RHEL)

  • SUSE Linux Enterprise Server (SLES) 11.4 to 15.2

  • Ubuntu

  • Debian

Supported File Systems

  • XFS

  • ext4

Supported Regions for AWS

You can perform Agentless scans on the following AWS regions:

  • us-east-1

  • us-west-1

  • us-east-2

  • us-west-2

  • ap-southeast-1

  • ap-southeast-2

  • ap-northeast-1

  • ap-northeast-2

  • ap-northeast-3

  • ap-south-1

  • eu-central-1

  • eu-north-1

  • ca-central-1

  • eu-west-1

  • eu-west-2

  • eu-west-3

  • sa-east-1