Agentless Assessment Requirements for AWS
The following requirements must be met for performing Agentless Assessment:
Agentless Assessment of EC2 instances requires an IAM role that grants Tenable Cloud Security permission to read block data from Elastic Block Store (EBS) volumes. The role must provide Tenable Cloud Security the following EBS permissions:
- ebs:ListSnapshotBlocks
- ebs:ListChangedBlocks
- ebs:GetSnapshotBlock
Follow the instructions on the Set Up Read-Only Access to the AWS Account page to configure your IAM role with the appropriate permissions for Agentless Assessments.
For snapshots encrypted with Key Management Service (KMS), the IAM role must be granted access to the KMS key(s) used to encrypt these snapshots. Modify the KMS key's resource policy to include the following permissions:
- kms:Decrypt
- kms:DescribeKey
For more information, see Required AWS KMS key policy for use with encrypted volumes in AWS documentation.
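A pre-scan check for the two permission sets above, as an added example that is not Tenable or AWS code: it reports which of the required actions a role's identity policy and a KMS key policy fail to allow for the scanning role. The role ARN, account ID and both sample policies are constructed placeholders, and the evaluation is simplified (Resource, Condition and NotAction are ignored).

```python
from fnmatch import fnmatchcase

# Action names are the ones this page lists as required.
REQUIRED_EBS = ["ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks", "ebs:GetSnapshotBlock"]
REQUIRED_KMS = ["kms:Decrypt", "kms:DescribeKey"]

def _as_list(value):
    """Policy JSON allows one value or a list for Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _names_principal(stmt, arn):
    # Identity policies (arn=None) have no Principal element; key policies do.
    principal = stmt.get("Principal")
    if arn is None or principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    aws = _as_list(principal.get("AWS"))
    return arn in aws or "*" in aws

def missing_actions(policy, required, principal_arn=None):
    """Return the required actions the policy does not allow, or explicitly denies.

    Simplification: Resource, Condition and NotAction are not evaluated.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        if _names_principal(stmt, principal_arn):
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            bucket.extend(_as_list(stmt.get("Action")))
    return [a for a in required if not _matches(allowed, a) or _matches(denied, a)]

# Constructed sample input: placeholder account ID, role name and policies.
ROLE_ARN = "arn:aws:iam::111122223333:role/example-scanner-role"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ebs:List*", "ebs:GetSnapshotBlock"], "Resource": "*"}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "kms:DescribeKey", "Resource": "*"}]}

if __name__ == "__main__":
    print("role policy missing:", missing_actions(ROLE_POLICY, REQUIRED_EBS))
    print("key policy missing:", missing_actions(KEY_POLICY, REQUIRED_KMS, ROLE_ARN))
```

A key policy that delegates access to IAM through the account root principal does not name the role directly, so this check reports the KMS actions as missing for it; in that case run the same check against the role's identity policy with `REQUIRED_KMS`.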
Agentless Assessment utilizes Amazon EBS snapshots of your workload EC2 instances. Ensure snapshots have been created for the EC2 instances that you want to scan. For more information, see Create an AWS Snapshot.
Supported Operating Systems for AWS
- Amazon Linux 2023
- Amazon Linux 2
- CentOS 7
- Red Hat Enterprise Linux (RHEL)
- SUSE Linux Enterprise Server (SLES) 11.4 to 15.2
- Ubuntu
- Debian
- XFS
- ext4
You can perform Agentless scans in the following AWS regions:
- us-east-1
- us-west-1
- us-east-2
- us-west-2
- ap-southeast-1
- ap-southeast-2
- ap-northeast-1
- ap-northeast-2
- ap-northeast-3
- ap-south-1
- eu-central-1
- eu-north-1
- ca-central-1
- eu-west-1
- eu-west-2
- eu-west-3
- sa-east-1