AWS IAM Role for Agentless Assessment

Complete this before setting up Agentless Assessment. Agentless Assessments of EC2 instances require an IAM role that grants Tenable Cloud Security permission to read block data from snapshots of the instances' EBS volumes, using the EBS direct APIs. The role must provide Tenable Cloud Security the following Elastic Block Store permissions:

  • ebs:ListSnapshotBlocks

  • ebs:ListChangedBlocks

  • ebs:GetSnapshotBlock

For vulnerability scanning with Agentless Assessment, create a policy with the following JSON. The ebs:List* and ebs:Get* wildcards match exactly the three read-only actions listed above (the remaining EBS direct API actions, StartSnapshot, PutSnapshotBlock and CompleteSnapshot, are not matched); if you want the grant to stay fixed even as new ebs: actions are introduced, list the three actions explicitly instead:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ebs:List*",
                "ebs:Get*"
            ],
            "Resource": "*"
        }
    ]
}

Follow the instructions on the Set Up Read-Only Access to the AWS Account page to configure your IAM role with the appropriate permissions for Agentless Assessments.

For snapshots encrypted with an AWS Key Management Service (KMS) key, the IAM role used by Tenable Cloud Security must also be allowed to use the key that encrypted the snapshot. The grant is needed on both sides: the KMS key's resource policy (the key policy) must allow the role the following actions, and the role needs a matching identity policy, shown below:

  • kms:Decrypt

  • kms:DescribeKey

For volumes or snapshots encrypted with a KMS key, create the following custom policy and attach it to the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:[REGION]:[ACCOUNT-ID]:key/[KEY]"
        }
    ]
}
Note: In the JSON, replace the Resource value with a list of the ARNs of the KMS keys used to encrypt volumes or snapshots in each region of the AWS account. A Resource of * also works, but it grants kms:Decrypt on every key in the account whose key policy trusts the role; prefer the explicit list.
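The following Python check is an added example and is not Tenable Cloud Security code or part of this documentation. It expands the wildcard actions of the EBS policy above against the EBS direct API action list and confirms the grant is read-only, then builds the two KMS pieces described above (the key-policy statement naming the role, and the role's identity policy scoped to explicit key ARNs). The action list is my understanding of the EBS direct APIs and should be checked against the IAM Service Authorization Reference; the role ARN and key ARNs are placeholders.

```python
"""Offline least-privilege checks for the agentless-assessment IAM role.

Added example; not Tenable Cloud Security code. The EBS action list is an
assumption (verify against the IAM Service Authorization Reference); the ARNs
used in the usage block are placeholders.
"""
import re

# Assumption: the complete set of EBS direct API actions. The first three are
# the read-only actions the role needs; the other three write snapshots.
EBS_DIRECT_API_ACTIONS = frozenset({
    "ebs:ListSnapshotBlocks",
    "ebs:ListChangedBlocks",
    "ebs:GetSnapshotBlock",
    "ebs:StartSnapshot",
    "ebs:PutSnapshotBlock",
    "ebs:CompleteSnapshot",
})
REQUIRED_READ_ACTIONS = frozenset({
    "ebs:ListSnapshotBlocks",
    "ebs:ListChangedBlocks",
    "ebs:GetSnapshotBlock",
})

# The EBS policy from the page, embedded so the check runs offline.
EBS_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["ebs:List*", "ebs:Get*"],
        "Resource": "*",
    }],
}


def _iam_action_regex(pattern: str) -> re.Pattern:
    """IAM action matching: '*' and '?' wildcards, case-insensitive, no char classes."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def allowed_actions(policy: dict, known_actions: frozenset) -> set:
    """Expand every Allow statement's Action patterns against known_actions."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):  # IAM allows a bare string or a list
            patterns = [patterns]
        for pattern in patterns:
            rx = _iam_action_regex(pattern)
            granted.update(a for a in known_actions if rx.match(a))
    return granted


def check_ebs_policy(policy: dict) -> tuple:
    """Return (missing read actions, extra actions beyond the three reads).
    Both empty means the policy grants exactly the required read access."""
    granted = allowed_actions(policy, EBS_DIRECT_API_ACTIONS)
    return REQUIRED_READ_ACTIONS - granted, granted - REQUIRED_READ_ACTIONS


def kms_key_policy_statement(role_arn: str) -> dict:
    """Statement to add to the KMS key policy. A key policy applies only to the
    key it is attached to, so its Resource is '*'; the role is the Principal."""
    return {
        "Sid": "AllowAgentlessAssessmentDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
    }


def kms_identity_policy(key_arns: list) -> dict:
    """Identity policy for the role, scoped to the listed key ARNs instead of '*'."""
    if not key_arns:
        raise ValueError("list the KMS key ARNs; do not fall back to Resource '*'")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": sorted(key_arns),
        }],
    }


if __name__ == "__main__":
    missing, extra = check_ebs_policy(EBS_READ_POLICY)
    print("page policy, missing:", sorted(missing), "extra:", sorted(extra))
    too_broad = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ebs:*", "Resource": "*"}]}
    print("ebs:* also grants:", sorted(check_ebs_policy(too_broad)[1]))
    role = "arn:aws:iam::123456789012:role/TenableAgentlessAssessment"  # placeholder
    print(kms_key_policy_statement(role))
```

Run the check against any policy you are about to attach: an empty "extra" set for the page's policy confirms the wildcards are read-only today, while a policy using ebs:* shows the three snapshot-write actions it would add. The key-policy statement and identity policy are the two halves of the KMS grant; both must be in place for the role to read an encrypted snapshot.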

For more information, see Required AWS KMS key policy for use with encrypted volumes in AWS documentation.