Onboard an AWS Organization
Tenable Cloud Security can connect to the management account of your AWS organization and discover all the member accounts under it. This is the recommended method when you want to onboard all of your AWS accounts in Tenable Cloud Security for security assessment. You must have the permissions required to deploy a CloudFormation StackSet from the management account; the StackSet creates the access role in each member account.
Before you begin:
You must have the following details for the read-only role in the management account:
- Role ARN
- External ID
The External ID is the value Tenable Cloud Security presents when it assumes the role. The role's trust policy should require it (the sts:ExternalId condition) so that a party that knows only the role ARN cannot assume the role. For more information, see Set Up Read-Only Access to the AWS Account.
To connect to an AWS organization account:
- In the left navigation bar, click > Connection > AWS account.
- In the Choose a workflow to discover AWS account(s) section, select Onboard AWS organization.
- Click Continue.
  The Configure management account section appears.
- Type the Read Only Role ARN and External ID of the management account's read-only role.
- Click Continue.
  The Configure member accounts section appears.
- Configure member accounts by performing the following actions:
  - In the Configure member accounts section, in the first step, click the here link.
    Tenable Cloud Security redirects you to the Create StackSet wizard in the AWS Management Console. Follow these steps to deploy the StackSet that creates the role in all member accounts.
    To deploy the StackSet that creates the read-only role in the member accounts:
    - Sign in to the AWS management account of the target organization.
    - Copy the template URL from the Configure member accounts section.
    - On the Choose a template page, do the following:
      - In the Permissions section, ensure that the Service-managed permissions option is selected.
      - In the Prerequisite - Prepare template section, ensure that the Template is ready option is selected.
      - In the Template source section, click Amazon S3 URL.
      - In the Amazon S3 URL box, paste the template URL that you copied from the Tenable Cloud Security console.
      - Click Next.
    - On the Specify StackSet details page, do the following:
      - In the StackSet name section, type a name for the StackSet.
        Tip: Choose a meaningful name, because the Tenable Cloud Security role name is used in all the member accounts of the organization.
      - In the StackSet description section, type a description for the StackSet.
      - In the Parameters section, type the ID of the management account.
      - Click Next.
    - On the Configure StackSet options page, do the following:
      - (Optional) In the Tags section, click Add new tag and provide a Key and a Value.
        Tags are arbitrary key-value pairs that identify your stack. Tags that you apply to a StackSet are applied to all resources that its stacks create.
      - For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After the conflicting operations finish, StackSets starts the queued operations in request order.
      - Click Next.
    - On the Set deployment options page, do the following:
      - In the Deployment targets section, click one of the following:
        - Deploy to organization: creates the role in every member account of the organization.
        - Deploy to organizational units (OUs): creates the role only in the member accounts of the OUs that you select.
      - In Automatic deployment, click Enabled, so that accounts that later join the organization (or the selected OUs) receive the role without a manual redeployment.
      - In Account removal behavior, click the required option (Delete stacks or Retain stacks). This controls what happens to the role when an account leaves the organization or OU.
      - In the Specify regions section, add one region that is enabled in all member accounts.
        Caution: Select only one region. IAM roles are global, not regional, so if you specify multiple regions the stack succeeds in only one region and fails in the others because the role already exists by the time they run.
        Note: If the selected region is not enabled in a particular member account, the stack deployment fails for that account.
      - In the Deployment options section, do the following:
        - In the Maximum concurrent accounts - optional drop-down box, select Percentage and set the value to 100.
        - In the Failure tolerance - optional drop-down box, select Percentage and set the value to 100. With this setting, a failure in one account does not stop the deployment to the remaining accounts.
        - In the Regional Concurrency section, click Sequential.
      - Click Next.
    - In the Capabilities section, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box. The acknowledgement is required because the template creates an IAM role with a fixed name rather than a generated one.
    - Click Submit.
      The StackSet details page appears. Wait for the status of the StackSet operation to change to Succeeded. Because the failure tolerance is 100%, the operation reports Succeeded even if the role could not be created in some accounts, so open the Stack instances tab and confirm that every member account shows the status CURRENT. An account that shows OUTDATED with a failure reason did not get the role and cannot be onboarded until you fix the cause.
    - Click the StackSet Info tab and copy the StackSet ARN.
  - In the Tenable Cloud Security console, paste the StackSet ARN that you copied in the previous step in the StackSet ARN box.
  - Click Continue.
    The Discover and onboard member accounts section appears. Tenable Cloud Security uses the StackSet to discover the member accounts in which the Tenable Cloud Security role was created.
- Onboard the member accounts:
  - In the Discover and onboard member accounts section, select from the list the member accounts that you want to onboard.
    Tip: You can also search for specific accounts and filter the list by organization.
  - (Optional) To create a new project automatically for the AWS organization, select the Map accounts automatically check box.
    Tenable Cloud Security creates a new project for the AWS organization and links all the onboarded AWS member accounts to the project.
  - Click Onboard accounts.
    On the Projects & Connections page, the AWS project is linked to the connected AWS organization's management account and the selected member accounts.
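The StackSet step is the part of this procedure that can fail quietly: with the failure tolerance at 100%, the operation finishes with status Succeeded even when some member accounts did not get the role, and those accounts then do not appear in the Discover and onboard member accounts list. The following Python script is an added example, not Tenable's or AWS's code. It reads the JSON printed by `aws cloudformation describe-stack-set-operation` and `aws cloudformation list-stack-instances` (from two files passed on the command line, or from the constructed sample embedded in the script, whose account IDs, operation and StackSet IDs, OU ID and the role name TenableReadOnlyRole are all made up) and reports which accounts are ready, which failed and why, and whether more than one region was used.

```python
"""Review a StackSet deployment before handing the StackSet ARN to Tenable Cloud Security.

Added example, not Tenable's or AWS's code. Reads the output of
  aws cloudformation describe-stack-set-operation --stack-set-name NAME --operation-id ID
  aws cloudformation list-stack-instances --stack-set-name NAME
from two files, or falls back to the constructed sample below.
"""
import json
import sys

# Constructed sample output. Account IDs, operation/StackSet IDs, the OU ID and the
# role name TenableReadOnlyRole are made up for illustration.
SAMPLE_OPERATION = """{
  "StackSetOperation": {
    "OperationId": "2b9c1e7a-0000-4000-8000-000000000001",
    "StackSetId": "tenable-ro:3f8d2a10-0000-4000-8000-000000000002",
    "Action": "CREATE",
    "Status": "SUCCEEDED",
    "OperationPreferences": {
      "RegionConcurrencyType": "SEQUENTIAL",
      "FailureTolerancePercentage": 100,
      "MaxConcurrentPercentage": 100
    },
    "DeploymentTargets": {"OrganizationalUnitIds": ["r-a1b2"]}
  }
}"""

SAMPLE_INSTANCES = """{
  "Summaries": [
    {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "333333333333", "Region": "us-east-1", "Status": "OUTDATED",
     "StatusReason": "Role with name TenableReadOnlyRole already exists.",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
    {"Account": "444444444444", "Region": "us-east-1", "Status": "OUTDATED",
     "StatusReason": "Account 444444444444 is suspended.",
     "StackInstanceStatus": {"DetailedStatus": "SKIPPED_SUSPENDED_ACCOUNT"}}
  ]
}"""


def parse_operation(text):
    """Return the operation status and the failure tolerance that was in effect."""
    op = json.loads(text)["StackSetOperation"]
    prefs = op.get("OperationPreferences", {})
    return {"status": op["Status"],
            "failure_tolerance_pct": prefs.get("FailureTolerancePercentage")}


def parse_instances(text):
    return json.loads(text)["Summaries"]


def problem_instances(summaries):
    """Stack instances that are not CURRENT. The operation can still report SUCCEEDED
    because a 100% failure tolerance lets it continue past per-account failures."""
    return [{"account": s["Account"], "region": s["Region"],
             "detail": s.get("StackInstanceStatus", {}).get("DetailedStatus", "UNKNOWN"),
             "reason": s.get("StatusReason", "")}
            for s in summaries if s.get("Status") != "CURRENT"]


def regions_used(summaries):
    """Distinct regions in the deployment; more than one means the IAM role was created twice."""
    return sorted({s["Region"] for s in summaries})


def review(operation_text, instances_text):
    op = parse_operation(operation_text)
    summaries = parse_instances(instances_text)
    problems = problem_instances(summaries)
    regions = regions_used(summaries)
    ready = {s["Account"] for s in summaries if s.get("Status") == "CURRENT"}
    return {"operation_status": op["status"],
            "failure_tolerance_pct": op["failure_tolerance_pct"],
            "regions": regions,
            "accounts_total": len({s["Account"] for s in summaries}),
            "accounts_ready": len(ready),
            "problems": problems,
            # Only paste the StackSet ARN into Tenable when all three hold.
            "ok": op["status"] == "SUCCEEDED" and not problems and len(regions) == 1}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            op_text, inst_text = f.read(), g.read()
    else:
        op_text, inst_text = SAMPLE_OPERATION, SAMPLE_INSTANCES
    r = review(op_text, inst_text)
    print(f"operation: {r['operation_status']} (failure tolerance {r['failure_tolerance_pct']}%)")
    print(f"regions: {', '.join(r['regions'])}")
    print(f"accounts ready: {r['accounts_ready']}/{r['accounts_total']}")
    for p in r["problems"]:
        print(f"  {p['account']} {p['region']}: {p['detail']} {p['reason']}")
    if len(r["regions"]) > 1:
        print("WARNING: more than one region; the role is global and can only be created once per account")
    return 0 if r["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 review_stackset.py operation.json instances.json` after saving the two CLI outputs; a non-zero exit code means the StackSet is not ready to hand to Tenable Cloud Security. On the constructed sample the operation status is SUCCEEDED, yet two of four accounts are flagged: one because a role with the same name already existed (typically a leftover from an earlier manual onboarding) and one because the account is suspended.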