Tenable Cloud Security Quick Reference Guide: Onboarding AWS Accounts

This Quick Reference Guide provides the sequence of tasks required to onboard AWS cloud accounts to Tenable Cloud Security and to perform a cloud scan. Tenable Cloud Security assesses your cloud infrastructure at runtime and identifies security and compliance violations.

Before you begin:

You must have the following:

  • Credentials for your Tenable.io user account.

  • An AWS user account with permissions to create Identity and Access Management (IAM) roles.


You can onboard your Amazon Web Services (AWS) accounts in Tenable Cloud Security in the following two ways:

  • Onboard an AWS organization: Use this recommended method to secure multiple AWS accounts and start the security assessment. Tenable Cloud Security can connect to your AWS organization's management account to discover all the member accounts that are under that account. Provide a Role ARN and an optional External ID for the management account. Ensure that you have read-only permission to deploy a CloudFormation stack to set up access roles in each of the member accounts.

  • Onboard a single AWS account: Use this method if you want to onboard each AWS account manually without deploying a CloudFormation stack. Provide a Role ARN and an optional External ID for the AWS account.

To onboard AWS accounts in Tenable Cloud Security, you must configure an Identity and Access Management (IAM) role so that Tenable Cloud Security can read the resources in the connected AWS accounts. When onboarding an AWS organization account, create an IAM role for the management account.
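One way to review the role before handing over its Role ARN, as an added example (not Tenable's code): a Python audit of the role's trust policy that confirms only the expected account can assume the role and, when an External ID is used, that the policy requires it. The account ID, the External ID value and both sample policies are constructed placeholders, and the function name is hypothetical.

```python
# Constructed placeholders: the guide gives neither the scanner's AWS account
# ID nor an External ID value, so both are hypothetical.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, vendor_account_id, external_id=None):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings = []
    prefix = f"arn:aws:iam::{vendor_account_id}:"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        grants = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            aws = ["*"]
        elif isinstance(principal, dict):
            aws = _as_list(principal.get("AWS", []))
        else:
            aws = []
        if not aws:
            findings.append(f"statement {i}: no AWS principal")
        for p in aws:
            # Accept the bare account ID or any ARN inside that account.
            if p != vendor_account_id and not p.startswith(prefix):
                findings.append(f"statement {i}: unexpected principal {p}")
        if external_id is not None:
            equals = stmt.get("Condition", {}).get("StringEquals", {})
            ids = [x for k, v in equals.items()
                   if k.lower() == "sts:externalid" for x in _as_list(v)]
            if ids != [external_id]:
                findings.append(f"statement {i}: sts:ExternalId missing or different")
    return findings

# Constructed sample trust policies.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
BAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_trust_policy(doc, VENDOR_ACCOUNT_ID, EXTERNAL_ID))
```

Pass `external_id=None` when the role is onboarded without an External ID; the principal check still applies.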

After connecting your cloud accounts, configure your cloud resources and then scan these cloud resources for any violations.


The following workflow provides the high-level tasks required for onboarding AWS accounts.



For a demonstration on onboarding AWS accounts, see the following video:
