Configure Amazon Web Services (AWS)

Required User Role: Administrator

Before you can use Tenable.io AWS connectors, you must configure AWS to work with Tenable.io. Tenable.io AWS connectors support two authentication methods for accessing the EC2 assets in your AWS account.

The default method is keyless authentication, which uses AWS role delegation: the Tenable AWS account assumes a role in your account, and the trust is scoped by an external ID, so no long-lived credentials leave your account. Keyless authentication supports automatic discovery of your AWS assets. The second method is key-based: an IAM user with the required permissions, whose access key ID and secret access key you enter in Tenable.io.

Note: AWS connectors configured with key-based authentication do not support the automatic discovery of AWS accounts.

Before you begin:

(Default) To configure AWS to support Tenable.io connectors via role delegation (keyless):

  1. In Tenable.io, record the External ID from the AWS connector pane.

    Note: The external ID is the same as the container ID.

  2. In your AWS account, create a cross-account role named tenableio-connector that delegates permissions to the Tenable AWS account, following the AWS documentation on creating a role to delegate permissions to another AWS account.
  3. In the navigation pane of the IAM console, click Roles > Create role.

  4. For role type, click Another AWS account.

  5. For Account ID, type the ID 012615275169.
    Note: 012615275169 is the account ID of the Tenable AWS account with which you are establishing the trust relationship that supports AWS role delegation (keyless authentication).
  6. Select the Require external ID checkbox and type the External ID (Tenable container ID) that you recorded in Step 1. The external ID condition ensures that only a request carrying your container ID can assume the role, even though the trusted principal is a Tenable account shared by many customers (the confused-deputy problem described in the AWS documentation).

  7. Click Next: Permissions.
  8. Create or reuse a policy with the following permissions:

    AWS Service      Permission (IAM action)
    Amazon EC2       ec2:DescribeInstances
    AWS CloudTrail   cloudtrail:DescribeTrails
                     cloudtrail:GetEventSelectors
                     cloudtrail:GetTrailStatus
                     cloudtrail:ListTags
                     cloudtrail:LookupEvents

    Tenable recommends that you set Amazon Resource Name to * (all resources) for each AWS service. All of these actions are read-only, and ec2:DescribeInstances and cloudtrail:DescribeTrails do not support resource-level permissions, so a narrower Resource would not work for them in any case. If you reuse an existing policy, confirm that it grants no actions beyond this list.

  9. Click Next: Tagging.

  10. (Optional) Add any desired tags.
  11. Click Next: Review.

  12. In the Role name box, type tenableio-connector.
    Caution: The role must be named tenableio-connector for the connector to work.
  13. Review the role, ensuring that the role name is tenableio-connector, and then click Create role.

  14. Record the Role ARN for the created role. You need the Role ARN if you choose to configure linked AWS accounts.

(Alternative) To configure AWS to support Tenable.io connectors via an IAM user with permissions (key-based authentication):

  1. Use the Policy Generator to create an IAM permission policy for integration with Tenable.io.

  2. Add the following permissions to the policy:

    AWS Service      Permission (IAM action)
    Amazon EC2       ec2:DescribeInstances
    AWS CloudTrail   cloudtrail:DescribeTrails
                     cloudtrail:GetEventSelectors
                     cloudtrail:GetTrailStatus
                     cloudtrail:ListTags
                     cloudtrail:LookupEvents

    Tenable recommends that you set Amazon Resource Name to * (all resources) for each AWS service. All of these actions are read-only, and ec2:DescribeInstances and cloudtrail:DescribeTrails do not support resource-level permissions, so a narrower Resource would not work for them in any case.

  3. Create an IAM user with programmatic access.

  4. Assign the policy you created in Step 2 to the IAM user.

  5. Record the user's access key ID and secret access key. AWS displays the secret access key only once, at creation time; you enter both values in the Tenable.io AWS connector.
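Both procedures above end in the same permission policy; the keyless procedure additionally produces a trust policy whose external ID condition is what the Require external ID checkbox writes. The following Python is an added illustration, not Tenable's code or part of this page: it builds both policy documents from the values in the steps above (the Tenable account ID, the required role name, and the action list) and audits an existing trust policy and permission policy against the procedure. The checker functions, the sample container ID, and the output file names are assumptions of the example.

```python
"""Build and audit the IAM policy documents behind the Tenable.io AWS connector
setup. Added example, not Tenable's own code; see the lead-in for assumptions."""
import json

# Values taken from the procedure above.
TENABLE_ACCOUNT_ID = "012615275169"
ROLE_NAME = "tenableio-connector"

# Read-only actions the procedure lists for both authentication methods.
CONNECTOR_ACTIONS = (
    "ec2:DescribeInstances",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetEventSelectors",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:ListTags",
    "cloudtrail:LookupEvents",
)


def permission_policy():
    """Identity policy for the role (keyless) or the IAM user (key-based)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenableIoConnectorReadOnly",
                "Effect": "Allow",
                "Action": list(CONNECTOR_ACTIONS),
                # "*" as Tenable recommends; ec2:DescribeInstances does not
                # support resource-level permissions, so nothing narrower works.
                "Resource": "*",
            }
        ],
    }


def trust_policy(external_id):
    """Trust policy for the keyless role: the Tenable account may assume it
    only when the request carries your container ID as sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Principal; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(doc, external_id):
    """Audit a trust policy (e.g. Role.AssumeRolePolicyDocument from
    `aws iam get-role`). Returns the deviations from the procedure; an empty
    list means only the Tenable account can assume the role, only via
    sts:AssumeRole, and only with the expected external ID."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        for p in principals:
            if p == "*":
                problems.append("trust policy allows any AWS principal")
            elif TENABLE_ACCOUNT_ID not in p:
                problems.append(f"unexpected principal {p}")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                problems.append(f"trust policy grants {action}, expected only sts:AssumeRole")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match the container ID")
    return problems


def check_permission_policy(doc):
    """Return any Allow action beyond the read-only set the connector needs,
    which catches a reused policy that is broader than the procedure asks for."""
    extra = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in CONNECTOR_ACTIONS:
                extra.append(action)
    return extra


if __name__ == "__main__":
    # Constructed placeholder; use the External ID shown in the Tenable.io connector pane.
    container_id = "00000000-0000-0000-0000-000000000000"
    with open("tenableio-trust.json", "w") as f:
        json.dump(trust_policy(container_id), f, indent=2)
    with open("tenableio-policy.json", "w") as f:
        json.dump(permission_policy(), f, indent=2)
    print(ROLE_NAME, check_trust_policy(trust_policy(container_id), container_id))
```

To script the keyless procedure with the AWS CLI, create the role from the trust document with `aws iam create-role --role-name tenableio-connector --assume-role-policy-document file://tenableio-trust.json` and attach the permissions with `aws iam put-role-policy --role-name tenableio-connector --policy-name tenableio-connector --policy-document file://tenableio-policy.json`; for the key-based procedure, `aws iam create-user`, `aws iam put-user-policy` and `aws iam create-access-key` take the same permission document. Running `check_trust_policy` over the `Role.AssumeRolePolicyDocument` field of `aws iam get-role --role-name tenableio-connector` later confirms that the external ID condition has not been loosened by a subsequent edit.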

(Optional) To configure linked AWS accounts:

What to do next:

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.