AWS Inspector V2 Connector
The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.
The AWS Inspector Connector enumerates vulnerabilities from AWS Inspector, ECR, and ECS.
Connector Details
Details | Description |
---|---|
Supported products | AWS Inspector |
Category | Asset Inventory, Network Scanner |
Ingested data | Assets and Findings |
Ingested Asset Classes | Device, Container, Resource |
Integration type | Unidirectional (data is transferred from the connector to Tenable Exposure Management in one direction) |
Supported version and type | SaaS (latest) |
Prerequisites and User Permissions
Before you begin configuring the connector, make sure to:
- Have a cross-account user with the permission: inspector2:ListFindings
- Complete one of the following configurations based on your use case:
  - Generate AWS Inspector V2 Access and Secret Keys (for the Access and Secret Key authentication method):
    - Sign in to the AWS Management Console as an IAM user with administrative privileges (not the root account).
    - Navigate to the IAM Console: https://console.aws.amazon.com/iam
    - In the left navigation pane, select Users.
    - Select the cross-account user with the inspector2:ListFindings permission.
    - Choose the Security credentials tab.
    - In the Access keys section, click Create access key.
    - Under Access key best practices and alternatives, select Third-party service as the use case.
    - Click Next.
    - In Set description tag, add a description tag (e.g., Exposure Management Integration).
    - Click Create access key.
    - On the confirmation page, copy the:
      - Access Key ID
      - Secret Access Key
      You won't be able to view the Secret Access Key again after this screen, so save it securely.
  - Create AWS Inspector V2 External ID and ARNs (for the ARN and External ID authentication method):
    - Sign in to the AWS Management Console with an account that has permissions to create IAM policies.
    - Navigate to the IAM service.
    - In the left-hand menu, click Policies, then click Create policy.
    - On the Create policy page, select the Visual editor tab.
    - Under Service, search for and select Inspector2.
    - Under Actions, select the inspector2:ListFindings permission.
    - Click Next: Review.
    - On the Review policy page, enter a Name and (optionally) a Description for the policy.
    - Review the Summary to ensure the correct permissions are included.
    - Click Create policy to save.
    - Navigate to IAM > Roles > Create Role > Another AWS account.
    - In the Account ID field, paste the following Tenable account ID: 012615275169
    - Check the "Require External ID" box.
    - Enter your External ID value (maximum 12 characters).
    - Copy the value and save it in a safe place so you can use it later on the connector setup page.
    - Make sure "Require MFA" is unchecked.
    - Click Next: Permissions.
    - Attach the policy created in steps 2–8.
    - Continue through the wizard, review the role settings, and create the role.
    - Copy the generated ARN.
    Important: If you're creating roles for multiple AWS accounts, repeat the steps above for each account. Make sure you use the same External ID for all roles and copy the generated ARN of each role/account.
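As an added example (not part of the Tenable page or its connector code), the two IAM documents the ARN and External ID procedure above produces, plus a small audit that checks a role's trust policy against the page's requirements: only the Tenable account 012615275169 as principal, an sts:ExternalId condition of at most 12 characters, and no MFA requirement. The External ID value is a constructed placeholder.

```python
import json

TENABLE_ACCOUNT_ID = "012615275169"  # Tenable account ID given on this page
EXTERNAL_ID = "em-conn-0001"         # constructed example value; the page allows at most 12 characters

def permission_policy():
    """Least-privilege policy: only inspector2:ListFindings, the single action the page requires."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "inspector2:ListFindings", "Resource": "*"}],
    }

def trust_policy(external_id):
    """Trust policy produced by the wizard's 'Another AWS account' + 'Require External ID' choices."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def audit_trust_policy(doc):
    """List the ways a trust policy deviates from the page's requirements; [] means it complies."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principal = principal.get("AWS", "")
        principals = principal if isinstance(principal, list) else [principal]
        # Only the Tenable account may assume the role; a wildcard principal lets any AWS account try.
        if any(p == "*" or TENABLE_ACCOUNT_ID not in p for p in principals):
            problems.append("principal is not restricted to the Tenable account")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("missing sts:ExternalId condition (Require External ID must be checked)")
        elif len(ext) > 12:
            problems.append("External ID is longer than 12 characters")
        # 'Require MFA' adds this condition; a service principal cannot present MFA, so the sync would fail.
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
            problems.append("Require MFA is set; the connector cannot satisfy it")
    return problems

if __name__ == "__main__":
    print(json.dumps(trust_policy(EXTERNAL_ID), indent=2), audit_trust_policy(trust_policy(EXTERNAL_ID)))
```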
Add a Connector
To add a new connector:
- In the left navigation menu, click Connectors.
  The Connectors page appears.
- In the upper-right corner, click Add new connector.
  The Connector Library appears.
- In the search box, type the name of the connector.
- On the tile for the connector, click Connect.
  The connector configuration options appear.
Configure the Connector
- (Optional) In the Connector's Name text box, type a descriptive name for the connector.
- (Optional) To use a preconfigured on-prem connector to connect to this connector, from the Gateway drop-down, select the on-prem connector you want to use. Otherwise, select Don't use gateway.
  Note: For information about configuring a gateway, see Tenable On-Prem Connector.
- From the Authentication method drop-down, select the authentication method to use for the connector.
  - If you select the Access Key & Secret Key method, enter the Access Key ID and Secret Access Key you generated earlier.
  - If you select the ARN & External ID method, enter the role ARN(s) and External ID you generated earlier.
- In the Data pulling configuration section, configure the dynamic settings specific to the connector:
  - (Optional) In the Regions drop-down, select the AWS regions to include for data ingestion.
  - In the Asset Retention text box, type the number of days after which you want assets to be removed from Tenable Exposure Management. If an asset has not been detected or updated within the specified number of days, it is automatically removed from the application, keeping your asset inventory current and relevant.
  Tip: For more information, see Asset Retention.
- In the Test connectivity section, click Test Connectivity to verify that Tenable Exposure Management can connect to your connector instance.
  - A successful connectivity test confirms that the platform can connect to the connector instance. It does not, however, guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.
  - If the connectivity test fails, an error message with details about the issue appears. Click Show tests for more information about the exact error.
- In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.
  Tip: For more information, see Connector Scheduling.
- Click Create. Tenable Exposure Management begins syncing the connector. The sync can take some time to complete.
- To confirm the sync is complete, do the following:
  - Navigate to the Connectors page and monitor the connector's status. The sync is complete once the connector status is Connected.
  - View the sync logs for the connector to confirm a successful connection.
AWS in Tenable Exposure Management
Locate Connector Assets in Tenable Exposure Management
As the connector discovers assets, Tenable Exposure Management ingests those devices for reporting.
To view assets by connector:
- In Tenable Exposure Management, navigate to the Assets page.
- In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view assets.
  The asset list updates to show only assets from the selected connector.
- Click on any asset to view Asset Details.
Locate Connector Weaknesses in Tenable Exposure Management
As the connector discovers weaknesses, Tenable Exposure Management ingests those weaknesses for reporting.
To view weaknesses by connector:
- In Tenable Exposure Management, navigate to the Weaknesses page.
- In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view weaknesses.
  The weaknesses list updates to show only weaknesses from the selected connector.
- Click on any weakness to view Weakness Details.
Locate Connector Findings in Tenable Exposure Management
As the connector discovers individual findings, Tenable Exposure Management ingests those findings for reporting.
To view findings by connector:
- In Tenable Exposure Management, navigate to the Findings page.
- In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view findings.
  The findings list updates to show only findings from the selected connector.
- Click on any finding to view Finding Details.
Data Mapping
Exposure Management integrates with the connector via API to retrieve relevant weakness and asset data, which is then mapped into the Exposure Management system. The following tables outline how fields and their values are mapped from the connector to Exposure Management.
Device Mapping
Tenable Exposure Management UI Field | AWS Inspector V2 Field |
---|---|
Unique Identifier | id |
Asset - External Identifier | id |
Asset - Provider Identifier | id |
Asset - Name | tags.Name |
Asset - Operating Systems | Platform |
Asset - IPv4 Addresses | ipV4Addresses |
Asset - IPv6 Addresses | ipV6Addresses |
Asset - First Observation Date | launchedAt |
Asset - External Tags | Tags |
Asset Custom Attributes | region, type, keyName |
Container Mapping
Tenable Exposure Management UI Field | AWS Inspector V2 Field |
---|---|
Unique Identifier | id |
Asset - Name | tags.Name |
Asset - Operating Systems | Platform |
Asset - Container Image Tags | imageTags |
Asset - Image Digest | imageHash |
Asset - External Tags | Tags |
Asset Custom Attributes | region, repositoryName |
Resource Mapping
Tenable Exposure Management UI Field | AWS Inspector V2 Field |
---|---|
Unique Identifier | id |
Asset - External Identifier | id |
Asset - Provider Identifier | id |
Asset - Name | functionName |
Provider Names | AWS |
Cloud Resource Type | AWS::Lambda::Function |
Asset - External Tags | Tags |
Asset Custom Attributes | region |
Finding Mapping
Tenable Exposure Management UI Field | AWS Inspector V2 Field |
---|---|
Unique Identifier | finding_arn |
Finding Name | title |
CVEs | vulnerabilityId |
Severity Driver | inspectorScore |
Description | description |
First Seen | firstObservedAt |
Last seen (Observed) | lastObservedAt |
Port | openPortRange.begin |
Protocol | protocol |
Finding Custom Attributes | networkPath (only for Device and Resource), severity, type, vulnerablePackages.name, vulnerablePackages.version, source, sourceUrl, remediation, scoringVector |
Finding Status Mapping
Tenable Exposure Management Status | AWS Inspector Status |
---|---|
Active | All other statuses |
Fixed | CLOSED, SUPPRESSED |
Note: For AWS Inspector, Exposure Management uses the status field to determine finding status.
Finding Severity Mapping
Tenable Exposure Management Severity | AWS Inspector Score |
---|---|
Critical | CVSS: 9.0 - 10.0; Severity: Critical |
High | CVSS: 7.0 - 8.9; Severity: High |
Medium | CVSS: 4.0 - 6.9; Severity: Medium |
Low | CVSS: 1.0 - 3.9; Severity: Low |
None | CVSS: 0; Severity: empty |
Note: For AWS Inspector, Exposure Management uses the inspectorScore field to determine severity.
Status Update Mechanisms
Every day, Tenable Exposure Management syncs with the vendor's platform to receive updates on existing findings and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the connector for findings and assets ingested into Tenable Exposure Management.
Update Type in Exposure Management | Mechanism (When?) |
---|---|
Archiving Assets | |
Change a Finding status from "Active" to "Fixed" | |
Uniqueness Criteria
Tenable Exposure Management uses defined uniqueness criteria to determine whether an ingested asset or finding should be recognized as a distinct record. These criteria help define how assets and findings are identified and counted from each connector.
Tip: Read all about Third-Party Data Deduplication in Tenable Exposure Management.
The uniqueness criteria for this connector are as follows:
Data | Uniqueness Criteria |
---|---|
Asset | id |
Finding | finding_arn |
Detection | title |
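As an added example (not Tenable's code), the Finding Status Mapping, Finding Severity Mapping and Uniqueness Criteria sections above applied to a constructed batch of findings: records are deduplicated on finding_arn, keeping the most recently observed copy, then given their Exposure Management status and severity. Field names follow this page's Finding Mapping table rather than the raw ListFindings nesting; treating a missing or sub-1.0 inspectorScore as severity None is an assumption.

```python
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low")]  # lower bound of each band

def map_status(inspector_status):
    """Finding Status Mapping: CLOSED and SUPPRESSED become Fixed; all other statuses stay Active."""
    return "Fixed" if inspector_status in ("CLOSED", "SUPPRESSED") else "Active"

def map_severity(inspector_score):
    """Finding Severity Mapping driven by inspectorScore."""
    if inspector_score is None:
        return "None"
    for floor, label in SEVERITY_BANDS:
        if inspector_score >= floor:
            return label
    return "None"  # score 0, the page's "Severity: empty" row; sub-1.0 scores also land here (assumption)

def ingest(findings):
    """Apply the page's uniqueness criterion (finding_arn), keeping the most recently observed copy,
    then attach the Exposure Management status and severity to each surviving record."""
    by_arn = {}
    for f in findings:
        current = by_arn.get(f["finding_arn"])
        if current is None or f.get("lastObservedAt", "") > current.get("lastObservedAt", ""):
            by_arn[f["finding_arn"]] = f
    return [
        {**f, "em_status": map_status(f.get("status")), "em_severity": map_severity(f.get("inspectorScore"))}
        for f in by_arn.values()
    ]

def status_counts(records):
    """Active/Fixed totals: the figures compared with the Inspector dashboard in Finding Data Validation."""
    counts = {"Active": 0, "Fixed": 0}
    for r in records:
        counts[r["em_status"]] += 1
    return counts

def _f(n, title, score, status, seen):  # builder for constructed sample findings (placeholder account ID)
    return {"finding_arn": f"arn:aws:inspector2:us-east-1:111122223333:finding/f-{n}", "title": title,
            "inspectorScore": score, "status": status, "lastObservedAt": seen}

SAMPLE_FINDINGS = [  # constructed sample; CVE identifiers are placeholders, not real advisories
    _f("0001", "CVE-0000-0001 - example-pkg", 9.8, "ACTIVE", "2024-05-01T10:00:00Z"),
    _f("0002", "CVE-0000-0002 - example-lib", 6.5, "SUPPRESSED", "2024-05-01T10:00:00Z"),
    _f("0003", "Informational port exposure", 0, "CLOSED", "2024-05-01T10:00:00Z"),
    # the first finding observed again on a later sync: same finding_arn, so it must not become a second record
    _f("0001", "CVE-0000-0001 - example-pkg", 9.8, "ACTIVE", "2024-05-02T10:00:00Z"),
]

if __name__ == "__main__":
    print(status_counts(ingest(SAMPLE_FINDINGS)))
```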
API Endpoints in Use
API version: aioboto3 11.3.0
API | Use in Tenable Exposure Management | Requested Permissions |
---|---|---|
list_findings | Generating Devices, Resources, Containers and Findings | Inspector2 ListFindings |
Data Validation
This section shows how to validate and compare data between Tenable Exposure Management and the AWS Inspector platform.
Asset Data Validation
Objective: Ensure that the number of assets in AWS Inspector aligns with the number of assets displayed in Exposure Management.
In AWS Inspector:
- Navigate to the AWS Console > Amazon Inspector.
- In the left menu, click Dashboard.
- Review the number of resources currently scanned and covered:
  - EC2 instances
  - ECR container images
  - Lambda functions
  Each resource type is displayed in its own tile on the dashboard.
In Tenable Exposure Management:
- Compare the total number of assets between AWS Inspector and Tenable Exposure Management.
Expected outcome: The total numbers returned in AWS Inspector and Exposure Management should match.
Exposure Management displays assets from AWS Inspector only if they are actively scanned.
If an asset is not visible in Exposure Management, check the following conditions:
- The asset was archived based on the last observed date (last seen).
- The asset was archived because it did not return in the connector's next sync.
Tip: To learn more about how assets and findings change status, see Status Update Mechanisms.
Finding Data Validation
Objective: Ensure that the number of findings in AWS Inspector aligns with the number of findings in Exposure Management.
In AWS Inspector:
- Navigate to the AWS Console > Amazon Inspector.
- On the Dashboard, review the Findings tile.
- Focus on findings that:
  - Have an available exploit.
  - Have a recommended fix.
  These represent the active vulnerabilities identified by AWS Inspector.
In Tenable Exposure Management:
- Compare the total number of findings between AWS Inspector and Tenable Exposure Management.
Expected outcome: Exposure Management ingests only findings with a defined exploitability and remediation. Counts may differ if some findings are informational or do not meet the ingest criteria.
If a finding is missing from Exposure Management or no longer active, check the following conditions:
- The finding is marked as Fixed and appears under the Fixed state on the Findings screen.
- The finding no longer appears because its related asset was archived.
Tip: To learn more about how assets and findings are archived or change status, see Status Update Mechanisms.