Automated Pull from Cloud Storage (S3) in Tenable One Open Connector

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

You can use the Tenable One Open Connector to automate the discovery and import of assets and vulnerability data into Tenable Exposure Management. This capability replaces manual file uploads with continuous, scheduled syncs from remote storage environments.

By connecting directly to cloud providers, the Tenable One Open Connector ensures your data reflects the current state of your environment without manual intervention.

Configure Automated Pull from Cloud Storage (S3)

To configure the automated S3 ingestion:

  1. In the Data pulling configuration section, select Automated Pull from Cloud Storage (S3).
  2. In the Authentication method section, select the relevant authentication method: ARN & External ID or Access Key & Secret Key.
    • If you select the ARN & External ID method, complete the following configurations in your S3 console:
      1. Navigate to IAM > Policies > Create Policy > Visual Editor.

      2. From the Service drop-down, select S3.

      3. From the Actions allowed drop-down, select the following permissions:

        • ListBucket

        • GetObject

      4. In the Resources section:

        1. For ListBucket, add ARN for the bucket: arn:aws:s3:::YOUR_BUCKET_NAME

        2. For GetObject, add ARN for the objects: arn:aws:s3:::YOUR_BUCKET_NAME/*

      5. Click Next.

      6. On the Review policy page, type a Name (e.g., S3ConnectorReadAccess) and Description for the policy.

      7. Review the Summary.

      8. Click Create Policy.

      9. Navigate to IAM > Roles > Create Role > AWS account.

      10. In the Account ID field, paste the following Tenable account ID:

        012615275169
      11. Select the Require External ID check box.

      12. In the text box, type the value of your external ID.

        Important: External ID must follow AWS AssumeRole API constraints:

        • Length: 2–1224 characters

        • Allowed characters: alphanumeric (A-Z, a-z, 0-9) and the following: = , . @ : / - _

        Using unsupported characters may cause the AssumeRole call to fail.

      13. Paste this value into the Connector text box.

      14. Ensure the Require MFA check box is deselected.

      15. Click Next: Permissions.

      16. Attach the policy you created (e.g., S3ConnectorReadAccess).

      17. Continue through the wizard and review the settings.

      18. Create the role.

      19. Copy the ARN and External ID to a safe location. You need them to configure the connector.

    • If you select the Access Key & Secret Key method, complete the following configurations in your S3 console:
      1. Log in to the AWS platform with the target account credentials.

      2. Navigate to IAM > Users.

      3. Select the user with the appropriate permissions.

      4. Navigate to the Security Credentials tab.

      5. In the Access Keys section, click Create access key.

        The Create access key wizard appears.

      6. In the Use case section, select the Third-party service radio button.

      7. Click Next.

      8. In the Description tag value text box, type a descriptive tag for the key.

      9. Click Create access key.

      10. Copy the Access Key and Secret Key to a safe location. You need them to configure the connector.

  3. After generating the required authentication values, complete the configuration of the connector in Tenable Exposure Management.
    • For the ARN & External ID method: Fill in the External ID, Role ARN, Region, and S3 URI path (e.g., s3://bucket-name/folder/).
      • (Optional): Fill in the File Pattern (e.g., *.csv or assets_*.xls).
    • For the Access Key & Secret Key method: Fill in the Access Key, Secret Key, Region, and S3 URI path (e.g., s3://bucket-name/folder/).
      • (Optional): Fill in the File Pattern (e.g., *.csv or assets_*.xls).
  4. In the Asset Retention box, type the number of days after which Tenable Exposure Management removes assets. The default is 460 days. Exposure Management determines the removal date based on the data available in your uploaded file.

    Tip: To learn more, see How Asset Retention works for the Tenable One Open Connector.

  5. In the Data Update Mode section, select how the connector should process future data syncs:

    • Override data (Full Fetch): Every new file sync fully overrides the data ingested from the previous sync. Use this mode to replace all existing asset records and findings for the connector on each sync.

    • Update data (Incremental Fetch): Every new file sync updates the existing set of data in Tenable Exposure Management after an initial full sync. This mode optimizes for bandwidth by processing only the assets and findings updated since the previous sync.

      For files containing both assets and findings, you must select one of the following reconciliation modes:

      • Additive Only Mode: Keeps all existing assets and findings active in the platform. Tenable Exposure Management only processes new or updated data; no records are removed or archived.
      • Strict Inventory Mode: Archives assets missing from the file to maintain a clean inventory. Existing findings for these missing assets remain until the asset is fully decommissioned.
      • Dynamic Remediation Mode: Automatically marks findings missing from the file as Resolved if the asset is still detected. Assets not mentioned in the file remain active to preserve historical context.

      Note: If your file contains only asset data (inventory-only), the platform defaults to Stable Inventory Mode. This mode keeps existing assets active even if they are missing from the new file, and the Incremental Sync Mode Selection window does not appear.

      Tip: You can switch between data update modes at any time by editing the connector configuration. For more information, see Manage Data Sources and Update Modes in Tenable One Open Connector.

  6. In the Test connectivity section, click Test Connectivity. Tenable Exposure Management validates the credentials and accessibility of the file path. You must pass this test before you can create the connector.

    If successful, Tenable Exposure Management displays the name of the file pulled by auto-discovery (for example, Recent File: abc.csv 2026-01-27).

    Important: If you change the credentials or remap a file, you must test the connectivity before you can save the connector.

  7. In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.

    Tip: For more information, see Connector Scheduling.
  8. Click File Preview to view the first 100 rows of the file.
  9. Click Next to proceed to asset type selection and field mapping.
  10. From the Asset type drop-down box, select the category that matches your data (e.g., Devices).

  11. Click Next.

    Note: This selection defines the Tenable mapping attributes available in the next step.

    The mapping page appears.

  12. Define how the connector interprets and aligns your source data with the Tenable Exposure Management standardized data model:

    Note: This mapping process ensures that Tenable Exposure Management normalizes and utilizes the asset and vulnerability data you import.

    1. Review the auto-suggested mappings and manually adjust them as needed. You must map the mandatory fields (like Asset Name or Finding ID) to continue.

    2. (Optional) Use the + button to add new mappings.

      TIP: To learn about the expected behavior and logic rules of how Tenable Exposure Management maps the source file columns, see .
    3. Click Save and continue.

      The Data Aggregation and Uniqueness page appears.

      Note: Tenable One Open Connector lets you define custom uniqueness criteria. You can tailor the Data Aggregation and Uniqueness settings to ensure Tenable Exposure Management correctly identifies your specific assets and findings as new records or updates.

  13. On the Data Aggregation and Uniqueness page, fill in the answers for the required questions:

    Question: Which fields uniquely identify a single asset?
    Description: Define what constitutes a unique device or resource in your file (e.g., using Asset ID alone, or a composite key like Asset Name + IP Address). This ensures that Tenable Exposure Management consolidates multiple rows referencing the same device into a single asset record for deduplication.

    Question: Which fields uniquely define a weakness?
    Description: Define which fields determine a unique security issue (the 'vulnerability'). This ensures a correct aggregation of all instances of that weakness across your entire asset inventory.

    Question: Which fields uniquely define a finding?
    Description: A finding is the combination of a unique asset and a unique weakness, plus any extra context. This key defines the single instance of a detection (e.g., CVE-123 on Server-A, Port 80). This field is automatically pre-populated with the unique key fields selected in Question 1 (Asset) and Question 2 (Weakness). You can then add fields like Port or Protocol to make the Finding more granular. If you want to change the foundational keys, you must change your answers to Question 1 or 2 first.

    Question: Which Tenable Exposure Category best describes the data in this file?
    Description: Tenable Exposure Management calculates the Asset Exposure Score (AES) using specialized risk models designed for Vulnerability Management (VM), Cloud Security Posture (CSP), Web Applications or Operational Technologies (OT). Select the category that best fits your data to ensure Tenable Exposure Management calculates risk accurately according to the established scoring methodology.

    Note: If your data does not align with one of the available categories, Tenable Exposure Management cannot calculate the specific AES for those assets.
  14. Click Save.

    The main setup page appears.

  15. If you selected Incremental Fetch and mapped findings, the Incremental Sync Mode Selection window appears. Select a mode for handling missing data:

    • Additive Only Mode: Keep all existing assets and findings active in the platform. Only new or updated data from your file will be processed. No data will be removed or archived.
    • Dynamic Remediation Mode: Findings missing from the file will be automatically marked as "Resolved." Assets not mentioned in the file will remain active to preserve their historical context.
    • Strict Inventory Mode: Assets missing from the file will be archived to keep your inventory clean. Existing findings for those assets will be retained until the asset is fully decommissioned.
    Note: If an asset-only file is used, Tenable Exposure Management defaults to Stable Inventory Mode and the pop-up does not appear.
  16. Click Create & Sync (or Save & Sync).

  17. (Optional) On the main connector setup page, view the Connector Logs to review any changes.
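
The ARN & External ID setup in step 2 of the procedure above, written out as the IAM policy documents it produces, with a check that flags any grant wider than ListBucket and GetObject on the one bucket. This is an added example, not Tenable's code: the function names, the bucket name and the sample external ID are assumptions, and the external ID pattern follows the character list exactly as this page gives it.

```python
import json
import re

TENABLE_ACCOUNT_ID = "012615275169"  # account ID from step 10 on this page
# External ID rule as stated on this page: 2-1224 characters, A-Z a-z 0-9 = , . @ : / - _
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9=,.@:/_-]{2,1224}")
# The only action/resource pairs the procedure grants ({b} = bucket name).
EXPECTED = {"s3:ListBucket": "arn:aws:s3:::{b}", "s3:GetObject": "arn:aws:s3:::{b}/*"}


def valid_external_id(value):
    return EXTERNAL_ID_RE.fullmatch(value) is not None


def read_policy(bucket):
    """Permissions policy from steps 2-4: one statement per action/resource pair."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": a, "Resource": r.format(b=bucket)}
                          for a, r in EXPECTED.items()]}


def trust_policy(external_id):
    """Trust policy matching steps 9-12 and 14: Tenable account, external ID, no MFA."""
    if not valid_external_id(external_id):
        raise ValueError("external ID breaks the length or character rule")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def as_list(value):
    return [value] if isinstance(value, str) else list(value)


def audit_read_policy(policy, bucket):
    """Report every Allow grant that goes beyond what the procedure asks for."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action not in EXPECTED:
                problems.append(f"unexpected action {action}")
                continue
            want = EXPECTED[action].format(b=bucket)
            for res in as_list(stmt.get("Resource", [])):
                if res != want:
                    problems.append(f"{action} on {res}, expected {want}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: bucket name and external ID are placeholders.
    print(json.dumps(read_policy("example-bucket"), indent=2))
    print(json.dumps(trust_policy("example-External_ID.01"), indent=2))
    too_broad = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print(audit_read_policy(too_broad, "example-bucket"))
```

Run the audit against the JSON tab of the policy you created before you paste the role ARN into the connector; an empty list means the role can only list the bucket and read its objects.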

Remap Columns

The Remap Columns option allows you to revise field mappings or uniqueness criteria for your existing S3 data source. Modifying these settings while using Incremental Fetch may require a data baseline reset to ensure platform integrity.

To remap columns:

  1. On the Connectors page, click the Tenable One Open Connector instance you want to edit.
  2. At the bottom right of the screen, click Remap Columns.

    The Map Attributes page appears.

  3. Remap the source columns to the platform attributes as needed.
  4. Click Next.

    The Data Aggregation and Uniqueness page appears.

  5. On the Data Aggregation and Uniqueness page, identify and apply any required changes to your unique identifiers.
  6. Click Save & Sync.
  7. Identify if a Data Sync Conflict alert appears.

    Important: If you use Incremental Fetch and modify field mappings or unique identifiers, you must force a baseline reset. Changing these IDs prevents Tenable Exposure Management from recognizing existing records and can cause data duplication.

  8. To proceed, select the Run next upload as "Override File (Full Fetch)" check box. After this initial full fetch, Tenable Exposure Management automatically resumes incremental syncs using your selected mode for all future updates.
  9. Click Update & Sync.

Note: If you need to switch your data source from manual upload to automated pulling, see Manage Data Sources and Update Modes in Tenable One Open Connector.

Tenable One Open Connector Data in Tenable Exposure Management

Locate Connector Assets in Tenable Exposure Management

As the connector discovers assets, Tenable Exposure Management ingests those devices for reporting.

To view assets by connector:

  1. In Tenable Exposure Management, navigate to the Assets page.

  2. In the Filters section, under Custom, click the connector name for which you want to view assets.

    The asset list updates to show only assets from the selected connector.

  3. Click on any asset to view Asset Details.

Locate Connector Weaknesses in Tenable Exposure Management

As the connector discovers weaknesses, Tenable Exposure Management ingests those weaknesses for reporting.

To view weaknesses by connector: 

  1. In Tenable Exposure Management, navigate to the Weaknesses page.

  2. In the Filters section, under Custom, click the connector name for which you want to view weaknesses.

    The weaknesses list updates to show only weaknesses from the selected connector.

  3. Click on any weakness to view Weakness Details.

Locate Connector Findings in Tenable Exposure Management

As the connector discovers individual findings, Tenable Exposure Management ingests those findings for reporting.

To view findings by connector:

  1. In Tenable Exposure Management, navigate to the Findings page.

  2. In the Filters section, under Custom, click the connector name for which you want to view findings.

    The findings list updates to show only findings from the selected connector.

  3. Click on any asset to view Finding Details.

Expected Post-Sync Behavior

After a successful synchronization, Tenable Exposure Management performs the following actions based on your selected sync mode:

  • Full fetch (override): Replaces all existing asset records and findings for the connector instance with the content of the new file. Tenable Exposure Management archives assets and marks findings as Fixed if they are missing from the latest upload.

  • Incremental fetch (update): Updates the existing baseline with only the new or changed data found in the file. Tenable Exposure Management reconciles missing assets or findings based on your selected delta mode (Additive Only, Strict Inventory, or Dynamic Remediation). If you upload an asset-only inventory file, the platform defaults to Stable Inventory Mode automatically.

  • Uniqueness and mapping changes: Applies updated uniqueness criteria or field mappings only after a mandatory Full Fetch baseline reset. Tenable Exposure Management does not retroactively modify data already ingested with previous uniqueness logic.

  • Data cleanup: Disregards previous values for any non-mandatory fields removed from the latest mapping.
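
The sync modes described above, modelled on a small baseline so you can see what happens to records that are absent from a new file before you pick a mode. This is an added example that models the documented behavior, not Tenable's implementation: the function name, status labels and sample keys are assumptions. It also assumes that Strict Inventory Mode leaves a missing finding untouched when its asset is still in the file, which the page does not state.

```python
MODES = ("full", "additive", "strict", "dynamic")


def reconcile(baseline, incoming, mode):
    """Apply one sync to a baseline and return (assets, findings) status maps.

    baseline / incoming: {asset_key: set of weakness keys}, i.e. the rows
    after the uniqueness keys from the mapping step have been applied.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    assets = {a: "active" for a in baseline}
    findings = {(a, w): "active" for a, ws in baseline.items() for w in ws}

    # Rows present in the file are processed in every mode.
    for asset, weaknesses in incoming.items():
        assets[asset] = "active"
        for w in weaknesses:
            findings[(asset, w)] = "active"

    missing_assets = set(baseline) - set(incoming)
    missing_findings = {(a, w) for a, ws in baseline.items()
                        for w in ws if w not in incoming.get(a, set())}

    if mode in ("full", "strict"):
        # Assets absent from the file are archived.
        for asset in missing_assets:
            assets[asset] = "archived"
    if mode == "full":
        # Full Fetch: every finding absent from the file becomes Fixed.
        for key in missing_findings:
            findings[key] = "fixed"
    elif mode == "dynamic":
        # Resolved only when the asset itself is still in the file.
        for asset, w in missing_findings:
            if asset in incoming:
                findings[(asset, w)] = "resolved"
    # "additive" changes nothing; "strict" keeps findings of archived assets
    # (and, as an assumption, missing findings on assets still in the file).
    return assets, findings


# Constructed sample data: asset and weakness keys are placeholders.
BASELINE = {"srv-a": {"W-1", "W-2"}, "srv-b": {"W-1"}}
NEW_FILE = {"srv-a": {"W-1"}, "srv-c": {"W-3"}}

if __name__ == "__main__":
    for mode in MODES:
        assets, findings = reconcile(BASELINE, NEW_FILE, mode)
        print(mode, assets, dict(sorted(findings.items())))
```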

Manual vs. Automated Data Validation and Synchronization

Tenable Exposure Management uses a combination of scheduled tasks and real-time triggers to ensure your ingested data remains current. Tenable Exposure Management applies the following logic to manage your S3 data pipeline:

  • Automated daily synchronization: Tenable Exposure Management performs an automated synchronization according to the Connector Scheduling setup.

  • Manual validation: To bypass the daily schedule and identify changes immediately, use the Test Connectivity feature to validate data manually.

Validate Data Manually

If you update a file in your S3 bucket and require an immediate synchronization, perform the following steps:

  1. On the Connectors page, click the Tenable One Open Connector you want to update.
  2. On the Connector Details page, click Test Connectivity.

    Tenable Exposure Management runs a validation check against the source file in your S3 bucket. Tenable Exposure Management identifies any structural or content changes made on the vendor side.

  3. Click Next.

    If the Tenable One Open Connector detects a change, a notification appears in the interface to alert you that the file has changed.

  4. Proceed with the process as usual. Tenable Exposure Management automatically ingests the updated file with the most recent data.

Detailed Data Flow Logic

If the file in your S3 bucket changes between auto-discovery and the final synchronization, Tenable Exposure Management applies the following logic:

  • New file detected: If a newer file exists, Tenable Exposure Management continues the current sync with the original file. The log alerts you that Tenable Exposure Management will pull the new file during the next sync.

  • File updated with non-mandatory column changes: If the file is updated with new or removed non-mandatory columns, Tenable Exposure Management continues the sync and alerts you in the log.

  • File updated with mandatory columns removed: If the update removes mandatory columns, the sync fails. You must update the mapping to proceed.

  • File deleted: If the file is removed from S3, the sync fails with a "File not found" message.

Synchronization Logic

The Tenable One Open Connector applies the following logic during automated cloud syncs:

  • File selection: If multiple files match the file pattern, Tenable Exposure Management selects the single file with the latest timestamp.

  • File override: In every successful pull, Tenable Exposure Management replaces the previous file for the specific connector ID.

  • No new file detected: Tenable Exposure Management compares the timestamp of available files against the last processed file. If no new file is found, Tenable Exposure Management skips the synchronization and displays the message "No new file detected".

  • Finding status: Tenable Exposure Management moves findings not included in the new file to the Fixed state.

  • Credentials or setup modification: If you change the credentials or remap a file, you must test the connectivity before you can save and sync the connector.

  • Full sync: In Full Fetch mode, Tenable Exposure Management archives assets and marks findings as Fixed if not present in the new file.
  • Incremental sync: Tenable Exposure Management reconciles missing data against the baseline based on your selected Delta mode.
  • Baseline Sync: Switching from Full to Incremental mode requires the next synchronization to run as a Full Fetch.

File Size and Log Requirements

Tenable Exposure Management enforces a 2 GB file size limit. If a file exceeds this limit, Tenable Exposure Management behaves as follows:

  • Initial setup: The error message “The file size exceeds the 2 GB limit” appears on the setup page and in the connector logs.

  • Secondary syncs: The error message appears in the connector logs only.

Connectivity Errors

If a sync or connectivity test fails, review the error messages to troubleshoot configuration issues.

Scenario                     Message
Authentication failure       "Failed test 1 out of 2: the credentials are not correct."
Missing mandatory columns    "File is missing mandatory columns and the data cannot be synced."
Empty file detected          "Sync Failed: No Records Found."
File too large               "The file size exceeds the 2 GB limit."