Audit the AWS Environment

You can audit the Amazon Web Services environment to detect misconfigurations in your cloud environment and account settings. Complete the following steps to configure AWS for successful Audit Cloud Infrastructure assessments.

Note: Tenable recommends that you create a new, read-only AWS IAM user that is used only for these scans, so that the scanner's access key grants nothing beyond read access and can be revoked without affecting anything else. If you experience issues, see AWS Audit Troubleshooting.

To audit the AWS environment, you must complete the following tasks, in order:

  1. Create a Read-Only Group in AWS
  2. Create a Scanning User in AWS
  3. Configure the AWS Audit Cloud Infrastructure scan
  4. View Audit Details in the Scan Results

Create a Read-Only Group in AWS

To create a read-only group in AWS:

  1. Log in to your AWS account.

  2. Click My Account > AWS Management Console.

    The AWS Management Console appears.

  3. Click Services.

    The Services page appears.

  4. In the Security, Identity, and Compliance section, click IAM.

    The IAM control panel appears.

  5. In the left panel, click Groups.

    The Groups page appears.

  6. Click Create New Group.

    The Create New Group Wizard appears.

  7. In the Group Name box, type a name for the read-only group.

  8. Click Next Step.

    The Attach Policy screen appears.

  9. Select the ReadOnlyAccess AWS managed policy.

  10. (Optional) On the Attach Policy screen, also select the SecurityAudit AWS managed policy.

    Note: ReadOnlyAccess is broad. It grants read actions across nearly every AWS service, including reads of data such as S3 object contents, not only configuration metadata. SecurityAudit is scoped to the configuration metadata that a security assessment needs. Attach only what the audit files you plan to run require, and do not attach any policy that permits write actions to this group.

  11. Click Next Step.

    The Review page appears.

  12. Review the group information.
  13. Click Create Group.

    AWS creates the read-only group.

Create a Scanning User in AWS

To create a scanning user in AWS:

  1. Log in to your AWS account and open the IAM control panel (Services > IAM).

  2. In the left panel, click Users, then click Add user.

    The Add user page appears.

  3. In the Set user details section, in the User name text box, type a name for the user.
  4. In the Select AWS access type section, select the Programmatic access check box. This creates an access key pair for the user instead of a console password; the scanner authenticates with the key pair only.

  5. Click Next: Permissions.

    The Set permissions page appears.

  6. Click Add user to group.
  7. In the Add user to group section, select the read-only group you previously created.

  8. Click Next: Tags.

    The Tags page appears.

  9. (Optional) Configure any tags you want to add to the user profile.
  10. Click Next: Review.

    The Review page appears.

  11. Review the user profile.
  12. Click Create User.

    An Access key ID and Secret access key appear.

  13. Copy the Access key ID and Secret access key; you need both to configure the Audit Cloud Infrastructure scan. AWS displays the secret access key only once, so store it in a secrets manager or password vault rather than in a file, email, or ticket, and rotate it on the schedule your key-management policy requires.
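The two AWS sections above (Create a Read-Only Group and Create a Scanning User) are console click-paths. As an added example that is not Tenable's or AWS's own code, the script below expresses the same steps as the equivalent `aws iam` CLI commands, rendered for review before you run them, and adds a least-privilege check, `check_read_only()`, that inspects a policy document and reports (a) any allowed action whose verb is not a read verb, including wildcards, and (b) read actions that return customer data rather than configuration, which a settings audit does not need. The group and user names, the two sample policy documents and the list of data-read actions are assumptions constructed for illustration; the managed policy ARNs and CLI subcommands are real.

```python
"""Added example; not Tenable's or AWS's code. setup_commands() renders the
Create a Read-Only Group and Create a Scanning User steps as `aws iam` CLI
commands; check_read_only() vets a policy document before you trust it as
"read-only". Names and sample policies are constructed for illustration."""
import fnmatch
import shlex

READ_ONLY_GROUP = "TenableReadOnly"    # assumed group name
SCANNER_USER = "tenable-scanner"       # assumed user name

# AWS managed policies named in the procedure (real ARNs).
MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
]

# Verbs that only read; any other verb in an Allow statement is suspect.
READ_PREFIXES = ("Describe", "Get", "List", "Lookup", "Search", "View", "Query", "Scan")

# Read actions that return data rather than configuration.
# Illustrative subset, not exhaustive; a settings audit does not need these.
DATA_READ_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "lambda:GetFunction",
    "sqs:ReceiveMessage",
}


def setup_commands(group=READ_ONLY_GROUP, user=SCANNER_USER):
    """The console steps as argv lists: create the group, attach both managed
    policies, create the user, add it to the group, then mint an access key."""
    cmds = [["aws", "iam", "create-group", "--group-name", group]]
    for arn in MANAGED_POLICY_ARNS:
        cmds.append(["aws", "iam", "attach-group-policy",
                     "--group-name", group, "--policy-arn", arn])
    cmds += [
        ["aws", "iam", "create-user", "--user-name", user],
        ["aws", "iam", "add-user-to-group", "--group-name", group, "--user-name", user],
        ["aws", "iam", "create-access-key", "--user-name", user],
    ]
    return cmds


def render(cmds):
    """Shell-quoted script text, one command per line, for review before running."""
    return "\n".join(shlex.join(c) for c in cmds)


def _as_list(value):
    """IAM allows a single string/object or a list in Statement and Action."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_read_only(policy):
    """Return (not_read_only, data_reads) for the Allow statements of a policy.

    not_read_only: actions whose verb is not a read verb, including "*" and
                   service wildcards such as "lambda:*".
    data_reads:    entries of DATA_READ_ACTIONS that the policy's actions or
                   patterns (e.g. "s3:Get*") would permit.
    Deny statements are skipped: they narrow, never widen, what is granted."""
    not_read_only, data_reads = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if not verb or verb == "*" or not verb.startswith(READ_PREFIXES):
                not_read_only.add(action)
            for data_action in DATA_READ_ACTIONS:
                if fnmatch.fnmatchcase(data_action, action):
                    data_reads.add(data_action)
    return sorted(not_read_only), sorted(data_reads)


# Constructed sample: a narrow inline policy for a settings-only scanner.
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "cloudtrail:DescribeTrails",
                   "s3:GetBucketPolicy", "s3:ListAllMyBuckets"],
        "Resource": "*",
    }],
}

# Constructed sample: shaped like a hand-rolled "read-only" policy that is not.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*", "dynamodb:Scan", "iam:PassRole", "lambda:*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(render(setup_commands()))
    for name, policy in (("narrow", NARROW_POLICY), ("broad", BROAD_POLICY)):
        bad, data = check_read_only(policy)
        print(f"{name}: not read-only={bad} data reads={data}")
```

Run `check_read_only()` against any inline or customer-managed policy you consider attaching to the scanning group (for example the output of `aws iam get-policy-version`); an empty first list is the minimum bar, and anything in the second list is worth justifying before the scanner's key can reach it. The `create-access-key` call at the end returns the secret access key exactly once, the same as the console, so capture it straight into your secrets store.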

Configure AWS Audit Cloud Infrastructure in

To configure AWS Audit Cloud Infrastructure in

  1. Log in to
  2. In the top navigation bar, click Scans.

    The My Scans page appears.

  3. In the upper-right corner, click the New Scan button.

    The Scan Templates page appears.

  4. Click Audit Cloud Infrastructure.

    The New Scan page appears.

  5. On the Settings tab, type a name for the scan.
  6. Click the Compliance tab.

    The Compliance options appear.

  7. Click AMAZON AWS.
  8. Select the appropriate audit files for the scan.

    When you select an audit file, it is added to the list in the right pane.

  9. Click the Credentials tab.

    The Credentials options appear.

  10. In the ADD CREDENTIALS section, select Amazon AWS.
  11. In the AWS Access Key ID text box, type the Access key ID you copied in the Create a Scanning User in AWS section.
  12. In the AWS Secret Key text box, type the Secret access key you copied in the Create a Scanning User in AWS section.

  13. From the Regions to Access drop-down box, select the region or regions you want the scan to audit. Resources in regions you do not select are not assessed.
  14. Do one of the following:
    • To save without launching the scan click Save.
    • To save and launch the scan immediately, click the drop-down arrow next to Save and select Launch.

Tip: If you experience aborted scans or are unable to find a matching scanner route, you may need to specify a dedicated scanner and re-scan. For troubleshooting help, see AWS Audit Troubleshooting. For more information on scans, see the User Guide.

View Audit Details in the Scan Results

After the scan completes, you can analyze the results from the Scans page.

To view audit details in the scan results:

  1. Log in to
  2. In the top navigation bar, click Scans.
  3. Click the Audit Cloud Infrastructure scan you previously created.
  4. Click the Audits tab.

  5. Click an audit in the table to view audit details, including the Description, Reference Information, and Solution.