Link a BYOL Scanner to Tenable.io with Pre-Authorized Scanner Features

You can retain your pre-authorized AMI installation features when linking BYOL scanners to Tenable.io by using the following procedure.

Note: This feature is only available for Nessus versions 10.2.0 and later.
Caution: If you plan to downgrade a 10.2 Nessus scanner that was linked with the AWS scanner flag (see the following steps) to version 10.1.x or earlier, you need to manually unlink and relink the scanner after downgrading. Otherwise, Tenable.io will not recognize the scanner.

Before you begin:

Assign an IAM role to the Nessus instance you are deploying. For more information, see step 16 of Launch Pre-Authorized Nessus Scanner.

To link a BYOL scanner to Tenable.io with pre-authorized scanner features:

  • Do one of the following:

    • When you link the scanner to Tenable.io using the command line, as described in the Link to Tenable.io topic in the Nessus User Guide, use the optional --aws-scanner flag. For example:

      > nessuscli managed link --key=<LINKING KEY> --cloud --aws-scanner

    • When you deploy the scanner to Tenable.io using a JSON file, as described in the Deploy Nessus using JSON topic in the Nessus User Guide, set the aws_scanner flag to true. For example:

      # cat config.json
      {
          "link": {
              "name": "NAME",
              "host": "cloud.tenable.com",
              "port": 443,
              "key": "LINKING KEY",
              "retry": 1,
              "groups": ["group1"],
              "aws_scanner": true
          }
      }

Note: The scanner must already be running on an AWS instance for the flag to take effect.
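
A pre-deployment check for the JSON file described above, added here as an example; it is not part of Tenable's documentation or tooling. The function name, the sample inputs and the rule that only the JSON boolean true satisfies aws_scanner are assumptions based on the example shown on this page.

```python
import json

# Placeholder values as they appear in documentation examples, not real settings.
PLACEHOLDERS = {"", "LINKING KEY", "<LINKING KEY>"}

def check_link_config(text):
    """Return a list of problems in a Nessus config.json "link" block."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    link = cfg.get("link") if isinstance(cfg, dict) else None
    if not isinstance(link, dict):
        return ['no "link" object at the top level']
    problems = []
    # Assumption: only the JSON boolean true is accepted, as the page shows it;
    # the string "true", the number 1, or a missing field are reported.
    if link.get("aws_scanner") is not True:
        problems.append('"aws_scanner" must be the JSON boolean true')
    key = link.get("key")
    if not isinstance(key, str) or key.strip() in PLACEHOLDERS:
        problems.append('"key" is missing or still a placeholder')
    # Types below mirror the page's example (host string, numeric port).
    if not isinstance(link.get("host"), str) or not link.get("host"):
        problems.append('"host" must be a non-empty string')
    if type(link.get("port")) is not int:
        problems.append('"port" must be a number')
    return problems

# Constructed sample inputs (the key is a made-up value, not a real linking key).
GOOD = '''{ "link": { "name": "scanner-01", "host": "cloud.tenable.com",
  "port": 443, "key": "0123abcd-constructed-example", "retry": 1,
  "groups": ["group1"], "aws_scanner": true } }'''
STRING_FLAG = GOOD.replace('"aws_scanner": true', '"aws_scanner": "true"')
PLACEHOLDER_KEY = GOOD.replace("0123abcd-constructed-example", "LINKING KEY")
TRUNCATED = GOOD[:-1]  # final closing brace lost, as happens with a bad copy-paste

if __name__ == "__main__":
    for label, text in [("good", GOOD), ("string flag", STRING_FLAG),
                        ("placeholder key", PLACEHOLDER_KEY),
                        ("truncated", TRUNCATED)]:
        print(label, "->", check_link_config(text) or "ok")
```

Because config.json carries the linking key, keep the file readable only by the account that deploys the scanner.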