Configure AWS for Keyless Authentication and Auto Discovery

Required User Role: Administrator

Before you begin:

  • Enable CloudTrail and create a trail if one does not already exist.

    Note: The trail must have logging turned on and must record management events with either the All or the Write Only setting.

    Note: When an AWS connector is used to import assets, we query all of the CloudTrail trails for that connector and determine the set of regions those trails receive events for. That set of regions is then used when making calls to the EC2 and CloudTrail APIs.

To configure AWS to support connectors via keyless authentication and auto discovery:

  1. In, record the External ID from the AWS connector pane.

    Note: The external ID is the same as the container ID.

  2. In each AWS account that you want to configure for auto discovery, create a role named tenableio-connector to delegate permissions to an IAM user, as described in the Amazon AWS documentation.
    1. In the navigation pane of the console, click Roles > Create role.

    2. For role type, click Another AWS account.

    3. For Account ID, type the ID 012615275169.
      Note: 012615275169 is the account ID of the Tenable AWS account with which you are establishing a trust relationship to support AWS role delegation (keyless authentication).
    4. Select the Require external ID checkbox, and type the External ID (Tenable container ID) that was recorded in Step 1.

    5. Click Next: Permissions.
    6. Create or reuse a policy with the appropriate permissions.

      AWS Service         Permission
      Amazon EC2          DescribeInstances
      AWS CloudTrail      DescribeTrails
                          GetEventSelectors
                          GetTrailStatus
                          ListTags
                          LookupEvents
      AWS Organizations   ListAccounts

      Note: The ListAccounts permission is required for auto discovery.

      Tenable recommends that you set the Amazon Resource Name (Resource) to * (all resources) for each AWS service. Every permission listed above is a read-only Describe, Get, List or Lookup call, so the wildcard resource does not grant any ability to change resources in the account.

    7. Click Next: Tagging.

    8. (Optional) Add any desired tags.
    9. Click Next: Review.

    10. In the Role name box, type tenableio-connector.
      Caution: The role must be named tenableio-connector for the connector to work.
    11. Review the role, ensuring that the role name is tenableio-connector, and then click Create role.
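As an added example (not part of the Tenable documentation), the following Python builds the same trust policy and permissions policy as JSON documents, for use with the AWS CLI or CloudFormation instead of the console, and includes a check that a trust policy really limits sts:AssumeRole to the Tenable account presenting the container ID as sts:ExternalId. The container ID value and the weak policy in the test are constructed placeholders; the account ID, role name and permissions come from the steps above.

```python
import json

TENABLE_ACCOUNT_ID = "012615275169"   # Tenable account ID from step 3
ROLE_NAME = "tenableio-connector"     # required role name from step 10

# IAM action names for the permissions table in step 6
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetEventSelectors",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:ListTags",
    "cloudtrail:LookupEvents",
    "organizations:ListAccounts",  # required for auto discovery
]


def trust_policy(external_id: str) -> dict:
    """Trust policy for steps 2-4: only the Tenable account may assume the
    role, and only when it presents the container ID as sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy() -> dict:
    """Read-only permissions policy for step 6 with Resource set to '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"}],
    }


def trust_policy_problems(doc: dict, external_id: str) -> list:
    """Review check: list every Allow sts:AssumeRole statement that trusts a
    principal other than the Tenable account or lacks the external ID condition."""
    expected_principal = f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:root"
    problems = []
    for st in doc.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal", {}).get("AWS")
        if principal != expected_principal:
            problems.append(f"unexpected principal: {principal}")
        if st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or wrong")
    return problems


if __name__ == "__main__":
    # "EXAMPLE-CONTAINER-ID" is a constructed placeholder for the External ID from step 1
    print(json.dumps(trust_policy("EXAMPLE-CONTAINER-ID"), indent=2))
```

The printed trust policy is the document to pass as --assume-role-policy-document when creating the role named tenableio-connector from the CLI, and permissions_policy() is the inline policy to attach to it.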

What to do next: