Configure AWS for Keyless Authentication (Manual)
Required User Role: Administrator
Before you begin:
- Enable CloudTrail and create a trail if one does not already exist.
Note: The trail must record Management Events with either the All or the Write-only setting, and logging must be turned on for the trail.
To configure AWS to support Tenable.io connectors via role delegation (keyless):
- In Tenable.io, record the External ID from the AWS connector pane. Note: The external ID is the same as the container ID.
- In your AWS account, create a cross-account role named tenableio-connector that delegates permissions to the Tenable AWS account, as described in the Amazon AWS documentation on creating a role to delegate permissions to another account.
In the navigation pane of the console, click Roles > Create role.
For role type, click Another AWS account.
- For Account ID, type the ID 012615275169. Note: 012615275169 is the account ID of the Tenable AWS account with which you are establishing a trust relationship to support AWS role delegation (keyless authentication).
Select the Require external ID checkbox, and type the External ID (Tenable container ID) that was recorded in Step 1.
- Click Next: Permissions.
- Create or reuse a policy with the following permissions:
AWS Service Permission Amazon EC2
Tenable recommends that you set the Resource (Amazon Resource Name) to * (all resources) for each AWS service. Keep the Action element limited to the permissions listed above; do not widen it to a wildcard such as ec2:* to go with the wildcard resource.
Click Next: Tagging.
- (Optional) Add any desired tags.
Click Next: Review.
- In the Role name box, type tenableio-connector. Caution: The role must be named tenableio-connector for the connector to work.
Review the role, ensuring that the role name is tenableio-connector, and then click Create role.
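The console steps above produce a trust (assume-role) policy on the tenableio-connector role. The following is an added example, not code from Tenable or from this page, that builds that trust policy for a given External ID and audits an existing one for the two mistakes that matter here: a missing sts:ExternalId condition (which leaves the role open to a confused-deputy attack, since any Tenable tenant could then ask Tenable to assume it) and a principal other than the Tenable account. The function names, the sample External ID "example-container-id" and the weak sample policies are assumptions made for illustration; the account ID 012615275169 and the role name come from the page.

```python
import json

# Values from the page: the Tenable AWS account the role must trust,
# and the fixed role name the connector looks for.
TENABLE_ACCOUNT_ID = "012615275169"
ROLE_NAME = "tenableio-connector"


def build_trust_policy(external_id, tenable_account_id=TENABLE_ACCOUNT_ID):
    """Return the trust policy the console steps create for tenableio-connector.

    Principal is the Tenable account; the sts:ExternalId condition pins the
    trust to this tenant's container ID so no other Tenable customer can have
    Tenable assume this role on their behalf.
    """
    if not external_id or not external_id.strip():
        raise ValueError("external_id must be the Tenable container ID, not empty")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:root" % tenable_account_id},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy, expected_external_id, tenable_account_id=TENABLE_ACCOUNT_ID):
    """Check a trust policy (e.g. the AssumeRolePolicyDocument returned by IAM).

    Returns a list of findings; an empty list means the policy matches what
    the procedure on this page requires.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM accepts a single statement object
        statements = [statements]
    if not statements:
        findings.append("policy has no statements")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue                           # not an assume-role grant
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("statement %d: Principal is *, any AWS account could assume the role" % i)
        else:
            aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
            if isinstance(aws_principals, str):
                aws_principals = [aws_principals]
            for p in aws_principals:
                if tenable_account_id not in p:
                    findings.append("statement %d: unexpected principal %s" % (i, p))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = cond.get("sts:ExternalId")
        if ext is None:
            findings.append("statement %d: no sts:ExternalId condition (confused-deputy risk)" % i)
        elif ext != expected_external_id:
            findings.append("statement %d: sts:ExternalId %r does not match the container ID" % (i, ext))
    return findings


if __name__ == "__main__":
    # "example-container-id" is a placeholder; use the External ID recorded in Step 1.
    policy = build_trust_policy("example-container-id")
    print(json.dumps(policy, indent=2))  # redirect to a file to use with the AWS CLI
    print("findings:", audit_trust_policy(policy, "example-container-id"))
```

Write the printed JSON to a file and pass it as --assume-role-policy-document file://trust.json to aws iam create-role --role-name tenableio-connector; to re-check a role later, run audit_trust_policy on the AssumeRolePolicyDocument that aws iam get-role returns.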
What to do next: