Configure Amazon Web Services (AWS)
The Amazon Web Services (AWS) Connector provides real-time visibility and inventory of Elastic Compute Cloud (EC2) assets in AWS accounts.
Before you can use Tenable.io AWS connectors to analyze your assets, you must configure your AWS account to communicate with Tenable.io. Tenable.io AWS connectors support two authentication methods in order to access your EC2 assets in your AWS accounts, keyless authentication or key-based authentication.
Keyless authentication via AWS role delegation is the default authentication method. To use keyless authentication, you must establish a trust relationship between your AWS accounts and Tenable's AWS account. In this scenario, your AWS accounts communicate with a trusted Tenable AWS account that communicates with your AWS connector. Keyless authentication supports two methods to link additional AWS accounts.
- Your AWS Root Organizations Account can be configured to support the Auto Discovery feature to automatically discover your linked AWS accounts.
- You can configure linked AWS accounts manually when creating the AWS Connector.
If you want to use the Auto Discovery feature with keyless authentication, you must enable AWS Organizations and assign a ListAccounts policy. This policy allows the Tenable AWS Account to automatically find other AWS accounts in your organization, as shown in the diagram below.
To configure keyless authentication with auto discovery, see Keyless Authentication with Auto Discovery Workflow.
If you do not want to use the Auto Discovery feature or if you are not using AWS Organizations, you can manually configure linked AWS accounts as shown in the diagram below.
To configure keyless authentication without auto discovery (manual), see Keyless Authentication with Manual Linked Accounts Workflow.
The key-based authentication method uses an IAM user with permissions and a secret key and access key. In this scenario, the Tenable.io AWS connector authenticates with your primary AWS account via a secret key and an access key. Additionally, you can manually configure secondary linked AWS accounts with trust relationships to your primary AWS account, as shown in the diagram below.
To configure key-based authentication, see Key-based Authentication Workflow.