Configure Amazon Web Services (AWS)

The Amazon Web Services (AWS) Connector provides real-time visibility and inventory of Elastic Compute Cloud (EC2) assets in AWS accounts. The AWS connector refreshes every 30 minutes.

Before you can use AWS connectors to analyze your assets, you must configure your AWS account to communicate with the connector. AWS connectors support two authentication methods for accessing the EC2 assets in your AWS accounts: keyless authentication or key-based authentication.

Keyless Authentication

Keyless authentication via AWS role delegation is the default authentication method. To use keyless authentication, you must establish a trust relationship between your AWS accounts and Tenable's AWS account. In this scenario, your AWS accounts communicate with a trusted Tenable AWS account that communicates with your AWS connector. Keyless authentication supports two methods to link additional AWS accounts.

  • Your AWS Root Organizations Account can be configured to support the Auto Discovery feature to automatically discover your linked AWS accounts.
  • You can configure linked AWS accounts manually when creating the AWS Connector.

Auto Discovery

If you want to use the Auto Discovery feature with keyless authentication, you must enable AWS Organizations and assign a ListAccounts policy. This policy allows the Tenable AWS Account to automatically find other AWS accounts in your organization, as shown in the diagram below.

To configure keyless authentication with auto discovery, see Keyless Authentication with Auto Discovery Workflow.


If you do not want to use the Auto Discovery feature or if you are not using AWS Organizations, you can manually configure linked AWS accounts as shown in the diagram below.

To configure keyless authentication without auto discovery (manual), see Keyless Authentication with Manual Linked Accounts Workflow.
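
The trust relationship for keyless role delegation and the ListAccounts permission for Auto Discovery are IAM policy documents. The following Python is an added example, not code from the page or from Tenable: it builds the two policy documents and checks the trust policy for the weaknesses a reviewer would look for. The account ID and external ID are placeholders; requiring an sts:ExternalId condition is AWS's general guidance for third-party cross-account access and is assumed here, not taken from the page.

```python
import json

TRUSTED_ACCOUNT_ID = "111111111111"  # placeholder for the trusted (Tenable) AWS account ID
EXTERNAL_ID = "example-external-id"  # placeholder; assumed, not stated on the page


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy on the role in your account that the trusted account assumes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            # Assumed: an external ID limits who can trigger the assumption (confused-deputy mitigation).
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(auto_discovery: bool) -> dict:
    """Read-only EC2 inventory permissions; organizations:ListAccounts only when Auto Discovery is used."""
    actions = ["ec2:DescribeInstances", "ec2:DescribeRegions"]
    if auto_discovery:
        actions.append("organizations:ListAccounts")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


def trust_policy_findings(policy: dict) -> list:
    """Return problems found in a cross-account trust policy (empty list means acceptable)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", "*")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append("any AWS principal may assume the role")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"unexpected actions in trust policy: {actions}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```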

Key-based Authentication

The key-based authentication method uses an IAM user that has the required permissions together with an access key and a secret key. In this scenario, the AWS connector authenticates to your primary AWS account with that access key and secret key. Additionally, you can manually configure secondary linked AWS accounts that have trust relationships with your primary AWS account, as shown in the diagram below.

Note: AWS connectors configured with key-based authentication do not support the automatic discovery of AWS accounts. Additionally, key-based authentication is not recommended.

To configure key-based authentication, see Key-based Authentication Workflow.