Pre-Authorized Scanner

The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

To begin the Pre-Authorized Scanner AWS configuration, you must first create an Identity and Access Management (IAM) role. This role eliminates the need to store AWS access keys by providing the scanner instance with temporary AWS credentials. Once created, the IAM role is assigned to the Nessus instance(s), as described in the Launch Nessus Scanner Instance section below. This role must also have the Describe VPC Peering Connections permission. The VPC peering relationship must be from the VPC containing the pre-authorized Nessus scanner (the requester) to the VPC(s) you want to scan.

Note: Pre-Authorized Scanner scans target hosts by instance ID and cannot target hosts by IP address. Configuring a Pre-Authorized Scanner scan to target hosts by IP address returns an error.
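
The peering-direction requirement above can be checked before a scan is configured. The following is an added example, not Tenable's code: it reads output in the shape of `aws ec2 describe-vpc-peering-connections` and reports, for each VPC you want to scan, whether the scanner VPC is the requester. The VPC and connection IDs are constructed, and treating only `active` connections as valid is an assumption.

```python
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-vpc-peering-connections` (all IDs are made up).
SAMPLE = json.loads("""
{"VpcPeeringConnections": [
  {"VpcPeeringConnectionId": "pcx-0aaa", "Status": {"Code": "active"},
   "RequesterVpcInfo": {"VpcId": "vpc-scanner"},
   "AccepterVpcInfo": {"VpcId": "vpc-app"}},
  {"VpcPeeringConnectionId": "pcx-0bbb", "Status": {"Code": "active"},
   "RequesterVpcInfo": {"VpcId": "vpc-db"},
   "AccepterVpcInfo": {"VpcId": "vpc-scanner"}},
  {"VpcPeeringConnectionId": "pcx-0ccc", "Status": {"Code": "pending-acceptance"},
   "RequesterVpcInfo": {"VpcId": "vpc-scanner"},
   "AccepterVpcInfo": {"VpcId": "vpc-batch"}}
]}
""")


def check_peering(response, scanner_vpc, target_vpcs):
    """Return {target_vpc: verdict} for each VPC you intend to scan."""
    verdicts = {vpc: "no peering with scanner VPC" for vpc in target_vpcs}
    for pcx in response.get("VpcPeeringConnections", []):
        requester = pcx["RequesterVpcInfo"]["VpcId"]
        accepter = pcx["AccepterVpcInfo"]["VpcId"]
        status = pcx["Status"]["Code"]
        pcx_id = pcx["VpcPeeringConnectionId"]
        if requester == scanner_vpc and accepter in verdicts:
            # Correct direction: scanner VPC requested the peering.
            if status == "active":  # assumption: only active peerings count
                verdicts[accepter] = "ok"
            elif verdicts[accepter] != "ok":
                verdicts[accepter] = f"{pcx_id} is {status}, not active"
        elif accepter == scanner_vpc and requester in verdicts:
            # Wrong direction: the target VPC requested the peering.
            if verdicts[requester] != "ok":
                verdicts[requester] = f"{pcx_id} is reversed: scanner VPC is the accepter"
    return verdicts


if __name__ == "__main__":
    targets = ["vpc-app", "vpc-db", "vpc-batch", "vpc-other"]
    for vpc, verdict in check_peering(SAMPLE, "vpc-scanner", targets).items():
        print(f"{vpc}: {verdict}")
```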