Create Security Group to Permit Scanning

Caution: This version of the AWS pre-authorized scanner has been removed and is no longer available to new customers.

The following steps describe how to create a security group that allows all inbound access from the Tenable Nessus scanner. The Tenable Nessus scanner can scan any EC2 instance that this security group is applied to.

  1. In the left-hand menu, click Security Groups.
  2. Click Create Security Group.
  3. In the Security group name field, enter a name for the security group.
  4. In the Description field, enter a description for the security group.
  5. From the VPC drop-down box, select the appropriate network for the security group.
  6. Click Add Rule to create an inbound security group rule.
  7. From the Type drop-down box, select All TCP.
  8. In the CIDR, IP or Security Group box, enter the name of the previously created security group (the Tenable Nessus scanner's security group).
  9. Repeat steps 6-8 for All UDP and All ICMP types.

    Tip: The rules give the Tenable Nessus scanner's security group full access to the scan targets (any EC2 instances assigned to this security group).

  10. Click Create.
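
Once the group exists, its inbound rules can be checked against steps 6-9. The following is an added example, not Tenable's code: it audits a group given in the EC2 DescribeSecurityGroups response shape and reports any rule whose source is not the scanner's security group, or any of the three rule types that is missing. The group IDs, the helper names and the sample data are constructed for illustration.

```python
# Added example: audit a security group against steps 6-9.
# Input uses the EC2 DescribeSecurityGroups response shape; IDs are constructed.
SCANNER_SG = "sg-11111111111111111"   # constructed: the scanner's security group

# Console types "All TCP" / "All UDP" / "All ICMP" as (FromPort, ToPort).
REQUIRED = {"tcp": (0, 65535), "udp": (0, 65535), "icmp": (-1, -1)}

def audit_scan_group(group, scanner_sg_id):
    """Return findings; an empty list means the group matches the procedure."""
    findings, covered = [], set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        sources = {p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])}
        # A CIDR source opens the targets to more than the scanner's group.
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for rng in perm.get(key, []):
                findings.append(f"{proto}: CIDR source {rng[field]}")
        for other in sorted(sources - {scanner_sg_id}):
            findings.append(f"{proto}: unexpected source group {other}")
        if scanner_sg_id in sources:
            if proto == "-1":                      # "All traffic" covers all three
                covered.update(REQUIRED)
            elif REQUIRED.get(proto) == (perm.get("FromPort"), perm.get("ToPort")):
                covered.add(proto)
    for proto in sorted(set(REQUIRED) - covered):
        findings.append(f"{proto}: no All {proto.upper()} rule from {scanner_sg_id}")
    return findings

def _rule(proto, ports, group_id=None, cidr=None):
    """Build one constructed IpPermissions entry."""
    return {"IpProtocol": proto, "FromPort": ports[0], "ToPort": ports[1],
            "UserIdGroupPairs": [{"GroupId": group_id}] if group_id else [],
            "IpRanges": [{"CidrIp": cidr}] if cidr else [], "Ipv6Ranges": []}

# Constructed sample: group built as in the procedure.
GOOD = {"GroupId": "sg-22222222222222222",
        "IpPermissions": [_rule(p, r, group_id=SCANNER_SG) for p, r in REQUIRED.items()]}
# Constructed sample: TCP opened to the internet, ICMP rule missing.
BAD = {"GroupId": "sg-33333333333333333",
       "IpPermissions": [_rule("tcp", (0, 65535), cidr="0.0.0.0/0"),
                         _rule("udp", (0, 65535), group_id=SCANNER_SG)]}

if __name__ == "__main__":
    for g in (GOOD, BAD):
        print(g["GroupId"], audit_scan_group(g, SCANNER_SG) or "OK")
```
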

Note: If your organization requires allowlisting of outbound traffic for the Pre-Authorized Scanner, you can specify the required API IP address ranges for Tenable and AWS in the Security Group section under EC2. Click the Pre-Authorized Security Group and edit the outbound rules. See the Tenable API IPs and AWS API IPs documentation for more information.