Create Security Group to Permit Scanning

The following steps describe how to create a security group that allows all inbound access from the Nessus scanner. Any EC2 instance that this security group is applied to can be scanned by Nessus scanner.

  1. In the left-hand menu, click Security Groups.
  2. Click Create Security Group.

  3. In the Security group name field, enter a name for the security group.

  4. In the Description field, enter a description for the security group.
  5. From the VPC drop-down box, select the appropriate network for the security group.
  6. Click Add Rule to create an inbound security group.
  7. From the Type drop-down box, select All TCP.
  8. In the CIDR, IP or Security Group box, enter the name of the previously created security group.
  9. Repeat steps 6-8 for All UDP and All ICMP types.

    Tip: The rules give the Nessus scanner's security group full access to the scan targets (any EC2 instances assigned to this security group).

  10. Click Create.

Note: If your organization requires whitelisting of outbound traffic for the Pre Authorized Scanner, you can specify the required API IP address ranges for Tenable and AWS in the Security Group section under EC2. Click the Pre-Authorized Security Group and edit the outbound rules. See the Tenable API IPs and AWS API IPs documentation for more information.