Security Hub

Once configured, the Tenable Vulnerability Management to AWS Security Hub Transformer lets Tenable Vulnerability Management send vulnerabilities to AWS Security Hub. This tool consumes Tenable Vulnerability Management asset and vulnerability data, transforms that data into the AWS Security Hub Finding format, and then uploads the resulting data into AWS Security Hub.
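
The transform-and-batch flow described above, sketched as an added example that is not the Transformer's own code. The input field names, the reading of `--since` as a filter on `last_found`, and the product ARN placeholder are assumptions; the 100-finding ceiling is the Security Hub BatchImportFindings per-call limit.

```python
from datetime import datetime, timezone

MAX_BATCH = 100  # BatchImportFindings accepts at most 100 findings per call
# Placeholder, not a real ARN; substitute your subscription's product ARN.
PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/EXAMPLE/EXAMPLE"
LABELS = {"info": "INFORMATIONAL", "low": "LOW", "medium": "MEDIUM",
          "high": "HIGH", "critical": "CRITICAL"}  # ASFF Severity.Label values

# Constructed records; these field names are hypothetical, not Tenable's schema.
SAMPLE = [
    {"instance_id": "i-0123456789abcdef0", "plugin_id": 10001, "severity": "high",
     "plugin_name": "Outdated package (constructed)", "description": "Sample A",
     "first_found": 1700000000, "last_found": 1700600000},
    {"instance_id": "i-0fedcba9876543210", "plugin_id": 10002, "severity": "medium",
     "plugin_name": "Weak cipher suite (constructed)", "description": "Sample B",
     "first_found": 1690000000, "last_found": 1700500000},
    {"instance_id": "i-0123456789abcdef0", "plugin_id": 10003, "severity": "low",
     "plugin_name": "Stale finding (constructed)", "description": "Sample C",
     "first_found": 1680000000, "last_found": 1690000000},
]

def iso(ts):
    """Unix timestamp to the ISO 8601 UTC string ASFF expects."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def to_finding(v, region, account_id, product_arn=PRODUCT_ARN):
    """Map one vulnerability record to the required ASFF fields."""
    arn = f"arn:aws:ec2:{region}:{account_id}:instance/{v['instance_id']}"
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{v['instance_id']}/{v['plugin_id']}",  # stable, so re-imports update
        "ProductArn": product_arn,
        "GeneratorId": f"plugin-{v['plugin_id']}",
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "CreatedAt": iso(v["first_found"]),
        "UpdatedAt": iso(v["last_found"]),
        "Severity": {"Label": LABELS[v["severity"]]},
        "Title": v["plugin_name"][:256],
        "Description": v["description"][:1024],
        "Resources": [{"Type": "AwsEc2Instance", "Id": arn, "Region": region}],
    }

def build_batches(vulns, since, batch_size, region, account_id):
    """Drop records last seen before `since`, transform, then split into batches."""
    size = max(1, min(batch_size, MAX_BATCH))
    findings = [to_finding(v, region, account_id) for v in vulns if v["last_found"] >= since]
    # Each batch would go to boto3.client("securityhub").batch_import_findings(Findings=batch)
    return [findings[i:i + size] for i in range(0, len(findings), size)]
```

Clamping the batch size keeps an oversized `--batch-size` value from producing calls that Security Hub rejects.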

Note: The script does not need to be run in AWS.

The tool can be run either as a one-shot Docker container or as a command-line tool:

  • To run as a Docker image, you must build the image and then pass the necessary secrets on to the container.
  • To run as a command-line tool, you must install the required Python modules and then run the tool, supplying the required parameters either as environment variables or as run-time parameters.


  • Tenable Vulnerability Management account
  • Tenable Vulnerability Management AWS connector enabled and configured
  • AWS Security Hub
  • Tenable Vulnerability Management Provider enabled and configured in Security Hub


To build the Docker image, run the following command:

docker build -t tio2sechub:latest .

To install the Python requirements, run the following command:

pip install -r requirements.txt

Enable Script in Security Hub

To enable the script in Security Hub:

  1. Log in to Security Hub.
  2. If you have not yet enabled Security Hub, click Enable Security Hub.
  3. Navigate to Settings > Providers.
  4. In the Search box, type Tenable.
  5. Click Configure.

    Your account subscribes to accept events from the script.


The following lists the command-line arguments as well as the equivalent environment variables:

usage: [-h] [--tio-access-key TIO_ACCESS_KEY]
       [--tio-secret-key TIO_SECRET_KEY]
       [--batch-size BATCH_SIZE] [--aws-region AWS_REGION]
       [--aws-account-id AWS_ACCOUNT_ID]
       [--aws-access-id AWS_ACCESS_ID]
       [--aws-secret-key AWS_SECRET_KEY]
       [--log-level LOG_LEVEL] [--since OBSERVED_SINCE]
       [--run-every RUN_EVERY]


optional arguments:
  -h, --help            show this help message and exit
  --tio-access-key TIO_ACCESS_KEY
                        Access Key
  --tio-secret-key TIO_SECRET_KEY
                        Secret Key
  --batch-size BATCH_SIZE
                        Size of the batches to populate into Security Hub
  --aws-region AWS_REGION
                        AWS region for Security Hub
  --aws-account-id AWS_ACCOUNT_ID
                        AWS Account ID
  --aws-access-id AWS_ACCESS_ID
                        AWS Access ID
  --aws-secret-key AWS_SECRET_KEY
                        AWS Secret Key
  --log-level LOG_LEVEL
                        Log level: available levels are debug, info, warn,
                        error, crit
  --since OBSERVED_SINCE
                        The unix timestamp of the age threshold
  --run-every RUN_EVERY
                        How many hours between recurring imports

To run the import once, run the following script:

./ \
--tio-access-key {TIO_ACCESS_KEY} \
--tio-secret-key {TIO_SECRET_KEY} \
--aws-region us-east-1 \
--aws-account-id {AWS_ACCOUNT_ID} \
--aws-access-id {AWS_ACCESS_ID} \
--aws-secret-key {AWS_SECRET_KEY}

To run the import once an hour, run the following script:

./ \
--tio-access-key {TIO_ACCESS_KEY} \
--tio-secret-key {TIO_SECRET_KEY} \
--aws-region us-east-1 \
--aws-account-id {AWS_ACCOUNT_ID} \
--aws-access-id {AWS_ACCESS_ID} \
--aws-secret-key {AWS_SECRET_KEY} \
--run-every 1

To run the same import using environment variables, run the following script:



export AWS_REGION="us-east-1"




export RUN_EVERY=1