AWS Connector

The AWS Connector provides real-time visibility and inventory of EC2 assets in AWS accounts. The AWS connector refreshes every 30 minutes. The licensing implications are as follows:

  • Assets discovered through the connector do not count against the license until and unless the asset is scanned for vulnerabilities. Discovery through the connector is free.
  • Assets discovered through the connector that did become licensed (because they were scanned) are removed from the license count the day after CloudTrail shows the asset was terminated. This termination event is observed via the AWS connector.

    Note: Because Tenable retains the asset vulnerability data for 15 months, the instance may still appear on your dashboard after termination.

Configure the AWS Connector

To configure AWS to support Tenable.io connectors via role delegation (keyless):

  1. In Tenable.io, record the External ID from the AWS connector pane.

    Note: The external ID is the same as the container ID.

  2. In your AWS account, create a role named tenableio-connector to delegate permissions to an IAM user, as described in the Amazon AWS documentation.
    1. In the navigation pane of the console, click Roles > Create role.

    2. For role type, click Another AWS account.

    3. For Account ID, type the ID 012615275169.
      Note: 012615275169 is the account ID of the Tenable AWS account with which you are establishing a trust relationship to support AWS role delegation (keyless authentication).
    4. Select the Require external ID checkbox, and type the External ID (Tenable container ID) that was recorded in Step 1.

    5. Click Next: Permissions.
    6. Create or reuse a policy with the following permissions:

      AWS Service: Amazon EC2
      Permissions:
      • DescribeInstances

      AWS Service: AWS CloudTrail
      Permissions:
      • DescribeTrails
      • GetEventSelectors
      • GetTrailStatus
      • ListTags
      • LookupEvents

      Tenable recommends that you set Amazon Resource Name to * (all resources) for each AWS Service.

    7. Click Next: Tagging.

    8. (Optional) Add any desired tags.
    9. Click Next: Review.

    10. In the Role name box, type tenableio-connector.
      Caution: The role must be named tenableio-connector for the connector to work.
    11. Review the role, ensuring that the role name is tenableio-connector, and then click Create role.
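As an added example (not Tenable's code or documentation), the role created by the steps above expressed as the trust policy and permissions policy documents the console generates, together with an audit function a defender can run over an existing role's trust policy to confirm it still trusts only the Tenable account and still requires the external ID; the container ID values used are constructed placeholders:

```python
TENABLE_ACCOUNT_ID = "012615275169"  # Tenable account ID from the page

# Read-only actions listed on the page, in IAM "service:Action" form.
CONNECTOR_ACTIONS = [
    "ec2:DescribeInstances",
    "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors",
    "cloudtrail:GetTrailStatus", "cloudtrail:ListTags", "cloudtrail:LookupEvents",
]


def trust_policy(external_id):
    """Trust policy the console builds for 'Another AWS account' + 'Require external ID'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        # Without this condition, anyone who knows the (public) Tenable account ID
        # could point Tenable at your account: the classic confused-deputy problem.
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def permissions_policy():
    """Least-privilege permissions policy: only the describe/list calls the connector needs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": CONNECTOR_ACTIONS, "Resource": "*"}]}


def audit_trust_policy(policy, expected_external_id):
    """Return findings for a role's trust policy; an empty list means it matches the page."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = st.get("Principal", {}).get("AWS", [])
        principals = principals if isinstance(principals, list) else [principals]
        if any(not p.startswith(f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:") for p in principals):
            findings.append("AssumeRole allowed for a principal other than the Tenable account")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            findings.append("AssumeRole statement does not require the expected sts:ExternalId")
    return findings


# Constructed weak trust policy: wildcard principal and no external ID condition.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
```

Pass the trust policy returned by `aws iam get-role` (the `AssumeRolePolicyDocument` field) into `audit_trust_policy` with the External ID recorded in Step 1 to verify an already deployed role.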

What to do next:

See the AWS Connector Configuration Instructions for more information on configuring the connector.

Note: It is recommended that the customer create a separate account used only by Nessus, restricted to read-only access, when scanning AWS web services.