Launch Pre-Authorized Nessus Scanner

Note: You do not need SSH access or a key pair to launch the instance.

Note: You must use an Elastic IP address for the scanner to work properly.

  1. In the top-menu bar, click Services.
  2. In the Compute section, click EC2 to begin launching the pre-authorized scanner instance.

    The EC2 Dashboard appears.

  3. Click Launch Instance to create an Amazon EC2 instance (virtual server).

    The Choose an Amazon Machine Image (AMI) page appears.

  4. In the left panel, click AWS Marketplace.

  5. In the Search box, type Tenable.
  6. On your keyboard, press Enter.
  7. Select Nessus Scanner (Pre-Authorized).

  8. Click Continue.

    The Step 2: Choose an Instance Type page appears.

  9. Select the instance type for the scanner.

    Note: The available instances meet the minimum product requirements; however, Tenable recommends selecting the instance type that best suits your specific needs. For more information, see Nessus General Requirements.

    Tip: The instances offer various combinations of CPU, memory, storage and network performance. Refer to Amazon EC2 Pricing for more details on Amazon’s pricing structure.

  10. Click Next: Configure Instance Details.

    The Step 3: Configure Instance Details page appears.

  11. In the Number of Instances field, type the number of AMI instances to deploy.

  12. In the Purchasing Option section, select the Request Spot Instances check box to launch an instance at spot prices rather than on-demand prices. Refer to Spot Instances for details.

    Note: By default, this option is disabled.

  13. From the Network drop-down box, select the Amazon VPC in which to launch the instance.

    Tip: To create a new VPC, click Create new VPC.

  14. From the Subnet drop-down box, select the subnet within the previously chosen VPC.

    Tip: To create a new subnet, click Create new subnet.

  15. Choose an IP address/subnet that permits the scanner to access https://cloud.tenable.com and AWS APIs.

    Note: (Optional) To request a public IP address from Amazon’s public pool, enable the Auto-assign Public IP option.

  16. From the IAM Role drop-down box, select the required IAM role.

    Tip: To create a new role, click Create new IAM role and follow the Create AWS IAM Role instructions in this document. For more information on IAM roles, refer to IAM Roles for Amazon EC2.

  17. From the Shutdown Behavior drop-down box, select either Stop or Terminate to determine the instance behavior when an OS-level shutdown is performed.
  18. (Optional) To prevent an instance from accidentally being terminated, select the Enable termination protection check box.
  19. (Optional) To monitor, collect, and analyze metrics about the instances, select the Monitoring check box.

  20. (Optional) To improve the performance of Amazon EBS volumes by using dedicated throughput between Amazon EC2 and Amazon EBS, ensure the EBS-optimized instance check box is selected.
  21. From the Tenancy drop-down box, select whether you want the instance to run on a dedicated or shared host. For more information on dedicated hosts, refer to Amazon EC2 Dedicated Hosts.

    Note: By default, the Shared option is selected.

  22. Click Advanced Details.

  23. In the User Data section, select the As Text radio button.
  24. In the text field, enter the scanner name, the Linking Key previously copied from Tenable.io, and the previously created IAM role in JSON format:
    {
    "name": "AWS_Scanner",
    "key": "d92a78e1177ff9ead79176b34c5de936ce00f0a7.......",
    "iam_role": "TenableIO",
    "proxy": "10.11.12.13",
    "proxy_port": "8080"
    }

    Note: After copying and pasting the above code block, be sure to add 4 spaces to the beginning of each line within the curly brackets. This ensures the JSON is parsed correctly.

    Note: The Linking Key and IAM role are both required entries in the User Data field. Other acceptable entries include:

    Parameter     Description
    name          Name of the scanner shown in the Nessus UI (recommended). If a name is not specified, it defaults to the instance ID.
    key           Linking key used to register the scanner with Tenable.io. Only used during initial registration (required).
    iam_role      Name of the IAM role assigned to the scanner instance (required).
    proxy         FQDN/IP address of the proxy, if required.
    proxy_port    Port used to connect to the proxy, if required.

  25. Click Next: Add Storage.

    The Step 4: Add Storage page appears.

  26. In the Size field, enter a value of 30 or higher.

    Note: Tenable requires the pre-authorized Nessus scanners to have a minimum of 30 GB of storage.

  27. Select the Delete on Termination check box.
  28. Click Next: Add Tags.

    The Step 5: Add Tags page appears.

  29. Click Add another tag for as many tags as you want to create to help manage and categorize your AWS EC2 resources.

    Note: Each tag requires both a Key and a Value, and each resource can have a maximum of 10 tags. For more information on tags, refer to Tagging Your Amazon EC2 Resources.

  30. Click Next: Configure Security Group.

    The Step 6: Configure Security Group page appears.

    Tip: Here, you are creating a security group that contains only the Nessus scanner. You create it so that you can later reference it as the source in the inbound rules of the security groups of your scan targets.

  31. In the Assign a security group section, select the Create a new security group radio button.

  32. In the Security group name field, enter a descriptive name for the security group.
  33. In the Description field, enter a description of the security group.
  34. In the Rules section below, click the X to the right of the Security Group rule to delete it.

    Note: There is no need to access the AMI directly, so removing this rule leaves the security group with no inbound rules, which is effectively a deny-all firewall for inbound traffic.

  35. Click Review and Launch.

    The Step 7: Review Instance Launch page appears.

  36. Once you have reviewed the instance, click Launch.

    A key pair page appears.

  37. In the Select an existing key pair or create a new pair dialog box, from the drop-down box, select Proceed without a key pair.

    Tip: No key pair is needed because the instance does not listen on any ports, so there is no way to connect to it.

  38. Check the Acknowledge check box.
  39. Click Launch Instances. The new instance appears in your instance list. Once the newly created instance finishes initializing, the Instance State appears as running.

    Note: If any configuration information is incorrect, the scanner does not link. Stop the launch, edit the configuration information, and restart the launch.
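As an added example that is not part of Tenable's documentation, the following Python pre-flight check validates a planned launch against the constraints in the steps above (required User Data fields, a matching IAM role, the 30 GB minimum, Delete on Termination, no inbound rules, and an Elastic IP) before you click Launch Instances. The launch dict shape and the sample values are assumptions made for this example, and the linking key is a placeholder, not a real key.

```python
import json

REQUIRED_FIELDS = {"key", "iam_role"}            # required per the User Data table above
OPTIONAL_FIELDS = {"name", "proxy", "proxy_port"}
MIN_VOLUME_GB = 30                               # minimum storage from the Add Storage step


def check_user_data(text):
    """Return the list of problems in the User Data JSON (empty when it is acceptable)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"user data is not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(data, dict):
        return ["user data must be a single JSON object"]
    problems = [f"missing required field '{k}'" for k in sorted(REQUIRED_FIELDS - data.keys())]
    problems += [f"unknown field '{k}'" for k in sorted(data.keys() - REQUIRED_FIELDS - OPTIONAL_FIELDS)]
    problems += [f"field '{k}' must be a non-empty string"
                 for k, v in data.items() if not isinstance(v, str) or not v.strip()]
    if ("proxy" in data) != ("proxy_port" in data):
        problems.append("proxy and proxy_port must be given together")
    port = data.get("proxy_port")
    if isinstance(port, str) and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("proxy_port must be a TCP port number from 1 to 65535")
    return problems


def preflight(launch):
    """Check a whole launch configuration (a dict shaped like SAMPLE_LAUNCH) against the steps above."""
    problems = check_user_data(launch["user_data"])
    if not problems and json.loads(launch["user_data"])["iam_role"] != launch["instance_profile"]:
        problems.append("iam_role in user data does not match the instance's IAM role")
    if launch["volume_gb"] < MIN_VOLUME_GB:
        problems.append(f"root volume is {launch['volume_gb']} GB; minimum is {MIN_VOLUME_GB} GB")
    if not launch["delete_on_termination"]:
        problems.append("Delete on Termination is not set on the root volume")
    if launch["inbound_rules"]:   # the security group step removes every inbound rule
        problems.append("security group still has inbound rules; the scanner needs none")
    if not launch["elastic_ip"]:
        problems.append("no Elastic IP address is associated with the scanner")
    return problems


# Constructed sample in the page's User Data format; the linking key is a placeholder, not a real key.
SAMPLE_USER_DATA = ('{"name": "AWS_Scanner", "key": "LINKING_KEY_PLACEHOLDER", '
                    '"iam_role": "TenableIO", "proxy": "10.11.12.13", "proxy_port": "8080"}')
SAMPLE_LAUNCH = {"user_data": SAMPLE_USER_DATA, "instance_profile": "TenableIO", "volume_gb": 30,
                 "delete_on_termination": True, "inbound_rules": [], "elastic_ip": True}
```

Run preflight on your planned values before launching; an empty list means every constraint from the steps above is met, otherwise each problem names the setting to fix.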

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.