Configure Vulnerability Scan using Agentless Assessment for AWS

Tenable Cloud Security triggers vulnerability scans on AMIs and EC2 instances as part of the cloud scanning process.

Before you Begin:

  • Onboard cloud accounts in Tenable Cloud Security. For more information about onboarding your AWS accounts, see Onboard AWS Accounts.

  • Create an IAM role that provides Tenable Cloud Security the following permissions:

    • Elastic Block Store:

      • ebs:ListSnapshotBlocks

      • ebs:ListChangedBlocks

      • ebs:GetSnapshotBlock

    • Key Management Service (KMS):

      Snapshots encrypted with KMS require that the IAM role used by Tenable Cloud Security be granted access to the KMS key that encrypted the snapshot. Modify the KMS key's resource policy to include the following permissions:

      • kms:Decrypt

      • kms:DescribeKey

  • Create snapshots in the AWS console.
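The two policy pieces the prerequisites above describe, written out as an added example (not Tenable's own policy text): an identity policy carrying the three EBS permissions for the scanner role, the statement to append to each KMS key's resource policy, and a small pre-flight check that reports which of the required KMS actions a key policy still fails to grant the role explicitly. The account ID and role name are placeholders, and the root-only key policy is a constructed sample of the common starting state.

```python
import json
from fnmatch import fnmatch
# Placeholder account and role name (assumptions, not values from the Tenable page).
ACCOUNT_ID = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/TenableCloudSecurityScanRole"
REQUIRED_KMS_ACTIONS = {"kms:Decrypt", "kms:DescribeKey"}

# Identity policy for the scanner role: the EBS direct-API permissions the page lists,
# which read snapshot blocks without attaching a volume to any instance.
EBS_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TenableAgentlessEbsRead", "Effect": "Allow",
                   "Action": ["ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks",
                              "ebs:GetSnapshotBlock"],
                   "Resource": "*"}],
}

# Statement to add to the resource policy of each KMS key that encrypts scanned snapshots.
KMS_GRANT_STATEMENT = {
    "Sid": "AllowTenableSnapshotDecrypt", "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": sorted(REQUIRED_KMS_ACTIONS), "Resource": "*",
}

# Constructed key policy as commonly found: only the account root is named, so the
# scanner role has no explicit grant and reading the encrypted snapshot fails.
ROOT_ONLY_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
                   "Action": "kms:*", "Resource": "*"}],
}

def missing_kms_actions(key_policy: dict, role_arn: str) -> set:
    """Required KMS actions not explicitly allowed for role_arn (explicit grants only;
    identity policies delegated via the root statement are not evaluated)."""
    granted = set()
    for stmt in key_policy.get("Statement", []):
        principals = stmt.get("Principal", {}).get("AWS", [])  # dict-form Principal assumed
        actions = stmt.get("Action", [])
        principals = [principals] if isinstance(principals, str) else principals
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and role_arn in principals:
            granted |= {r for r in REQUIRED_KMS_ACTIONS for a in actions if fnmatch(r, a)}
    return REQUIRED_KMS_ACTIONS - granted

def with_tenable_grant(key_policy: dict) -> dict:
    """Deep copy of key_policy with the Tenable statement appended (the corrected policy)."""
    fixed = json.loads(json.dumps(key_policy))
    fixed["Statement"].append(KMS_GRANT_STATEMENT)
    return fixed
```

Run the check against the exported key policy of every key that encrypts a snapshot in scope; an empty result means the key policy side of the prerequisite is met.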

To set up Agentless Assessment:

  1. In Tenable Cloud Security, initiate a cloud scan:

    1. On the home page, click Projects & Connections.

      Tenable Cloud Security displays the list of projects in the Projects tab.

    2. In the row for the project that you want to scan, click > Manage cloud scan profiles.

      The Manage scan profiles window appears.

    3. Click New Scan Profile.

      The Create new scan profile for cloud window appears.

      Note: You can also use the default scan profile. Vulnerability scan with agentless assessment is enabled by default for the default scan profile.

    4. In the Scan profile name box, type a name for the scan profile or retain the default name.

    5. In Step 1 Cloud config assessment options, retain the default selections or do one of the following:

      • Select the check box next to the option to select all the options within a category.

      • Click the drop-down arrow to show all the available options in the category. Select the check boxes as needed.

        Note: The count next to the drop-down arrow shows: Number of options available / Number of options selected.

      Tip: Ensure EC2 Instance resources are selected to take full advantage of AWS Agentless Assessment scans.

    6. In Step 2, click the Enable Vulnerability Scan (optional) toggle to enable vulnerability scan.

      Note: Tenable Cloud Security scans EC2 instances for vulnerabilities after it completes the Misconfiguration Scan. The EC2 resources are available under the Compute category.

    7. (Optional) Click Preview to view all the selected assessment options.

    8. Click Create Scan Profile.

      Tenable Cloud Security creates the scan profile and the newly created scan profile appears on the Configure cloud scan window.

    9. In the row of the scan profile that you created for a vulnerability scan, click Run Scan.

      Tenable Cloud Security runs the vulnerability scan. You can view the vulnerability scan results on the Tenable Cloud Security Vulnerabilities page and also on the Tenable Vulnerability Management Findings page.