AWS IAM Role for Agentless Assessment

Agentless Assessment of EC2 instances requires an IAM Role that grants the Tenable Cloud Security role access to the AWS-Managed Policy ReadOnlyAccess as well as permissions to read block data from Elastic Block Store (EBS) volumes.

The role must provide Tenable Cloud Security the following permissions:

  • ReadOnlyAccess (AWS-Managed Policy)

  • ebs:ListSnapshotBlocks

  • ebs:ListChangedBlocks

  • ebs:GetSnapshotBlock

To grant the EBS permissions required for Agentless Assessment, create an inline policy on the role with the following JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ebs:List*",
                "ebs:Get*"
            ],
            "Resource": "*"
        }
    ]
}

For additional instructions on configuring the AWS IAM Role, see Set Up Read-Only Access to the AWS Account.

For snapshots encrypted with Key Management Service (KMS), the IAM role must be granted access to the KMS key(s) used to encrypt those snapshots. Modify the KMS key's resource policy to include the following permissions:

  • kms:Decrypt

  • kms:DescribeKey

The following example shows a custom inline policy that is assigned to the Tenable Cloud Security IAM Role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:[REGION]:[ACCOUNT-ID]:key/[KEY]"
    }
  ]
}

Note: In the JSON, replace the Resource value with either * or a list of the KMS keys used to encrypt volumes or snapshots in each region of the AWS account.

If preferred, you can add the Tenable Cloud Security IAM Role as a Key User instead of creating a custom KMS inline IAM policy. Navigate to the AWS KMS Service, find the KMS key used to encrypt the EBS Volumes and Snapshots, and add the Tenable Cloud Security IAM Role as a Key User.