Onboard an AWS Organization
Tenable Cloud Security can connect to your AWS organization's management account and discover all the member accounts in that organization. This is the recommended method when you want to onboard all of your AWS accounts in Tenable Cloud Security for security assessment. You must have the permissions required to deploy a CloudFormation StackSet from the management account, because the StackSet is what creates the Tenable Cloud Security access role in each member account.
Before you begin:
You must have the following details for the read-only role in the organization's management account:
- Role ARN
- External ID
For more information, see Set Up Read-Only Access to the AWS Account.
To connect to an AWS organization account:
1. In the left navigation bar, click > Connection > AWS connection.
2. In the Choose a workflow to discover AWS account(s) section, select Onboard AWS organization.
3. Click Continue.
   The Configure management account section appears.
4. Type the Read Only Role ARN and the External ID of the management account's read-only role.
5. Click Continue.
   The Configure member accounts section appears.
6. Configure member accounts by performing the following actions:
   i. In the Configure member accounts section, in the first step, click the click here link.
      Tenable Cloud Security redirects you to the Create StackSet wizard in the AWS Management Console.
   ii. In the second step, copy the template URL to use when provisioning your StackSet in step iii.
   iii. Complete the following steps in the AWS Management Console to deploy the StackSet that creates the role in all member accounts.
      To deploy the StackSet that creates the read-only role in the member accounts:
      a. Sign in to the AWS management account of the target organization.
      b. On the Choose a template page, do the following:
         - In the Prerequisite - Prepare template section, ensure that the Template is ready option is selected.
         - In the Template source section, click Amazon S3 URL.
         - In the Amazon S3 URL box, paste the template URL copied from the Configure member accounts section in the Tenable Cloud Security Console.
         - Click Next.
      c. On the Specify StackSet details page, do the following:
         - In the StackSet name section, type a name for the StackSet.
           Tip: Choose a meaningful name, because the Tenable Cloud Security role name is used in all the member accounts of the organization.
         - In the StackSet description section, type a description for the current StackSet.
         - Verify the values in the Parameters section.
         - Click Next.
      d. On the Configure StackSet options page, do the following:
         - (Optional) In the Tags section, click Add new tag and provide a Key and a Value for the tag.
           Tags are arbitrary key-value pairs that identify your stack. Tags applied to a StackSet are applied to all resources created by its stacks.
         - For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations. After the conflicting operations finish, StackSets starts the queued operations in request order.
         - Click Next.
      e. On the Set deployment options page, do the following:
         - In the Add stacks to stack set section, click one of the following:
           - Deploy new stacks
           - Import stacks to stack set
         - In the Deployment targets section, click one of the following:
           - Deploy to organization: creates the role in every member account of the organization.
           - Deploy to organizational units (OUs): creates the role only in the member accounts of the OUs you select.
         - In Automatic deployment, click Enabled.
         - In Account removal behavior, click the required option.
         - In the Specify regions section, add one region that is available in all member accounts.
           Caution: Select only one region. IAM roles are global and the template creates a role with a fixed name, so if you specify multiple regions the stack deployment succeeds in only one region, fails in the others, and leaves the StackSet partly failed.
           Note: If the selected region is not enabled in a particular member account, the StackSet deployment fails for that account.
         - In the Deployment options section, do the following:
           - In the Maximum concurrent accounts - optional drop-down box, select Percentage, and set the value to 100.
           - In the Failure tolerance - optional drop-down box, select Percentage, and set the value to 100.
             Note: With a failure tolerance of 100%, the operation completes even if the role could not be created in some accounts. Before onboarding, check the Stack instances tab for accounts whose status is not CURRENT and resolve them; those accounts have no Tenable Cloud Security role.
           - In the Regional Concurrency section, click Sequential.
           - Click Next.
      f. In the Capabilities section, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box to confirm.
      g. Click Submit.
         The StackSet details page appears. Wait for the status of the deployment operation, shown on the Operations tab, to change to Succeeded.
      h. Click the StackSet info tab and copy the StackSet ARN.
   iv. In the Tenable Cloud Security Console, paste the StackSet ARN copied in the previous step in the Stacksets ARN box.
   v. Click Continue.
      The Discover and onboard member accounts section appears. Tenable Cloud Security uses the StackSet you deployed, which created a Tenable Cloud Security role in each member account, to discover those accounts.
7. Onboard member accounts:
   i. In the Discover and onboard member accounts section, in the list, select the cloud member accounts that you want to onboard.
      Tip: You can also search for specific cloud accounts and filter the list by organization.
   ii. (Optional) To create a new project automatically for the AWS organization, select the Map accounts automatically check box.
       Tenable Cloud Security creates a new project for the AWS organization and links all AWS member accounts with the project.
8. In the Choose prerequisites section, select the check boxes:
   - Ensure that you have granted all permissions.
   - Ensure that you already have snapshots, or have followed the provided instructions to create snapshots, for the instances you wish to scan.
   Click the links to view documentation for granting Tenable Cloud Security the permissions it needs to scan and to create snapshots for Agentless Assessment.
9. Click Onboard accounts.
   On the Projects & Connections page, the AWS project links to the connected AWS organization's management account and the selected member accounts.
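The StackSet deployment in the Configure member accounts procedure above can also be done with the AWS CLI, which makes the settings reviewable and repeatable and lets you verify, before onboarding, which member accounts actually received the role. The script below is an added example and is not Tenable's code or the template it provides. The StackSet name, the template URL (a placeholder, replace it with the URL copied from the Tenable console), the OU id and the region are hypothetical values supplied through environment variables. It reproduces the console choices exactly: service-managed permissions, automatic deployment, managed execution Active, one region, 100% concurrency and failure tolerance, sequential region concurrency, and CAPABILITY_NAMED_IAM for the custom-named role.

```shell
#!/bin/sh
# Added example (not Tenable's code): deploy the Tenable Cloud Security role StackSet
# from the organization's management account with the AWS CLI, then find member
# accounts where the role stack is not current. Hypothetical values below.
set -u

STACKSET_NAME="${STACKSET_NAME:-TenableCloudSecurityReadOnlyRole}"                                  # hypothetical name
TEMPLATE_URL="${TEMPLATE_URL:-https://s3.amazonaws.com/placeholder-bucket/tenable-role.yaml}"       # placeholder: paste the URL from the Tenable console
REGION="${REGION:-us-east-1}"                                                                        # exactly one region, enabled in every member account
TARGET_OU="${TARGET_OU:-ou-abcd-12345678}"                                                           # hypothetical OU id; the root id (r-xxxx) targets the whole organization

# Same options as the console wizard: service-managed permissions, automatic
# deployment, managed execution "Active", and the IAM custom-name capability.
create_stackset() {
  aws cloudformation create-stack-set \
    --stack-set-name "$STACKSET_NAME" \
    --description "Tenable Cloud Security read-only role for member accounts" \
    --template-url "$TEMPLATE_URL" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --managed-execution Active=true \
    --capabilities CAPABILITY_NAMED_IAM
}

# Deployment options from the wizard: 100% concurrency, 100% failure tolerance,
# sequential region concurrency, one region. Prints the operation id.
deploy_instances() {
  aws cloudformation create-stack-instances \
    --stack-set-name "$STACKSET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$TARGET_OU" \
    --regions "$REGION" \
    --operation-preferences MaxConcurrentPercentage=100,FailureTolerancePercentage=100,RegionConcurrencyType=SEQUENTIAL \
    --query OperationId --output text
}

# Poll the StackSet operation; returns 0 only when it reports SUCCEEDED.
wait_for_operation() {
  op_id="$1"
  while :; do
    status=$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$STACKSET_NAME" --operation-id "$op_id" \
      --query StackSetOperation.Status --output text)
    case "$status" in
      RUNNING|QUEUED|STOPPING) sleep 15 ;;
      SUCCEEDED) return 0 ;;
      *) echo "operation $op_id ended with status $status" >&2; return 1 ;;
    esac
  done
}

# With 100% failure tolerance the operation finishes even when some accounts
# got no role. This filter reads list-stack-instances text output (one line per
# instance: Account, Region, Status, StatusReason, tab-separated) and prints the
# accounts whose stack instance is not CURRENT so they can be fixed first.
instances_not_current() {
  awk -F '\t' '$3 != "CURRENT" { printf "%s\t%s\t%s\n", $1, $3, $4 }'
}

list_instances() {
  aws cloudformation list-stack-instances \
    --stack-set-name "$STACKSET_NAME" \
    --query 'Summaries[].[Account,Region,Status,StatusReason]' --output text
}

# The value to paste into the Tenable console Stacksets ARN box.
stackset_arn() {
  aws cloudformation describe-stack-set --stack-set-name "$STACKSET_NAME" \
    --query StackSet.StackSetARN --output text
}

case "${1:-}" in
  deploy)
    create_stackset >/dev/null
    op=$(deploy_instances)
    wait_for_operation "$op"
    echo "StackSet ARN for the Tenable console:"
    stackset_arn
    ;;
  verify)
    echo "Member accounts whose role stack is not CURRENT:"
    list_instances | instances_not_current
    ;;
  *) ;;
esac
```

Run `sh tenable-stackset.sh deploy` with credentials for the management account, then `sh tenable-stackset.sh verify` before clicking Continue in the Tenable console; any account listed by `verify` will not have the role and should be fixed (for example, a member account where the chosen region is not enabled) before you onboard it. The console enables trusted access between StackSets and AWS Organizations when you pick service-managed permissions; when deploying from the CLI, enable it first with `aws organizations enable-aws-service-access --service-principal member.org.stacksets.cloudformation.amazonaws.com` if it has not already been enabled.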