Onboard an AWS Organization

Tenable Cloud Security can connect to your AWS organization's management account to discover all the member accounts under that account. This is the recommended method when you want to onboard all of your AWS accounts in Tenable Cloud Security for security assessment. You must have the required permissions to deploy a CloudFormation stack for setting up access roles in each of the member accounts.

Tip: For more information about AWS organizations, see Amazon's AWS Organizations User Guide.

Before you begin:

You must have the following details for the read-only role in your AWS account:

  • Role ARN

  • External ID

For more information, see Set Up Read-Only Access to the AWS Account.

To connect to an AWS organization account:

  1. In the left navigation bar, click the Create new icon > Connection > AWS connection.

  2. In the Choose a workflow to discover AWS account(s) section, select Onboard AWS organization.

  3. Click Continue.

    The Configure management account section appears.

  4. Type the appropriate Read Only Role ARN and External ID.

  5. Click Continue.

    The Configure member accounts section appears.

  6. Configure member accounts by performing the following actions:

    1. In the Configure member accounts section, in the first step, click the click here link.

      Tenable Cloud Security redirects you to the Create StackSet wizard in the AWS Management Console.

    2. In the second step, copy the template URL to use when provisioning your stack set in step 3.

      Complete the following steps in the AWS Management Console to deploy the StackSet that creates the role for all member accounts.

    3. In the Tenable Cloud Security Console, paste the Stacksets ARN copied in the previous step in the Stacksets ARN box.

    4. Click Continue.

      The Discover and onboard member accounts section appears. Tenable Cloud Security deploys the StackSet used to create a Tenable Cloud Security role for each member account.

  7. Onboard member accounts.

    1. In the Discover and onboard member accounts section, in the list, select the cloud member accounts that you want to onboard.

      Tip: You can also search for specific cloud accounts and filter the list by organizations.

    2. (Optional) To create a new project automatically for the AWS organization, select the Map accounts automatically check box.

      Tenable Cloud Security creates a new project for the AWS organization and links all AWS member accounts with the project.

  8. In the Choose prerequisites section, select the check boxes:

    • Ensure that you have granted all permissions.

    • Ensure that you already have snapshots or followed the provided instructions to create snapshots for the instances you wish to scan.

      Click the links to view documentation for providing permissions to Tenable Cloud Security for scanning and creating snapshots for Agentless Assessment.

  9. Click Onboard accounts.

On the Projects & Connections page, the AWS project links to the connected AWS organization's account and the selected VPCs.
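As an added illustration, and not Tenable's published StackSet template (which the wizard supplies through the template URL), the CloudFormation template below shows the shape of the member-account role the procedure relies on: a read-only role that can be assumed only from a named scanner account and only when the External ID from the wizard is presented. The scanner account ID, the role name and the attached managed policies are assumptions; the real template may grant different permissions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Illustrative read-only cross-account role for an AWS Organizations member
  account. Example only, not the vendor's template; account ID, external ID
  and role name are placeholders supplied as parameters.

Parameters:
  ScannerAccountId:
    Type: String
    Description: AWS account ID the security platform assumes the role from (placeholder)
    AllowedPattern: "^[0-9]{12}$"
  ExternalId:
    Type: String
    Description: External ID shown in the onboarding wizard (placeholder)
    NoEcho: true
    MinLength: 8
  RoleName:
    Type: String
    # A fixed name gives every member account the same predictable role ARN,
    # which is what a StackSet deployment across the organization relies on.
    Default: cloud-security-readonly-example

Resources:
  ReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      Description: Read-only access for cloud security assessment (example)
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root"
            Action: sts:AssumeRole
            # The ExternalId condition is the confused-deputy control: knowing
            # the role ARN alone is not enough to assume the role.
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        # Read-only assessment permissions; snapshot-related permissions for
        # agentless scanning are out of scope for this example.
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - arn:aws:iam::aws:policy/SecurityAudit

Outputs:
  RoleArn:
    Description: Role ARN to enter as the Read Only Role ARN for this account
    Value: !GetAtt ReadOnlyRole.Arn
```

After deployment, the trust policy of the created role is worth checking in each member account: the Principal should be only the expected scanner account and the sts:ExternalId condition must be present, since a role trusted by the wrong account or without the condition is what the onboarding would otherwise silently accept.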