Tenable.cs Quick Reference Guide: Onboarding AWS Accounts

This Quick Reference Guide provides the sequence of tasks required to onboard AWS cloud accounts to Tenable.cs and to perform a cloud scan. Tenable.cs assesses your cloud infrastructure at runtime and identifies security and compliance violations.

Before you begin:

You must have the following:

  • Credentials for your Tenable.io user account.

  • AWS user account with permissions to create Identity and Access Management (IAM) roles.


You can onboard your Amazon Web Services (AWS) accounts in Tenable.cs in the following two ways:

  • Onboard an AWS organization: Use this recommended method to secure multiple AWS accounts and start the security assessment. Tenable.cs can connect to your AWS organization's management account (root account) to discover all the member accounts that are under that account. Provide a Role ARN and an optional External ID for the management account. You must also have root account permission to deploy a CloudFormation stack to set up access roles in each of the member accounts.

  • Onboard a single AWS account: Use this method if you want to onboard each AWS account manually without deploying a CloudFormation Stack. Provide a Role ARN and an optional External ID for the AWS account.

To onboard AWS accounts in Tenable.cs, you must configure an Identity and Access Management (IAM) role so that Tenable.cs can read the resources in the connected AWS accounts. When onboarding an AWS organization account, create an IAM role for the management or root account.

After connecting your cloud accounts, configure your cloud resources and then scan these cloud resources for any violations.


The following workflow provides the high-level tasks required for onboarding AWS accounts.

Tip: Click a box to view the relevant task.


For a demonstration on onboarding AWS accounts, see the following video:

Other Resources