Set Up Read-Only Access to the AWS Account

To read the resources in the Amazon Web Services (AWS) cloud account, Tenable Cloud Security requires appropriate permissions. Tenable Cloud Security recommends provisioning an IAM (Identity and Access Management) role in the target AWS cloud account and configuring it for Tenable Cloud Security to read the resources in the same account. When onboarding an AWS organization account, create an IAM role for the management account.

You can create the role in the following ways:

Create a read-only role manually

You can create a read-only role manually from the AWS management console.

Before you begin:

To create a read-only role manually:

  1. In the AWS web console, go to Identity and Access Management (IAM).

  2. On the left navigation pane, click Roles.

    The Roles page appears.

  3. Click Create Role.

    The Create Role wizard appears.

  4. In the Select trusted entity page, do the following:

    1. In the Trusted entity type section, select AWS Account.

    2. In the An AWS Account section, select Another AWS Account.

    3. In the Account ID box, type 012615275169.

      Note: 012615275169 is the account ID of the Tenable AWS account that you are establishing a trust relationship with to support AWS role delegation.

    4. Under Options, click the Require External ID check box and type your Tenable Vulnerability Management Container UUID in the External ID box.

      Note: In Tenable Vulnerability Management, navigate to Settings > License to get your container UUID. For more information, see View Information about Your Tenable Vulnerability Management Instance.

    5. Click Next.

  5. On the Add permissions page, perform the following:

    1. Search for ReadOnlyAccess in the search box.

      Tip: Filtering for "ReadOnlyAccess" by role name might return many entries. Apply the "Used as: Used as permissions policy" filter along with the role name "ReadOnlyAccess" to narrow down the search results.
    2. Select the ReadOnlyAccess check box.

      For the list of permissions and AWS resources scanned by Tenable Cloud Security with this policy, see Permissions and Supported Resources for AWS ReadOnlyAccess Policy.

    3. For vulnerability scanning with Agentless Assessment, create an inline policy with the following JSON to provide Elastic Block Store permissions:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                      "ebs:List*",
                      "ebs:Get*"
                  ],
                  "Resource": "*"
              }
          ]
      }
    4. Select the required policies for the IAM role and click Next.

      Note: The new policy might take some time to get created. Refresh your browser if you do not see the policy in the list of policies.

    For information about creating IAM policies, see the AWS documentation.

  6. In the Name, review, and create page, do the following:

    1. In the Role Details section, type a Role Name for the role.

    2. (Optional) Add a role description in the Description box.

    3. (Optional) Click Add Tags to add key-value pairs to AWS resources.

    4. Click Create Role.

    Tenable Cloud Security now has read-only access to your AWS account.

  7. To get the Role ARN and External ID of this new role for Tenable Cloud Security, do the following:

    1. On the left navigation pane, click Roles.

    2. Search for the role that you created.

    3. In the Summary section, note the Role ARN value.

    4. Click the Trust Relationships tab and note the value of the ExternalId field.

  8. Note down the following values:

    • Role ARN

    • External ID

    You need these values when onboarding AWS accounts in Tenable Cloud Security.
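As an added example (not Tenable's code), the trust policy that steps 4.1 to 4.5 produce, built in Python together with a check that the role can only be assumed by the stated Tenable account and only with the stated External ID; the same check can be run on the AssumeRolePolicyDocument that `aws iam get-role` returns for a role created by the script or CloudFormation methods. The account ID and the 4 to 1224 character bound come from this page; the container UUID is a placeholder, and the function names are my own.

```python
"""Trust policy for the Tenable read-only role, plus a scoping check (added example)."""
import json

TENABLE_ACCOUNT_ID = "012615275169"  # Tenable AWS account ID from the procedure above


def trust_policy(external_id: str, trusted_account: str = TENABLE_ACCOUNT_ID) -> dict:
    """Trust policy the console wizard writes for 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(doc: dict, external_id: str,
                          trusted_account: str = TENABLE_ACCOUNT_ID) -> list:
    """Return findings (empty list = OK): only the trusted account may assume the role,
    each grant must require the expected External ID, and the ID must be 4..1224 chars."""
    problems = []
    if not 4 <= len(external_id) <= 1224:
        problems.append("external ID length must be between 4 and 1224 characters")
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement cannot be used to assume the role
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [aws] if isinstance(aws, str) else aws:
            # Wildcard or foreign-account principals would let anyone with the ID assume the role.
            if p == "*" or trusted_account not in p:
                problems.append(f"unexpected principal may assume the role: {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("statement does not require the expected sts:ExternalId")
    return problems


if __name__ == "__main__":
    external_id = "00000000-0000-0000-0000-000000000000"  # placeholder for your container UUID
    doc = trust_policy(external_id)
    print(json.dumps(doc, indent=2))
    print("problems:", trust_policy_problems(doc, external_id) or "none")
```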

Create a Read-Only Role Using a Script

You can run the script provided by Tenable Cloud Security to create an AWS read-only role.

Before you begin:

  • You must have the following:

    • Terraform version 12 or higher

    • AWS access key

    • AWS secret key

To create a read-only role using a script:

  1. Run the following command:

    /bin/bash -c "$(curl https://downloads.accurics.com/downloads/io/create_tcs_aws_readonly_role.sh)"
  2. Provide values for the following parameters, when prompted:

    • (Required) AWS_ACCESS_KEY_ID: Access key of the AWS account.

    • (Required) AWS_SECRET_ACCESS_KEY: Secret key of the AWS account.

    • (Optional) Role name suffix: By default, Tenable Cloud Security creates a role with the name TenableReadOnlyTrustRole. Provide an optional suffix to append to this role name. For example, if you provide ACME, the role name is TenableReadOnlyTrustRoleACME.

    • (Required) ExternalId: Provide an alphanumeric string to be used as the External ID of the role. The External ID can contain a minimum of 4 characters and a maximum of 1224 characters. Tenable recommends providing your Tenable Vulnerability Management Container UUID for the External ID.

  3. When prompted "Do you want to perform these actions?", type yes to continue.

    Tenable Cloud Security executes the script and creates the read-only role.

  4. Note down the following values:

    • Role ARN

    • External ID

    You need these values when onboarding AWS accounts in Tenable Cloud Security.

Create a read-only role using a CloudFormation Template

You can deploy the Tenable Cloud Security stackset to create a read-only role.

Before you begin:

  • Log in to the AWS web console.

To create a read-only role using a CloudFormation Template:

  1. Click here to open the CloudFormation template to deploy a read-only role in AWS.

    Tenable Cloud Security redirects you to the Quick create stack page in AWS.

  2. Review the parameters in the stack template and update, if required.

  3. In the Capabilities section, select the "I acknowledge that AWS CloudFormation might create IAM resources with custom names." check box to confirm creating the IAM resources with required permissions.

  4. Click Create stack.

    Wait for the stack to get created and its status to become CREATE_COMPLETE.

  5. Note down the following values:

    • Role ARN: Copy the stack ARN of the deployed stack from the Outputs tab.

    • External ID: Copy the ExternalID from the Parameters tab.

    You need these values when onboarding AWS accounts in Tenable Cloud Security.

What to do next:

Onboard AWS Accounts

You must have the following values for onboarding the AWS account in Tenable Cloud Security:

  • Role ARN
  • External ID