Frictionless Assessment for AWS

The following feature is not supported in Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

With Frictionless Assessment, discovers and collects an inventory of data points on your Amazon Web Services (AWS) EC2 instances. Then, for EC2 instances with an AWS tag that you specify for Frictionless Assessment, assesses the hosts for vulnerabilities in the cloud, rather than running plugins locally on the hosts.

Frictionless Assessment uses the AWS Systems Manager Inventory and AWS Systems Manager Agent (SSM Agent) to collect the required data. For more information on AWS configuration requirements, see Configure AWS for Frictionless Assessment.

You do not need to configure scanners, Nessus Agents, scans, or scan schedules to assess hosts with Frictionless Assessment.

Operating System Coverage

Frictionless Assessment has vulnerability coverage for EC2 instances created from the following Amazon Machine Images:

  • Amazon Linux 1 / 2

  • CentOS 6 / 7 / 8

  • Red Hat 6 / 7 / 8

  • SUSE Linux Enterprise Server (SLES) 11.4-15.2

  • SUSE Linux Enterprise Desktop (SLED) 12-15.2

  • Ubuntu 16.04 / 18.04 / 20.04

  • Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022

  • Windows 7, Windows 8, Windows 10, Windows 11

Licensing Considerations

In general in, assets count towards your license when they are assessed for vulnerabilities. Therefore, EC2 hosts that are assessed by Frictionless Assessment count against your license. For more information, see Vulnerability Management Licenses.

When you select AWS tags for hosts to be assessed by Frictionless Assessment, note that all hosts with any of those tags count towards your license. Hosts that are only discovered by the connector, and not assessed by Frictionless Assessment (for example, hosts that do not have a tag you selected for Frictionless Assessment), do not count towards your license.


  • Frictionless Assessment does not run informational plugins, run remote vulnerability plugins, or gather compliance data.
  • A connector configured with Frictionless Assessment only supports one AWS account. If you want to assess hosts across multiple AWS accounts, you must configure a separate connector for each AWS account.
  • You must use a single AWS tag key to identify the assets you want Frictionless Assessment to access.

  • creates an AWS Systems Manager inventory association on your instance to collect inventory for Frictionless Assessment. However, AWS Systems Manager has a restriction that only one inventory association can be applied to an instance at a time, as described in the AWS Documentation. If you have an existing inventory association applied to your instance, remove it before configuring Frictionless Assessment. For more information, see the AWS Documentation.

Get Started

  1. Determine who in your organization has the appropriate AWS credentials to access the AWS console.

  2. Depending on who has the AWS credentials, do one of the following:

    • If you are setting up the cloud connector, but someone other than you in your organization has the necessary AWS credentials:

      1. The person with AWS credentials must ensure the AWS configuration meets the requirements for Frictionless Assessment, as described in Configure AWS for Frictionless Assessment.

      2. The person with AWS credentials must manually configure AWS roles and policies for use with Frictionless Assessment.

      3. Create your AWS connector, as described in Create an AWS Connector with Keyless Authentication for Frictionless Assessment.

  3. To delete an AWS cloud connector, see Delete a Connector.

  4. If you delete a connector, manually delete the CloudFormation stack in AWS, as described in Manually Delete Connector Artifacts in AWS.

For more information, see the following topics: