Configure Linked AWS Accounts for Key-based Authentication

Required User Role: Administrator

This section assumes that access keys have already been generated for the primary account and used to create the connector, and explains how to configure linked AWS accounts as depicted in the diagram below. Each linked account gets a role that trusts only the primary account; the IAM user in the primary account whose access keys the connector holds is then allowed to assume that role, so no access keys are generated in the linked accounts.

Before you begin, make sure you have the Administrator role in Tenable Vulnerability Management, the primary account's access keys, permission to create IAM roles in each linked account, and permission to create and attach IAM policies in the primary account.

To configure linked AWS accounts:

  1. Obtain your Tenable Vulnerability Management container ID, as described in License Information.
  2. In each linked AWS account, create a role named tenableio-connector that the primary AWS account can assume, as described in the Amazon AWS documentation.

    1. In the navigation pane of the console, click Roles > Create role.

    2. For role type, click Another AWS account.

    3. For Account ID, type the AWS account ID of the primary AWS account. This is the only account the role will trust.
    4. Select the Require external ID check box, and type the Tenable container ID that you obtained in Step 1. The external ID ties the role to your Tenable container: Tenable assumes roles on behalf of many customers, and without an external ID anyone who handed Tenable your role ARN could have the connector read your account (the confused-deputy problem). Do not leave it blank or substitute a guessable value.

    5. Click Next: Permissions.
    6. Create or reuse a policy that grants the following permissions:

      AWS Service      Permission (IAM action)
      Amazon EC2       ec2:DescribeInstances
      AWS CloudTrail   cloudtrail:DescribeTrails
                       cloudtrail:GetEventSelectors
                       cloudtrail:GetTrailStatus
                       cloudtrail:ListTags
                       cloudtrail:LookupEvents

      Tenable recommends that you set Amazon Resource Name to * (all resources) for each AWS service. All of these are read-only Describe, Get, List and Lookup actions, and ec2:DescribeInstances in particular does not support resource-level permissions, so * is required for it. Do not add any other actions to this policy; the connector needs nothing beyond the list above.

    7. Click Next: Tagging.

    8. (Optional) Add any desired tags.
    9. Click Next: Review.

    10. In the Role name box, type tenableio-connector.
      Caution: The role must be named tenableio-connector for the connector to work.
    11. Review the role, ensuring that the role name is tenableio-connector, and then click Create role.

    12. Record the Role ARN for the created role; it has the form arn:aws:iam::<linked account ID>:role/tenableio-connector. You need the Role ARN for the next section of the configuration. Repeat steps 1 to 12 in every linked account; each account produces its own Role ARN.
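The two policy documents that the console steps above produce for the linked account, written out as an added example (this is not Tenable's or AWS's code, and the account ID and container ID are constructed placeholders). The small evaluator at the end shows what the external ID buys you: a caller from the right account that presents the wrong external ID, or none at all, is refused.

```python
"""Added example (not Tenable's or AWS's own code): the trust policy and
permissions policy behind the tenableio-connector role in a linked account,
plus a minimal evaluator for the trust policy. Account IDs and the container
ID are constructed placeholders; substitute your own values."""
import json

PRIMARY_ACCOUNT_ID = "111111111111"  # constructed: the primary AWS account
TENABLE_CONTAINER_ID = "0f3a6c2e-1111-2222-3333-444455556666"  # constructed
ROLE_NAME = "tenableio-connector"  # fixed name the connector looks for

# Permissions from the table above, written as IAM action names.
READ_ONLY_ACTIONS = [
    "ec2:DescribeInstances",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetEventSelectors",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:ListTags",
    "cloudtrail:LookupEvents",
]


def trust_policy(primary_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{primary_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(actions=None) -> dict:
    """Permissions policy; the Describe/Get/List calls are granted on Resource '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions or READ_ONLY_ACTIONS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_allowed(policy: dict, caller_account: str, external_id=None) -> bool:
    """Minimal trust-policy check for the shape of policy built above: an Allow
    statement for sts:AssumeRole must name the caller's account root, and if it
    carries an sts:ExternalId condition the caller must present exactly that value."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if f"arn:aws:iam::{caller_account}:root" not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue
        return True
    return False


def unexpected_actions(policy: dict) -> list:
    """Return every action in the permissions policy whose verb is not read-only."""
    read_prefixes = ("Describe", "Get", "List", "Lookup")
    found = []
    for stmt in policy["Statement"]:
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if not verb.startswith(read_prefixes):
                found.append(action)
    return found


if __name__ == "__main__":
    print(json.dumps(trust_policy(PRIMARY_ACCOUNT_ID, TENABLE_CONTAINER_ID), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
```

Paste the first document as the role's trust relationship and the second as its permissions policy if you prefer the CLI or infrastructure-as-code to the console; unexpected_actions is a cheap guard against someone later "helpfully" adding write actions to the shared policy.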

To configure the primary AWS account:

Note: For more detailed steps, see the Amazon documentation: Accessing and Administering the Member Accounts in Your Organization.

  1. Create a policy that allows the AWS Security Token Service (AWS STS) AssumeRole action (sts:AssumeRole) on the linked roles only.
    1. Navigate to Policies and then click Create Policy.

    2. For Service, choose STS.
    3. For Actions, type AssumeRole in the Filter box and then select the check box next to it when it appears.

    4. Click You chose actions that require the role resource type.
    5. Click Add ARN.
    6. In the Specify ARN for role field, paste the Role ARN recorded for the tenableio-connector role in a linked account.
    7. Click Add. Repeat steps 5 to 7 for every linked account so that the policy lists each linked role explicitly; do not widen the resource to * or the same keys could assume any role that happens to trust the primary account.
    8. Click Review policy.
    9. In the Name field, type a unique name for your policy.
    10. Click Create Policy.
  2. Attach the policy created in step 1 to the IAM user or group associated with the access keys used when you created your connector.
    1. Click the Add Permissions button.
    2. Select Attach existing policies directly.

    3. Find the policy with sts:AssumeRole that was created in step 1.
    4. Click Next: Review.

    5. Click Add permissions.
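The primary-account side of the same configuration, as an added example that is not Tenable's or AWS's own code: it builds the sts:AssumeRole policy scoped to each linked account's tenableio-connector role, lints the result for wildcard or foreign roles, and produces the aws sts assume-role invocation you can run with the primary account's access keys to confirm the trust chain before pointing the connector at it. The account IDs and container ID are constructed placeholders.

```python
"""Added example (not Tenable's or AWS's own code): the primary account's
sts:AssumeRole policy for the linked tenableio-connector roles, a scope lint,
and the STS call that verifies the chain end to end. Account IDs and the
container ID are constructed placeholders."""
import json

ROLE_NAME = "tenableio-connector"
LINKED_ACCOUNT_IDS = ["222222222222", "333333333333"]  # constructed
TENABLE_CONTAINER_ID = "0f3a6c2e-1111-2222-3333-444455556666"  # constructed


def linked_role_arn(account_id: str) -> str:
    """ARN of the role created in a linked account (the value recorded in step 12)."""
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"


def assume_role_policy(role_arns) -> dict:
    """Policy for the primary account's IAM user or group: AssumeRole on exactly these roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": list(role_arns),
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scope_problems(policy: dict) -> list:
    """Flag statements that let the connector's keys assume more than the linked roles:
    a wildcard in the resource, or a role that is not named tenableio-connector."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if "*" in res:
                problems.append(f"wildcard resource: {res}")
            elif not res.endswith(f":role/{ROLE_NAME}"):
                problems.append(f"unexpected role: {res}")
    return problems


def assume_role_command(role_arn: str, external_id: str,
                        session_name: str = "tenable-connector-check") -> list:
    """AWS CLI invocation that exercises the same trust path the connector uses.
    Run it with the primary account's access keys; success returns temporary
    credentials, an AccessDenied means the trust policy, external ID or the
    primary-side policy does not line up."""
    return ["aws", "sts", "assume-role",
            "--role-arn", role_arn,
            "--role-session-name", session_name,
            "--external-id", external_id]


if __name__ == "__main__":
    arns = [linked_role_arn(a) for a in LINKED_ACCOUNT_IDS]
    policy = assume_role_policy(arns)
    print(json.dumps(policy, indent=2))
    print("scope problems:", scope_problems(policy) or "none")
    print(" ".join(assume_role_command(arns[0], TENABLE_CONTAINER_ID)))
```

Attaching the generated policy to a group rather than directly to the user keeps the grant in place when the access keys are rotated onto a new user; scope_problems is the check to run whenever someone edits that policy by hand.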