Configure AWS for Frictionless Assessment

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on December 31, 2023, and will no longer receive support or updates. However, existing Frictionless Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024. Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following feature is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

Frictionless Assessment leverages the AWS Systems Manager Inventory and AWS Systems Manager Agent (SSM Agent) to collect data from a host and create an inventory of data points on your AWS EC2 instances. You do not need to configure scanners, Tenable Nessus Agents, scans, or scan schedules to assess hosts with Frictionless Assessment.

If you have access to your organization's AWS console, ensure your AWS configuration meets the following requirements before creating the Tenable Vulnerability Management cloud connector.

If someone other than you has access to your organization's AWS console, ensure they configure AWS to meet the following requirements before you create the Tenable Vulnerability Management cloud connector.

To configure your AWS environment for use with Frictionless Assessment:

  1. Set up AWS Systems Manager for your account, as described in the AWS Systems Manager documentation.
  2. Ensure that you have access to AWS Systems Manager Inventory. For more information, see AWS Systems Manager Inventory in the AWS Systems Manager documentation.
  3. Ensure your EC2 instances have the SSM Agent installed.
  4. Ensure the target EC2 instances you want to assess with Frictionless Assessment are tagged with a single AWS tag key. For example, you can use the tag key Tenable.

    Later, you will select this AWS tag key to identify instances you want to assess with Frictionless Assessment.

  5. Tenable Vulnerability Management creates an AWS Systems Manager inventory association on your instance to collect inventory for Frictionless Assessment. However, AWS Systems Manager has a restriction that only one inventory association can be applied to an instance at a time, as described in the AWS Documentation. If you have an existing inventory association applied to your instance, remove it before configuring Frictionless Assessment. For more information, see the AWS Documentation.
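A preflight check for steps 3 to 5, as an added example that is not Tenable's or AWS's own code: it reads saved AWS CLI JSON output and reports, for each instance carrying the tag key, whether the SSM Agent is registered and whether an inventory association already exists. The function name `preflight`, the instance IDs and the association ID are constructed for illustration; `AWS-GatherSoftwareInventory` is the AWS-managed document that inventory associations use.

```python
# Added example: inputs are saved AWS CLI JSON; the sample data below is constructed.
INVENTORY_DOC = "AWS-GatherSoftwareInventory"  # SSM document behind inventory associations

def preflight(instances, ssm_info, assoc_status, tag_key="Tenable"):
    """Return {instance_id: [problems]} for instances carrying tag_key; [] means ready.

    instances:    output of `aws ec2 describe-instances`
    ssm_info:     output of `aws ssm describe-instance-information`
    assoc_status: {instance_id: `aws ssm describe-instance-associations-status` output}
    """
    managed = {i["InstanceId"]: i for i in ssm_info.get("InstanceInformationList", [])}
    report = {}
    for res in instances.get("Reservations", []):
        for inst in res.get("Instances", []):
            iid = inst["InstanceId"]
            if tag_key not in {t["Key"] for t in inst.get("Tags", [])}:
                continue  # step 4: only tagged instances are assessed (keys are case-sensitive)
            problems = []
            info = managed.get(iid)
            if info is None:  # step 3: agent never registered with Systems Manager
                problems.append("not managed by Systems Manager (SSM Agent missing or unregistered)")
            elif info.get("PingStatus") != "Online":
                problems.append("SSM Agent ping status is %s" % info.get("PingStatus"))
            infos = assoc_status.get(iid, {}).get("InstanceAssociationStatusInfos", [])
            existing = [a["AssociationId"] for a in infos if a.get("Name") == INVENTORY_DOC]
            if existing:  # step 5: only one inventory association per instance
                problems.append("existing inventory association: " + ", ".join(existing))
            report[iid] = problems
    return report

SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Tenable", "Value": ""}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Tenable", "Value": ""}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Tenable", "Value": ""}]},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "Name", "Value": "build"}]},
]}]}
SAMPLE_SSM = {"InstanceInformationList": [
    {"InstanceId": "i-0aaa", "PingStatus": "Online"},
    {"InstanceId": "i-0bbb", "PingStatus": "Online"},
]}
SAMPLE_ASSOC = {"i-0bbb": {"InstanceAssociationStatusInfos": [
    {"AssociationId": "assoc-constructed-1", "Name": "AWS-GatherSoftwareInventory"}]}}

if __name__ == "__main__":
    for iid, problems in preflight(SAMPLE_EC2, SAMPLE_SSM, SAMPLE_ASSOC).items():
        print(iid, "ready" if not problems else "; ".join(problems))
```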

What to do next:

  • Depending on who has the AWS credentials for your organization, do the following: