Create an AWS Connector for Frictionless Assessment

Frictionless Assessment is now End of Provisioning (starting May 15, 2023), and new users will not be able to deploy Frictionless Assessment connectors. Frictionless Assessment will reach End-of-Support on December 31, 2023, and will no longer receive support or updates. However, existing Frictionless Assessment connectors will continue to function until the feature is End-of-Life on December 31, 2024. Tenable recommends that you transition to Tenable Cloud Security with Agentless Assessment for scanning your cloud resources. For more information, see the Tenable Vulnerability Management Release Notes.

The following feature is not supported in Tenable Vulnerability Management Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

Required User Role: Administrator

When you configure an Amazon Web Services (AWS) cloud connector with keyless authentication for Frictionless Assessment, Tenable Vulnerability Management uses a CloudFormation template (CFT) to configure the required roles and policies for your AWS account automatically. This configuration sets up the regular cloud connector and Frictionless Assessment.

To use Frictionless Assessment with your AWS connector, you must enter an AWS tag key to identify hosts to be assessed by Frictionless Assessment. If you do not enter a tag key, the connector functions as discovery-only and assets are not assessed for vulnerabilities.

Note: Create a separate cloud connector for each AWS account that owns hosts you want to evaluate for Frictionless Assessment.

Before you begin:

  • Ensure that your AWS configuration meets the requirements for Frictionless Assessment, as described in Configure AWS for Frictionless Assessment.

  • For best results, ensure that this is a new AWS cloud connector setup. If you have existing AWS cloud connectors configured, delete the existing tenableio-connector IAM role before creating the new AWS cloud connector.

    Note: To use Tenable Cloud Security Preview or Tenable Cloud Security, you must update or create new roles that support Tenable Cloud Security. Tenable Vulnerability Management cloud connector roles do not support Agentless Assessment.

  • In another window or tab of the same browser with which you are accessing Tenable Vulnerability Management, log in to the AWS console with the AWS account that you want to target with Frictionless Assessment.

Create the AWS Frictionless Assessment connector and CFT:

  1. Log in to your Tenable Vulnerability Management user interface and go to Settings > Cloud Connectors.

  2. Click Create Cloud Connector.

    The Select a Cloud Connector panel appears.

  3. In the Cloud Connectors list, select Frictionless Assessment.

    The Connector Setup pop-up appears.

  4. In the Cloud Provider step, select AWS and enter a Connector Name.

    Click Next.

  5. In the Enable Features step, ensure that the Identify vulnerabilities using frictionless assessment check box is selected.

    Click Next.

  6. In the Configuration step, select the target parameters:

    1. Enter the Account ID to target.

    2. Select a tag by providing the Tag key and value:

      1. In the Tag Key box, type the AWS tag key.

        For example, in the AWS tag Tenable:FA, the tag key is Tenable.

      2. In the Tag Value box, do one of the following:

        For example, in the AWS tag Tenable:FA, the tag value is FA.

      Tip: You can only specify one tag for AWS Frictionless Assessment.

      Note: The tag key and value are case sensitive and must match what is in AWS exactly.

      Note: To use Frictionless Assessment with your AWS connector, you must enter an AWS tag key to identify hosts to be assessed by Frictionless Assessment. If you do not enter a tag key, the connector functions as discovery-only and assets are not assessed for vulnerabilities.

    3. Select the Network to target. You can select an existing network or create a new network using the Network drop-down menu. If you do not specify a network, your default network is selected.

    Click Next.

  7. In the Apply Choices step, click Download and Finish.

    The CFT downloads in .yml format, and the new connector shows on the Cloud Connectors page.
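
Because the tag key and value in step 6 are case sensitive and must match AWS exactly, it helps to check which instances actually carry the tag before relying on the connector. The following is an added example, not Tenable's code: it assumes input in the JSON shape returned by `aws ec2 describe-instances`, and the function name, instance IDs and sample tags are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-instances`
# (instance IDs and tags are made up for illustration).
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000001", "Tags": [{"Key": "Tenable", "Value": "FA"}]},
    {"InstanceId": "i-0aaa0000000000002", "Tags": [{"Key": "tenable", "Value": "FA"}]}
  ]},
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000003", "Tags": [{"Key": "Tenable", "Value": "fa "}]},
    {"InstanceId": "i-0aaa0000000000004", "Tags": [{"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0aaa0000000000005"}
  ]}
]}
""")


def classify_instances(describe_output, tag_key, tag_value):
    """Sort instances into exact match, near miss, and untagged.

    'near_miss' holds instances whose tag would match only if case or
    surrounding whitespace were ignored, so an exact comparison skips them.
    """
    result = {"match": [], "near_miss": [], "untagged": []}
    want = (tag_key.strip().lower(), tag_value.strip().lower())
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # Instances with no tags at all omit the "Tags" field entirely.
            tags = [(t["Key"], t["Value"]) for t in inst.get("Tags", [])]
            if (tag_key, tag_value) in tags:
                bucket = "match"
            elif any((k.strip().lower(), v.strip().lower()) == want for k, v in tags):
                bucket = "near_miss"
            else:
                bucket = "untagged"
            result[bucket].append(inst["InstanceId"])
    return result


if __name__ == "__main__":
    report = classify_instances(SAMPLE, "Tenable", "FA")
    for bucket, ids in report.items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

To run it against a real account, save the output of `aws ec2 describe-instances --output json` to a file and pass the parsed JSON in place of the sample; instances reported as near misses need their tags corrected in AWS.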

Deploy the connector using the CFT:

Deploy the CFT you downloaded in the previous section to your AWS accounts (for more information, see the AWS documentation).

If you need to deploy to more than one region, Tenable recommends deploying the template as a stack set (for more information, see the AWS stack set documentation).

What to do next:

  • Create an AWS Connector with Keyless Authentication (Discovery Only) for your AWS account if you do not already have one. Your AWS account needs a keyless connector for Tenable Vulnerability Management to track asset states and asset terminations.

    Note: The keyless connector needs to be set up for the same account that AWS Frictionless Assessment is set up for.

  • Edit the AWS Frictionless Assessment connector's tags when needed. For more information, see Edit an AWS Frictionless Assessment Connector.

  • View assets to see hosts discovered by the connector. Hosts found by an AWS connector using Frictionless Assessment appear with the source SSM.

  • View vulnerabilities to see vulnerabilities identified by Frictionless Assessment.