Keyless Authentication with Auto Discovery Workflow
Tenable.io AWS connectors support keyless authentication via AWS role delegation, which also allows the automatic discovery of your AWS assets. To use keyless authentication, you must establish a trust relationship between your AWS accounts and the Tenable AWS account. In this scenario, your AWS accounts communicate with a trusted Tenable AWS account, which in turn communicates with your AWS connector.
For more information about other AWS authentication options, see Amazon Web Services Connector.
If you want to use the Auto Discovery feature with keyless authentication, you must enable AWS Organizations and assign a ListAccounts policy. This policy allows the Tenable AWS Account to automatically find other AWS accounts in your organization, as shown in the diagram below.
To fully configure AWS keyless authentication with auto discovery in Tenable.io:
- In AWS, configure your AWS accounts to support keyless authentication and auto discovery for your connectors, as described in Configure AWS for Keyless Authentication and Auto Discovery. This documentation describes how to configure a role named tenableio-connector to delegate permissions for keyless authentication, and how to add an AWS Organizations policy with the ListAccounts permission to support auto discovery.
- In Tenable.io, create your AWS connector, as described in Create an AWS Connector.
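The two AWS-side pieces described above (a `tenableio-connector` role whose trust policy delegates to the Tenable AWS account, plus a permissions policy carrying `organizations:ListAccounts` for auto discovery) are shown below as an added example; this is not Tenable's own code or documentation. The Tenable account ID is a constructed placeholder that you must replace with the value from the connector setup page, and the `sts:ExternalId` condition and the audit function are assumptions added here as a defensive check against a confused-deputy misuse of the role, not a requirement stated on this page.

```python
"""Build and audit the IAM policy documents for a keyless Tenable.io AWS
connector role (added example; not Tenable's own code)."""
import json
from typing import Dict, List, Optional

# Role name taken from the page; the account ID is a constructed placeholder.
ROLE_NAME = "tenableio-connector"
TENABLE_ACCOUNT_ID_PLACEHOLDER = "111111111111"  # replace with the real Tenable AWS account ID


def trust_policy(tenable_account_id: str, external_id: Optional[str] = None) -> Dict:
    """Trust policy that lets the Tenable AWS account assume the role.

    Assumption: the sts:ExternalId condition is our hardening choice (it
    mitigates the confused-deputy problem); the page does not mention it.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{tenable_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def auto_discovery_policy() -> Dict:
    """Permissions policy granting only organizations:ListAccounts, the one
    action the page names for discovering member accounts."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "organizations:ListAccounts",
            "Resource": "*",
        }],
    }


def audit_trust_policy(doc: Dict) -> List[str]:
    """Return findings for a trust policy that is broader than it should be."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal to assume the role")
        actions = stmt.get("Action")
        actions = [actions] if isinstance(actions, str) else (actions or [])
        if any(a.lower() in ("sts:*", "*") for a in actions):
            findings.append("trust policy grants wildcard STS actions")
        if "Condition" not in stmt:
            findings.append("no ExternalId condition: role is exposed to confused-deputy misuse")
    return findings


def aws_cli_commands(tenable_account_id: str, external_id: Optional[str] = None) -> List[str]:
    """AWS CLI commands that create the role and attach the inline policy."""
    trust = json.dumps(trust_policy(tenable_account_id, external_id))
    perms = json.dumps(auto_discovery_policy())
    return [
        f"aws iam create-role --role-name {ROLE_NAME} "
        f"--assume-role-policy-document '{trust}'",
        f"aws iam put-role-policy --role-name {ROLE_NAME} "
        f"--policy-name tenable-auto-discovery --policy-document '{perms}'",
    ]


if __name__ == "__main__":
    # "constructed-external-id" is a made-up value for the demonstration.
    doc = trust_policy(TENABLE_ACCOUNT_ID_PLACEHOLDER, "constructed-external-id")
    print(json.dumps(doc, indent=2))
    print("findings:", audit_trust_policy(doc))
    for cmd in aws_cli_commands(TENABLE_ACCOUNT_ID_PLACEHOLDER, "constructed-external-id"):
        print(cmd)
```

Run `audit_trust_policy` against the trust document of any existing `tenableio-connector` role before onboarding it: a wildcard principal or a missing condition means the role can be assumed by parties other than the Tenable account you intended to trust. The `organizations:ListAccounts` policy must be attached in the organization's management account, since member accounts cannot list the organization.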