AWS Connector with Keyless Authentication (Discovery Only)
The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.
The Amazon Web Services (AWS) Connector provides real-time visibility and inventory of EC2 assets in AWS accounts.
You can create an AWS connector to discover AWS assets and import them into Tenable Vulnerability Management. Assets discovered through connectors do not count against your license unless and until they are scanned for vulnerabilities.
Tip: To configure an AWS connector with Frictionless Assessment, which allows you to assess EC2 instances for vulnerabilities without configuring agents or scans, see Frictionless Assessment for AWS.
Keyless Authentication
Tenable Vulnerability Management AWS connectors support keyless authentication via AWS role delegation, which allows automatic discovery of your AWS assets. To use keyless authentication, you must establish a trust relationship between your AWS accounts and the Tenable AWS account: your AWS accounts communicate with a trusted Tenable AWS account, which in turn communicates with your AWS connector.
Automatic Discovery of AWS Accounts
If you want the Tenable AWS account to automatically find the other AWS accounts in your organization, use keyless authentication with auto account discovery. You must enable AWS Organizations and assign a policy that allows ListAccounts; the Tenable AWS account then discovers the other AWS accounts and establishes trust relationships with them, as shown in the following diagram.
For more information about setting up AWS Organizations, see the AWS documentation.
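A check a practitioner can run before trusting the connector role, as an added example that is not Tenable's code: it lints the cross-account role's trust policy (only the Tenable AWS account named in the connector setup may assume it, and only with an external ID) and its permission policy (read-only EC2 discovery plus organizations:ListAccounts for auto account discovery). The account ID, the external ID and the sample policies are constructed placeholders; whether the connector setup supplies an external ID is not stated on this page, so that check is an assumption.

```python
TRUSTED_ACCOUNT = "111111111111"  # placeholder, not the real Tenable account ID
# Read-only actions discovery needs: EC2 inventory, plus ListAccounts for auto discovery.
ALLOWED_ACTION_PREFIXES = ("ec2:Describe", "organizations:ListAccounts")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Findings for the trust policy: only the expected account may assume the
    role, and only when it presents the agreed external ID (assumed control)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:") for a in actions):
            continue
        principals = stmt.get("Principal", {})
        principals = principals.get("AWS", []) if isinstance(principals, dict) else principals
        for principal in _as_list(principals):
            if principal == "*" or TRUSTED_ACCOUNT not in principal:
                findings.append(f"unexpected principal {principal}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


def check_permission_policy(policy):
    """Findings for Allow actions beyond read-only discovery."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith(ALLOWED_ACTION_PREFIXES):
                findings.append(f"non-discovery action {action}")
    return findings


# Constructed sample policies (not from the page; the external ID is a placeholder).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
WEAK_TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                    "Principal": {"AWS": "*"}}]}
PERMISSION_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeTags",
               "organizations:ListAccounts"]}]}
```

Run both checks against the role you created for the connector; an empty list from each means the trust is scoped to the expected account and the role can only read inventory.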
Manual Linking of AWS Accounts
If you do not want to use auto account discovery or if you are not using AWS Organizations, you can manually configure linked AWS accounts, as shown in the following diagram.
To configure and create an AWS connector with keyless authentication: