Frictionless Assessment for AWS
The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.
With Frictionless Assessment, Tenable Vulnerability Management discovers and collects an inventory of data points on your Amazon Web Services (AWS) EC2 instances. Then, for EC2 instances with an AWS tag that you specify for Frictionless Assessment, Tenable Vulnerability Management assesses the hosts for vulnerabilities in the cloud, rather than running plugins locally on the hosts.
Frictionless Assessment uses the AWS Systems Manager Inventory and AWS Systems Manager Agent (SSM Agent) to collect the required data. For more information on AWS configuration requirements, see Configure AWS for Frictionless Assessment.
You do not need to configure scanners, Tenable Nessus Agents, scans, or scan schedules to assess hosts with Frictionless Assessment.
Operating System Coverage
Frictionless Assessment has vulnerability coverage for EC2 instances created from the following Amazon Machine Images:
- Amazon Linux 1 / 2
- CentOS 6 / 7 / 8
- Red Hat 6 / 7 / 8
- SUSE Linux Enterprise Server (SLES) 11.4-15.2
- SUSE Linux Enterprise Desktop (SLED) 12-15.2
- Ubuntu 16.04 / 18.04 / 20.04 / 22.04
- Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
- Windows 7, Windows 8, Windows 10, Windows 11
Licensing Considerations
In Tenable Vulnerability Management, assets generally count toward your license when they are assessed for vulnerabilities. EC2 hosts assessed by Frictionless Assessment therefore count against your license. For more information, see Tenable Vulnerability Management Licenses.
When you select AWS tags for the hosts that Frictionless Assessment should assess, note that every host carrying any of those tags counts toward your license. Hosts that the connector only discovers but Frictionless Assessment does not assess (for example, hosts without a tag you selected for Frictionless Assessment) do not count toward your license.
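The licensing rule above is a tag filter over your EC2 inventory, so it is worth being able to predict the licensed count before enabling a connector. The following is an added illustration, not Tenable's code: it walks a response in the shape of `aws ec2 describe-instances` (the sample instances, IDs and the tag key `tenable-fa` are constructed) and splits hosts into those that would be assessed, and therefore licensed, and those that would only be discovered. Restricting the match to a set of tag values is an assumption modelled on the page's "any of those tags" wording.

```python
"""Predict which EC2 instances Frictionless Assessment would license.

Added example (not Tenable's code). Rule modelled from the documentation:
a host counts against the license when it carries the selected tag key
(optionally restricted to selected values); discovered-only hosts do not.
"""
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# Instance IDs, names and the tag key/values are made up for this example.
SAMPLE_DESCRIBE_INSTANCES: Dict = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa000000000001",
             "Tags": [{"Key": "Name", "Value": "web-1"},
                      {"Key": "tenable-fa", "Value": "prod"}]},
            {"InstanceId": "i-0aaa000000000002",
             "Tags": [{"Key": "Name", "Value": "web-2"},
                      {"Key": "tenable-fa", "Value": "staging"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0aaa000000000003",
             "Tags": [{"Key": "Name", "Value": "db-1"}]},
            # Untagged instance: describe-instances omits the Tags key entirely.
            {"InstanceId": "i-0aaa000000000004"},
        ]},
    ]
}


def iter_instances(describe_output: Dict) -> Iterator[Dict]:
    """Flatten the Reservations -> Instances nesting of describe-instances."""
    for reservation in describe_output.get("Reservations", []):
        yield from reservation.get("Instances", [])


def tag_value(instance: Dict, key: str) -> Optional[str]:
    """Return the value of tag `key` on the instance, or None if absent."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def partition_by_tag(describe_output: Dict, tag_key: str,
                     tag_values: Optional[Iterable[str]] = None
                     ) -> Tuple[List[str], List[str]]:
    """Split instance IDs into (assessed, discovered_only).

    An instance is assessed when it carries `tag_key`; if `tag_values` is
    given, the tag's value must additionally be one of those values.
    """
    accepted: Optional[Set[str]] = set(tag_values) if tag_values is not None else None
    assessed: List[str] = []
    discovered_only: List[str] = []
    for inst in iter_instances(describe_output):
        value = tag_value(inst, tag_key)
        selected = value is not None and (accepted is None or value in accepted)
        (assessed if selected else discovered_only).append(inst["InstanceId"])
    return assessed, discovered_only


def licensed_asset_count(describe_output: Dict, tag_key: str,
                         tag_values: Optional[Iterable[str]] = None) -> int:
    """Number of hosts that would count against the license."""
    return len(partition_by_tag(describe_output, tag_key, tag_values)[0])


if __name__ == "__main__":
    assessed, discovered = partition_by_tag(SAMPLE_DESCRIBE_INSTANCES, "tenable-fa")
    print("assessed (licensed):", assessed)
    print("discovered only    :", discovered)
    print("prod-only license count:",
          licensed_asset_count(SAMPLE_DESCRIBE_INSTANCES, "tenable-fa", {"prod"}))
```

Run it against real output by piping `aws ec2 describe-instances --region <region>` through `json.load` into `partition_by_tag`; the untagged-instance case matters because `describe-instances` drops the `Tags` key rather than returning an empty list.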
Supported Regions
The following regions are supported for AWS Frictionless Assessment:
- us-east-1, US East (N. Virginia)
- us-east-2, US East (Ohio)
- us-west-1, US West (N. California)
- us-west-2, US West (Oregon)
- ca-central-1, Canada (Central)
- ap-south-1, Asia Pacific (Mumbai)
- ap-northeast-1, Asia Pacific (Tokyo)
- ap-northeast-2, Asia Pacific (Seoul)
- ap-southeast-1, Asia Pacific (Singapore)
- ap-southeast-2, Asia Pacific (Sydney)
- eu-central-1, EU (Frankfurt)
- eu-west-1, EU (Ireland)
- eu-west-2, EU (London)
- eu-west-3, EU (Paris)
- sa-east-1, South America (Sao Paulo)
Limitations
- Frictionless Assessment does not run informational plugins, run remote vulnerability plugins, or gather compliance data.
- A connector configured with Frictionless Assessment only supports one AWS account. If you want to assess hosts across multiple AWS accounts, you must configure a separate connector for each AWS account.
- You must use a single AWS tag key to identify the assets you want Frictionless Assessment to assess.
- Tenable Vulnerability Management creates an AWS Systems Manager inventory association on your instance to collect inventory for Frictionless Assessment. However, AWS Systems Manager allows only one inventory association per instance at a time, as described in the AWS Documentation. If an inventory association is already applied to your instance, remove it before configuring Frictionless Assessment. For more information, see the AWS Documentation.
- Frictionless Assessment scans are limited to one per day. Existing Frictionless Assessment connectors created before May 1, 2023 transmit inventory data more frequently than that; Frictionless Assessment drops any data that exceeds the frequency limit and does not scan it.
Note: The limitation does not apply to Tenable Container Security, Agentless Assessment, or Tenable Nessus Agent-based inventory scans.
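Because AWS Systems Manager permits only one inventory association per instance, the practical pre-flight check before enabling Frictionless Assessment is to find which candidate instances already have one. The block below is an added illustration, not Tenable's or AWS's code. It walks a response in the shape of `aws ssm list-associations` and reports, for each instance you intend to tag, the IDs of any existing associations that run the SSM inventory document `AWS-GatherSoftwareInventory`. The association IDs, instance IDs and tags are constructed; the target-matching rules for `InstanceIds`, `tag:<key>` and `tag-key` targets are a simplified model of SSM targeting and are an assumption of this example.

```python
"""Find EC2 instances that already carry an SSM inventory association.

Added example (not Tenable's or AWS's code). Models the page's caveat that
only one inventory association may be applied to an instance at a time:
any instance listed here must have its existing association removed before
Frictionless Assessment can create its own.
"""
from typing import Dict, List

# SSM document that inventory associations execute.
INVENTORY_DOCUMENT = "AWS-GatherSoftwareInventory"

# Constructed sample in the shape of `aws ssm list-associations` output.
# Association IDs and instance IDs are made up for this example.
SAMPLE_LIST_ASSOCIATIONS: Dict = {
    "Associations": [
        {"Name": "AWS-GatherSoftwareInventory", "AssociationId": "aaaa-1111",
         "Targets": [{"Key": "InstanceIds", "Values": ["i-0aaa000000000001"]}]},
        {"Name": "AWS-GatherSoftwareInventory", "AssociationId": "bbbb-2222",
         "Targets": [{"Key": "tag:env", "Values": ["prod"]}]},
        # Not an inventory association; must not be reported as a conflict.
        {"Name": "AWS-UpdateSSMAgent", "AssociationId": "cccc-3333",
         "Targets": [{"Key": "InstanceIds", "Values": ["i-0aaa000000000002"]}]},
    ]
}

# Constructed tags of the instances you plan to tag for Frictionless Assessment.
CANDIDATE_INSTANCE_TAGS: Dict[str, Dict[str, str]] = {
    "i-0aaa000000000001": {"Name": "web-1", "tenable-fa": "yes"},
    "i-0aaa000000000002": {"Name": "web-2", "env": "prod", "tenable-fa": "yes"},
    "i-0aaa000000000003": {"Name": "db-1", "tenable-fa": "yes"},
}


def target_matches(target: Dict, instance_id: str, tags: Dict[str, str]) -> bool:
    """Simplified SSM target evaluation (assumption of this example).

    InstanceIds: explicit ID list, or "*" for every managed instance.
    tag:<key>:   instance tag <key> has one of the listed values.
    tag-key:     instance carries any of the listed tag keys.
    """
    key = target.get("Key", "")
    values: List[str] = target.get("Values", [])
    if key == "InstanceIds":
        return "*" in values or instance_id in values
    if key == "tag-key":
        return any(v in tags for v in values)
    if key.startswith("tag:"):
        return tags.get(key[len("tag:"):]) in values
    return False  # resource-group targets are out of scope here


def conflicting_inventory_associations(list_output: Dict,
                                       instance_tags: Dict[str, Dict[str, str]]
                                       ) -> Dict[str, List[str]]:
    """Map instance ID -> IDs of existing inventory associations that target it."""
    conflicts: Dict[str, List[str]] = {}
    for assoc in list_output.get("Associations", []):
        if assoc.get("Name") != INVENTORY_DOCUMENT:
            continue
        for instance_id, tags in instance_tags.items():
            if any(target_matches(t, instance_id, tags) for t in assoc.get("Targets", [])):
                conflicts.setdefault(instance_id, []).append(assoc["AssociationId"])
    return conflicts


def instances_ready(list_output: Dict,
                    instance_tags: Dict[str, Dict[str, str]]) -> List[str]:
    """Candidate instances with no existing inventory association."""
    blocked = conflicting_inventory_associations(list_output, instance_tags)
    return [i for i in instance_tags if i not in blocked]


if __name__ == "__main__":
    for inst, ids in conflicting_inventory_associations(
            SAMPLE_LIST_ASSOCIATIONS, CANDIDATE_INSTANCE_TAGS).items():
        print(f"{inst}: remove association(s) {ids} before enabling Frictionless Assessment")
    print("ready:", instances_ready(SAMPLE_LIST_ASSOCIATIONS, CANDIDATE_INSTANCE_TAGS))
```

A tag-targeted association (such as `bbbb-2222` above) is the one that is easy to miss in a manual review, because it never names the instance; it attaches to every instance that currently carries the tag, including instances tagged after the association was created.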
Get Started
- Determine who in your organization has the appropriate AWS credentials to access the AWS console.
- Depending on who has the AWS credentials, do one of the following:
  - If you are setting up the Tenable Vulnerability Management cloud connector and also have the appropriate AWS credentials for your organization:
    - Ensure your AWS configuration meets the requirements for Frictionless Assessment, as described in Configure AWS for Frictionless Assessment.
    - Create your AWS connector, as described in Create an AWS Connector for Frictionless Assessment.
  - If you are setting up the Tenable Vulnerability Management cloud connector, but someone other than you in your organization has the necessary AWS credentials:
    - The person with AWS credentials must ensure the AWS configuration meets the requirements for Frictionless Assessment, as described in Configure AWS for Frictionless Assessment.
    - The person with AWS credentials must manually configure AWS roles and policies for use with Frictionless Assessment.
    - Create your AWS connector, as described in Create an AWS Connector with Keyless Authentication for Frictionless Assessment.
- To delete an AWS cloud connector, see Delete a Connector.
  - If you delete a connector, manually delete the CloudFormation stack in AWS, as described in Manually Delete Connector Artifacts in AWS.
For more information, see the following topics: