Configure AWS for Keyless Authentication (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you create a discovery-only connector with keyless authentication, you must first configure AWS. For more information on linking AWS accounts and establishing trust relationships, see AWS Connector with Keyless Authentication (Discovery Only).

Before you begin:

  1. On your AWS account, enable CloudTrail.
  2. Create a trail if one does not already exist.
  3. In the trail, turn on All or Write Only Management Events, as well as logging.

    Note: When an AWS connector is used to import assets, Tenable queries all the CloudTrail trails for that connector and determines the set of all regions that those trails receive events for. That set of regions is then used when making calls to the EC2 and CloudTrail APIs, so a trail that does not cover a region means assets in that region are not discovered.

To manually configure AWS for a discovery-only connector with keyless authentication:

  1. Obtain your Tenable Vulnerability Management container ID, as described in License Information.
  2. In your AWS account, create a role named tenableio-connector that delegates read-only permissions to the Tenable AWS account:

    Tip: For more information, see the Amazon AWS documentation.

    1. In the navigation pane of the AWS console, click Roles > Create role.
    2. For role type, click Another AWS account.
    3. For Account ID, type the ID 012615275169.

      Note: 012615275169 is the account ID of the Tenable AWS account that you will be establishing a trust relationship with to support AWS role delegation.

    4. Select the Require external ID check box, and type the Tenable Vulnerability Management container ID that you obtained in step 1.
    5. Click Next: Add Permissions.
    6. Create or reuse a policy that allows the following actions for each AWS service:

      Amazon EC2
      • DescribeInstances

      AWS CloudTrail
      • DescribeTrails
      • GetEventSelectors
      • GetTrailStatus
      • ListTags
      • LookupEvents

      AWS Organizations
      • ListAccounts

      Note: The ListAccounts permission is required only if you want Tenable Vulnerability Management to discover AWS accounts automatically. If you do not use auto account discovery, omit this permission.

      Note: Tenable recommends that you set Amazon Resource Name to * (all resources) for each AWS service. All of the actions above are read-only (Describe, Get, List and Lookup), so the role cannot create, modify or delete resources.

      1. Click Next: Tags.
      2. (Optional) Add any desired tags.
      3. Click Create policy.
    7. Click Next: Review.
    8. In the Role name box, type tenableio-connector.

      Caution: The role must be named tenableio-connector for the connector to work.

    9. Review the role, ensuring that the role name is tenableio-connector, and then click Create role.
    10. Viewing the new tenableio-connector role, click the Trust Relationship tab.
    11. Click Edit Trust Relationship.

      The policy document appears in a text box.

    12. At the AWS line of the text box, replace arn:aws:iam::012615275169:root with arn:aws:iam::012615275169:role/keyless_connector_role. This narrows the trust from every principal in the Tenable account to the single role that the connector uses; leave the sts:ExternalId condition that the console generated from your container ID in place.
    13. Click Update Trust Policy.
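The same role can be created from the command line instead of the console, and an existing role can be audited against the procedure. The following Python is an added example, not Tenable's code: it generates the trust policy that steps 3, 4 and 12 produce and the permissions policy from step 6, and it checks a trust policy document (for instance the one returned by `aws iam get-role`) for the two mistakes the steps guard against, a trust left at the account root and a missing or wrong external ID. The account ID, principal role name and actions are the ones listed above; the container ID used in the demonstration is a constructed placeholder, and the helper names are my own.

```python
"""Generate and audit the IAM documents for the tenableio-connector role.

Added example, not Tenable's code. Values taken from the procedure:
Tenable account 012615275169, principal role keyless_connector_role,
role name tenableio-connector, and the read-only actions from step 6.
The container ID in main() is a constructed placeholder.
"""
import json

TENABLE_ACCOUNT_ID = "012615275169"
TENABLE_PRINCIPAL = f"arn:aws:iam::{TENABLE_ACCOUNT_ID}:role/keyless_connector_role"
ROLE_NAME = "tenableio-connector"

# Read-only actions from step 6. The Organizations action is only needed
# when automatic account discovery is used.
DISCOVERY_ACTIONS = [
    "ec2:DescribeInstances",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetEventSelectors",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:ListTags",
    "cloudtrail:LookupEvents",
]
ORG_ACTIONS = ["organizations:ListAccounts"]


def build_trust_policy(container_id: str) -> dict:
    """Trust policy as it looks after step 12: only the named Tenable role
    may assume this role, and only when it presents your container ID as
    the external ID (the condition the console adds in step 4)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": TENABLE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": container_id}},
        }],
    }


def build_permissions_policy(auto_account_discovery: bool = True) -> dict:
    """Permissions policy from step 6, Resource * as Tenable recommends."""
    actions = DISCOVERY_ACTIONS + (ORG_ACTIONS if auto_account_discovery else [])
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict, container_id: str) -> list:
    """Return a list of problems; an empty list means the document matches
    the procedure. Feed it Role.AssumeRolePolicyDocument from get-role."""
    problems = []
    assume_statements = 0
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        assume_statements += 1
        principal = stmt.get("Principal", {})
        principals = _as_list(principal) if isinstance(principal, str) \
            else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                problems.append("principal * lets any AWS account assume the role")
            elif p.endswith(":root"):
                problems.append(f"trusts the whole account via {p}; "
                                f"step 12 replaces it with {TENABLE_PRINCIPAL}")
            elif p != TENABLE_PRINCIPAL:
                problems.append(f"unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition on the AssumeRole statement")
        elif ext != container_id:
            problems.append(f"external ID {ext!r} does not match container ID {container_id!r}")
    if assume_statements == 0:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems


if __name__ == "__main__":
    container_id = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
    with open("trust.json", "w") as f:
        json.dump(build_trust_policy(container_id), f, indent=2)
    with open("permissions.json", "w") as f:
        json.dump(build_permissions_policy(), f, indent=2)
    print("problems:", check_trust_policy(build_trust_policy(container_id), container_id))
```

With the two files written, `aws iam create-role --role-name tenableio-connector --assume-role-policy-document file://trust.json` creates the role with the narrowed trust in a single step, and `aws iam put-role-policy --role-name tenableio-connector --policy-name tenableio-connector --policy-document file://permissions.json` attaches the read-only permissions. To audit a role that was built in the console, pass the `AssumeRolePolicyDocument` from `aws iam get-role --role-name tenableio-connector` to `check_trust_policy`; a `:root` principal means step 12 was skipped.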

What to do next: