Create an AWS Connector with Keyless Authentication (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

You can create an AWS connector to discover AWS assets and import them to Tenable Vulnerability Management. Assets discovered through the connectors do not count against the license until and unless the asset is scanned for vulnerabilities.

Before you begin:

Note: To use Legacy Tenable Cloud Security Preview or Legacy Tenable Cloud Security, you must update or create new roles that support Legacy Tenable Cloud Security. Tenable Vulnerability Management cloud connector roles do not support Agentless Assessment.

To create an AWS connector with keyless authentication for discovery only:

  1. In the left navigation, click Settings.

    The Settings page appears.

  2. Click the Cloud Connectors tile.

    The Cloud Connectors page appears and displays the configured connectors table.

  3. In the upper-right corner of the page, click the Create Cloud Connector button.

    The cloud connector selection plane appears.

  4. In the Cloud Connectors section, click Amazon Web Services.

    The connector creation plane appears.

  5. In the Connector Name box, type a name to identify the connector.
  6. In the Account ID box, type your primary AWS account ID.

  7. (Optional) Click Create Stack to deploy a Cloud Formation Template (CFT) to your AWS account.

    Note: For discovery-only connectors, skip the stack creation steps in the user interface only if you have manually configured tenableio-connector role in your AWS account. The stack configures parameters, policies, and roles required for using the Tenable Vulnerability Management connector.

  8. (Optional) To expand more cloud connector settings, click Cloud Connector Advanced Settings.
    1. (Optional) Use the Auto Account Discovery toggle to enable or disable automatic discovery of linked accounts and CloudTrails.
      Note: Make sure that you create a tenableio-connector role either manually or via CFT for each linked account.
    2. (Optional) If you disabled Auto Account Discovery, do any of the following:
      • To manually add AWS accounts, next to Accounts for Cloud Assessment, click .
      • To manually add AWS CloudTrails, next to AWS CloudTrails for Cloud Assessment, click .
    3. (Optional) In the Select or Create Network drop-down box, select an existing network to which the connector should be added.

      When the connector discovers an asset, the associated network is added to the asset's details. For more information, see Networks.

    4. (Optional) Use the Cloud Connector Schedule toggle to enable or disable scheduled imports.

      By default, Tenable Vulnerability Management requests new and updated asset records every 1 day.

      If enabled:

      1. In the text box, type the frequency with which Tenable Vulnerability Management sends data requests to the AWS server.
      2. In the drop-down box select Minutes, Hours, or Days.

        Note: When you schedule a connector configuration to sync every 30 minutes, a discovery job is placed in a queue every 30 minutes. The results of the discovery job become available in the Tenable Vulnerability Management interface and logs depending on the workload for the connector services. So, the results of the discovery job can take more than 30 minutes depending on the queue.

  9. Do one of the following:
    • To save the connector, click Save.
    • To save the connector and import your assets from AWS, click Save & Import.

    Tenable Vulnerability Management imports your assets from AWS. There may be a short delay before your assets appear.

What to do next:

  • View assets to see assets that were discovered by the connector.