Configure Tenable Data Stream

Required Tenable Vulnerability Management User Role: Administrator

To set up Tenable Data Stream, connect your AWS bucket to Tenable Vulnerability Management. When connecting to your AWS bucket, Tenable uses an AWS Identity and Access Management (IAM) role with a trust relationship and least-privilege access.

To configure Tenable Data Stream:

  1. In the left navigation, click Settings.

    The Settings page appears.

  2. Click Tenable Data Stream.

    The Tenable Data Stream page appears.

  3. In the top-left corner, click Add an Integration.

  4. In the Add Integration window, enter the following:

    Integration Name: The name of the integration.

    Integration Type: The type of the integration. AWS S3 is the only selectable option.

    Integration Data: Determines the type or types of data that Tenable Vulnerability Management streams to your AWS bucket.

    You can select any combination of the following options:

    • Tenable Vulnerability Management

      • Assets

      • Vulnerabilities

      • Host Audit

    • Tenable Web App Scanning

      • Assets

      • Findings

      Note: Selecting either asset type configures Tenable Vulnerability Management to stream tag data in addition to the asset data. For example, if you select Tenable Web App Scanning Assets, Tenable Vulnerability Management streams Web App Scanning asset and tag data.

    Email Notification: (Optional) An email address where notifications will be sent if the stream state changes (for example, when a stream fails).

  5. Click Next.

  6. In Configure an IAM Role, enter the following:

    AWS Account ID: Your organization's AWS account ID, as described in AWS Account Management in the AWS documentation.

    IAM Role Name: The IAM role to use, as described in IAM roles in the AWS documentation.

    Tip: Tenable recommends creating a new IAM role. In the IAM Role Guidelines panel, select Copy Trust Policy or Copy Trust Policy Statement and add the policy to your AWS settings as described in Creating a role using custom trust policies in the AWS documentation. If you are not creating a new role, copy the Trust Policy into the existing role instead.

    Note: If your S3 bucket uses SSE-KMS encryption, grant this IAM role the kms:GenerateDataKey permission on the KMS key. See Tenable Data Stream Best Practices for details.

    External ID: A secret alphanumeric identifier that Tenable uses to assume the IAM role, as described in Access to AWS accounts owned by third parties in the AWS documentation.

  7. Click Next.

  8. In Configure an AWS Bucket, add the following:

    S3 Bucket Name: The name you want to use for the S3 bucket.

    Tip: Tenable recommends creating a new AWS bucket. In the Bucket Guidelines panel, select Copy Bucket Policy and add it to your S3 bucket permissions. If you are not creating a new bucket, copy the Bucket Policy to your existing bucket instead.

    Path Prefix: The path prefix for the AWS path where your data will be saved.

  9. Click Save.

    Tenable Vulnerability Management begins processing the AWS integration.
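Before saving, it is worth checking that the trust policy you pasted into the role (step 6) actually requires the External ID and names a specific principal, and that the bucket policy (step 8) does not grant more than the stream's path prefix. The following is an added example, not Tenable's code: the account IDs, bucket name, prefix and External ID are constructed placeholders, and the policies shown in the IAM Role Guidelines and Bucket Guidelines panels remain the authoritative source for the exact actions the integration needs.

```python
def _as_list(value):
    """IAM allows a string or a list in Action/Resource fields."""
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_findings(policy: dict) -> list[str]:
    """Findings for a role trust policy: every Allow of sts:AssumeRole must
    name a specific principal and require the agreed External ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("trust: wildcard principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("trust: sts:AssumeRole allowed without sts:ExternalId")
    return findings

def bucket_policy_findings(policy: dict, bucket: str, prefix: str) -> list[str]:
    """Findings for the bucket policy: no wildcard actions, and every
    object-level resource stays under the stream's path prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed = f"{bucket_arn}/{prefix.strip('/')}/"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            findings.append("bucket: wildcard action")
        for res in _as_list(stmt.get("Resource")):
            # A grant on the bucket itself (e.g. listing) is not an object path.
            if res != bucket_arn and not res.startswith(allowed):
                findings.append(f"bucket: resource outside path prefix: {res}")
    return findings

# Constructed sample documents; account IDs, bucket, prefix and External ID
# are placeholders, not values from Tenable or AWS.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::<TENABLE_ACCOUNT_ID>:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
GOOD_BUCKET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject"],
    "Principal": {"AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/TenableDataStream"},
    "Resource": "arn:aws:s3:::example-tenable-stream/tenable/*"}]}
```

Run the two checks over the policy JSON you pasted into AWS; an empty list means the role can only be assumed with the External ID and the bucket grant stays inside the configured Path Prefix.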