Tenable Data Stream Best Practices
When configuring Tenable Data Stream, Tenable recommends the following.
Configuring an IAM Role
To access your AWS bucket, the Tenable system assumes an AWS Identity and Access Management (IAM) role, for which it requires a trust relationship. When assuming the role, the system employs temporary session tokens which are regenerated once an hour. To learn more, see IAM roles in the AWS documentation.
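The trust relationship described above is an IAM trust policy on the role Tenable assumes, paired with a permissions policy that limits what the assumed role may do in the bucket. The following Python is an added example, not Tenable's code or the exact policy Tenable's setup wizard produces: it builds both documents and runs a small least-privilege check over the trust policy. The account ID, external ID and bucket name are constructed placeholders; scoping the permissions policy to `s3:PutObject` and requiring an `sts:ExternalId` condition are our assumptions about good practice, so use the principal and actions Tenable's configuration instructions actually specify.

```python
import json

# Constructed placeholders (assumptions, not real Tenable values): substitute the
# account ID and external ID shown in the Tenable Data Stream configuration UI.
TENABLE_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"
BUCKET_NAME = "example-tenable-stream-bucket"


def build_trust_policy(principal_account: str, external_id: str) -> dict:
    """Trust policy that lets one AWS account assume the role through STS.

    The sts:ExternalId condition is an assumption about good practice; the page
    itself only says a trust relationship is required.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_permissions_policy(bucket: str) -> dict:
    """Permissions policy for the role, scoped to writing objects into one bucket.

    s3:PutObject alone is our least-privilege assumption, derived from the page's
    statement that the Tenable system only writes to the bucket.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return human-readable problems found in a trust policy (empty list = clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # A wildcard principal lets any AWS identity assume the role.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any principal to assume the role")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # Without a condition, anyone in the trusted account can assume the role.
        if "sts:AssumeRole" in actions and "Condition" not in stmt:
            findings.append("sts:AssumeRole has no condition (for example sts:ExternalId)")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(TENABLE_ACCOUNT_ID, EXTERNAL_ID)
    perms = build_permissions_policy(BUCKET_NAME)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust policy findings:", trust_policy_findings(trust) or "none")
```

The two JSON documents can be attached with `aws iam create-role --assume-role-policy-document file://trust.json` and `aws iam put-role-policy`; run `trust_policy_findings` against the role's current trust policy (`aws iam get-role`) whenever a stream drops into the RETRY or FAILED state, since a changed trust relationship is one of the failure causes listed on this page.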
Configuring the S3 Bucket
When configuring the S3 bucket, follow these guidelines:
- IAM policy — Apply a policy to define permissions for the Tenable system. To learn more, see Policies and permissions in AWS Identity and Access Management in the AWS documentation.
- AWS region — For the fastest speeds, use an S3 bucket in the same AWS Region as your Tenable container.
- Server-side encryption — By default, AWS uses server-side encryption with Amazon S3-managed keys. Tenable only supports the default encryption mode of SSE-S3, not other modes such as SSE-KMS. To learn more, see Protecting data with server-side encryption in the AWS documentation.
- Writing to the bucket — The Tenable system can only write to your S3 bucket when sending data.
- Deleting files — To delete files or free space, use object expiration. To learn more, see Expiring objects in the AWS documentation.
- AWS storage — The more Tenable scans you run, the more data will be sent. This impacts your AWS storage costs.
- Notification events — You must manually configure any notifications or triggers that start processes to ingest incoming data into your systems.
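Two of the guidelines above are easy to verify and automate: the bucket's default encryption must be SSE-S3 rather than SSE-KMS, and cleanup should rely on object expiration. The following Python is an added example, not Tenable's code: it checks a bucket encryption configuration (in the shape returned by the S3 `GetBucketEncryption` API) for the SSE-S3 algorithm identifier `AES256`, and builds a lifecycle configuration in the shape `PutBucketLifecycleConfiguration` accepts. The two sample configurations, the prefix and the retention period are constructed for illustration.

```python
import json

# Constructed sample responses, shaped like the ServerSideEncryptionConfiguration
# element that `aws s3api get-bucket-encryption` returns.
SSE_S3_CONFIG = {
    "Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    ]
}
SSE_KMS_CONFIG = {
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                # Placeholder key ID, not a real key.
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
            }
        }
    ]
}


def default_encryption_is_sse_s3(encryption_config: dict) -> bool:
    """True only when every default-encryption rule uses SSE-S3 (AES256).

    An empty rule list cannot be confirmed as SSE-S3, so it is reported as
    unsupported rather than assumed to be the AWS default.
    """
    rules = encryption_config.get("Rules", [])
    if not rules:
        return False
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") != "AES256":
            return False
    return True


def expiration_lifecycle_rule(prefix: str, days: int) -> dict:
    """Lifecycle configuration that expires objects under `prefix` after `days` days.

    Object expiration is the deletion mechanism this page recommends; the prefix
    and retention period are the operator's choice.
    """
    if days < 1:
        raise ValueError("expiration must be at least one day")
    rule_id = f"expire-{prefix.strip('/') or 'all'}-{days}d"
    return {
        "Rules": [
            {
                "ID": rule_id,
                "Status": "Enabled",
                "Filter": {"Prefix": prefix},
                "Expiration": {"Days": days},
            }
        ]
    }


if __name__ == "__main__":
    for label, cfg in (("SSE-S3", SSE_S3_CONFIG), ("SSE-KMS", SSE_KMS_CONFIG)):
        ok = default_encryption_is_sse_s3(cfg)
        print(f"{label}: {'supported' if ok else 'NOT supported by Tenable Data Stream'}")
    print(json.dumps(expiration_lifecycle_rule("tenable/", 30), indent=2))
```

To use it against a live bucket, feed the output of `aws s3api get-bucket-encryption --bucket NAME` (the `ServerSideEncryptionConfiguration` element) to `default_encryption_is_sse_s3`, and write the lifecycle document to a file for `aws s3api put-bucket-lifecycle-configuration --bucket NAME --lifecycle-configuration file://lifecycle.json`. Keep the retention window longer than the three-day RETRY period described under Troubleshooting, so a stream that resumes from its last checkpoint does not find its earlier objects already expired.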
Troubleshooting Tenable Data Stream
Check the status of your streams in Settings > Tenable Data Stream.
Streams have three states:
| State | Description |
|---|---|
| OK | Stream data is being successfully sent. |
| RETRY | The system has encountered configuration errors and will retry the stream for three days. If the errors are fixed, the stream resumes from the last checkpoint with no lost data. |
| FAILED | The stream is suspended and the system will not retry. Data has been lost. When you address any configuration errors, the system will treat the stream as a new stream. |
About Stream Failures
Streams can fail for the following reasons:
- Misconfigured IAM role — Deleting the role from your AWS account or changing the trust relationship.
- S3 bucket issue — Changing the bucket policy (for example, by removing permissions), deleting the bucket, incorrect provisioning, or AWS storage issues.
Consuming Data from Tenable Data Stream
Tenable Data Stream writes data in the order that it's observed (for example, in the order of a series of scans). In AWS, you can sort files by name to put them in sequential order. You can also use the order from the manifest file sent when a stream completes successfully within 60 minutes.