Automating Setting up Tenable.io AWS Connector Role

October 2, 2019

I recently had to set up quite a few AWS Connectors in Tenable.io for various AWS accounts.

This can become quite a cumbersome task so I decided to automate it.

Prerequisites

  1. ~/.aws/config with multiple profiles
  2. trustpolicy.json (shown below)

trustpolicy.json

This will be used by our script for the initial role creation. The account # referenced is the hard coded account # that tenable wants you to use.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012615275169:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

aws_tenable_connector_setup.sh

This will do the heavy lifting. It will loop through the list of profiles it finds in your ~/.aws/config file and create the appropriate role and attach the right policies. NOTE: It will not touch your default account

You should replace “[email protected]” with your email address

#!/bin/bash

aws_profiles=$( \
        grep '\[profile' ~/.aws/config \
        | awk '{sub(/]/, "", $2); print $2}' \
)

for profile in ${aws_profiles}
do
    echo "[*] - Processing profile [$profile]"
    aws iam list-role-policies --role-name tenableio-connector --profile $profile
if [ $? -ne 0 ]
   then
    echo "[*] - Creating Role"

    aws iam create-role --role-name tenableio-connector \
--assume-role-policy-document file://trustpolicy.json \
--description 'Used by [email protected] to update assets in the vulnerability scanning tool tenable.io' --tags 'Key=Owner,[email protected]' 'Key=Description,Value=Tenble.io Nessus Vulnerability Scanning' \
--profile $profile

    echo "[*] - attaching policies"

aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess \
--role-name tenableio-connector --profile ${profile}


aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess \
--role-name tenableio-connector --profile ${profile}

aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess \
--role-name tenableio-connector --profile ${profile}


   else
      echo "Policy already exists for [$profile]... skipping"
   fi


done