Automating Setting up AWS Connector Role

October 2, 2019

I recently had to set up quite a few AWS Connectors for various AWS accounts.

This can become quite a cumbersome task, so I decided to automate it.

The automation relies on two files:

  1. ~/.aws/config with multiple profiles
  2. trustpolicy.json (shown below)

This will be used by our script for the initial role creation. The account number referenced is the hard-coded Tenable account that Tenable.io wants you to use in the trust policy, so leave it as-is.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012615275169:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

This will do the heavy lifting. It will loop through the list of profiles it finds in your ~/.aws/config file and, for each one, create the role and attach the right managed policies. NOTE: It will not touch your default account, because the default credentials live in the [default] section rather than in a [profile ...] section, and only the latter are picked up.

You should replace “[email protected]” with your email address.


#!/usr/bin/env bash

# Collect the profile names from ~/.aws/config. Only "[profile NAME]"
# sections match, so the "[default]" section is never processed.
aws_profiles=$( \
        grep '\[profile' ~/.aws/config \
        | awk '{sub(/]/, "", $2); print $2}' \
)

for profile in ${aws_profiles}
do
    echo "[*] - Processing profile [$profile]"
    # A non-zero exit here means the role does not exist yet in this account
    aws iam list-role-policies --role-name tenableio-connector --profile "$profile"
    if [ $? -ne 0 ]
    then
        echo "[*] - Creating Role"

        aws iam create-role --role-name tenableio-connector \
            --assume-role-policy-document file://trustpolicy.json \
            --description 'Used by [email protected] to update assets in the vulnerability scanning tool' \
            --tags 'Key=Owner,Value=[email protected]' 'Key=Description,Value=Nessus Vulnerability Scanning' \
            --profile "$profile"

        echo "[*] - attaching policies"

        aws iam attach-role-policy \
            --policy-arn arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess \
            --role-name tenableio-connector --profile "${profile}"

        aws iam attach-role-policy \
            --policy-arn arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess \
            --role-name tenableio-connector --profile "${profile}"

        aws iam attach-role-policy \
            --policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess \
            --role-name tenableio-connector --profile "${profile}"
    else
        echo "Policy already exists for [$profile]... skipping"
    fi
done
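Once the loop has run across many accounts, it is worth verifying that each role still looks the way the script left it. The following is an added check, not part of the original post: it takes the JSON that `aws iam get-role --role-name tenableio-connector` and `aws iam list-attached-role-policies --role-name tenableio-connector` return for a profile and reports any principal other than the Tenable account that may assume the role, and any drift from the three read-only policies. The sample CLI output below is constructed for the demonstration.

```python
# Values taken from the post: the Tenable connector account that the trust
# policy must allow, and the three managed policies the script attaches.
TENABLE_PRINCIPAL = "arn:aws:iam::012615275169:root"
REQUIRED_POLICIES = {
    "arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
}

def trust_policy_findings(role_json):
    """Audit the output of `aws iam get-role`: every Allow statement granting
    sts:AssumeRole must name the Tenable account and nothing else."""
    doc = role_json["Role"]["AssumeRolePolicyDocument"]
    principals = set()
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*", "*"} & set(actions)):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])  # "*" means anyone
        principals.update([aws] if isinstance(aws, str) else aws)
    findings = []
    if TENABLE_PRINCIPAL not in principals:
        findings.append("Tenable account is not allowed to assume the role")
    findings += [f"unexpected principal may assume the role: {p}"
                 for p in sorted(principals - {TENABLE_PRINCIPAL})]
    return findings

def attached_policy_findings(attached_json):
    """Audit the output of `aws iam list-attached-role-policies`: the attached
    set must be exactly the three read-only managed policies from the post."""
    arns = {p["PolicyArn"] for p in attached_json["AttachedPolicies"]}
    return ([f"missing policy: {a}" for a in sorted(REQUIRED_POLICIES - arns)]
            + [f"extra policy: {a}" for a in sorted(arns - REQUIRED_POLICIES)])

# Constructed sample CLI output (not captured from a real account): a trust
# policy that also lets "*" assume the role, and a drifted policy set.
SAMPLE_ROLE = {"Role": {"RoleName": "tenableio-connector", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": [TENABLE_PRINCIPAL, "*"]},
                   "Action": "sts:AssumeRole", "Condition": {}}]}}}
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "AmazonEC2ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"},
    {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}

if __name__ == "__main__":
    for finding in trust_policy_findings(SAMPLE_ROLE) + attached_policy_findings(SAMPLE_ATTACHED):
        print("[!]", finding)
```

Feed it real output by piping the two CLI calls (with `--profile`) into a small wrapper that calls `json.load` and the two functions; an empty list from both means the account matches the post's setup.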