I recently had to set up quite a few AWS Connectors in Tenable.io for various AWS accounts.

This can become quite a cumbersome task so I decided to automate it.


  1. ~/.aws/config with multiple profiles
  2. trustpolicy.json (shown below)


This will be used by our script for the initial role creation. The account # referenced is the hard coded account # that tenable wants you to use.

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012615275169:root"
      "Action": "sts:AssumeRole",
      "Condition": {}


This will do the heavy lifting. It will loop through the list of profiles it finds in your ~/.aws/config file and create the appropriate role and attach the right policies. NOTE: It will not touch your default account

You should replace “[email protected]” with your email address


aws_profiles=$( \
        grep '\[profile' ~/.aws/config \
        | awk '{sub(/]/, "", $2); print $2}' \

for profile in ${aws_profiles}
    echo "[*] - Processing profile [$profile]"
    aws iam list-role-policies --role-name tenableio-connector --profile $profile
if [ $? -ne 0 ]
    echo "[*] - Creating Role"

    aws iam create-role --role-name tenableio-connector \
--assume-role-policy-document file://trustpolicy.json \
--description 'Used by [email protected] to update assets in the vulnerability scanning tool tenable.io' --tags 'Key=Owner,[email protected]' 'Key=Description,Value=Tenble.io Nessus Vulnerability Scanning' \
--profile $profile

    echo "[*] - attaching policies"

aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess \
--role-name tenableio-connector --profile ${profile}

aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess \
--role-name tenableio-connector --profile ${profile}

aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess \
--role-name tenableio-connector --profile ${profile}

      echo "Policy already exists for [$profile]... skipping"

Last modified: October 2, 2019



Write a Reply or Comment

Your email address will not be published.

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax

This site uses Akismet to reduce spam. Learn how your comment data is processed.