Scannerless Amazon Web Services (AWS) Scanning with Nessus Agents
The new Nessus® Agents are a really great fit for organizations that have deployments in AWS environments and want a simple, flexible means to scan them for vulnerabilities. Agents effectively let you scan your AWS assets without having to actually install scanners, and with recently announced support for Amazon Linux and Ubuntu, agents now run on the most popular operating systems in AWS.
Agents effectively let you scan your AWS assets without having to actually install scanners
Tenable and AWS
First, let’s review Tenable’s approach towards AWS:
- The Nessus Bring Your Own License (BYOL) model allows customers the ability to scan AWS instances with a pre-built AWS appliance and a Nessus license purchased from Tenable. This can be used with Nessus Cloud, Nessus Manager or SecurityCenter™. The BYOL requires pre-authorization from Amazon before a scan can be done.
- A Nessus Cloud license includes a scanner for AWS. Simply install the scanner in your AWS environment, point it at the targets you’d like to scan, and then view and manage the scan results in Nessus Cloud. This scanner is pre-authorized by Amazon to run scans in AWS.
- Nessus Agents are another option for vulnerability scanning in your AWS environment. Install agents on assets in AWS and those agents will look to Nessus Cloud or Nessus Manager for instructions on what scans to run and when to send results back to the manager. Agent data can also be imported into SecurityCenter if you want to view the information there. Nessus Agents provide the equivalent of a full credentialed scan for the target, without requiring a scanner and without requiring the credentials for the asset of interest.
With so many options, our approach to AWS is by far the most flexible in the industry.
Nessus Agent benefits
While both the BYOL and Nessus scanner for AWS provide excellent vulnerability scanning functionality, Nessus Agents provide many unique benefits when used within AWS:
- A Nessus Agent does not need any additional AWS resources, since it’s installed within the actual AWS asset that you want to scan.
- Since no actual “scanning” between AWS instances is taking place, there is no need to get authorization from Amazon to do a scan.
- No credentials are required for the AWS instance that needs to be scanned.
- The Nessus Agents are fully managed by Nessus Cloud or Nessus Manager, which can interface with SecurityCenter.
- The Nessus Agent can be managed by Nessus Cloud or Nessus Manager independent of where the manager is; in other words, the manager can be located inside or outside the AWS Cloud.
- Nessus Agent deployment can be fully scripted. For example, include it in your Chef recipes to automatically spin up agents on new AWS assets.
Nessus Agent technology uniquely enables simplified vulnerability assessment of AWS assets, both large and small. It’s easy to deploy and maintain, and provides the same extensive results obtained from a traditional Nessus scanner – without the complications of running an actual scanner.
Nessus Agent technology uniquely enables simplified vulnerability assessment of AWS assets, both large and small
For more information about Nessus Agents and the Nessus Scanner for AWS, check out what’s New in Nessus 6.5.