Update: Nessus Enterprise for AWS is no longer available. For pre-authorized scanning for AWS from Tenable, please see Nessus Cloud.
Note: Nessus Cloud is now a part of Tenable.io Vulnerability Management. To learn more about this application and its latest capabilities, visit the Tenable.io Vulnerability Management web page.
Amazon Web Services (AWS) allows organizations to shift key compute, storage, and network resources from on-premises to the cloud, offering an on-demand delivery of IT resources with pay-as-you-go pricing. While organizations have deployed vulnerability and security solutions to protect their on-premises assets, they face challenges in monitoring and securing their AWS instances in the cloud.
If you operate your company's business critical applications in the AWS (Amazon Web Services) cloud, you’re likely facing challenges such as:
- Inability to perform integrated scan of vulnerabilities, compliance violations, and advanced threats for AWS instances
- Annoyance of having to submit an AWS Vulnerability / Penetration Testing Request Form each time to scan AWS instances
- Identifying and continually managing risk from AWS instances whose IPs can change over time
- Inconvenience of manually installing active scanning software in the AWS cloud
- Complexity in managing and administering individual scanners, policies, and users in the AWS cloud
To address security risks, Amazon recommends that all AWS developers scan their AWS instances while in development and operations, and before publishing to AWS users.
To address these, Tenable has worked with Amazon to offer two solutions for AWS environments: Nessus Enterprise for AWS and Nessus (BYOL). Both are available for purchase on the AWS Marketplace as annual subscriptions and pay-as-you-go pricing, when extra Cloudburst capacity is needed.
Nessus Enterprise for AWS: Purpose-built for and deployed in the AWS cloud, Nessus Enterprise for AWS is pre-authorized to scan AWS instances for vulnerabilities, advanced threats, web application security, and compliance violations – not possible with other solutions. Due to the dynamic nature of the cloud where IP addresses can change quickly and frequently, Nessus for AWS uses AWS instance IDs to identify scan targets and leverages specific AWS APIs. Designed for distributed teams or large enterprises, Nessus Enterprise for AWS facilitates team collaboration by centralizing multiple Nessus scanners and results, whether running in the AWS cloud or on-premises.
Nessus Enterprise for AWS is comprised of two components – Nessus Enterprise for AWS Manager and Nessus Enterprise for AWS Scanner. The Nessus Enterprise for AWS Manager provides the User Interface (UI) that controls the scanners, creates, configures, and runs Nessus scans, and manages user accounts and report viewing. Nessus Enterprise for AWS is priced annually at $5,000/year which includes the manager and scanner. Additional scanners can be purchased as needed.
Nessus (BYOL): Installed in the AWS cloud, Nessus (BYOL) is simply an AMI version of Nessus that leverages AWS compute resources to audit AWS infrastructure and scan assets outside of the AWS cloud. The scan results can be viewed directly via the Nessus scanner Web interface or be transmitted back to the Tenable SecurityCenter™ management console for a complete cloud and on-premises analysis, with passive and log analysis.
As organizations embrace new technologies and migrate to the AWS cloud, security and compliance requirements become pivotal considerations. Tenable solutions enable AWS developers and customers to confidently secure their AWS AMIs throughout the software development lifecycle. Regardless of whether you want to scan your AWS instances running in the AWS cloud or just want to use the AWS compute resources to deploy Nessus scanners, Tenable Nessus Enterprise for AWS and Nessus (BYOL) offer the flexibility to deploy Nessus within AWS and save money.