Tenable Cloud Security Sizing Guide

The Tenable Cloud Security Environment Sizing Guide provides instructions for running sizing scripts to assess billable resources across AWS, Azure, GCP, and OCI environments. Each section details prerequisites, permissions, and execution steps for collecting sizing data, emphasizing that the scripts capture a snapshot of resources at a specific time for licensing evaluations. Additional resources and minimum permissions required for AWS are also outlined in the document.

Uploaded by

ali.bhp8193
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
399 views17 pages

Tenable Cloud Security Sizing Guide

The Tenable Cloud Security Environment Sizing Guide provides instructions for running sizing scripts to assess billable resources across AWS, Azure, GCP, and OCI environments. Each section details prerequisites, permissions, and execution steps for collecting sizing data, emphasizing that the scripts capture a snapshot of resources at a specific time for licensing evaluations. Additional resources and minimum permissions required for AWS are also outlined in the document.

Uploaded by

ali.bhp8193
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Tenable Cloud Security

Environment Sizing Guide

Table of contents

Welcome ... 3
AWS ... 3
Azure ... 8
GCP ... 10
OCI ... 13
Additional Resources ... 15
Appendix ... 16

Tenable Cloud Security: Environment Sizing Guide 2


Welcome
The following document provides instructions for running sizing scripts to detect the number of
billable resources across your multi-cloud environments (for AWS, Azure, GCP, and OCI).

Important

The following guide can be used to evaluate the number of billable resources for Tenable Cloud
Security. Please refer to the documentation to get more details about billable resource ratios and
how to evaluate the number of Tenable One assets based on a given billable resource count.

AWS
This section includes instructions for executing a script for collecting sizing data for your AWS
environment. It’s important to emphasize that the script takes a snapshot at a specific point in
time and doesn’t calculate the average number of resources over time. Once your accounts are
on-boarded to Tenable CIEM or Tenable Cloud Security Standard, the number of resources is
evaluated for licensing purposes based on a daily snapshot of your environment. In addition, you
should consider the organic growth of your cloud estate when looking at billable resources.

Billable Resources

Category                                          Resource
VMs                                               EC2 Instances
Container hosts                                   EC2 Instances running EKS/ECS
Serverless functions                              Lambda Functions
Serverless containers                             ECS Services
Container repositories** (Workload Protection)    ECR Repositories
Object storage** (Data Protection)                S3 Buckets
Managed databases** (Data Protection)             DynamoDB Tables
Managed databases** (Data Protection)             RDS Instances
Managed databases** (Data Protection)             RDS Clusters (Aurora)

** Only scanned repositories and data resources are considered for billing purposes.



Prerequisites
Recommended setup

The sizing script assumes the following architecture for scanning multiple accounts in a single
AWS Organization.

In the above diagram:

● The IAM Role used to run the sizing script belongs to the management account.
● That IAM Role needs sts:AssumeRole permission on the role in every member account, as well as
  permission to query resources in the management account (ECS / EKS / EC2 / Lambda /
  Organizations).
● The minimum set of permissions to grant is listed in Appendix A.

In the example architecture, we use an IAM Role to query resources and assume roles in member
accounts. However, the sizing script also supports using an IAM User that assumes roles in
member accounts. That is achieved by using the --user-access-key-id and
--user-secret-access-key, or the --profile-name flags.

In addition, you can use a different role name than OrganizationAccessRole in the member
accounts. That can be achieved by using the --organization-account-access-role-name flag.

Important note



Please note that you can still run the sizing script in every individual AWS account and share the
results if you are not using AWS Organizations or don’t have an organization role set up in all
member accounts.

CLI
To run the sizing script, install the following tools:

● Python 3 - Installation instructions
● pip - Installation instructions


Permissions
Running the script requires an identity (IAM User or IAM Role) with the following permissions:

● sts:AssumeRole permission on an OrganizationAccountAccessRole IAM Role (or similar) in each
  member account.
● Permission to read all resources in the management account.

Assuming you don’t have an IAM Role accessible by a centralized account, you can run the script
on individual accounts instead.

Download

Download the AWS sizing script from the following URL and extract the .zip contents -

https://www.tenable.com/downloads/cloud-security



Instructions
To collect the number of billable resources for your AWS environment, install the required
packages and then choose one of the following options:

Install required packages using pip

To install the required packages with pip, run the following command:

pip3 install -r requirements.txt

Optional execution flags

Category           Flag                        Description
Data Protection    --exclude-data-resources    Optional. Exclude data resources

Run the sizing script using default credentials (option 1)

To run the script with the default AWS CLI credentials, run the following command:

python3 sizing.py -o <outputDir>

Run the sizing script using IAM User access key and secret (option 2)

Run the following command:

python3 sizing.py -i <keyId> -k <keySecret> -o <outputDir>

Where:

<keyId> is the AWS Access Key ID for an IAM User in the management account of the AWS
Organization.

<keySecret> is the secret for the same Access Key.

Run the sizing script using a named profile (option 3)

If you are using named profiles to execute AWS CLI scripts, run the following command, using the
--profile-name (or -p) parameter:

python3 sizing.py -p <profileName> -o <outputDir>

Review errors and warnings

Review the script output for errors and warnings. Please make sure the number of resources
matches your expectations. Some resources may be inaccessible due to permission errors or
other issues.

Results



After reviewing for errors/warnings, share the result output file(s) with your Tenable
representative to receive details about pricing estimates for your organization and to discuss any
other issues you may have.



Azure
This section includes instructions for executing a sizing script to count billable resources in your
Azure environment. It’s important to emphasize that the script takes a snapshot at a specific
point in time, and doesn’t calculate the average number of resources over time. Once your
accounts are on-boarded to Tenable CIEM or Tenable Cloud Security Standard, the number of
resources is evaluated for licensing purposes based on a rolling 3-month average. In addition, you
should consider the organic growth of your cloud estate when looking at billable resources.

Billable Resources

Category                                          Resource
VMs                                               Virtual Machines, Virtual Machine Scale Set instances
Container hosts                                   Virtual Machine Scale Set instances running AKS
Serverless functions                              App Services
Serverless containers                             Container Instances
Container repositories** (Workload Protection)    Container Repositories
Object storage** (Data Protection)                Storage Account Blob Containers
Managed databases** (Data Protection)             SQL Server

** Only scanned repositories and data resources are considered for billing purposes.

Prerequisites
CLI

Ensure that you have installed the following tools before executing the sizing script:

● Python 3 - Installation instructions
● pip - Installation instructions

Permissions

● The identity used to run the sizing script is required to have the Reader and Storage Blob
  Data Reader built-in roles.
● The roles must be assigned to the root management group (to collect data from all
  subscriptions). Alternatively, you may execute the script multiple times for every subset of
  the organization for which you would like to get sizing information.

Download
Download the Azure sizing script from the following URL and extract the .zip contents -

https://www.tenable.com/downloads/cloud-security

Instructions
To collect the number of billable resources for your Azure environment, perform the following
steps:

Install required packages using pip

To install the required packages with pip, run the following command:

pip3 install -r requirements.txt

Optional execution flags

Category           Flag                        Description
Data Protection    --exclude-data-resources    Optional. Exclude data resources

Run the sizing script

To execute the sizing script, run the following command:

python3 sizing.py -t %TenantId% -o %OutputDir%

Where:

%TenantId% is the required Azure AD Tenant ID for sizing.

%OutputDir% is the output path for the script.

Review errors and warnings

Review the script output for errors and warnings. Please make sure the number of subscriptions
matches your expectations. Some resources may be inaccessible due to permission errors or
other issues.

Results
After reviewing for errors/warnings, share the result output file(s) with your Tenable
representative to receive details about pricing estimates for your organization and to discuss any
other issues you may have.


GCP
This section includes instructions for executing a sizing script to count billable resources in your
GCP environment. It’s important to emphasize that the script takes a snapshot at a specific point
in time, and doesn’t calculate the average number of resources over time. Once your accounts are
on-boarded to Tenable CIEM or Tenable Cloud Security Standard, the number of resources is
evaluated for licensing purposes based on a rolling 3-month average. In addition, you should
consider organic growth of your cloud estate when looking at billable resources.

Billable Resources

Category                                          Resource
VMs                                               VM Instances
Container hosts                                   VM Instances running GKE
Serverless functions                              Cloud Functions
Serverless containers                             Cloud Run Services, GKE clusters running in Autopilot mode
Container repositories** (Workload Protection)    Artifact Container Image Repositories
Object storage** (Data Protection)                Storage Buckets
Managed databases** (Data Protection)             BigQuery Datasets
Managed databases** (Data Protection)             SQL Instances

** Only scanned repositories and data resources are considered for billing purposes.


Prerequisites
To perform the steps below, you need to be a user with Viewer permissions to all projects within
the organization.

CLI

To run the sizing script, install the following tools:

● Python 3 - Installation instructions
● pip - Installation instructions
● gcloud - Installation instructions

Permissions
● The identity you use to run the sizing script should have the following role bindings
  on the organization scope:
  ○ Browser
  ○ Cloud Asset Viewer
  ○ Service Usage Consumer
● You should enable the Cloud Asset API in the quota project used for running the script.

Download
Download the GCP sizing script from the following URL and extract the .zip contents -

https://www.tenable.com/downloads/cloud-security



Instructions
To collect the number of billable resources for your GCP environment:

Install required packages using pip

To install the required packages with pip, run the following command:

pip3 install -r requirements.txt

Optional execution flags

Category           Flag                        Description
Data Protection    --exclude-data-resources    Optional. Exclude data resources

Run the sizing script

To execute the sizing script, run the following command:

python3 sizing.py -oid <organization_id> -qpid <project_id> -o <output_dir>

Where:

<organization_id> is the required GCP organization ID for sizing.

<project_id> is the quota project ID (API quota will be consumed by this project).

<output_dir> is the output path for the script.

Optional parameters:

-pid <project_id> is the individual project ID you would like to size.

-fid <folder_id> is the ID of the folder you would like to size (cannot be used with -pid).

Review errors and warnings

Review the script output for errors and warnings. Please make sure the number of subscriptions
matches your expectations. Some resources may be inaccessible due to permission errors or
other issues.

Results
After reviewing for errors/warnings, share the result output file(s) with your Tenable
representative to receive details about pricing estimates for your organization and to discuss any
other issues you may have.



OCI (Oracle Cloud Infrastructure)
This section includes instructions for executing a sizing script to count billable resources in your
OCI environment. It’s important to emphasize that the script takes a snapshot at a specific point
in time, and doesn’t calculate the average number of resources over time. Once your accounts are
on-boarded to Tenable CIEM or Tenable Cloud Security Standard, the number of resources is
evaluated for licensing purposes based on a rolling 3-month average. In addition, you should
consider the organic growth of your cloud estate when looking at billable resources.

Billable Resources

Category                                Resource
VMs                                     Compute Instances
Container hosts                         Compute Instances running OKE
Serverless functions                    Functions
Object storage** (Data Protection)      Object Storage Buckets

** Only scanned data resources are considered for billing purposes.

Permissions

Running the script requires an identity with the following permissions:

● read all-resources

Download
Download the OCI sizing script from the following URL and extract the .zip contents -

https://www.tenable.com/downloads/cloud-security

Instructions
You can run the script either in OCI CloudShell or locally on your machine using the required
credentials, as outlined below. Follow these steps to determine the number of billable resources
in your OCI environment.

Optional execution flags

Category           Flag                        Description
Data Protection    --exclude-data-resources    Optional. Exclude data resources


Run the sizing script on OCI Cloud Shell (option 1)

1. Log in to the OCI console and open the OCI Cloud Shell.
2. Upload the sizing and utilities scripts by clicking the settings icon, then click Upload.
3. Run the following command:

   python3 sizing.py --out-dir .

4. To download the output file, click the settings icon, select Download, and specify the
   output path. For example: oci_sizing_2024-05-02-19-20-32/summary.csv. Alternatively,
   access the home directory.

Run the sizing script on your local machine (option 2)

In order to execute the sizing script on your local machine you'll need to obtain the relevant
credentials first. See the OCI documentation on how to create a configuration file.

1. Ensure that you have installed the following tools before executing the sizing script:
   a. Python 3
   b. pip
2. Install the required packages using pip with the following command:

   pip3 install -r requirements.txt

3. To execute the sizing script, run the following command:

   python3 sizing.py --user-ocid <UserOCID> --fingerprint <Fingerprint> --tenancy-ocid <TenancyOCID> --private-key-file-path <PrivateKeyFilePath> --region <Region> -o %OutputDir%

Review errors and warnings

Review the script output for errors and warnings. Please make sure the number of resources
matches your expectations. Some resources may be inaccessible due to permission errors or
other issues.

Results
After reviewing for errors/warnings, share the result output file(s) with your Tenable
representative to receive details about pricing estimates for your organization and to discuss any
other issues you may have.



Additional resources
The following billable resources are outside the scope of this sizing guide; please make sure you have an
estimate available or hold until you have fully onboarded your environment to get a complete estimate.

Category                       Resource
VMs*                           Kubernetes Nodes
VMs running containers*        Kubernetes Nodes
VMs running containers*        Self-managed Kubernetes Nodes (on AWS/Azure/GCP)
Container Repositories**       Container Repositories
Container Repositories***      Container Repositories detected via CI/CD

* Only applies to scanned resources.
** Please note that only scanned repositories are being considered for billing.
*** If the same container repository is being scanned via CI/CD and as part of the registry, it will be
considered as two billable resources.


Appendix A - Minimum permissions for AWS
Management account
The following permissions are required for the identity used to run the script from the
management account -

[
  "ec2:DescribeInstances",
  "lambda:ListFunctions",
  "ecs:ListServices",
  "organizations:ListAccounts",
  "organizations:DescribeOrganization",
  "ecs:ListClusters",
  "ecr:DescribeRepositories",
  "s3:ListBucket",
  "dynamodb:ListTables"
]

Member accounts
The following permissions are required for the IAM Roles assumed in the member accounts -

[
  "ec2:DescribeInstances",
  "lambda:ListFunctions",
  "ecs:ListServices",
  "ecs:ListClusters",
  "ecr:DescribeRepositories",
  "s3:ListBucket",
  "dynamodb:ListTables"
]
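The following is an added example, not Tenable's sizing script and not part of the original guide. It turns the Appendix A permission lists and the recommended architecture from the AWS Prerequisites section into concrete, least-privilege IAM policy documents: an identity policy for the management-account role (read-only inventory calls plus sts:AssumeRole restricted to the member role name), the member-account role policy, and the trust policy that lets only the sizing principal assume the member role. It also includes a small check that flags any action that is not a Describe/List/Get call, which is how a reviewer can confirm a sizing identity has no write capability before the script is run. The account IDs and role ARNs are placeholders; the default member role name OrganizationAccountAccessRole is the AWS Organizations default, which the guide refers to in its Permissions section, and the read-only heuristic based on action verb prefixes is an assumption of this example.

```python
"""Build and sanity-check least-privilege IAM policies for the sizing identity.

Added example; the action lists are copied from Appendix A of the guide, the
read-only verb heuristic and all ARNs/account IDs are assumptions of this example.
"""
import json
import re

# Actions required in the management account (Appendix A, "Management account").
MANAGEMENT_ACTIONS = [
    "ec2:DescribeInstances",
    "lambda:ListFunctions",
    "ecs:ListServices",
    "ecs:ListClusters",
    "organizations:ListAccounts",
    "organizations:DescribeOrganization",
    "ecr:DescribeRepositories",
    "s3:ListBucket",
    "dynamodb:ListTables",
]

# Member-account roles need the same inventory calls minus the Organizations ones
# (Appendix A, "Member accounts").
MEMBER_ACTIONS = [a for a in MANAGEMENT_ACTIONS if not a.startswith("organizations:")]

# Heuristic (assumption): an inventory-only identity should only use these verb prefixes.
READ_ONLY_VERBS = ("Describe", "List", "Get")

# service:Verb with no wildcard; anything else is treated as suspicious.
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9]+)$")


def management_policy(member_role_name="OrganizationAccountAccessRole"):
    """Identity policy for the role or user that runs sizing.py in the management
    account. sts:AssumeRole is scoped to one role name across all accounts, which
    mirrors the --organization-account-access-role-name flag described in the guide."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SizingInventoryReadOnly", "Effect": "Allow",
             "Action": list(MANAGEMENT_ACTIONS), "Resource": "*"},
            {"Sid": "AssumeMemberSizingRole", "Effect": "Allow",
             "Action": "sts:AssumeRole",
             "Resource": f"arn:aws:iam::*:role/{member_role_name}"},
        ],
    }


def member_role_policy():
    """Permissions policy attached to the role assumed in each member account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SizingInventoryReadOnly", "Effect": "Allow",
             "Action": list(MEMBER_ACTIONS), "Resource": "*"},
        ],
    }


def member_trust_policy(sizing_principal_arn):
    """Trust policy for the member-account role: only the named sizing principal
    (placeholder ARN supplied by the caller) may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": sizing_principal_arn},
             "Action": "sts:AssumeRole"},
        ],
    }


def non_read_only_actions(policy):
    """Return every allowed action that is not a Describe/List/Get call or that
    uses a wildcard. sts:AssumeRole is expected for the management identity and
    is skipped; its scope is checked separately by assume_role_targets()."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect", "Allow") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "sts:AssumeRole":
                continue
            match = ACTION_RE.match(action)
            if match is None or not match.group(2).startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


def assume_role_targets(policy):
    """Resources that sts:AssumeRole is allowed on; a bare "*" here would let the
    sizing identity assume any role it is trusted by, not just the sizing role."""
    targets = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" in actions:
            res = stmt["Resource"]
            targets.extend([res] if isinstance(res, str) else res)
    return targets


if __name__ == "__main__":
    # Placeholder principal; replace with the real management-account role ARN.
    sizing_role = "arn:aws:iam::111111111111:role/TenableSizingRole"
    for name, policy in [("management", management_policy()),
                         ("member", member_role_policy()),
                         ("member-trust", member_trust_policy(sizing_role))]:
        print(f"# {name}\n{json.dumps(policy, indent=2)}")
    print("non-read-only actions:", non_read_only_actions(management_policy()))
    print("assume-role targets:", assume_role_targets(management_policy()))
```

Running the module prints the three policy documents; the two check functions are the part worth keeping in a review pipeline, since they catch the two ways a sizing identity typically ends up over-privileged (a write or wildcard action, or an unscoped sts:AssumeRole).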


COPYRIGHT 2024 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, NESSUS, LUMIN, ASSURE, AND THE TENABLE LOGO ARE
REGISTERED TRADEMARKS OF TENABLE, INC. OR ITS AFFILIATES. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF
THEIR RESPECTIVE OWNERS.
