added

API Access Security

A new feature has been added to Tenable's cloud platform that enables users to restrict access to the API by specifying an allowlist of IPv4 or IPv6 addresses. The list of allowed addresses can include discrete IP addresses, IP address ranges, and IP subnets. For example, for IPv4 you could specify "192.0.2.0, 198.51.100.4-198.51.100.10, 203.0.113.0/24" and for IPv6 you could specify "2001:db8:2e92:75f2:d40a:e290:10b3:c0f, 2001:db8:1e1f:46a1:e3cb:2110:22c6:0000-2001:db8:1e1f:46a1:e3cb:2110:22c6:ffff, 2001:0DB8::/32". If an empty string is provided then the API can be accessed from all IP addresses.

The new endpoints are described in the following table:

| Endpoint | Name | Description |
| --- | --- | --- |
| GET /access-control/v1/api-security-settings | List allowed IP addresses | Returns a list of IPv4 and IPv6 addresses that are allowed to access the Tenable Vulnerability Management API. |
| PUT /access-control/v1/api-security-settings | Update allowed IP addresses | Adds IP addresses or updates the existing list of IP addresses allowed to access the Tenable Vulnerability Management API. |

🛑 Caution

Ensure that you have reviewed the list of allowed IP addresses before submission since inappropriate IP address restrictions can result in users being locked out from API access. If this occurs, an administrator can log in to the Vulnerability Management user interface and update the list of allowed IP addresses in the access control settings. Additionally, unless your network assignments are restricted to only IPv4 addresses or only IPv6 addresses, you must specify allowed ranges for both IPv4 and IPv6 in order to avoid blocking some API traffic. It is not always predictable whether a client will connect via IPv4 or IPv6.

For more information, see API Access Security in the Tenable Vulnerability Management User Guide.

Examples

Add a list of allowed IPv4 and IPv6 addresses

To allow the IPv4 address 192.0.2.0, the IPv4 address range 198.51.100.4-198.51.100.10, the IPv4 subnet 203.0.113.0/24, and the IPv6 subnet 2001:0DB8::/32, you could use the following cURL request:

curl --request PUT \
     --url https://cloud.tenable.com/access-control/v1/api-security-settings \
     --header 'X-ApiKeys: accessKey=<YOURKEY>;secretKey=<YOURKEY>' \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --data '
{
  "allowed_ipv4_addresses": "192.0.2.0, 198.51.100.4-198.51.100.10, 203.0.113.0/24",
  "allowed_ipv6_addresses": "2001:0DB8::/32"
}
'

Allow all IP addresses

To allow all IPv4 and IPv6 addresses (no restrictions) to access the Tenable Vulnerability Management API, you could use the following cURL request:

curl --request PUT \
     --url https://cloud.tenable.com/access-control/v1/api-security-settings \
     --header 'X-ApiKeys: accessKey=<YOURKEY>;secretKey=<YOURKEY>' \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --data '
{
  "allowed_ipv4_addresses": "",
  "allowed_ipv6_addresses": ""
}
'
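
A pre-submission check for the lockout risk described in the Caution above, as an added example that is not Tenable's code: it parses the comma-separated list format (discrete addresses, ranges, subnets) and reports which of your known client addresses the proposed lists would not cover. The function names and client addresses are hypothetical, and it assumes an address is admitted only by an entry of its own family unless both lists are empty.

```python
import ipaddress

def parse_allowlist(text):
    """Turn 'addr, lo-hi, net/len' into a list of (first, last) address pairs."""
    spans = []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        if "/" in entry:                       # subnet, e.g. 203.0.113.0/24
            net = ipaddress.ip_network(entry, strict=False)
            first, last = net[0], net[-1]
        elif "-" in entry:                     # range, e.g. 198.51.100.4-198.51.100.10
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {entry!r}")
            first, last = lo, hi
        else:                                  # discrete address
            first = last = ipaddress.ip_address(entry)
        spans.append((first, last))
    return spans

def uncovered(client_ips, ipv4_list, ipv6_list):
    """Return the client addresses the proposed lists would not admit."""
    if not ipv4_list.strip() and not ipv6_list.strip():
        return []        # per the page: empty string = access from all addresses
    spans = parse_allowlist(ipv4_list) + parse_allowlist(ipv6_list)
    missing = []
    for raw in client_ips:
        ip = ipaddress.ip_address(raw)
        # Assumption: an address is admitted only by an entry of its own family.
        if not any(a.version == ip.version and a <= ip <= b for a, b in spans):
            missing.append(raw)
    return missing

# Constructed sample: lists from the page's example, client addresses made up.
IPV4 = "192.0.2.0, 198.51.100.4-198.51.100.10, 203.0.113.0/24"
IPV6 = "2001:0DB8::/32"
CLIENTS = ["198.51.100.7", "198.51.100.11", "2001:db8::1", "2001:db9::1"]

if __name__ == "__main__":
    blocked = uncovered(CLIENTS, IPV4, IPV6)
    print("would be locked out:", blocked or "none")
```

Run it with the egress addresses of every integration that calls the API, in both address families, before sending the PUT request.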