The AWS connectors with cross-account role uses Qualys accounts. If you do not wish to use Qualys account, you can use the base account feature to set up the AWS connectors. You can configure to use your own AWS account as a base account while setting up the AWS Connectors instead of using Qualys account. You need to configure your AWS account ID with the base account you create.
For example, you have 3 AWS accounts: A1, A2, A3. All the three accounts belong to Global region. If you create a base account for Global region. All the connectors associated with A1, A2, and A3 accounts will use base account.
Before you create a new connector, create a base account for the same account type (region). If you do not create a base account, you can still create a connector.
Go to Connectors > Connectors and then click Configure Base Account. Provide name, AWS account ID, access and secret keys and then select the account type. Show me
You can create only one base account per account type. Ensure that the AWS account ID for which you configure that base account has policies associated in the AWS console. Learn more
Select the base account you want to edit and click the quick action menu, then select Edit. You can edit name, AWS account ID, access keys and secret keys. You cannot edit the account type.
Updating Existing Connectors to Base Account
To update the existing AWS connectors with cross-account role to base account usage, you need to
-create a base account using AWS account ID Show me
-update the Trust Entities for your IAM Roles Show me
On AWS console, go to IAM role > Trust relationships and then Edit trust relationship. Ensure that the AWS account ID for which you configure that base account matches the account number in trusted relationships of the AWS console. Click Update Trust Policy.
Once you update the corresponding policy, all your existing ARN based connectors will be automatically upgraded to base account you configure.
If you delete a base account, all the connectors that are associated with the base account will be automatically updated to Qualys account in Qualys Cloud Platform. However you need to go to your AWS account, update the Trusted Entities of the arn roles from base account ID to Qualys account ID.