Configure EC2 connectors for scanning EC2 instances for security issues using the Qualys Cloud Platform. Our connector wizard walks you through the steps - set up ARN authentication, select EC2 regions and activate your EC2 assets for scanning.
Support for Cross-Account Role Authentication for EC2 Connectors
This lets you grant Qualys access to your AWS EC2 instances without sharing your AWS security credentials. Qualys will access your AWS EC2 instances by assuming the IAM role that you create in your AWS account.
AWS connectors with a cross-account role use Qualys accounts. If you do not wish to use a Qualys account, you can use the base account instead to set up the AWS connectors.
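Because the role is assumed from another AWS account, its trust policy is the control that decides who can use it. The check below is an added example, not Qualys code or part of the original page: it audits a trust policy for a wildcard or unexpected principal and for a missing `sts:ExternalId` condition. The account ID, the external ID and the function names are constructed placeholders, and it assumes the scanning vendor supplies both values during connector setup.

```python
# Added example, not Qualys code. Account ID and external ID are constructed.
EXPECTED_ACCOUNT = "111122223333"   # placeholder for the vendor's AWS account

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Principal may be a bare account ID or an ARN such as arn:aws:iam::<id>:root
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_trust_policy(policy, expected_account=EXPECTED_ACCOUNT):
    """Return findings for an IAM role trust policy given as a dict."""
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow"
              and any(a.lower() in ("sts:assumerole", "sts:*", "*")
                      for a in _as_list(s.get("Action")))]
    if not allows:
        return ["no statement allows sts:AssumeRole"]
    findings = []
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: any AWS principal may assume the role")
            elif p is None or _account_of(p) != expected_account:
                findings.append(f"statement {i}: unexpected principal {p}")
        # Only an exact StringEquals on sts:ExternalId counts as the guard.
        keys = (stmt.get("Condition") or {}).get("StringEquals", {})
        if not any(k.lower() == "sts:externalid" and v for k, v in keys.items()):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

# Constructed sample policies: one scoped to a single account, one wide open.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_trust_policy(doc) or "ok")
```

Feed it the role's trust policy document parsed from JSON; an empty list means the role is scoped to the expected account and guarded by an external ID.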
Get an overview of the steps to secure Amazon Web Services using Qualys: steps to sync inventory and metadata from an AWS account, deploy Qualys sensors and scan without a penetration testing form, and view the security and compliance of your AWS EC2 instances.
Go to the Connectors tab, select Create EC2 Connector and our wizard will walk you through the steps.
Tip - We recommend you create at least one generic asset tag (for example EC2) and have the connector automatically apply that tag to all imported assets. You can add more tags to your EC2 assets based upon discovered EC2 metadata.
Enabling the EC2 connector for CloudView
While creating the EC2 connector, use the Create Connector in CloudView option (available in the Tags and Activation panel) to make that EC2 connector available in the CloudView app as well. This saves you from creating a separate connector in CloudView. Once enabled in AssetView, disabling this option later will not remove the corresponding connector from CloudView. You need to explicitly remove the connector from the CloudView app.
We'll activate EC2 assets for scanning automatically so you don't have to take this extra step. Just configure the Tags and Activation step within the EC2 connector wizard. Then we'll activate them automatically as they are discovered and even assign them tags if you want.
If your connector is not configured to activate assets automatically you'll need to activate them manually.
We're excited to support scanning EC2 instances in the region AWS GovCloud (US).
Activating EC2 assets
When you activate EC2 assets for VM scanning, we'll add them to your host assets list in the VM/VMDR app (go to Assets > Host Assets).
When you activate them for PC scanning, we'll add them to your host assets list in the PC module.
In the Host Assets list Tracking column, you'll see an EC2 icon next to each EC2 asset.
Can I disable a connector? Sure, no problem
A new connector is enabled automatically. This means your EC2 assets are automatically monitored and any updates are synchronized with your account.
Disabling a connector stops the automatic monitoring and synchronization of EC2 assets with our asset database. When you choose this option, you'll notice the value "Disabled" in the State column on the Connectors list.
Enabling a connector turns on the automatic monitoring and synchronization of EC2 assets with our asset database.
Easily view assets imported by a connector
The Show Assets option lets you view the EC2 assets imported and synchronized by an EC2 connector of interest. Go to the connectors list, hover over a connector, and select Show Assets from the Quick Actions menu.
Run option - use to manually synchronize instance data
The Run option lets you run the process that synchronizes EC2 assets into your asset inventory. Go to the connectors list, hover over a connector, and select Run from the Quick Actions menu.
How to Delete a connector
The Delete option lets you delete (remove) a connector from your account. Go to the connectors list, hover over a connector, and select Delete from the Quick Actions menu. Good to Know - assets imported by the connector will not be removed.
What if my EC2 instances have IP address changes?
Your EC2 instances may have IP address changes. We can continue to scan your EC2 instances because we scan by EC2 instance ID (not by IP address). If changes are found by an EC2 scan, you'll see the new IP addresses in your scan results. Once these scan results are processed the new IP addresses are shown in your account and will be included in your scan reports.