Create a role for cross-account access

Follow these steps to create an IAM role in AWS that will give Qualys cross-account access to your AWS resources. Then copy the Role ARN into your connector details.

1) Log in to your Amazon Web Services (AWS) Console.

2) Go to the IAM service.

3) Go to Roles and click Create role.

4) Under "Select type of trusted entity" choose "Another AWS account". Then: a) Paste in the Qualys AWS Account ID (from connector details), b) Select Require external ID and paste in the External ID (from connector details), and c) Click Next: Permissions.

5) Create a custom AWS IAM Policy (see Custom AWS IAM policy) or find the policy titled "SecurityAudit" and select the check box next to it. Click Next: Review.

6) Enter a role name (e.g. QualysRoleForEC2Connector) and click Create role.

7) Click on the role you just created to view details. Copy the Role ARN value and paste it into the connector details.

Want to create a role using CloudFormation?

1) Download the CloudFormation template from the UI.

2) Log in to Amazon Web Services (AWS) and go to CloudFormation.

3) Create stack & upload template.

4) When the stack is complete, copy the Role ARN value from the output and paste it into the connector details.


Want to use a custom AWS IAM policy?

No problem. Create your own custom IAM policy in AWS with the following settings.


    "Version": "2012-10-17",

    "Statement": [


            "Sid": "VisualEditor0",

            "Effect": "Allow",

            "Action": [





            "Resource": "*"