Setting up EC2 Connector

The Connector for Amazon continuously discovers Amazon EC2 and VPC assets using an Amazon API integration. Connectors may be configured to connect to one or more Amazon accounts so they can automatically detect and synchronize changes to virtual machine instance inventories from all Amazon EC2 Regions and Amazon VPCs.

Helpful resources

Get an overview of the steps to secure Amazon Web Services using Qualys: steps to sync inventory and metadata from an AWS account, deploy Qualys sensors, scan, and view the security and compliance of your AWS EC2 instances.


Base Account Configuration (Optional)

AWS connectors that use cross-account role authentication assume the role from a Qualys-owned AWS account. If you do not wish to rely on a Qualys account, you can use the base account feature: configure your own AWS account as the base account when setting up the AWS connectors instead of using the Qualys account.

You can create only one base account per account type. Ensure that the AWS account whose ID you configure as the base account has the required policies attached in the AWS console.

Before you create a new connector, create a base account for the same account type (region). If you do not create a base account, you can still create a connector.

Go to Connectors > Connectors and click Configure Base Account. Provide a name, the AWS account ID, and the access and secret keys, and then select the account type.

Connector Configuration

We recommend that you set up one EC2 connector per AWS account. The connector wizard walks you through the steps: set up ARN authentication, select EC2 regions, and activate your EC2 assets for scanning.

- Cross-Account Role Authentication: This lets you grant Qualys access to your AWS EC2 instances without sharing your AWS security credentials. Qualys accesses your AWS EC2 instances by assuming the IAM role that you create in your AWS account, which eliminates the overhead of managing IAM user keys in your Qualys subscription. For more information, refer to Securing Amazon Web Services using Qualys (pdf).

1) Choose AssetView (AV) from the app picker. Then navigate to the Connectors tab, and click Create EC2 Connector.

2) Provide a name and description and select the account type. Provide the Role ARN and click Continue.

Create EC2 Authentication Record in Create EC2 Connector wizard

The wizard will walk you through the steps for selecting EC2 hosts to scan.

Selecting EC2 regions

3) Select the regions you want to collect EC2 data from.

You can use the Sync Assets button to get the asset count for each region. If you select only a few regions now, you can edit the connector later to add more regions.

Tip: We recommend selecting all regions. This gives you visibility into whether someone has launched an instance in another region.

Select EC2 Regions in Create EC2 Connector wizard

Activating Assets

4) EC2 assets must be activated for your Qualys license in order to scan them.

If you are going to use the pre-authorized scanner in AWS, you must activate your assets here or manually from AssetView. By choosing “Automatically activate”, all discovered EC2 assets (instance size medium and above) are activated automatically, making them ready for scanning.

By default, assets with instance type m1.small, t1.micro or t2.nano are excluded from activation. These assets are imported into Qualys but are not activated for VM, PC or SCA. Contact your Technical Account Manager or Qualys Support to lift this limitation and allow assets with these instance types to be auto-activated according to the connector settings.

Select Activation options in Create EC2 Connector wizard.

Enabling the EC2 connector for CloudView

5) While creating the EC2 connector, use the CreateConnector in CloudView option (available in the Tags and Activation panel) to make that EC2 connector available in the CloudView app as well. This saves you from creating a separate connector in CloudView. Once enabled in AssetView, disabling this option later will not remove the corresponding connector from CloudView; you need to remove the connector explicitly from the CloudView app.

Assigning Tags

6) EC2 scans with Qualys rely on a “scan-by-tag” workflow.

Tip: Associate a Qualys tag with all of your EC2 instances. Tags are required in order to scan with the pre-authorized scanners. We recommend creating at least one generic Asset Tag (for example, "EC2") and having the connector automatically apply that tag to all imported assets.

You can also create dynamic tags that tag your EC2 assets automatically based on the IP address of the discovered EC2 instances and other EC2 attributes.

Click Finish to complete the connector creation.
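As an added pre-flight check (example code, not Qualys's or AWS's own), the Python below audits the trust policy of the cross-account role whose ARN step 2 asks for: the role should trust only the account the wizard names and require an sts:ExternalId condition, so that no other tenant of the same vendor account can assume it. It assumes the wizard supplies an External ID, and the account ID 111122223333 and the External ID string are constructed placeholders to be replaced by the values the wizard shows.

```python
import json

# Placeholders (constructed): take the real values from the Create EC2 Connector wizard.
EXPECTED_PRINCIPAL = "arn:aws:iam::111122223333:root"
EXPECTED_EXTERNAL_ID = "qualys-ext-id-PLACEHOLDER"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_trust_policy(doc: dict) -> list:
    """Return findings for every Allow/sts:AssumeRole statement; [] means it passes."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        trusted = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in trusted:
            findings.append("wildcard principal: any AWS account could assume the role")
        findings += [f"unexpected trusted principal {p}" for p in trusted
                     if p not in ("*", EXPECTED_PRINCIPAL)]
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("no sts:ExternalId condition (confused-deputy exposure)")
        elif ext_id != EXPECTED_EXTERNAL_ID:
            findings.append("sts:ExternalId differs from the value shown in the wizard")
    return findings


# Constructed sample: trust policy shaped the way the wizard's instructions expect.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "qualys-ext-id-PLACEHOLDER"}}
  }]
}""")

# Constructed sample: same role, but trust widened to every account and no External ID.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_trust_policy(doc) or "OK")
```

Run it against the trust policy of the role you created before pasting the Role ARN into the wizard; an empty findings list means the role is scoped as tightly as the cross-account model intends.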