EC2 Scan Checklist

We recommend these steps before scanning.

Check Appliance Status

Define Amazon EC2 API Proxy Settings

Check EC2 Assets are activated

Configure security groups for the EC2 instances to be scanned

Configure OS authentication


Check Appliance Status

Go to Scans > Appliances to make sure your appliance is connected to the Qualys Cloud Platform. Green scanner connected icon means your appliance is connected and ready for scanning.

Appliances tab showing scanner connected status

Define Amazon EC2 API Proxy settings (only if you have defined Proxy Server)

This step is required if you've defined Proxy Server in the User Data field during the pre-authorized scanner deployment. Your EC2 scan won’t work if you do not perform this step.

Go to Scans > Appliances and edit your EC2 Virtual Scanner Appliance. The Proxy Settings tab is where you'll tell us about your proxy server, including hostname and/or IP address, port and proxy credentials (if required by proxy server).

Learn more >>

Check EC2 Assets are activated

Check that your EC2 hosts are activated and have the EC2 tracking method. You can see this in VM on the Host Assets tab and also in AssetView on the Assets tab.

Host Assets tab showing assets with EC2 tracking method

Configure security groups for the EC2 instances to be scanned

In AWS, you must associate a security group that allows inbound access on all ports for the IP address of the scanner appliance or the security group of the scanner appliance. Here is the sample security group assigned to EC2 instance allowing inbound access on all the ports for the security group of Qualys Virtual Scanner Appliance.

Create Security Group in AWS

Configure OS authentication

You'll want to set up Windows and/or Unix authentication records for your EC2 instances and enable these authentication types in your scan option profile.

Go to Scans > Option Profiles. Edit the profile Initial Options, use Save As to save a copy with another name. In your new profile enable the authentication types you’ll need.

Authentication options in VM option profile

Go to Scans > Authentication. Add authentication records for the EC2 instances you’ll be scanning - Unix and/or Windows. In the record you’ll need to add credentials for the account to be used for authentication - this is an account for OS user (not the AIM user). We recommend you create a dedicated account for authentication on target systems.

View sample records with recommended settings >>

Authentication tab for creating Unix and Windows authentication records for EC2 instances