EC2 Scan - Perimeter Scanning using Qualys External Scanners

Looking for an overview on securing your Amazon AWS infrastructure? Go here.

Good to Know

Qualys External Scanners (Internet Remote Scanners), located at the Qualys Cloud Platform, may be used for Perimeter Scanning of EC2 instances.

- You’ll use the Standard Scan workflow in Qualys.

- You need to add the public IPs of the instances to your account before scanning.

- Qualys External Scanners support both IP-based scans and DNS-based scans.

Get Started

Go to VM for a vulnerability scan (or PC for a compliance scan) and choose New > Scan.

New Scan option on Scans tab

Provide scan settings:

For Option Profile we recommend Initial Options to get started.

For Scanner Appliance choose the External option.

For the scan target, choose IP addresses/asset groups, or asset tags defined in Qualys AssetView (AV).

Scan option profile settings

As part of the option profile, you can turn ON the Load Balancer check, and if you use a special HTTP header you can define that there too. With this enabled, the scanner reaches out to the target IPs, and wherever an IP is fronted by an ELB (Elastic Load Balancer) it attempts to reach the instances behind it, as far as the ELB allows or routes the traffic. Ensure that you enable authentication for Windows and/or Unix. See Configure OS Authentication.

DNS-based scans

This feature needs to be turned ON for your subscription. Please contact Qualys Support if you would like to enable this feature.

Adding IPs to scan: Normally you resolve the IPs outside Qualys and then add those IPs as the scan target.

How DNS-based scans work: You submit the scan against the DNS names (the ELB name and the rest). The IPs are resolved in real time when the scan runs, and the resolved IPs are then scanned.
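Because the IP-based workflow has you resolving ELB names yourself before adding the IPs, here is an added Python example (not Qualys code) for that step, with two checks a practitioner wants: it drops addresses an Internet-based scanner cannot reach (such as an internal ELB's VPC addresses) and it diffs two snapshots so you can tell when an ELB's addresses have changed and a static IP list has gone stale. The host names and DNS answers are constructed, and the list of unreachable ranges is this example's own assumption.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed list of address space a scanner on the Internet cannot reach (assumption):
# RFC 1918, the 100.64/10 range some VPCs use, link-local, loopback and IPv6 ULA.
NOT_INTERNET_REACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

def system_resolver(name: str) -> List[str]:
    """Every A/AAAA address the OS resolver currently has for name ([] if none)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def reachable_from_internet(addr: str) -> bool:
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    return not any(ip in net for net in NOT_INTERNET_REACHABLE)

def build_scan_targets(names: Iterable[str],
                       resolver: Callable[[str], List[str]] = system_resolver) -> Dict[str, object]:
    """Resolve each name; keep only addresses an external scanner can reach, as the
    comma-separated IP string, and report names that were private-only or unresolved."""
    public, private_only, unresolved = set(), [], []
    for name in names:
        addrs = resolver(name)
        pub = [a for a in addrs if reachable_from_internet(a)]
        if not addrs:
            unresolved.append(name)
        elif not pub:
            private_only.append(name)  # e.g. an internal ELB: not a perimeter target
        public.update(pub)
    key = lambda a: (ipaddress.ip_address(a).version, int(ipaddress.ip_address(a)))
    return {"ip_list": ",".join(sorted(public, key=key)),
            "private_only": private_only, "unresolved": unresolved}

def target_drift(previous: str, current: str) -> Dict[str, List[str]]:
    """Diff two IP-list snapshots; any change means the static list is stale."""
    old = {a for a in previous.split(",") if a}
    new = {a for a in current.split(",") if a}
    return {"added": sorted(new - old), "removed": sorted(old - new)}

# Constructed DNS answers standing in for real ELB names, so the example runs offline.
FAKE_DNS = {"public-elb.example.com": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
            "internal-elb.example.com": ["10.0.1.5", "10.0.2.5"],
            "mixed-elb.example.com": ["192.0.2.11", "172.16.4.9"]}
def demo() -> Dict[str, object]:
    names = list(FAKE_DNS) + ["gone.example.com"]
    return build_scan_targets(names, resolver=lambda n: FAKE_DNS.get(n, []))
```

Run `demo()` to see the resolved target list; in practice call `build_scan_targets` with the default OS resolver and compare successive `ip_list` values with `target_drift` before each scan.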