EC2 Scan - Scan using Pre-Authorized Virtual Scanner Appliance

Looking for an overview on securing your Amazon AWS infrastructure? Go here.

Start Here

Install a pre-authorized virtual scanner appliance

The pre-authorized virtual scanner appliance allows scanning in Amazon EC2-Classic and EC2-VPC, without the need for the customer to manually request scanning permission from AWS. Learn more

EC2 Connector is Required

If this is your first EC2 scan then we recommend you start by creating an EC2 connector. You create EC2 connectors within the AssetView application. A wizard will walk you through the steps for selecting EC2 hosts to scan. Learn more

EC2 Scan Checklist

There are recommended steps you'll want to take before starting your scan, including configuring your virtual scanner appliance and making sure it's connected, defining API proxy settings, configuring security groups and setting up OS authentication. See the checklist

Interested in securing your AWS GovCloud?

You'll need to reach out to your Qualys TAM or Qualys Support to request access to a) GovCloud Feature and b) Qualys Scanner Appliance Pre-Authorized AMI. Then you'll follow the scan steps below. Learn how to get started

Let's launch a scan

Go to Scans > Scans > New > EC2 Scan (or Schedule EC2 Scan). Click here for help with scheduling.

New EC2 Scan menu option under Scans

Provide scan settings:

(1) Give your scan a title and select the option profile you configured with authentication.

(2) Select the EC2 connector name you've configured.

(3) Choose one of these platform options: EC2 Classic, EC2 VPC (All VPCs in region) or EC2 VPC (Selected VPC). Based on your selection you’ll select region(s). Click here for help choosing an option.

EC2 scan settings - Option Profile and Platform

(4) Select asset tags to specify the EC2 hosts to be scanned. These are the assets activated for your connector. Optionally, scan specific instance IDs. Instance IDs can be specified with or without tags. To specify instance IDs, select the "Scan specific Instance IDs (applicable typically for scanning instances in build or AMI testing phase)" check box.

(5) Choose the Virtual Scanner Appliance AMI you’ve launched in Amazon EC2.

EC2 scan settings - Scanner Appliance

Click Launch and start scanning and securing your Amazon EC2 infrastructure.

The EC2 Vulnerability Scan Preview lists all matching instances, including terminated ones. Terminated instances are filtered out when the scan runs and are not scanned.

EC2 Vulnerability Scan Preview screen
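The target selection described in steps (4) and (5) and in the preview screen can be modelled as a small set operation: an instance is listed in the preview if it carries one of the selected asset tags or its instance ID was given explicitly, and terminated instances are then dropped before scanning. The following Python is an added illustration of that logic over constructed sample data; it is not Qualys code, and the Ec2Instance type, the sample instance IDs and tags are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ec2Instance:
    """Minimal view of an EC2 instance as the preview needs it (hypothetical type)."""
    instance_id: str
    state: str                      # e.g. "running", "stopped", "terminated"
    tags: frozenset = frozenset()   # asset tags applied through the connector

def preview_targets(instances, asset_tags=(), instance_ids=()):
    """Mirror the preview list: match by asset tag OR by explicit instance ID.

    Instance IDs work with or without tags, so the two selections are a union.
    Terminated instances are still listed here, exactly as the preview shows them.
    """
    wanted_tags = set(asset_tags)
    wanted_ids = set(instance_ids)
    return [i for i in instances
            if (i.tags & wanted_tags) or i.instance_id in wanted_ids]

def scan_targets(instances, asset_tags=(), instance_ids=()):
    """What actually gets scanned: the preview minus terminated instances."""
    return [i for i in preview_targets(instances, asset_tags, instance_ids)
            if i.state != "terminated"]

def ids(instances):
    """Instance IDs in preview order, handy for logging and comparison."""
    return [i.instance_id for i in instances]

# Constructed sample inventory (not real instance IDs).
SAMPLE_INSTANCES = [
    Ec2Instance("i-0aaa", "running", frozenset({"web", "prod"})),
    Ec2Instance("i-0bbb", "terminated", frozenset({"web"})),   # listed, never scanned
    Ec2Instance("i-0ccc", "stopped", frozenset({"db"})),
    Ec2Instance("i-0ddd", "running", frozenset()),             # build-phase host, no tags yet
    Ec2Instance("i-0eee", "running", frozenset({"db"})),
]

if __name__ == "__main__":
    # Tag "web" plus the untagged build-phase instance selected by ID.
    print("preview:", ids(preview_targets(SAMPLE_INSTANCES, ["web"], ["i-0ddd"])))
    print("scanned:", ids(scan_targets(SAMPLE_INSTANCES, ["web"], ["i-0ddd"])))
```

Running it shows the preview holding the terminated instance i-0bbb while the scan list does not, which is the behaviour to expect when a preview count is larger than the number of hosts that end up in the scan results.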

Create Reports

Create reports to identify the vulnerabilities on your EC2 assets. Go to Reports > Reports > New > Scan Report. You can then choose a pre-configured or a customized template. Give the report a name, choose the template, report format and hosts (IP addresses or tags), and then generate the report.

Depending on your template settings, your report can include graphs and charts depicting vulnerability information, as well as EC2 instance information such as Image Id, VPC Id, instance state, instance type and so on. You can use the instance information for remediation.

Query EC2 Assets in AssetView

Our search capabilities let you quickly find everything about your assets in one place.

Choose AssetView from the app picker. Go to the Assets tab. Start typing AWS and we'll show you the asset properties you can search like accountId, instanceType, hostname, etc. Select the one you're interested in.

Search field on Assets tab in AssetView

More on Target Hosts

Scanning EC2 Classic instances

Choose EC2 Classic (Selected Region) to scan EC2 Classic hosts in a region. When selected, we'll scan only EC2 Classic instances in that region.

EC2 Classic (Selected Region) option

Scanning VPC instances

Choose EC2-VPC (Selected VPC) to scan only a VPC you select.

EC2 VPC (All VPCs in Region) option

Scanning instances using VPC Peering

Choose EC2-VPC (All VPCs in Region) to scan all VPCs in a region. Select this option ONLY if there is peering between all the VPCs in the region; otherwise you could end up with Host not found errors for instances that your Virtual Scanner Appliances cannot reach.

EC2 VPC (Selected VPC) option
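Before picking EC2-VPC (All VPCs in Region), it is worth verifying the peering condition stated above rather than discovering it through Host not found errors. The Python below is an added pre-flight check, not part of this page or of Qualys; it assumes you know the VPC the scanner appliance runs in and it reads VPC and peering data through boto3's describe_vpcs and describe_vpc_peering_connections (only when run against a real region; the check itself works on plain data, and the sample VPC IDs and peerings are constructed). VPC peering is not transitive, so a target VPC counts as reachable only through a direct, active peering with the scanner's VPC.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Peering:
    """One VPC peering connection as returned by EC2 (hypothetical simplified type)."""
    requester_vpc: str
    accepter_vpc: str
    status: str   # EC2 status code, e.g. "active", "pending-acceptance", "deleted"

def unreachable_vpcs(scanner_vpc, vpc_ids, peerings):
    """VPCs in the region that have no active, direct peering with the scanner's VPC.

    Peering is not transitive, so A<->B and B<->C does not make C reachable from A.
    Any VPC returned here will produce Host not found errors for its instances.
    """
    directly_peered = set()
    for p in peerings:
        if p.status != "active":
            continue   # pending, rejected or deleted peerings carry no traffic
        if p.requester_vpc == scanner_vpc:
            directly_peered.add(p.accepter_vpc)
        elif p.accepter_vpc == scanner_vpc:
            directly_peered.add(p.requester_vpc)
    return sorted(v for v in vpc_ids if v != scanner_vpc and v not in directly_peered)

def missing_full_mesh(vpc_ids, peerings):
    """Pairs of VPCs lacking an active direct peering.

    This is the stricter reading of 'peering between all the VPCs in the region':
    an empty result means every VPC pair is directly peered.
    """
    active = {frozenset((p.requester_vpc, p.accepter_vpc))
              for p in peerings if p.status == "active"}
    return sorted(pair for pair in combinations(sorted(vpc_ids), 2)
                  if frozenset(pair) not in active)

def fetch_region(region):
    """Load real data with boto3 (needs AWS credentials; not used by the offline sample)."""
    import boto3  # assumption: boto3 is installed when this is run against AWS
    ec2 = boto3.client("ec2", region_name=region)
    vpc_ids = [v["VpcId"] for v in ec2.describe_vpcs()["Vpcs"]]
    peerings = [
        Peering(pc["RequesterVpcInfo"]["VpcId"], pc["AccepterVpcInfo"]["VpcId"], pc["Status"]["Code"])
        for pc in ec2.describe_vpc_peering_connections()["VpcPeeringConnections"]
    ]
    return vpc_ids, peerings

# Constructed sample region (VPC IDs are placeholders, not real ones).
SAMPLE_VPCS = ["vpc-scanner00", "vpc-app000001", "vpc-app000002", "vpc-iso000003"]
SAMPLE_PEERINGS = [
    Peering("vpc-scanner00", "vpc-app000001", "active"),
    Peering("vpc-app000002", "vpc-scanner00", "active"),
    Peering("vpc-app000001", "vpc-app000002", "active"),
    Peering("vpc-scanner00", "vpc-iso000003", "pending-acceptance"),  # not yet usable
]

if __name__ == "__main__":
    print("unreachable from scanner:", unreachable_vpcs("vpc-scanner00", SAMPLE_VPCS, SAMPLE_PEERINGS))
    print("pairs without peering:   ", missing_full_mesh(SAMPLE_VPCS, SAMPLE_PEERINGS))
```

If unreachable_vpcs returns anything, either complete the peering (and the route table entries the page's checklist covers) or fall back to EC2-VPC (Selected VPC) and run one scan per reachable VPC; the pending peering in the sample is exactly the kind of half-finished setup that shows up later as Host not found.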