To configure a virtual scanner using Amazon EC2/VPC, you must first visit the Qualys Virtual Scanner Appliance page at the AWS Marketplace and subscribe to our AMI. Be sure to subscribe using each AWS account from which you might want to launch the virtual scanner.
Note: AWS IAM users are not currently supported in AWS Marketplace. An AWS admin from your organization may need to subscribe to the AMI using a direct AWS account. The AMI will then become visible to you in the AWS Management Console, and you will be able to launch it using your AWS IAM credentials.
How to subscribe to the virtual scanner AMI
1) Go to the AWS Marketplace. Visit the Qualys Virtual Scanner Appliance page at the AWS Marketplace at:
2) Review the Qualys Virtual Scanner Appliance page, then click Continue.
3) For a new account click “Go to AWS Account Sign-Up”. Note that account activation may take a minute.
4) Click “Launch with EC2 Console” and then click Accept Terms.
5) Review confirmation. You will receive an email notification confirming you have subscribed to the Qualys Virtual Scanner Appliance on the AWS Marketplace. Then you are ready to launch an AMI instance and enter configuration settings, including the personalization code for your virtual scanner.
A note on scanning capabilities
Once instantiated, a Virtual Scanner AMI is technically capable of scanning:
- Private IP addresses within Amazon EC2 and Amazon VPC
- Private IP addresses which you have connected to an Amazon VPC subnet via an IPSec VPN (e.g., your organization’s internal on-premise network)
- Public IP addresses within Amazon EC2 and VPC, including Elastic IP addresses
- Public IP addresses outside of AWS (i.e., the Internet)
The primary use case that Qualys is addressing with this product is the scanning of private IP space within Amazon VPC subnets, and this is the recommended use. The reasons include the volatile nature of IP addressing within EC2 and the potential for extra data transfer charges for scanning any public IP address within EC2 or VPC.
A Virtual Scanner AMI deployed within Amazon EC2/VPC does not support these appliance configurations: VLANs, static routes and IPv6.
A note on acceptable use
It is important to note that you must obtain pre-approval from Amazon Web Services before scanning in all cases, even for internal VPC-only scanning.
Guidelines for acceptable penetration testing are to be found here, and the full AWS Acceptable Use Policy is here. Amazon customers should complete the AWS Vulnerability / Penetration Testing Request Form (link requires authentication), supplying the source and destination IP addresses and the Amazon machine Instance IDs which will be involved in the scan. Note also that Amazon advises that it “can take 2-3 business days to evaluate your request.”
A note on monetary charges from AWS
Computing and storage capacity
Any instances of the virtual scanner which you instantiate from our AMI will be associated with your AWS account and you will bear the associated charges for the use of this compute capacity (typically per-hour charges). The Qualys Virtual Scanner Appliance makes use of Amazon Elastic Block Store (EBS) storage, which also has associated costs based upon capacity used and the quantity of I/O requests.
You should expect to incur data transfer charges for scanning, which can vary depending upon your configuration. These will be of two primary types, as described below.
- Data transfer outbound from your virtual scanner instance to the Qualys Cloud Platform. Administrative communications, as well as scan results, must travel out to Qualys in order to be associated with your Qualys subscription.
- Data transfer between the virtual scanner instance and any of the targeted EC2 and VPC assets which it scans. These charges will differ depending upon whether the virtual scanner and the targeted asset are in the same EC2 Region and/or Availability Zone, as well as whether you are targeting internal IP addresses or public/elastic IP addresses with your scans. As of this writing, data transfer from one internal IP address to another internal IP address in the same EC2 Region and same Availability Zone is free.
Complete Amazon EC2 pricing can be seen here: