Masking Proxy Credentials in Amazon EC2 User Data Field

Document created by Justin Lute on Feb 20, 2013Last modified by Qualys Documentation on Aug 15, 2016
Version 7Show Document
  • View in full screen mode


This article describes a workaround process implemented by Qualys to allow proxy server credentials to be masked after they are configured on an Instance of our Qualys Virtual Scanner Appliance for Amazon EC2 using the cleartext "User Data" input mechanism provided by EC2.



What do I need to know?

Depending upon the architecture of your network, you may need to configure your Qualys Virtual Scanner Appliance deployed on Amazon EC2 to communicate through a proxy server in order to call home to the Qualys Cloud Platform.  This management connection is described in more detail in Scanner Appliance: Management Communications.


The virtual appliance deployed on Amazon EC2 provides no console or direct administrative access of any kind.  To configure your virtual appliance with the appropriate proxy settings, you must include them as part of the User Data field for your instance reservation.  The supplied User Data can then be automatically retrieved by the scanner instance at a specific URI which allows for Amazon EC2 instances to access instance-specific metadata. The mechanics of this process are described by AWS in their Instance Metadata documentation, in particular in the User Data Retrievalsection.


How to configure a virtual scanner using Amazon EC2/VPC provides step-by-step guidance on deploying your virtual scanner on Amazon EC2, including the precise configuration settings needed to establish the proxy configuration.  In brief, you must include your desired proxy configuration settings as part of the User Data, as in the following screen:






The configuration information contained in the User Data is stored in cleartext and available for viewing by standard AWS Console users, which is a highly undesirable situation from a security perspective.






Qualys has engineered a workaround which allows the credentials supplied as part of the proxy configuration to be masked after they have been successfully deployed to the scanner appliance.  The process for executing this workaround is as follows:


  • Provision and personalize an instance of the scanner appliance including your proxy credentials as part of the User Data.  Follow the process outlined in How to configure a virtual scanner using Amazon EC2/VPC.  Once proxy settings have been captured from the User Data field, a running instance will keep real proxy credentials on disk in encrypted form.


  • Verify scanner appliance activation by going to the Qualys Vulnerability Management UI (Scans > Appliances) and checking the appliance status. You'll see the green Connected icon once the scanner instance has completely synchronized with the Qualys Cloud Platform and updated itself with the latest software.


  • Stop your scanner appliance instance. You may only make changes to the User Data of an EC2 instance when it is in a stopped state.


  • Engage editing function for your EC2 User Data configuration.  Within the AWS Management Console you can edit User Data by right-clicking the scanner appliance Instance and selecting View/Change User Data from the pop-up menu it presents.




  • Mask credentials in User Data configuration.  To mask the proxy credentials, you must replace the credentials you listed as part of the PROXY_URL attribute with an asterisk (*) character.  For example, you could include text in the format PROXY_URL =****:****@


The workaround engineered by Qualys is that any PROXY_URL entry which begins with an asterisk will signal the virtual appliance to ignore the information in the PROXY_URL User Data and use the last known good proxy configuration.  Therefore, a PROXY_URL entry as simple asPROXY_URL=* would also work.


Do not remove the PROXY_URL= entirely, as this will signal the appliance that all proxy configuration information should be removed from the appliance.




  • Start the scanner appliance instance.  The EC2 User Data PROXY_URL settings are only referenced and updated during the scanner appliance's boot sequence.  If the scanner appliance sees a PROXY_URL= entry which begins with an asterisk it will leave the existing proxy settings (IP address and port, as well as credentials) in place.



Learn more