Configuring AWS Read-Only Credentials for the EC2 Connector

Document created by Justin Lute on Mar 4, 2013Last modified by Qualys Documentation on Aug 16, 2016
Version 14Show Document
  • View in full screen mode

Configure an EC2 Connector in Qualys AssetView if you wish to perform Pre-Authorized Scanning of your instances deployed on Amazon EC2. Then use our EC2 Scan worfklow to launch  vulnerability management scans and/or compliance scans of your EC2 instances. See Getting Started with Amazon EC2 Pre-Authorized Scanning


EC2 Connector

An "EC2 Connector" should not be thought of as a specific device or component.  It is simply a configuration policy which defines the parameters for how Qualys Cloud Platform will interact with Amazon EC2 API endpoints on your behalf.


Some "connector" calls will be made "cloud to cloud", directly from the Qualys Cloud Platform to the Amazon API endpoints.  Other "connector" calls will be made at scan run time from a deployed Qualys Virtual Scanner Appliance (Pre-Authorized Scanning) to the Amazon API endpoints.


AWS IAM Access Keys

You must associate valid AWS IAM (Identity and Access Management) credentials with sufficient privileges to read from your AWS account through the EC2 APIs.  This credential comes in the form of an AWS IAM Access Key pair, which must be created by your AWS administrator and then typed/pasted into your Qualys EC2 Connector configuration.



Least Privilege Permissions For AWS

In keeping with best practices around least privilege and non-repudiation, Qualys recommends that a unique user account be created solely for the Qualys EC2 Connector in AWS Identity and Access Management (IAM).  Further, this account should be restricted to a limited set of read-only permissions when you configure its permission policy in AWS IAM.


AWS provides various out-of-the-box "read only" permission policy templates, many of which would allow our EC2 Connector to work.  As of this writing, these three tempaltes are known to include sufficient access for the Qualys EC2 Connector: Read Only Access, Amazon EC2 Read Only Access, and Security Audit.


If you wish to provide absolute minimum permissions by creating a custom AWS permission policy, note that only the following Amazon EC2 API permissions are actually needed by the Qualys EC2 Connector as of this writing:

  • DescribeInstances
  • DescribeImages
  • DescribeAddresses


These permissions may be associated at the User or Group level within AWS IAM.



Creating A Custom Permission Policy Using the Policy Generator

An AWS user with administrative access to the AWS IAM service must create the AWS user account which the Qualys Connector will use.


You may configure the permissions through the AWS Management Console web UI or through the AWS IAM APIs.  As of this writing, when configured through the web UI, the workflow to create a custom policy with the Policy Generator looks like this:


Select the Policy Generator












Add a new policy Statement


  1. Effect: Allow
  2. AWS Service: Amazon EC2
  3. Actions (multi-select): DescribeAddresses, DescribeImages, DescribeInstances
  4. Amazon Resource Name (ARN): * (asterisk character)
  5. Click the Add Statement button.




































Review and Apply Policy


The completed permissions policy will be JSON-formatted text and should look approximately like this:


















The raw JSON which represents the least privilege policy is below.  Note that you should replace the Version and Statement Sid values with values relevant to your organization.  This JSON includes placeholder values of <myVersionNumberHere> and <myStatementIdHere> for reference.


  "Version": "<myVersionNumberHere>",
  "Statement": [
      "Sid": "<myStatementIdHere>",
      "Effect": "Allow",
      "Action": [
      "Resource": [




Looking for more on host to configure IAM permissions policies? See AWS Identity and Access Management Managing IAM Policies



Configuring AWS IAM Access Keys

AWS credentials are requested by the Qualys Cloud Suite UI during the creation of the Connector or Amazon Web Services.  You must be able to provide the Access Key Id and Secret Access Key for a valid AWS user security credential.


Those access keys will look approximately like this:


Access Key Id:



Secret Access Key:



They must by typed/pasted into an AWS/EC2 Authentication Record as part of the Connector configuration workflow:





Learn more

Help Center for Amazon