Getting Started with Amazon EC2 Pre-Authorized Scanning

Document created by Justin Lute on Mar 20, 2013Last modified by Qualys Documentation on Aug 16, 2016
Version 18Show Document
  • View in full screen mode

It's easy to get started with Amazon EC2 Pre-Authorized Scanning Solution from Qualys. We'll walk you through the steps.



Tell me the steps


1. Have your Qualys subscription enabled for the Amazon EC2 solution

Once enabled you'll see the workflows New EC2 Connector and New EC2 Scan within your Qualys account. Contact your Qualys TAM (Technical Account Manager) or Qualys Support for assistance.



2. Accept New Data Security Model

Dynamic Asset Tagging is a prerequisite for using the EC2 Scan workflow and it is available only after you accept the "New Data Security Model" within your Qualys subscription. You may have already accepted this when prompted at log in. If not, you can navigate to (1) Vulnerability Management > (2) Users > (3) Setup > (4) Security > (5) New data security model to (6) and accept.



3. Configure at least one "Pre-Authorized Scanning" virtual scanner appliance

(This step can be completed at any point before scanning.)


Things to consider... You must have at least one virtual scanner license in your Qualys subscription. Virtual scanner licenses are available for purchase or for trial by contacting your Qualys TAM or Qualys Support.


What are the steps? You'll launch an instance of the "Pre-Authorized Scanning" appliance AMI in your Amazon account.

How to configure a virtual scanner using Amazon EC2/VPC


4. Create an EC2 Connector

Go to Qualys AssetView (AV) - just select AV from the module picker. Then navigate to the Connectors tab, and click the Create EC2 Connector button. Our wizard will walk you through the steps for configuring a working connection to the EC2 APIs. You will need to provide AWS Access Keys with read access as part of the Connector configuration.

Configuring AWS Read-Only Credentials


Tip - Be sure to create a unique EC2 Connector for each of your Amazon accounts.




Tell me about Asset Tags. Qualys Asset Tags are required in order to successfully target EC2 instances using the EC2 Scan workflow, as EC2 Scan relies upon a "scan-by-tag" workflow. It is recommended that you create at least one generic Asset Tag (e.g. "EC2") and have the Connector automatically apply that tag to all imported assets (shown below). Are there other ways to apply tags? Sure, you may also apply more static and/or dynamic tags using the workflows and policies in Qualys AssetView (AV). Dynamic tags allow you to tag your EC2 assets automatically based upon discovered EC2 metadata.




5. Activate EC2 Assets for scanning

EC2 assets must be activated for your Qualys license in order to scan them.


If you choose "Automatically activate" we'll automatically activate all discovered EC2 assets (size medium and above) - this makes them ready for scanning. If your license has VM only, you can activate EC2 assets for VM scanning. If your license has VM and PC, you can activate them for VM scanning and/or PC scanning.




Want to activate your assets later? No problem you can do it manually anytime. Just go to the Assets tab, select the assets you want to activate, then choose "Activate Assets" from the Actions menu.




6. Scan EC2 instances using the EC2 Scan workflow

Qualys provides a special EC2 Scan (and Schedule EC2 Scan) workflow which only works in collaboration with an instance of the Pre-Authorized Scanning virtual appliance AMI. This solution allows on-demand and scheduled scanning in Amazon EC2-Classic and EC2-VPC, without the need for the customer to manually request scanning permission from AWS.

AWS Acceptable Use Guidance For Scanning


Things to consider... Are you using the Networks feature? If yes, your EC2 hosts will be associated with a network when they are activated. EC2 hosts activated using 8.3 or later will be added to the Global EC2 Network which acts as a placeholder. By default a new virtual scanner appliance is placed in the Global Default Network and when a scan is performed host scan data is added to that network. We recommend you move the appliance to the desired network before scanning - the Global EC2 Network or a custom network.


What are the steps? Navigate to Vulnerability Management (VM), then Scans and select New > EC2 Scan (or Schedule EC2 Scan). Have Policy Compliance (PC)? You'll see a similar workflow for launching compliance scans.



You'll select these scan settings:

- the virtual scanner appliance deployed using the Pre-Authorized Scanning appliance AMI

- the EC2 Connector which relates to the assets you would like to scan

- the EC2 Region or VPC which you would like to target

- one or more Tags (optional) to isolate specific assets you would like to include in or exclude from the scan


Tip - Select "Only scan EC2 Classic Hosts in the region" to avoid scanning VPC hosts in your EC2 region (i.e. all VPC hosts will be filtered out).




That's all there is to it!

You can monitor your scan's progress like any other scan, view scan results and create scan reports including your EC2 hosts.



Learn more

Help Center for Amazon Web Services

Choosing The Correct Scanner AMI (Amazon Machine Image

Reference: QualysGuard Virtual Scanner Appliance

2 people found this helpful