Securing EC2 Instances in AWS - GovCloud

Document created by Hari Srinivasan Employee on Apr 13, 2017Last modified by Hari Srinivasan Employee on Jun 8, 2017
Version 4Show Document
  • View in full screen mode

Qualys Security for EC2 Instances in AWS Gov Cloud

Federal and Vendors for Federal having deployments in AWS GovCloud, can now use the enhanced set of features in securing EC2 Instances in GovCloud.  Qualys also is FedRamp certified, it allows Qualys to expand its offering and establish itself as a cybersecurity cloud services platform of choice within the Federal Civilian sector.


The Qualys solution is also available for users of the AWS GovCloud in addition to the generic AWS regions. Customers can deploy the Qualys sensors a virtual scanner appliance or a cloud agent within an instance, to scan and secure their EC2 instances in GovCloud.


Qualys Sensors for GovCloud

Qualys Virtual Scanner Appliances (qVSA)

AWS GovCloud does not have access to the generally available AWS marketplace. GovCloud users need to get shared access to the qVSA AMI to deploy the scanner appliances. Contact Qualys TAM or support to gain access to the AMI.
Note: Pre-authorized AMIs are supported in GovCloud, so ensure you always deploy the pre-authorized scanner AMIs to avoid hassles of filling out penetration testing forms. Learn more about setting up the EC2 Connector to sync. up with your AWS Govcloud in the section below.


Qualys Cloud Agents

Qualys Cloud Agents (Linux and Windows version) can be deployed on the EC2 instances in GovCloud, there is no difference from that of any other regions. You could deploy the agents directly on a running instance or make it more automated by embedding the agents into the EC2 instance AMIs. Follow the standard cloud agent installation instructions.
Cloud Agents collect metadata of an EC2 instance (it's limited to Amazon Linux today, soon to be working for all OS flavors).  Highly recommend setting up the EC2 connectors to get the complete inventory and full list of metadata for the instances.


Cloud Connector - AWS EC2

EC2 Connectors synchronizes EC2 instances for an AWS user on a regular frequency. In addition, it also collects complete metadata of an instance covering its geolocation, network details, ownership, status, size, etc..  

AWS GovCloud is an isolated region, the AWS account is specific to the region.  Users need to set up a separate EC2 connector to cover the GovCloud region. Follow the instructions in the section below to setup a GovCloud EC2 connector. 


Getting Started


To start securing the EC2 instances in Gov Cloud, you could deploy either or both, Scanner Appliances and Agents.


Get access to the Scanner Appliance AMI for the GovCloud region

Follow the instructions below, to get started with securing your AWS GovCloud using Qualys qVSA:


  1. Contact your Qualys TAM or Qualys Suppor requesting access to a) AWS EC2 feature* and b) Qualys Scanner Appliance Pre-Authorized AMI.
  2. Include your AWS Account ID under which you would be running the scanner, access to the AMI is enabled by Qualys support for specific Account IDs.
  3. Qualys Support would send you a mail with approval and access information.
  4. Create an Instance with the ‘qVSA’ AMI, which will now be available under MyImages section in the Create Instance wizard. (If you need to search, use the keyword ‘qVSA’ to find the Qualys scanner)
  5. Follow the general steps as documented in the links below to configure the scanner for AWS

* Access to AWS EC2 feature currently needs enablement from Support. The AWS GovCloud support is available for all users with EC2 feature.


Setting up EC2 Connectors for GovCloud

AWS GovCloud is an isolated region, the AWS account is specific to the region.  Users need to set up a separate EC2 connector to cover the GovCloud region. 


  1. Log into your Qualys portal. Ensure your Qualys subscription has the GovCloud feature access turned ON.
  2. From the module selector, choose Asset View > Navigate to Connectors tab.
  3. Click 'Create EC2 Connector'
  4. Provide the Basic information, Name, and Description.  Make sure provide a unique name to identify the gov cloud. (Example: JohnDoeAWSGovCloud). Click 'Continue'
  5. Create a new Authentication record for an IAM user of your GovCloud AWS account.  AWS GovCloud account is a separate account from other regions. The cloud connector requires an IAM user with "read-only" access to 3 Describe APIs, learn more from the document listed in the resources section below.
  6. Select the newly created authentication record and select the checkbox at the bottom for "Set the connector only for AWS GovCloud (US) region"
  7. Click Continue, the only Region available today for GovCloud is US region. Select the region and click 'Continue'
  8. Set activation to automatic for the modules you are licensed to. Ensure you add special tags to identify these assets separately. Tags make it easier for to search and it's required for pre-authorized scanning. 
  9. Click 'Continue' and finish creating the EC2 connector
  10. Connector syncs up the asset inventory from GovCloud region and the metadata of the instances.
  11. If you are using Scanners, the EC2 Scan Job and EC2 Scheduled scan job will now display this Connector and the GovCloud region for you to target the scanning.

 Start scanning and securing your GovCloud region. 


More Resources

Qualys security solution for AWS
Configuring scanner in AWS

Getting started with Amazon EC2 Pre Authorized Scanning
Configuring AWS Read-Only Credentials for the EC2 Connector 

AWS GovCloud

Finding your AWS account Id


For further questions and support, please contact - Qualys Support