The following is a list of commonly asked questions about EC2 scanning. If there's more to be added, please leave a comment:
1. I don't see the EC2 Scan option.
A. Please contact your Technical Account Manager to get the EC2 Scan option enabled.
2. Do I need a scanner to scan EC2 instances?
A. EC2 instances can be scanned using a scanner appliance or by deploying Qualys Cloud Agents.
3. Can all EC2 instance types be scanned with a scanner appliance?
A. All except t1.micro, t2.nano and m1.small can be scanned with a scanner appliance. This is per AWS Acceptable Use Policy: https://aws.amazon.com/security/penetration-testing/
4. How do I scan instances that can't be scanned with a scanner appliance?
A. These instances can be scanned by deploying the Qualys Cloud Agent.
5. Why should I use the Qualys Pre-Authorised scanner?
A. The Qualys Pre-Authorised scanners are approved by AWS. You do not need to submit a penetration testing form when using these scanners.
6. Can I scan using Qualys External scanners?
A. Yes, after submitting a penetration testing form to AWS.
7. Where can I find the AWS penetration testing form?
8. Why do I need to configure an EC2 connector?
A. The EC2 connector allows Qualys to discover the assets in your AWS infrastructure.
9. Why do I need to upgrade my connector?
A. The EC2 connectors created earlier used AWS access/secret access keys. By upgrading, your connectors will now use a cross-account role, allowing Qualys to access your EC2 instances without the need to share your AWS security credentials.
10. How long do I have to upgrade my connector?
A. Support for key-based connectors will be discontinued after 180 days.
11. Can I have multiple connectors for the same AWS account?
A. No. You can now create only one connector per unique AWS account. If you have multiple connectors for the same AWS account, you must retain one and delete the others.
12. Why should I enable automatic activation of assets?
A. Automatic activation ensures that all discovered EC2 instances are available for scanning.
13. How do I manually activate assets?
A. If automatic activation is not enabled, assets can be manually activated from AssetView. Select required assets, click on Actions > Activate.
14. Why should I include a tag in the EC2 connector?
A. Applying tags to discovered EC2 instances allows you to launch a scan on them.
15. Can I tag the discovered instances later?
A. Yes, instances can be tagged later from AssetView.
16. Why does AsssetView show more assets than Host Assets?
A. AssetView shows all assets that have been discovered by the EC2 Connector. All discovered assets may not have been activated (or in other words, added to subscription), this results in AssetView showing more assets than Host Assets.
17. How do I search and remove terminated instances from AssetView?
A. Use the query aws.ec2.instanceState:"TERMINATED" to search for terminated instances. To remove these, please open a case with Qualys Support.
18. I have automatic activation of assets turned on, but I don't see hosts getting added to Host Assets?
A. Verify that the New Data Security Model has been accepted.
19. How do I enter the scanner personalization code?
A. When launching a scanner in AWS, the personalization code must be added to User Data on Step 3 - Configure Instance Details.
20. How do I enter proxy details for the scanner?
A. The proxy details can be added to User Data on Step 3 - Configure Instance Details.
21. Can I scan EC2-Classic Instances?
A. Yes, both EC2-Classic and EC2-VPC instances can be scanned.
22. Can the scanner and target be in different VPC's?
A. Yes, the VPC's must be peered.
23. With the scanner in EC2-VPC, can I scan EC2-Classic instances?
A. Yes. Use EC2 Classic Link to allow the scanner in EC2-VPC to communicate with EC2-Classic instances.
EC2 Classic Link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-classiclink.html
24. How do I verify that the scanner can reach the Qualys SOC?
A. The scanner does not have a console, that means you can't login to the scanner and test connectivity. Alternatively, launch an EC2 instance in the same subnet as the scanner, with the same settings (such as security group). Login to this instance and test connectivity to the Qualys SOC.
25. How should I configure the security group to allow the scanner to reach the Qualys SOC?
A. Security groups by default allow all outbound traffic. If you need to tighten the rules, allow only TCP 443 outbound towards the Qualys SOC IPs. Security groups are stateful, that means return inbound traffic will be automatically allowed.
26. How can I automate the installation of Qualys Cloud Agents on all new EC2 instances?
A. Install the Cloud Agent on an EC2 instance and convert it to an AMI. Using this AMI to launch new instances will automatically deploy Cloud Agents. For more information, refer to the Cloud Agent Whitepaper. A copy of the Cloud Agent Whitepaper can be obtained from your Techincal Account Manager.
27. How can I search for EC2-VPC and EC2-Classic Instances?
A. Use these AssetView queries:
For EC2-VPC assets - provider:"AWS" and aws.ec2.vpcId:*
For EC2-Classic assets - provider:"AWS" and not aws.ec2.vpcId:*
28. How often does the EC2 Connector synchronize?
A. 180 seconds. It is possible to run a manual sync as well.
29. What do the colors in the Asset Count column mean?
A. The Asset Count column shows the assets discovered and synchronized in the latest EC2 connector run.
The green portion represents assets synchronized. Synchronized count represents assets that are successfully processed at Qualys.
The blue portion represents assets which are synchronized but excluded from VM/PC/SCA activation. Excluded assets could be terminated instances or m1.small, t1.micro or t2.nano instances which cannot be scanned per AWS Acceptable Use Guidance for scanning.
AWS Acceptable Use Policy: https://aws.amazon.com/security/penetration-testing/
30. What if the scanner is deployed correctly but still can't reach the Qualys SOC?
A. There could be other configurations such as security groups, NACL's, and routing tables which may prevent the scanner from reaching the Qualys SOC.
31. How do I scan assets in AWS GovCloud?
A. Create a new EC2 Connector and select the GovCloud option.
32. How are EC2 instances tracked within Qualys?
A. EC2 instanes are tracked using their EC2 instance-id.
33. Can I clone or use a snapshot of an existing scanner?
A. No, this is strictly prohibited and doing so will result in failed scans.
34. I'm a Qualys PCP customer. Can I use the same scanner AMI?
A. No. Please contact your Qualys Technical Account Manager or Qualys Support to generate a scanner AMI.
35. What permissions do I need in order to perform EC2 scans?
A. You need Manager or Unit Manager permissions to perform EC2 scans.