Automate scanner start and stop using AWS Lambda

Document created by Shyam Raj on Feb 8, 2019. Last modified by Shyam Raj on Feb 8, 2019.

This document walks you through automating the start and stop of Qualys virtual scanners deployed in AWS using Lambda functions triggered by scheduled CloudWatch Events rules.

 

Scenario:

If your EC2 scans are restricted to maintenance windows, you would otherwise have to start and stop the scanner instance by hand. With a Lambda function this can be automated: the scanner starts when your maintenance window begins and stops when it ends, so the instance (and its compute cost) only runs while scans are permitted.

 

In this example, assume the maintenance window runs from 00:00 GMT (start) to 08:00 GMT (end) every day. CloudWatch schedule expressions are evaluated in UTC, which is what GMT means here.

 

What you need to know:

  • You'll need a Qualys virtual scanner license and a scanner appliance already running as an EC2 instance.
  • Scanner start and stop will be automated using Lambda functions (one to start, one to stop).
  • Scheduled CloudWatch Events rules (cron expressions) will trigger the Lambda functions.

 

Setup:

1. Login to your AWS account and launch a virtual scanner

Steps to launch a virtual scanner can be found here: https://vimeo.com/album/4809723/video/237991145

 

2. Create an IAM Role to use with the Lambda function

2.1 First, create an IAM policy to be included in the IAM role

  • Navigate to IAM > Policies > Create Policy > JSON
  • Paste the policy document below, then name and save the policy (the name is only needed so you can pick it in step 2.2)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Start*",
        "ec2:Stop*"
      ],
      "Resource": "*"
    }
  ]
}

2.2 Next, create the IAM role

  • Navigate to IAM > Roles > Create role
  • Type of trusted entity: AWS service
  • Choose the service that will use this role: Lambda
  • Click Next: Permissions
  • Select the policy created in step 2.1
  • Name the role lambda-start-stop-scanner (this name is referenced in step 3) and save.

 

The above IAM role allows Lambda to write its CloudWatch logs and to start/stop EC2 instances. Note that the second statement is broader than this task needs: "ec2:Start*" and "ec2:Stop*" match every EC2 action beginning with Start or Stop, and "Resource": "*" lets the function start or stop any instance in the account. Both ec2:StartInstances and ec2:StopInstances support resource-level permissions, so once you know the scanner's instance ID you can tighten the statement to exactly those two actions on "arn:aws:ec2:<region>:<account-id>:instance/<instance-id>" (one ARN per scanner). The function will then fail with an AccessDenied error if it is ever pointed at any other instance.

 

3. Create the Lambda function to start the scanner

  • Navigate to Lambda > Functions > Create Function > Author from scratch:

Name: scanner-start

Runtime: Python 3 (choose a currently supported Python 3.x runtime; the original write-up used Python 2.7, which Lambda no longer supports, and the code below has been updated to Python 3)

Role: choose an existing role

Existing role: lambda-start-stop-scanner (created in step 2.2)

  • Click Create Function and paste the below code in the editor:

 

import boto3

# Enter the region your instances are in. Include only the region without specifying an Availability Zone; e.g. 'us-east-1'
region = 'ap-south-1'

# Enter your scanner instance IDs here, e.g. ['i-xxxxxxxx', 'i-xxxxxxxx']
instances = ['i-0fe9f0924bac69f43']


def lambda_handler(event, context):
    # boto3 is bundled in the Lambda Python runtime; the client uses the function's IAM role credentials
    ec2 = boto3.client('ec2', region_name=region)
    # StartInstances is idempotent: an already-running instance is simply reported as running
    response = ec2.start_instances(InstanceIds=instances)
    # The print output is written to the function's CloudWatch log stream (see Verification)
    print('started your instances: ' + str(instances))
    return response['StartingInstances']

 

In the above code, replace ap-south-1 with your region code and i-0fe9f0924bac69f43 with your EC2 scanner instance ID. If you have multiple scanners, list their IDs comma-separated inside the brackets; a single start_instances call can take the whole list.

  • Scroll down the code editor; under Basic settings, change the Timeout to 10 seconds (the default 3 seconds can be too short for the EC2 API call).

  • Save your Lambda function.

 

4. Repeat step 3 to create a Lambda function to stop the scanner (same role, same region and instance IDs; only the name and the API call differ)

Name: scanner-stop

Runtime: Python 3 (same runtime as in step 3)

Role: choose an existing role

Existing role: lambda-start-stop-scanner (created in step 2.2)

 

import boto3

# Enter the region your instances are in. Include only the region without specifying an Availability Zone; e.g. 'us-east-1'
region = 'ap-south-1'

# Enter your scanner instance IDs here, e.g. ['i-xxxxxxxx', 'i-xxxxxxxx']
instances = ['i-0fe9f0924bac69f43']


def lambda_handler(event, context):
    ec2 = boto3.client('ec2', region_name=region)
    # StopInstances is idempotent: an already-stopped instance is simply reported as stopped
    response = ec2.stop_instances(InstanceIds=instances)
    # The print output is written to the function's CloudWatch log stream (see Verification)
    print('stopped your instances: ' + str(instances))
    return response['StoppingInstances']

 

  • Scroll down the code editor; under Basic settings, change the Timeout to 10 seconds.
  • Save your Lambda function.

 

5. Create a CloudWatch rule to trigger the Lambda function to start the scanner

  • Navigate to CloudWatch > Events > Rules > Create rule (in newer consoles this lives under Amazon EventBridge > Rules; the schedule syntax is the same)

Event Source: Schedule > Cron expression

 

Specify a cron expression that matches the start time of your maintenance window. The CloudWatch format is cron(minutes hours day-of-month month day-of-week year), with ? in whichever of day-of-month or day-of-week you are not using; for 00:00 UTC every day that is cron(0 0 * * ? *). Read more about designing a cron expression here: Schedule Expressions for Rules - Amazon CloudWatch Events

 

In this example, I've assumed the maintenance window starts at 00:00 GMT each day. Ideally, you want to start the scanner a few minutes before your scan start time (for example cron(50 23 * * ? *) for 23:50 UTC), so it has enough time to boot and sync up with the Qualys Cloud Platform before the first scan is launched.

 

  • Add the start Lambda function (scanner-start) as the target. The console adds the resource-based permission that lets the rule invoke the function; if you create the rule with the CLI or an API instead, you have to grant that permission yourself with lambda:AddPermission.

 

  • Name your rule and save.

6. Create a CloudWatch rule to trigger the Lambda function to stop the scanner

  • Navigate to CloudWatch > Events > Rules > Create rule

Event Source: Schedule > Cron expression

Specify a cron expression that matches the stop time of your maintenance window; for 08:00 UTC every day that is cron(0 8 * * ? *).

 

In this example, I've assumed the maintenance window ends at 08:00 GMT each day.

 

  • Add the stop Lambda function (scanner-stop) as the target

  • Name your rule and save.

 

Now the CloudWatch Events rules will automatically start and stop your scanner(s) at the configured times.
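As an added example (not code from the original article or from Qualys), the Python 3 module below collapses the two functions above into one handler that picks start or stop from the event it receives, so both CloudWatch rules can target the same function by passing a constant JSON input such as {"action": "start"} (the rule target's "Constant (JSON text)" option). It also builds the least-privilege version of the step 2.1 policy, scoped to the scanner instance ARNs, and generates the two cron expressions for a window whose start lead time may cross midnight. The optional ec2 parameter, the FakeEC2 class and the account ID 123456789012 are assumptions added so the module runs offline; boto3 is only imported when no client is supplied.

```python
"""Added example: one start/stop Lambda handler for Qualys scanner instances,
plus the scoped IAM policy and CloudWatch cron expressions that go with it.
Not part of the original article; the event shape {"action": ...} and the
injectable ec2 client are assumptions made here."""
import re

REGION = "ap-south-1"                 # region of the scanner instance(s), as in the article
INSTANCES = ["i-0fe9f0924bac69f43"]   # scanner instance id(s) from the article
INSTANCE_ID = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")  # old 8-hex or current 17-hex ids


def scoped_policy(region, account_id, instance_ids):
    """Least-privilege form of the article's policy: StartInstances/StopInstances
    limited to the scanner instance ARNs instead of Resource '*'."""
    arns = [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": "arn:aws:logs:*:*:*"},
            {"Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances"],
             "Resource": arns},
        ],
    }


def cron_expression(hour, minute=0):
    """CloudWatch Events cron: cron(minutes hours day-of-month month day-of-week year), UTC."""
    return f"cron({minute} {hour} * * ? *)"


def window_schedule(start_hour, end_hour, lead_minutes=0):
    """Start rule fires lead_minutes before the window opens (so the scanner can sync
    with the Qualys platform); stop rule fires at the end. A lead time that crosses
    midnight wraps to the previous day, e.g. 00:00 minus 10 min -> cron(50 23 ...)."""
    start = (start_hour * 60 - lead_minutes) % (24 * 60)
    return {"start": cron_expression(start // 60, start % 60),
            "stop": cron_expression(end_hour, 0)}


def lambda_handler(event, context, ec2=None, instances=None):
    """Start or stop the scanner(s) according to event["action"]; returns
    {instance_id: new_state} built from the EC2 API response."""
    action = (event or {}).get("action")
    if action not in ("start", "stop"):
        raise ValueError(f"unsupported action: {action!r}")
    ids = instances if instances is not None else INSTANCES
    bad = [i for i in ids if not INSTANCE_ID.match(i)]
    if bad:  # refuse to call the API with anything that is not an instance id
        raise ValueError(f"malformed instance id(s): {bad}")
    if ec2 is None:
        import boto3  # bundled in the Lambda runtime; imported lazily so tests run offline
        ec2 = boto3.client("ec2", region_name=REGION)
    if action == "start":
        changes = ec2.start_instances(InstanceIds=ids)["StartingInstances"]
    else:
        changes = ec2.stop_instances(InstanceIds=ids)["StoppingInstances"]
    result = {c["InstanceId"]: c["CurrentState"]["Name"] for c in changes}
    print(f"{action}: {result}")  # ends up in the function's CloudWatch log stream
    return result


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client with the same response shape;
    used only so the handler can be exercised without AWS credentials."""
    def __init__(self):
        self.state = {}

    def start_instances(self, InstanceIds):
        self.state.update({i: "pending" for i in InstanceIds})
        return {"StartingInstances": [{"InstanceId": i, "CurrentState": {"Name": "pending"}}
                                      for i in InstanceIds]}

    def stop_instances(self, InstanceIds):
        self.state.update({i: "stopping" for i in InstanceIds})
        return {"StoppingInstances": [{"InstanceId": i, "CurrentState": {"Name": "stopping"}}
                                      for i in InstanceIds]}


if __name__ == "__main__":
    fake = FakeEC2()
    print(window_schedule(0, 8, lead_minutes=10))
    print(lambda_handler({"action": "start"}, None, ec2=fake))
    print(lambda_handler({"action": "stop"}, None, ec2=fake))
    print(scoped_policy(REGION, "123456789012", INSTANCES)["Statement"][1]["Resource"])
```

With this layout you create the two rules exactly as in steps 5 and 6, but both target the one function and differ only in their constant input and cron expression; a rule that accidentally sends anything other than "start" or "stop" fails loudly in the logs instead of doing nothing.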

 

Verification:

Each invocation of a function writes to its own CloudWatch log group, /aws/lambda/scanner-start and /aws/lambda/scanner-stop, including the print output from the code above, so you can confirm that each rule fired at the expected time. To confirm the effect, check the instance state in the EC2 console after each trigger and the scanner appliance status in the Qualys console, which should show the scanner online shortly after the start rule fires.

 
