Exceptions

Exceptions allow you to temporarily exempt specific cloud resources from security control evaluations. This enables organizations to meet legitimate business requirements while maintaining governance, visibility, and accountability.

Why Use Exceptions?

In some cases, strict security policies may conflict with short-term operational or application needs. Exceptions provide a controlled and auditable way to:

  • Temporarily allow non-compliant resource configurations
  • Support custom or legacy applications
  • Prevent repeated failures for approved risk acceptances

For example, suppose an organization has a security control that disallows public SSH (port 22) on cloud servers, and due to a temporary production issue a team needs SSH access to one virtual machine for troubleshooting.
An exception is created for the affected resource with a defined reason and end date. While the exception is active, the control result changes from Fail to Pass with Exception (PassE).
Once the exception expires, the resource is evaluated normally again.

Create Exceptions for Connectors and Tagged Resources

You can create exceptions for resources associated with connectors or tagged with Qualys Tags directly from the Exceptions tab.

  1. Go to Policy > Exceptions.
  2. Click New to open the exception wizard.
  3. Enter basic details, including exception name, provider, explanation, and start/end dates.
  4. Select the exception scope:
    • Connector – Applies to all resources across all or selected connectors.
    • Qualys Tag – Applies to all resources with the selected tag.
  5. Select controls to exempt. The resources evaluated with these controls will appear with a Pass with Exception (PassE) status.
  6. Review the details and click Create Exception.

Build-Time Exceptions for Infrastructure as Code (IaC)

You can skip specific security controls (identified by their control ID, CID) during IaC evaluations by adding exemption metadata of the form iac:exempt=<cid>:<reason> directly to template files.

ARM Template Example

"metadata": {
  "qiac-skip": ["iac:exempt=<cid>:<reason>"]
}

CloudFormation Example

# iac:exempt=20:Skipping CID 20
Resources:
  Trail:
    Type: AWS::CloudTrail::Trail

Terraform Example

# iac:exempt=294:Skipping CID 294
resource "aws_kms_key" "kms_key" {
  description = "KMS key"
}
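Exemption annotations accumulate silently in template repositories, so a reviewer usually wants an inventory of which CIDs are exempted and whether each carries a real justification. The following added example (not Qualys code) parses the three annotation forms shown above: '#' comment lines in CloudFormation and Terraform, and "qiac-skip" arrays inside ARM metadata. The sample templates, CID 55 and the ticket reference are constructed; treating a reason that merely restates the CID as weak is an assumed review policy, not a product rule.

```python
import json
import re
from typing import List, NamedTuple, Optional

# Token format from the page: iac:exempt=<cid>:<reason>
EXEMPT_RE = re.compile(r"iac:exempt=(?P<cid>\d+):(?P<reason>.*)")


class Exemption(NamedTuple):
    source: str  # "comment" (YAML/HCL) or "arm-metadata" (qiac-skip array)
    cid: int
    reason: str


def _parse_token(token: str, source: str) -> Optional[Exemption]:
    m = EXEMPT_RE.search(token)
    return Exemption(source, int(m.group("cid")), m.group("reason").strip()) if m else None


def find_exemptions(text: str) -> List[Exemption]:
    """Collect iac:exempt annotations from one template body.
    '#' comment lines cover CloudFormation YAML and Terraform HCL; if the text is
    valid JSON, every "qiac-skip" array (ARM metadata) is walked as well.
    """
    found = [e for e in (_parse_token(ln.strip(), "comment") for ln in text.splitlines()
                         if ln.strip().startswith("#")) if e]
    try:
        stack = [json.loads(text)]
    except ValueError:  # not JSON, so no ARM metadata to inspect
        return found
    while stack:  # iterative walk of the JSON tree
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "qiac-skip" and isinstance(value, list):
                    found += [e for e in (_parse_token(str(t), "arm-metadata") for t in value) if e]
                else:
                    stack.append(value)
        elif isinstance(node, list):
            stack.extend(node)
    return found


def weak_exemptions(text: str) -> List[int]:
    """CIDs whose reason is empty or merely restates the CID (assumed review policy)."""
    return [e.cid for e in find_exemptions(text)
            if not e.reason or re.fullmatch(r"skipping cid \d+", e.reason.lower())]


# Constructed samples modelled on the page's three template examples.
CFN = "# iac:exempt=20:Skipping CID 20\nResources:\n  Trail:\n    Type: AWS::CloudTrail::Trail\n"
TF = '# iac:exempt=294:Approved by security review, ticket PLACEHOLDER-123\nresource "aws_kms_key" "k" {}\n'
ARM = '{"resources": [{"metadata": {"qiac-skip": ["iac:exempt=55:"]}}]}'
```

Running find_exemptions over every template in a repository gives the build-time counterpart of the run-time exception list, which can then be compared against approved risk acceptances.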

Run-Time Control Exceptions

Run-time exceptions exempt resources that fail control evaluations during posture assessments.

  1. Navigate to the Posture tab and locate a failed control.
  2. Select the failed resource and choose Create Exception.
  3. Enter basic details, including exception name, provider, explanation, and start/end dates.
  4. Specify the scope of the exception. By default, the Resource option is selected. You can expand the scope of the exception to all resources in a specific account.
    • Resource – Creates the exception at the resource level, so it applies only to the selected resource.
    • Connector – Creates an exception for all resources in the account associated with the connector. By default, the connector associated with the resource is selected. Click Add More Connectors to include additional connectors in the exception.
    • Qualys Tags – Creates an exception for all resources associated with a Qualys tag or a connector tag.
  5. Select controls to exempt. These controls will appear with a Pass with Exception (PassE) status.
  6. Review the details and click Create Exception.

Once active, the resource status changes from Fail to PassE. Connector-level exceptions take effect during the next connector run.
