AWS connectors with a cross-account role use a Qualys account. If you do not wish to use the Qualys account, you can use the base account feature to set up the AWS connectors: configure your own AWS account as a base account while setting up the AWS connectors instead of using the Qualys account. You need to configure your AWS account ID in the base account you create.
For example, you have three AWS accounts: A1, A2, and A3, all belonging to the Global region. If you create a base account for the Global region, all the connectors associated with A1, A2, and A3 will use that base account.
Before you create a new connector, create a base account for the same account type (region). If you do not create a base account, you can still create a connector.
Quick Steps
Go to Connectors, click Amazon Web Services Connectors, and then click the Base Account tab.
Click the Create Base Account button. Provide a name, the AWS account ID, the access key and secret key, and then select the account type.
You can create only one base account per account type. Ensure that the AWS account ID for which you configure the base account has policies associated with it in the AWS console.
Go to Amazon Web Services Connectors > Base Account tab, select the base account you want to edit, click the quick action menu, and then select Edit. You can edit the name, AWS account ID, access key, and secret key. You cannot edit the account type.
To update existing AWS connectors with a cross-account role so that they use the base account, you need to:
- create a base account using your AWS account ID
- update the trusted entities for your IAM roles
In the AWS console, go to the IAM role > Trust relationships and then click Edit trust relationship. Ensure that the AWS account ID for which you configured the base account matches the account number in the trusted relationships in the AWS console. Click Update Trust Policy.
If you delete a base account, all the connectors associated with the base account are automatically updated to the Qualys account in the Qualys Cloud Platform. However, you need to go to your AWS account and update the trusted entities of the role ARNs from the base account ID to the Qualys account ID.
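As an added example that is not part of this Qualys document or the Qualys product: a small Python check for the trust-relationship steps above (the account number in the role's trusted entities must match the base account ID) and for the reverse update after a base account is deleted. The account IDs, the trust policy and its ExternalId condition are constructed placeholders, and the helper names are this example's own.

```python
import json
import re

# Constructed placeholders: your base account and a stand-in for the Qualys account ID (not on this page).
BASE_ACCOUNT_ID = "111111111111"
QUALYS_ACCOUNT_ID_PLACEHOLDER = "222222222222"

# Constructed trust policy of the kind attached to a connector's IAM role; the
# Condition is constructed too and must survive the principal swap unchanged.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-ID"}},
    }],
}

# A bare 12-digit account ID or an arn:aws:iam::<id>:root principal.
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root)?$")

def _as_list(x):
    return [x] if isinstance(x, str) else list(x or [])

def _aws_principals(stmt):
    prin = stmt.get("Principal")
    return _as_list(prin.get("AWS")) if isinstance(prin, dict) else []

def trusted_account_ids(policy):
    """Account IDs that an Allow statement lets call sts:AssumeRole on the role."""
    ids = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for p in _aws_principals(stmt):
            if m := _ACCOUNT_RE.match(p):
                ids.add(m.group(1))
    return ids

def retarget_trust(policy, old_id, new_id):
    """Deep copy of policy with trusted principal old_id replaced by new_id; nothing else changes."""
    updated = json.loads(json.dumps(policy))
    for stmt in updated.get("Statement", []):
        aws = stmt["Principal"].get("AWS") if isinstance(stmt.get("Principal"), dict) else None
        swapped = [p.replace(old_id, new_id) if (m := _ACCOUNT_RE.match(p)) and m.group(1) == old_id
                   else p for p in _as_list(aws)]
        if swapped:
            stmt["Principal"]["AWS"] = swapped[0] if isinstance(aws, str) else swapped
    return updated
```

Compare `trusted_account_ids(policy)` against the base account ID you entered in the Qualys console before saving the role, and run `retarget_trust` in the opposite direction when you delete the base account.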