The following AWS configurations are required on the customer side to enable API-based assessment in the Connector app. With zero-touch API-based scanning enabled, vulnerability assessments run on your new assets through cloud-native APIs. The configurations below allow Qualys to listen for changes in instance state and pass the running-instance data on so scans can be run.
• Qualys Cloud Platform subscription with active VMDR.
• Enable Zero-touch API Based Scan for your subscription from the Qualys Backoffice. Contact your Qualys technical account manager (TAM) to enable it.
• Connector with CV capability and required IAM Role permission (SecurityAudit).
• AWS EC2 instances that report the inventory to AWS SSM.
• AWS EventBridge configurations.
The SSM inventory must be configured to capture the instance data needed to perform scans. The SSM agent can be configured in selected regions or in all regions. Follow the steps below for the setting you want.
For Selected Regions
1. Login to AWS Console and navigate to AWS Systems Manager.
2. Click Inventory > Setup Inventory.
3. Keep the default settings and click Setup Inventory.
The region currently active in the AWS account is selected as the region from which all managed instances are fetched.
For All Regions
1. Login to AWS console and navigate to AWS Systems Manager.
2. Click Quick Setup > Create.
3. Under Host management, click Create.
4. Go to 'Configuration options'.
5. Under Systems manager, select 'Collect inventory from your instances every 30 minutes'.
6. Under Targets, choose between deploying to the current Region and deploying to a custom set of Regions.
7. Choose the Regions.
8. Choose how you want to target instances. Here we select 'All instances'.
9. Next, go to Target Regions.
10. Select 'All Regions'.
11. Click Create.
Once the SSM agent is installed and collecting instance data, configure EventBridge to listen for changes in instance state.
There are two ways of configuring EventBridge: manually in the AWS console, or by uploading a CloudFormation template. Both methods are covered below.
Manually via AWS Console
Follow the below steps to enable your cloud events to reach the Qualys platform.
API Destination Connection
curl --location --request POST 'https://< API Gateway URL >/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'
Next, enter the connection name and Description.
10. Generate Subscription Token.
curl --location --request POST 'https://< API Gateway URL >/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000 }'
11. Click Create.
Now that the connection to the destination has been authorized, we must provide the Qualys API endpoint as the destination to establish the EventBridge connection.
API Destination
Now we configure the Rule so that EventBridge knows which events to listen for before passing them to Qualys. In this case, the Rule listens for changes in instance state; specifically, it fires when an instance transitions to the running state.
Rules
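As an added example (not Qualys's own template), the following CloudFormation snippet wires together the three pieces described above: a Connection that carries the subscription token, an API Destination pointing at the Qualys endpoint, and a Rule that matches only EC2 instances entering the running state, invoked through a role limited to that one destination. The endpoint path, the header name and the "Bearer" prefix are assumptions; substitute the values your Qualys TAM provides.

```yaml
Parameters:
  QualysApiGatewayUrl:
    Type: String   # placeholder: the https://<API Gateway URL> used in the curl steps
  QualysSubscriptionToken:
    Type: String
    NoEcho: true   # token returned by /qas/subscription-token; never hard-code it
Resources:
  QualysConnection:
    Type: AWS::Events::Connection
    Properties:
      AuthorizationType: API_KEY
      AuthParameters:
        ApiKeyAuthParameters:
          ApiKeyName: Authorization   # header name and "Bearer" prefix are assumptions
          ApiKeyValue: !Sub "Bearer ${QualysSubscriptionToken}"
  QualysApiDestination:
    Type: AWS::Events::ApiDestination
    Properties:
      ConnectionArn: !GetAtt QualysConnection.Arn
      HttpMethod: POST
      InvocationEndpoint: !Sub "${QualysApiGatewayUrl}/<event-path>"   # path is a placeholder
  InvokeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: InvokeQualysApiDestination
          PolicyDocument:
            Version: "2012-10-17"
            Statement:   # least privilege: only this one destination may be invoked
              - Effect: Allow
                Action: events:InvokeApiDestination
                Resource: !GetAtt QualysApiDestination.Arn
  RunningInstanceRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:   # fires only when an instance transitions to "running"
        source: ["aws.ec2"]
        detail-type: ["EC2 Instance State-change Notification"]
        detail:
          state: ["running"]
      Targets:
        - Id: QualysApiDestination
          Arn: !GetAtt QualysApiDestination.Arn
          RoleArn: !GetAtt InvokeRole.Arn
```

The same event pattern can be pasted into the console's Rule editor if you prefer the manual path; the role is what lets EventBridge call the destination, so keep its policy scoped to that single ARN.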
Using AWS CloudFormation Template