Configure Zero-Touch Snapshot-based Scan
Qualys Zero-touch Snapshot-based scanning is an agentless scanning technique that helps customers detect risk, vulnerabilities, and compliance posture for virtual machine/compute instances without affecting their current workload.
Snapshot-based assessment offers greater security by using a service account for running scans. The service account will be independent of the target AWS account, where most of your workload operates. The service account can perform scans on multiple target accounts, allowing for bulk scans. This ensures no disruptions and more cost-effective, faster, and reliable scans.
The below Qualys and AWS console configurations are required from the customer to enable Snapshot-based assessment on TotalCloud. With agentless scans, you can enable zero-touch Snapshot-based scan to perform vulnerability assessments on your new assets.
Prerequisites for Snapshot-based Scan
- Qualys Cloud Platform subscription with full TotalCloud Subscription.
- Enable Zero-touch Snapshot-Based Scan to your subscription from Qualys Backoffice. Contact your Qualys technical account manager (TAM) to enable it.
OS Compatibility
The following section lists the OS versions and supported platforms for Qualys Zero Touch Snapshot-based scan. Refer to Snapshot-based Scan OS Compatibility.
Configuration at AWS Cloud
You will need one CSPM connector registered as a service account to activate the Snapshot scan functionality.
Generate a Subscription TokenGenerate a Subscription Token
Follow the steps below to generate Subscription Token
- Generate AuthToken by running the below command
curl --location --request POST 'https://< API Gateway URL >/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'
- Generate SubscriptionToken by running the below command
curl --location --request POST 'https://< API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000}'
- Store the generated SubscriptionToken for later.
The 'Enable Snapshot Based Scan' option is not visible to you yet. This is because the AWS account is yet to be registered as a service account.
Configure a Service AccountConfigure a Service Account
Register your AWS account as a service account to scan the assets of your target accounts. A service account is necessary to run snapshot scans.
- Login to AWS > CloudFormation
- Stacks > Create Stack > With new resources (standard)
- Under Prerequisite - Select Template is ready.
- Upload the CloudFormation Template under 'Specify Template' and click Next.
- Next, provide the stack parameters.
- AdditionalTagKey: Optional field to add another tag key besides the mandatory key field listed below.
- AdditionalTagValue: Optional field to add another tag value besides the mandatory field listed below.
- Concurrency: Provide the number of regions to be concurrently scanned. The value must be between 1 and 4 (where 1 is 10 and 4 is 40). Eg: If the value provided is 2 for an account with 20 regions, the scanner scans instances of 10 regions 2 times.
- IntervalHours: Set the interval to launch then next scan. Provide the value in hours. The minimum value is 24 hours.
- QEndPoint: Provide the gateway url of your QualysGuard account. Find the Gateway URL at https://www.qualys.com/platform-identification/
- QToken: Provide the Qualys Subscription token as mentioned in Generate a Subscription Token
- Regions: Specify the AWS regions that should come under snapshot scan. Eg, ap-south-1, us-east-1.
- Single Region Concurrency: Provide the number of scanner instances to execute scans on a single region. The value must be between 1 and 7 (where 1 is 10 and 7 is 70).
- TagKey and TagValue: Filter instances to scan by the key-value pair for a tag. This is a mandatory field.
- SubnetCIDR: Provide the Subnet Cidr. Eg, 10.82.64.0/22.
- VpcCidr: Provide the Vpc Cidr. Eg, 10.82.64.0/22.
- Click Next.
- Keep the default setting > Next.
- Review your configurations.
- Check the acknowledgments.
- I acknowledge that AWS CloudFormation might create IAM resources.
- I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
10. Click Submit.
Once the Service Account Template configuration is completed, proceed to the next step.
Only a single AWS Account connector with CSPM capability can be registered as a service account.
Configure a Target AccountConfigure a Target Account
A target account is where the snapshot scans run on. You can configure multiple target accounts to run scans on different accounts.
- Login to AWS > CloudFormation.
- Stacks > Create Stack >With new resources (standard).
- Under Prerequisite - Select Template is ready.
- Upload the CloudFormation Template under 'Specify Template' and click Next.
- Next, give a name for the stack and provide the parameter.
- AWSSourceAccount: Enter the AWS Service account number
The remaining configurations are the same as Generate a Subscription Token .
Check the acknowledgments before submitting.
- I acknowledge that AWS CloudFormation might create IAM resources.
- I acknowledge that AWS CloudFormation might create IAM resources with custom name.
- I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
Note: A QualysTargetAccount CF template must be deployed for every account on which Snapshot-Based Assessment needs to be carried out.
Configuration at Qualys Console
New ConnectorNew Connector
- Login to Qualys Console > Navigate to TotalCloud.
- Click Configure Connector.
- Click Manage Connector.
- Select the Connector type.
- Enter the Connector name.
- Add Role ARN.
- Under FlexScan, select Snapshot-based Scan.
5. Enable Cloud Security Posture Management, if necessary.
6. Add tags, if necessary.
7. Validate and Save.
1. Login to Qualys Console > Navigate to Connectors Application.
2. Click Amazon Web Service > Create Connector.
3. Configure Basic Details: Name, Description, Application > Next
4. Configure Authentication Details: Account Type, Polling Frequency, Role ARN > Next.
5. Configure Region Selection: Select regions for the AV inventory.
6. Configure Tags and Activation: - Select “Enable Zero-Touch API Snapshot Based Scan” and tags for the discovered assets as per requirement. Download the CFT templates as specified on the right.
7. Review and Confirm.
Existing ConnectorExisting Connector
1. Login to Qualys Console > Navigate to Connectors Application.
2. Click Amazon Web Services > Select the Connector where the Service account CFT was deployed > Click Edit > Navigate to Tags and Activation.
3. Select Automatically activate all assets for the VM Scanning application > Check the Enable Zero- touch Snapshot Based Scan box.
4. Click Save.
Note: The Zero-touch Snapshot-based Scan checkbox remains greyed until a CSPM Connector is registered as a Service Account.
Frequently Asked QuestionsFrequently Asked Questions
1. How to register a service account?
A: Deploy the CFT-S on an AWS account which customer wishes to register as a service account.
Or, customer can also use the newly introduced API to register a service account. Learn more.
2. How to deregister a service account
A: We have introduced new API to deregister service account. Learn more.
Or, the customer can delete the connector which was registered as a service account.
3. Why is the 'Enable Snapshot Based Assessment' checkbox greyed-out when creating a connector?
A: The checkbox remains greyed-out when your snapshot scan is enabled from the portal back office but you have not registered a service account.
4. Why does the 'register service account' step function fail a fter running CFT-S?
A: The 'register-service-account' step function fails in below scenarios:
- If the connector which is registered as the service account is deleted/disabled.
- If the CloudView subscription is expired.
5. Why does Asset activation fail showing 'ip-limit-exceeded'?
A: The error shows up when you have exhuasted your IP limit. Contact support to get your licence extended.
6. How to delete a CFT-S?
A: Follow the steps below to delete a service account CloudFormation Template.
- Delete the cross-region-stack - select the checkbox to retain the resources
- Go to StackSets > StackInstances > check if there are any running stack sets on other regions and delete them, if present
- Navigate back to the service account and try deleting the CFT-S again - do not check the checkbox for retaining the resources
- At this stage, cross-region-vpc stack is deleted from your service account
- Run this command on CLI - aws cloudformation delete-stack-instances --stack-set-name snapshot-scanner-2-cross-region-vpc --accounts 99*******98 --regions us-east-1 us-west-2 --retain-stacks
- At this stage, StackInstances on the StackSet are deleted
- Now, Delete the StackSet as it is empty (does not contain any StackInstances)
-
How to update Region/Tags/QToken
-
Replace the current template
-
Upload the cft-s that you used before
-
Edit Region/Tags/QToken
-
7. Can a customer subscribe to have API Based Assessment and Snapshot Based Assessment at once?
A: Yes, a customer can subscribe to both scans at once.
8. Can there be spaces or tabs in the tags given in CFT-S?
A: No, tags do not suppot prefixes, suffixes, spaces or tabs in the CFT-S.
9. Can there be multiple service accounts?
A: No, there can only be one service account for a subscription.
Note: Customer can configure multiple target accounts
10. Can the service account also be the target account?
A: Yes, the service account can be a target account as well.
11. Can the scan interval be set to 1 hour?
A: No. The minimum scan interval is 24 hours.
Related Topics
Configure Zero-touch API-based Assessment
