Configure Zero-touch Snapshot-based Assessment
Click to view navigation pane

Configure Zero-Touch Snapshot-based Scan

Qualys Zero-touch Snapshot-based scanning is an agentless scanning technique that helps customers detect risk, vulnerabilities, and compliance posture for virtual machine/compute instances without affecting their current workload. 

Snapshot-based assessment offers greater security by using a service account for running scans. The service account will be independent of the target AWS/Azure account, where most of your workload operates. The service account can perform scans on multiple target accounts, allowing for bulk scans. This ensures no disruptions and more cost-effective, faster, and reliable scans. 

The below Qualys and AWS/Azure console configurations are required from the customer to enable Snapshot-based assessment on TotalCloud. With agentless scans, you can enable zero-touch Snapshot-based scan to perform vulnerability assessments on your new assets. 

Prerequisites for Snapshot-based Scan

OS Compatibility

The following section lists the OS versions and supported platforms for Qualys Zero Touch Snapshot-based scan.  Refer to Snapshot-based Scan OS Compatibility.

Configuration at Qualys Console

New ConnectorNew Connector

1. Login to Qualys Console > Navigate to Connectors Application.

2. Click Amazon Web Service > Create Connector > Select the Cloud Security Posture Management checkbox.

3. Configure Basic Details: Name, Description, Application > Next.

4. Configure Authentication Details: Account Type, Polling Frequency, Role ARN > Next.

5. Configure Region Selection: Select regions for the AV inventory.

6. Configure Tags and Activation: - Select “Enable Zero-Touch API Snapshot Based Scan” and tags for the discovered assets as per requirement.

7. Follow the steps on the 'Snapshot-based vulnerability assessment' text box to download the required CloudFormation templates. These templates are required to register your service and target account.

7. Review and Confirm.

Existing ConnectorExisting Connector

1. Login to Qualys Console > Navigate to Connectors Application.

2. Click Amazon Web Services > Select a Connector> Click Edit > Navigate to Tags and Activation.

3. Select Automatically activate all assets for the VM Scanning application > Check the Enable Zero- touch Snapshot Based Scan box.

4. Follow the steps on the 'Snapshot-based vulnerability assessment' text box to download the required CloudFormation templates. These templates are required to register your service and target account.

4. Click Save.

The Zero-touch Snapshot-based Scan checkbox remains greyed until a CSPM Connector is registered as a Service Account. Deploy the CFTs to register the service account.

Configuration at AWS Cloud 

You will need one CSPM connector registered as a service account to activate the Snapshot scan functionality. 

Generate a Subscription TokenGenerate a Subscription Token

Follow the steps below to generate Subscription Token

  1. Generate AuthToken by running the below command

    curl --location --request POST 'https://< API Gateway URL >/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'

  2. Generate SubscriptionToken by running the below command

    curl --location --request POST 'https://< API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000}' 

  3. Store the generated SubscriptionToken for later.

 

 The 'Enable Snapshot Based Scan' option is not visible to you yet. This is because the AWS account is yet to be registered as a service account.

Configure a Service AccountConfigure a Service Account

Register your AWS account as a service account to scan the assets of your target accounts. A service account is necessary to run snapshot scans.

  1. Login to AWSCloudFormation
  2. Stacks > Create Stack >With new resources (standard).
  3. Under Prerequisite - Select Template is ready.
  4. Upload the CloudFormation Template under 'Specify Template' and click Next.
  5. Next, provide the stack parameters. The stack parameters are as follows:
    • QToken: Provide the Qualys Subscription token as mentioned above in 'Generate a Subscription Token'.
    • QEndPoint: Provide the gateway URL of your QualysGuard account. Find the Gateway URL at https://www.qualys.com/platform-identification/
    • Scanner Instances Per Region: Provide the number of scanner instances to execute scans on a single region. The value must be between 1 and 25. Eg: If the value provided is 2 for 10 instances in a region, the scanner performs 2 scans of 5 instances.
    • Region Scan Concurrency:  Provide the number of regions to be concurrently scanned. The value must be between 1 and 25. Eg: If the value provided is 2 for an account with 10 regions, the scanner scans instances of 2 regions 5 times.
    • Scan Target Regions: Specify the AWS regions that should come under snapshot scan. Eg, ap-south-1, us-east-1.
    • Scan Frequency: Set the interval to launch then next scan. Provide the value in hours. The minimum value is 24 hours, and the maximum is 168 hours (7 days).
    • Batch Trigger Scan Duration: Set the interval to launch the batch scan of instances discovered via events. Provide the value in minutes. The minimum is 5m, and the maximum is 12h.
    • Retry Discovery Interval: Set the interval to launch a reattempt at discovering instances that may be missed during event-based discovery. Provide the value in minutes. The minimum is 5m, and the maximum is 12h.
    • Tag Filter - Include Instances (All Tags Required): Provide a list of tagKey=tagValue pairs separated by commas to find instances for Snapshot scan. All of the provided tags must be in the instance.
    • Tag Filter - Include Instances (Any Tag Sufficient): Provide a list of tagKey=tagValue pairs separated by commas to find instances for Snapshot scan. Any one of the provided tags must be in the instance.
    • Tag Filter - Exclude Instances (If Any Tag Matches): Provide a list of tagKey=tagValue pairs separated by commas to exclude instances for Snapshot scan. Any one of the provided tags must be in the instance.
    • Tag Filter - Exclude Volumes (If Any Tag Matches), Skips Instances If All Volumes Excluded: Provide a list of tagKey=tagValue pairs separated by commas to exclude volumes for Snapshot scan. Any one of the provided tags must be in the volume. If all the volumes are excluded, the instance is skipped during scan.
    • PublicSubnetCIDR: Provide the Subnet Cidr. Eg, 10.82.64.0/22.
    • PublicVpcCidr: Provide the Vpc Cidr. Eg, 10.82.64.0/22.
    • PrivateSubnetCIDR: Provide the private Subnet Cidr. Eg, 10.82.64.0/22.
    • PrivateVpcCidr: Provide the private Vpc Cidr. Eg, 10.82.64.0/22.
    • DeployPrivateVpc: Select yes to run scanners inside a private subnet with nat gateway.

6. Click Next.

7. Keep the default setting > Next.

8. Review your configurations.

9. Check the acknowledgments 

  1. I acknowledge that AWS CloudFormation might create IAM resources. 
  2. I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  3. I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

10. Click Submit.

The Service Account Template configuration is completed.

 Only a single AWS Account connector with CSPM capability can be registered as a service account.

You will need the Service Account API Endpoint to proceed with the following steps.

Obtain the Service Account API Endpoint

1. Navigate to Stacks from your AWS console.

2. Click the newly deployed service account stack and navigate to Outputs.

3. Copy and store the 'ServiceAccountApiEndpoint' value. You will need this later.

Next, configure a target account as specified below.

Configure a Target Account Configure a Target Account

A target account is where the snapshot scans run. You can configure multiple target accounts to run scans on different accounts.

  1. Login to AWSCloudFormation.
  2. Stacks > Create Stack >With new resources (standard).
  3. Under Prerequisite - Select Template is ready.
  4. Upload the CloudFormation Template under 'Specify Template' and click Next.
  5. Next, give a name for the stack and provide the required parameters.
    1. Scan configuration
      • SourceAccount: Enter the AWS account number of the service account.
      • TargetRegions: Provide the regions where the snapshot scan runs.
    2. API Destination configuration
      • QToken: Provide the Qualys Subscription token as mentioned in 'Generate a Subscription Token'.
      • APIDestinationEndpoint: Provide the AWS Service Account API Gateway Endpoint as mentioned in 'Obtain the Service Account API Endpoint' under 'Configure a Service Account'.

  6. Click Next.

  7. Keep the default setting > Next.

  8. Review your configurations.

    1. I acknowledge that AWS CloudFormation might create IAM resources. 

    2. I acknowledge that AWS CloudFormation might create IAM resources with a custom name.
    3. I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND.

A QualysTargetAccount CF template must be deployed for every account on which Snapshot-based Assessment needs to be carried out.

Frequently Asked QuestionsFrequently Asked Questions

1. How to register a service account?

A: Deploy the CFT-S on an AWS account the customer wishes to register as a service account.

Or, customers can also use the newly introduced API to register a service account. Learn more.

2. How to deregister a service account

A: We have introduced a new API to deregister service accounts. Learn more.

Or, the customer can delete the connector registered as a service account.

3. Why is the 'Enable Snapshot-based Assessment' checkbox greyed out when creating a connector?

A: The checkbox remains greyed out when your snapshot scan is enabled from the portal back office, but you have not registered a service account. 

4. Why does the 'register service account' step function fail after running CFT-S?

A: The 'register-service-account' step function fails in the below scenarios:

5. Why does Asset activation fail to show 'ip-limit-exceeded'?

A: The error shows up when you have exhausted your IP limit. Contact support to get your license extended.

6. How to delete a CFT-S?

A: Follow the steps below to delete a service account CloudFormation Template.

  1. Delete the cross-region-stack - select the checkbox to retain the resources
  2. Go to StackSets > StackInstances > check if there are any running stack sets on other regions and delete them, if present
  3. Navigate back to the service account and try deleting the CFT-S again - do not check the checkbox for retaining the resources
  4. At this stage, cross-region-vpc stack is deleted from your service account
  5. Run this command on CLI - aws cloudformation delete-stack-instances --stack-set-name snapshot-scanner-2-cross-region-vpc --accounts 99*******98 --regions us-east-1 us-west-2 --retain-stacks
  6. At this stage, StackInstances on the StackSet are deleted
  7. Now, Delete the StackSet as it is empty (does not contain any StackInstances

7. How to update Region/Tags/QToken?

    1. Replace the current template.

    2. Upload the CFT-S that you used before.

    3. Edit Region/Tags/QToken.

8. Can a customer subscribe to have API Based Assessment and Snapshot Based Assessment at once?

A: Yes, a customer can subscribe to both scans at once.

9. Can there be spaces or tabs in the tags given in CFT-S?

A: No, tags do not support prefixes, suffixes, spaces, or tabs in the CFT-S.

10. Can there be multiple service accounts?

A: No, there can only be one service account for a subscription.

Customer can configure multiple target accounts.

11. Can the service account also be the target account?

A: Yes, the service account can be a target account as well.

12. Can the scan interval be set to 1 hour?

A: No. The minimum scan interval is 24 hours.

13. Can the customer run an on-demand scan?

A: Yes, contact support for more information on running on-demand scans.

Related Topics

Configure Zero-touch API-based Assessment