Configure AWS Connectors for China Region

Configuring an AWS connector for the China region has additional requirements. Qualys generally lets you use either the Qualys account or your own AWS account as the base account for your cloud connectors. A base account exists to associate the connectors that belong to a specific region: all cloud accounts and their related connectors for a given region are associated with the single base account for that region.
Qualys currently does not provide an out-of-the-box China base account for connector configuration, so you must use your own AWS account to create a China base account.

Prerequisites

  • Ensure you have a valid TotalCloud Subscription.
  • To start creating a connector for the China region, your subscription must have the region enabled for it. We suggest contacting your TAM or raising a support ticket to enable the China region.
  • Before configuring the Cloud Connector, you must create a base account and merge it with the TotalCloud application.

Create an IAM User and Associate the Policy in AWS

These steps are performed in your Amazon Web Services account and grant the permissions Qualys needs to create a base account.
In the AWS console, navigate to AWS > Policies and create a policy (for example, AssumeRole) with the following JSON content.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1501205548000",
      "Effect": "Allow",
      "Action": ["sts:AssumeRole"],
      "Resource": ["*"]
    }
  ]
}

Next, let’s create an IAM User. Navigate to Identity and Access Management > Users and then click Add User.

Provide a user name and enable Programmatic access for the user. Click Next: Permissions.

Select Attach existing policies directly and then type the name of the policy you created (AssumeRole) in Filter policies. Select the policy (AssumeRole) you configured and click Next: Tags.

Add tags if needed (as this is optional). Review the user settings you configured and then click Create User.

Create a Base Account for the China Region

To create a base account, simply navigate to the Connectors application and select AWS from the list of cloud providers.

Navigate to the Base Account tab on the Connector listing page.

The base account screen shows the list of available base accounts with their account type. Click Create Base Account to create a new base account of China type.

In the Create Base Account wizard, provide authentication values of your AWS account, such as Account Name, Account ID, Access Key, and Secret Key.

Select the Account Type as China.

You can create only one base account per account type. Ensure that the AWS account whose ID you enter for the base account has the required policy attached in the AWS console.

Merge Base Account with TotalCloud

Once your base account is ready, you must merge it with TotalCloud before you can create connectors that discover resources into the TotalCloud inventory.

Navigate to the TotalCloud Application > Configure tab.

The CSPM Connectors tab shows the list of available connectors associated with TotalCloud. Once your connector is successfully created, you can find it listed here.

Click Configure Base Account. Here, you can see the available base accounts for each account type. You can identify the base accounts yet to be merged with the  icon.

Under AWS Base account configuration, select the base account with China account type. On the Actions dropdown, select Merge.

The Merge Base Account wizard pops up. Here, you choose between AssetView and CSPM.

Select AssetView base account.

The CSPM base account is available for accounts of the Global account type. As we have selected the China account type, you must select the AssetView base account.

Select the acknowledgment checkbox and click Merge Base Account.

Create an AWS Connector

Once your base account setup is complete, we can create the connector.

Navigate back to the AWS Connector page in the Connector app and click Create Connector.

Basic Details

Provide a name and description for the connector. We recommend you provide a unique name for the connector.

Select applications that apply to the connector. The AssetView application discovers the cloud assets in your Asset Inventory (CSAM). The Cloud Security Posture Management application discovers cloud assets in your Cloud Inventory (TotalCloud).

You can select Enable Remediation to enable remediation on the connector. You need to configure additional permissions before you enable remediation for AWS connectors. Refer to Configuring Remediation for AWS.

Authentication Details

Provide the required details to authenticate your AWS account with Qualys.

Account Type

Select the China account type for your connector. You can choose only one account type per connector.

Polling Frequency

Select a frequency at which the connector should poll the cloud provider and fetch data.

By default, the connector polling frequency is configured for every 4 hours. As a result, the connector connects with the cloud provider every 4 hours to fetch the data.

You can configure a frequency from one hour to a maximum of 24 hours. We recommend a frequency of 4 hours or more for optimal use of your connector. Configuring a low polling frequency (less than 4 hours) can affect the connector's performance and may result in AWS API throttling errors.

Cross-account ARN

The cross-account role lets you grant Qualys access to your AWS resources without sharing your AWS security credentials. Qualys accesses your AWS resources by assuming the IAM role you create in your AWS account.

AWS requires that vendors provide an external ID value that is unique amongst all their customers when providing a vendor account for a trust relationship. However, we no longer require customers to adhere to any fixed format for external IDs.

In the Application list, select TotalCloud/AssetView, paste the Role ARN, and click Add.

Test Connection

Click Test Connection to verify if the connector can successfully authenticate using the provided role ARN information. If the test connection is successful, proceed with the connector creation process. If the test connection fails, you may need to check and update the authentication details.
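Before clicking Test Connection, it helps to sanity-check the inputs this page has you prepare (the AssumeRole permission policy, the cross-account role ARN, the external ID and the polling frequency) offline. The following is an added example written for this page, not Qualys or AWS code; it assumes a China-region role ARN uses the aws-cn partition, and the account ID, role name and external ID in it are constructed placeholders.

```python
"""Offline pre-flight checks for a Qualys AWS China-region connector (added example)."""
import json
import re

# IAM role ARNs in the AWS China regions live in the "aws-cn" partition,
# not "aws"; a global-partition ARN will never authenticate for a China connector.
CN_ROLE_ARN = re.compile(r"^arn:aws-cn:iam::(\d{12}):role/[\w+=,.@/-]+$")


def policy_allows_assume_role(policy_json: str) -> bool:
    """True if the IAM policy contains an Allow statement covering sts:AssumeRole."""
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions  # IAM allows a bare string
        if stmt.get("Effect") == "Allow" and any(
            a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions
        ):
            return True
    return False


def check_connector(role_arn: str, external_id: str, polling_hours: int):
    """Return (errors, warnings) for the Cross-account ARN and Polling Frequency inputs."""
    errors, warnings = [], []
    if not CN_ROLE_ARN.match(role_arn):
        errors.append("role ARN must be an IAM role in the aws-cn partition")
    if not external_id.strip():
        errors.append("external ID is required for the trust relationship")
    if not 1 <= polling_hours <= 24:
        errors.append("polling frequency must be between 1 and 24 hours")
    elif polling_hours < 4:
        warnings.append("polling below 4 hours risks AWS API throttling")
    return errors, warnings


# Constructed sample input: the permission policy from this page (Sid kept verbatim).
BASE_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Stmt1501205548000", "Effect": "Allow",
                   "Action": ["sts:AssumeRole"], "Resource": ["*"]}],
})

if __name__ == "__main__":
    # Placeholder account ID, role name and external ID; substitute your own values.
    print("policy ok:", policy_allows_assume_role(BASE_ACCOUNT_POLICY))
    print(check_connector("arn:aws-cn:iam::123456789012:role/QualysCrossAccountRole",
                          "placeholder-external-id", 4))
```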

Select Regions

Select the regions from which the connector discovers assets and resources and fetches data.

Region selection applies only to AssetView (AV) connectors. CSPM connectors continue to show resources for all regions, even if only some regions are selected when creating the connector.

Tags and Activation

We can activate AWS assets for scanning automatically, so you do not have to take this extra step. Select the required check box to enable activation for the required app. We automatically activate the assets as they are discovered and even assign them tags if you want.

Assign Tags

Assign tags to the connector that you are creating by clicking Add Tags. Tags help you organize your assets and manage user access to them.

You can also create a new tag. For details on creating new tags, see Configure Tags in Qualys CyberSecurity Asset Management documentation.

Review and Confirm

Review your configurations and submit your changes to create a connector.

That’s it! The connector connects with Amazon Web Services to discover resources from the configured region.

Once the connector is created, you can run the connector, disable or delete the connector, and view assets and resources information.

The Amazon Web Services page displays the list of AWS connectors. The Status column indicates the status of the connector created: Completed successfully, Completed with errors, Queued, Synchronizing, and Disabled.