Configure Zero-touch API Based Scan

The below AWS configurations are required from the customer to enable API Based assessment on the Connector app. You can enable zero-touch API Based scan to perform vulnerability assessments on your new assets with cloud native APIs. The below configurations allow Qualys to listen to changes in the instance states and pass the running instance data to run scans.

Pre-requisites for API Based Scan

•   Qualys Cloud Platform subscription with active VMDR.
•   Enable Zero-touch API Based Scan to your subscription from Qualys Backoffice. Contact your Qualys technical account manager (TAM) for enabling it.
•   AWS EC2 instances that report the inventory to AWS SSM.
•   AWS EventBridge configurations.

OS Compatibility

The following section lists the OS versions and supported platforms for Qualys Zero Touch API Based Assessment. Refer to API-based Scan OS Compatibility.

Configure AWS SSM Inventory

The SSM inventory must be configured to capture the instance data to perform scans. The SSM agent can be configured in selected regions or all regions. Follow the below steps to configure for either setting.

For Selected RegionsFor Selected Regions

1. Login to AWS Console and navigate to AWS Systems Manager.

2. Click Inventory > Setup Inventory.

3. Keep the default settings and click Setup Inventory.

The region presently active in the AWS account will be selected as the region where all managed instances are fetched.

For All RegionsFor All Regions

1. Login to AWS console and navigate to AWS Systems Manager.

2. Click Quick Setup > Create.

3. In Host management > Click Create.

4. Go to 'Configuration options'.

5. Under Systems manager, select 'Collect inventory from your instances every 30 minutes'.

6. Under Targets, you can either choose between deploying to the current Region or a custom set of regions.

7. Choose regions.

8. Choose how you want to target instances. Let's select 'All instances'.

9. Next, under Target Regions.

10. Select 'All Regions'.

11. Click Create.

Configure EventBridge

Once the SSM agent is installed to collect instance data, we configure the EventBridge to listen to changes in instance state.

There are two ways of configuring EventBridge. Either manually from the AWS console or by uploading a CloudFormation template. Let us go through both methods below.

Manually via AWS ConsoleManually via AWS Console

Follow the below steps to enable your cloud events to reach the Qualys platform.

API Destination Connection

curl --location --request POST 'https://< API Gateway URL >/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername> --data-urlencode 'password=<QualysPassword>'--data-urlencode 'token=true'

Login to AWS Console and navigate to Amazon EventBridge.
Click Integrations > API destinations > Connections tabs > Create Connection.
Next, enter the connection name and Description.
Under 'Authorization', select Destination type as 'Others'.
Selection Authorization type as 'API Key'.
Enter API Key name and Value.
Under 'Invocation Http Parameters', provide the parameter, key and value.
Steps to generate a Subscription Token.
Generate Auth token.

10. Generate Subscription Token.

curl --location --request POST 'https://< API Gateway URL >/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token> --data-raw '{ "expiry": 500000}'

11. Click Create.

Now that the connection to the destination has been authorized, we must provide the Qualys API endpoint as the destination to establish the EventBridge connection.

API Destination

Click Integrations -> API destinations -> API destinations tabs -> Create API Destination
API Destination details.
Enter Name and Description.
Enter the API destination URL: <qualys_platform_url>/qflow/aws-eb,
Select HTTP Method as POST.
Select Connection as 'Use an existing connection'.
Select the API Destination Connection created above.

Now, we configure the Rules so that EventBridge knows what to listen to before passing the information to Qualys. In this case, we set the Rule to listen to changes in Instance states. Specifically, the event is alerted when instances are switched to running states.

Rules

Click Events -> Rules -> Create Rule
Rule details.
Enter Name and Description.
Select Event bus as 'Default'.
Select Rule Type as 'Rule with an event pattern'.
Click Next.
Event pattern.
Select Event Source as AWS Services.
Select AWS service as EC2.
Select Event type as 'EC2 Instance State-change Notification'.
Select Specific state(s) as running.
Click Next.
Select targets
Select Target types as 'EventBridge API destination'.
Select API destination as 'Use an existing API destination' (Select the API destination which was created as part of the API Destination).
Select Execution role as 'Create a new role for this specific resource'.
Click Next.
Under Tags, configure tags if required.
Click Next.
Click Review and create.
Click Create Rule.

Using AWS CloudFormation TemplateUsing AWS CloudFormation Template

Login to AWS Console and navigate to CloudFormation.
Stack > Create Stack > With new resources (standard).
In 'Specify template', upload the template file.
Click Next.
Under Specify stack details, provide Stack name.
In APIGatewayURL parameter, provide the Qualys API Gateway URL. Find the Gateway URL at https://www.qualys.com/platform-identification/
Provide the SubscriptionToken and click next.
Keep the default settings step 3 and step 4.
Click Next > Submit.

Additional Information

Connector permissions to be added for API-based Assessment. Provide these permissions in your AWS console.

Create a policy that includes the permissions:

"ssm:ListInventoryEntries"
"ssm:DescribeInstanceInformation"
"ec2:DescribeInstances"
"ec2:DescribeAddresses"
"ec2:DescribeImages"
"ec2:DescribeRegions"

Refer to the following link to learn how to provide cross-account role access by creating an IAM role. Learn more.