Configure Zero-Touch Snapshot Based Scan

Qualys Zero-Touch Snapshot-Based Scanning is an agentless scanning technique that detects risk, vulnerabilities and compliance posture for virtual machines and compute instances without affecting the running workload.

Snapshot-Based Assessment improves security by running the scans from a dedicated service account. The service account is independent of the target AWS accounts where the bulk of your workload runs, and one service account can scan multiple target accounts, so scans can be run in bulk. The result is scans that do not disrupt the workload and are more cost-effective, faster and more reliable.

The Qualys and AWS console configurations below are required to enable Snapshot-Based Assessment on TotalCloud. Once enabled, zero-touch Snapshot-Based Assessment performs agentless vulnerability assessments on your new assets.

Prerequisites for Snapshot-based Scan

OS Compatibility

The following section lists the OS versions and supported platforms for Qualys Zero Touch Snapshot Based Assessment. Refer to Snapshot-based Scan OS Compatibility.

Configuration at AWS Cloud 

To use the snapshot scan functionality, you need one CSPM connector registered as a service account.

Generate a Subscription Token

Follow the steps below to generate a Subscription Token.

  1. Generate an auth token by running the command below (replace <API Gateway URL>, <QualysUsername> and <QualysPassword>):

    curl --location --request POST 'https://<API Gateway URL>/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'

  2. Generate the subscription token by running the command below, passing the auth token from step 1 as the bearer token:

    curl --location --request POST 'https://<API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000 }'

  3. Store the generated subscription token for later; it is entered as the QToken parameter of the service account template. Treat it as a secret.

 

Note: At this point the 'Enable Snapshot Based Scan' option is not yet visible, because the AWS account has not yet been registered as a service account.

Configure a Service Account

Register your AWS account as a service account to scan the assets of your target accounts. A service account is required to run snapshot scans.

1. Log in to the AWS CloudFormation console.

2. Go to Stacks > Create stack > With new resources (standard).

3. Under Prerequisite, select 'Template is ready'.

4. Under 'Specify template', upload the service account CloudFormation template and click Next.

5. Give the stack a name and provide the parameters:

  1. intervalHours: the interval, in hours, at which the snapshot scan runs. The default is 24 hours.
  2. QEndPoint: the API gateway URL of your Qualys account. Find it at https://www.qualys.com/platform-identification/
  3. QToken: the Qualys Subscription Token generated earlier.
  4. Regions: the AWS regions to include in the snapshot scan, e.g. ap-south-1, us-east-1.
  5. SubnetCIDR: the subnet CIDR (optional), e.g. 10.82.64.0/22.
  6. VPC CIDR: the VPC CIDR (optional).
  7. TagKey and TagValue: scan only the instances that carry this tag.
  8. TagKey1 and TagValue1: an additional tag pair to include more instances.

6. Click Next.

7. Keep the default settings and click Next.

8. Review your configuration.

9. Check the acknowledgements:

  1. I acknowledge that AWS CloudFormation might create IAM resources.
  2. I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  3. I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

10. Click Submit.

Once the service account template has been deployed, proceed to the next step.

Note: Only one AWS account connector can be registered as a service account, and it must have the CV capability.

Configure a Target Account

A target account is an account whose instances the snapshot scans assess. You can configure multiple target accounts to scan different accounts.

1. Log in to the AWS CloudFormation console.

2. Go to Stacks > Create stack > With new resources (standard).

3. Under Prerequisite, select 'Template is ready'.

4. Under 'Specify template', upload the target account CloudFormation template and click Next.

5. Give the stack a name and provide the parameter:

  1. AWSSourceAccount: the AWS account number of the service account.

The remaining steps are the same as for the service account.

Check the acknowledgements before submitting:

  1. I acknowledge that AWS CloudFormation might create IAM resources.
  2. I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  3. I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

Note: The QualysTargetAccount CloudFormation template must be deployed on every account on which Snapshot-Based Assessment is to be carried out.
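As an added example (not Qualys' own tooling), the service account and target account deployments above driven from the AWS CLI instead of the console. It enforces constraints stated elsewhere on this page before calling CloudFormation (24-hour minimum interval, no spaces or tabs in tags, valid region codes, a 12-digit service account ID), passes the parameters through a private temp file so the QToken does not appear in the process list, and maps the three console acknowledgements to their CAPABILITY_* flags. The parameter keys are the ones listed above; the stack names, template file names and the AWS variable are assumptions, and the VPC CIDR parameter is left out because its exact key name is not given on this page.

```shell
#!/bin/sh
# Added example, not Qualys tooling. Parameter keys follow the page; stack
# names, template paths and the AWS variable are assumptions.

AWS="${AWS:-aws}"   # overridable so the functions can be exercised without an AWS account

# The minimum scan interval is 24 hours (see the FAQ).
check_interval() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -ge 24 ]; }

# Comma-separated region codes such as ap-south-1,us-east-1.
check_regions() {
    [ -n "$1" ] || return 1
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        case "$r" in [a-z][a-z]-[a-z]*-[0-9]) ;; *) return 1 ;; esac
    done
}

# Tags in the CFT-S must not contain spaces or tabs (see the FAQ); empty means unused.
check_tag() { case "$1" in *[[:space:]]*) return 1 ;; esac; }

# AWS account IDs are 12 digits.
check_account_id() { case "$1" in *[!0-9]*|'') return 1 ;; esac; [ ${#1} -eq 12 ]; }

# Append a ParameterKey/ParameterValue object to $params, skipping empty values
# so optional template parameters keep their defaults. Values are assumed to
# contain no '"' or '\' (true for tokens, regions, CIDRs and tag strings).
params=''
add_param() {
    [ -n "$2" ] || return 0
    params="${params:+$params,}{\"ParameterKey\":\"$1\",\"ParameterValue\":\"$2\"}"
}

# Create the stack. Parameters go through a 0600 temp file (mktemp's default)
# rather than argv, so the QToken is not visible to other users via `ps`. The
# three capabilities are the CLI equivalents of the three console acknowledgements.
cfn_create_stack() {
    stack="$1" template="$2"
    pfile=$(mktemp) || return 1
    printf '[%s]\n' "$params" > "$pfile"
    rc=0
    "$AWS" cloudformation create-stack \
        --stack-name "$stack" \
        --template-body "file://$template" \
        --parameters "file://$pfile" \
        --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND || rc=$?
    rm -f "$pfile"
    return $rc
}

# deploy_service_account TEMPLATE STACK QENDPOINT QTOKEN REGIONS [INTERVAL] [TAGKEY] [TAGVALUE] [SUBNETCIDR]
deploy_service_account() {
    template="$1" stack="$2" gateway="$3" token="$4"
    regions=$(printf '%s' "$5" | tr -d ' ')
    interval="${6:-24}" tag_key="${7:-}" tag_value="${8:-}" subnet_cidr="${9:-}"
    check_interval "$interval" || { echo 'intervalHours must be an integer >= 24' >&2; return 1; }
    check_regions "$regions" || { echo 'Regions must be comma-separated region codes' >&2; return 1; }
    check_tag "$tag_key" && check_tag "$tag_value" || { echo 'tags may not contain spaces or tabs' >&2; return 1; }
    [ -n "$token" ] || { echo 'QToken is required' >&2; return 1; }
    params=''
    add_param intervalHours "$interval"
    add_param QEndPoint "$gateway"
    add_param QToken "$token"
    add_param Regions "$regions"
    add_param SubnetCIDR "$subnet_cidr"
    add_param TagKey "$tag_key"
    add_param TagValue "$tag_value"
    cfn_create_stack "$stack" "$template"
}

# deploy_target_account TEMPLATE STACK SERVICE_ACCOUNT_ID   (run in each target account)
deploy_target_account() {
    template="$1" stack="$2" service_account="$3"
    check_account_id "$service_account" || { echo 'AWSSourceAccount must be a 12-digit account ID' >&2; return 1; }
    params=''
    add_param AWSSourceAccount "$service_account"
    cfn_create_stack "$stack" "$template"
}

# Usage:
#   deploy_service_account cft-s.yaml qualys-snapshot-service gateway.example.com "$(cat ./qtoken)" 'ap-south-1,us-east-1' 24 Env prod
#   deploy_target_account  cft-t.yaml qualys-snapshot-target  123456789012
```

Run deploy_service_account once, with credentials for the service account, and deploy_target_account once per target account (the service account itself included if it should also be scanned); the same subscription token is only ever needed in the service account stack.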

Configuration at Qualys Console

New Connector

1. Log in to the Qualys console and navigate to the Connectors application.

2. Click Amazon Web Services > Create Connector.

3. Configure Basic Details (Name, Description, Application) and click Next.

4. Configure Authentication Details (Account Type, Polling Frequency, Role ARN) and click Next.

5. Configure Region Selection: select the regions for the AV inventory.

6. Configure Tags and Activation: select 'Enable Zero-Touch API Snapshot Based Scan' and assign tags to the discovered assets as required.

7. Review and confirm.

Existing Connector

1. Log in to the Qualys console and navigate to the Connectors application.

2. Click Amazon Web Services > select the connector where the service account CFT was deployed > click Edit > navigate to Tags and Activation.

3. Select 'Automatically activate all assets for the VM Scanning application' and check the 'Enable Zero-touch Snapshot Based Scan' box.

4. Click Save.

Note: The Zero-touch Snapshot Based Scan checkbox remains greyed out until a CSPM connector is registered as a service account.

Frequently Asked Questions

1. How do I register a service account?

A: Deploy the CFT-S (the service account CloudFormation template) on the AWS account you wish to register as a service account.

Alternatively, use the newly introduced API to register a service account. Learn more.

2. How do I deregister a service account?

A: We have introduced a new API to deregister a service account. Learn more.

Alternatively, delete the connector that was registered as the service account.

3. Why is the 'Enable Snapshot Based Assessment' checkbox greyed out when creating a connector?

A: The checkbox remains greyed out when snapshot scanning has been enabled for your subscription from the portal back office but you have not yet registered a service account.

4. Why does the 'register service account' step function fail after running the CFT-S?

A: The 'register-service-account' step function fails in the following scenarios:

5. Why does asset activation fail with 'ip-limit-exceeded'?

A: This error appears when you have exhausted your IP limit. Contact support to have your licence extended.

6. How do I delete a CFT-S?

A: Follow the steps below to delete a service account CloudFormation template.

  1. Delete the cross-region stack, selecting the checkbox to retain the resources.
  2. Go to StackSets > StackInstances, check whether any stack instances are still running in other regions and delete them if present.
  3. Navigate back to the service account and try deleting the CFT-S again, this time without checking the checkbox to retain the resources.
  4. At this stage, the cross-region-vpc stack has been deleted from your service account.
  5. Run this command on the CLI: aws cloudformation delete-stack-instances --stack-set-name snapshot-scanner-2-cross-region-vpc --accounts 99*******98 --regions us-east-1 us-west-2 --retain-stacks
  6. At this stage, the StackInstances on the StackSet have been deleted.
  7. Now delete the StackSet, as it is empty (it contains no StackInstances).

To update Region/Tags/QToken:

  1. Update the stack, choosing 'Replace current template'.
  2. Upload the CFT-S that you used before.
  3. Edit Region/Tags/QToken.

7. Can a customer subscribe to both API-Based Assessment and Snapshot-Based Assessment at once?

A: Yes, a customer can subscribe to both scans at once.

8. Can there be spaces or tabs in the tags given in the CFT-S?

A: No. Tags in the CFT-S do not support prefixes, suffixes, spaces or tabs.

9. Can there be multiple service accounts?

A: No, there can be only one service account per subscription.

Note: Customers can configure multiple target accounts.

10. Can the service account also be a target account?

A: Yes, the service account can also be a target account.

11. Can the scan interval be set to 1 hour?

A: No. The minimum scan interval is 24 hours.