Create a role for cross-account access
Follow these steps to create an IAM role in AWS that gives Qualys cross-account access to your AWS resources. Then copy the Role ARN into your connector details.
1 - Log in to your Amazon Web Services (AWS) Console.
2 - Go to the IAM service.
3 - Go to Roles and click Create role.
4 - Under "Select type of trusted entity", select "Another AWS account".
Then:
- Paste in the Qualys AWS Account ID (from connector details)
- Select Require external ID and paste in the External ID (from connector details)
- Click Next: Permissions.
A unique external ID gets generated during connector creation in TotalCloud. You can copy the external ID that Qualys provides and paste it in AWS console.
5 - Depending on the type of connector you are creating, select the following policies:
-
AssetView ConnectorAssetView Connector
Create a policy that includes the following permissions:
"ec2:DescribeInstances"
"ec2:DescribeAddresses"
"ec2:DescribeImages"
"ec2:DescribeRegions"Once you create the policy, find the policy and select the check box next to the policy.
-
AssetView Connector with API-Based Assesment EnabledAssetView Connector with API-Based Assesment Enabled
Create a policy that includes the permissions:
"ssm:ListInventoryEntries"
"ssm:DescribeInstanceInformation"
"ec2:DescribeInstances"
"ec2:DescribeAddresses"
"ec2:DescribeImages"
"ec2:DescribeRegions"Once you create the policy, find the policy and select the check box next to the policy
-
AssetView Organization Connector AssetView Organization Connector
Create a policy that includes the permissions:
"ec2:DescribeInstances"
"ec2:DescribeAddresses"
"ec2:DescribeImages"
"ec2:DescribeRegions"
"organizations:list"Once you create the policy, find the policy and select the check box next to the policy.
-
AssetView and CSPM connectorAssetView and CSPM connector
- Find the policy titled “SecurityAudit” and select the check boxes next to it.
- Create a custom policy that includes additional permissions (applicable only for EKS Fargate Profiles associated with EKS cluster, EFS resource, Step Function, Amazon QLDB, Lambda, MSK, API Gateway, AWS Backup, WAF, EBS, EMR, Glue, GuardDuty, CodeBuild and Directory Service). Find the custom policy you create and select the check box next to the policy. Learn more.
Find the custom policy you create and select the check box next to the policy. For detailed steps on creating custom policy and the required permissions, see Create Custom Policy.
-
CSPM connector with Remediation EnabledCSPM connector with Remediation Enabled
Create a policy that includes the permissions:
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DisassociateIamInstanceProfile",
"ec2:StopInstances",
"s3:PutBucketPublicAccessBlock",
"rds:ModifyDBInstance"Once you create the policy, find the policy and select the check box next to the policy
6 - Click Next: Tags.
7 - Click Next: Review.
8 - Enter a role name (e.g. QualysCVRole) and click Create role.
9 - Click the role you just created to view details. Copy the Role ARN value and paste it into the connector details
Want to create a role using CloudFormation?
Create Role for Organization Connectors Via Stacks
1 - Download the CloudFormation template from the Organization Details step on the Create Organization Connector screen.
Note: You must provide an external ID in the Organization Details step to download a valid CloudFormation template.
2 - Log in to Amazon Web Services (for organization) and go to CloudFormation.
3 - Click Create stack and select 'With new resources(standard)'
4 - Select upload a template file under the Specify Template section
5 - Upload the template and click Next
6 - On the Specify stack details step, enter the Stack name and click Next
7 - Configure stack options such as key-value pairs, permissions or other fields. This step is optional.
8 - Accept the IAM acknowledgment for resource creation and select Create Stack. The stack creation is initiated. Wait for the CREATE_COMPLETE status.
9 - When the stack is complete, copy the Role ARN value from the output and paste it into the connector details.
Create Role for Member Connectors via StackSet
AWS StackSets enables you to automate the process of applying the Organization's role across multiple accounts in a single operation.
1 - Download the CloudFormation template from the Member Connector Details step on the Create Organization Connector screen.
Note: You must provide an external ID in the Member Connector Details step to download a valid CloudFormation template.
2 - Log in to Amazon Web Services and go to CloudFormation.
3 - On the AWS management console, select Services > CloudFormation > StackSets > Create StackSet.
4 - Upload the template file and click Next, then enter a StackSet Name.
5 - Configure stackset options. This step is optional.
6 - Next, select whether the stackset deploys stack instances to Organization or Organizational Units.
7 - Specify the region where the stacks will be deployed.
8 - Accept the IAM acknowledgment for resource creation and select Submit.
9 - When the stackset is complete, copy the Role Name value from the output and paste it into the connector details.
Note: The downloaded templates will use the pre-defined RoleName. If you wish to have a custom RoleName, you must edit the template.