Create a Role for Cross-account Access

Use this procedure to create an IAM (Identity and Access Management) role in Amazon Web Services (AWS) that enables Qualys to access your AWS resources across accounts. After creating the role, copy the Role ARN and External ID and paste them into your connector details.

Steps to Create IAM Role

  1. Log in to your AWS Console.
  2. Navigate to the IAM service.
  3. Go to Roles and click Create role.
  4. Under Select type of trusted entity, choose Another AWS account:
    • Provide the Qualys AWS Account ID.
    • Select Require external ID and create an External ID.
    • Click Next: Permissions.

Role creation in AWS console.

Depending on the type of connector you are creating, select the following policies:

AssetView Connector

Create a policy that includes the following permissions:

"ec2:DescribeInstances"
"ec2:DescribeAddresses"
"ec2:DescribeImages"
"ec2:DescribeRegions"
"ec2:DescribeVpcs"

Once you create the policy, find the policy and select the check box next to the policy.

AssetView Connector with API-Based Assessment Enabled

Create a policy that includes the permissions:

"ssm:ListInventoryEntries"
"ssm:DescribeInstanceInformation"
"ec2:DescribeInstances"
"ec2:DescribeAddresses"
"ec2:DescribeImages"
"ec2:DescribeRegions"

Once you create the policy, find the policy and select the check box next to the policy.

AssetView Organization Connector

Create a policy that includes the permissions:

"ec2:DescribeInstances"
"ec2:DescribeAddresses"
"ec2:DescribeImages"
"ec2:DescribeRegions"
"ec2:DescribeVpcs"
"organizations:list"

Once you create the policy, find the policy and select the check box next to the policy.

AssetView and CSPM connector

- Find the policy titled “SecurityAudit” and select the check box next to it.

Find the policy that includes the permissions "eks:ListFargateProfiles" and "eks:DescribeFargateProfile" and select the check box next to the policy (applicable only for Fargate Profiles associated with an EKS cluster).

Create a custom policy that includes the additional permissions (applicable only for EKS Fargate Profiles associated with an EKS cluster, EFS resources, Step Functions, Amazon QLDB, Lambda, MSK, API Gateway, AWS Backup, WAF, EBS, EMR, Glue, GuardDuty, CodeBuild and Directory Service). Find the custom policy you created and select the check box next to the policy. For detailed steps on creating the custom policy and the required permissions, see Create Custom Policy.

CSPM connector with Remediation Enabled

Create a policy that includes the permissions:

"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DisassociateIamInstanceProfile",
"ec2:StopInstances",
"s3:PutBucketPublicAccessBlock",
"rds:ModifyDBInstance"

Once you create the policy, find the policy and select the check box next to the policy.

  1. Click Next: Tags.
  2. Click Next: Review.
  3. Enter a role name (e.g. QualysCVRole) and click Create role.

AWS Create Role Screen

  1. Click the role you just created to view its details. Copy the Role ARN value and paste it into the connector details.
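The console steps above produce two policy documents: a trust policy that names the Qualys account as the only principal and requires the External ID on every sts:AssumeRole call, and a permissions policy with the actions listed for the connector type. The Python below is an added example (not Qualys code or the AWS console's output) that builds both documents for the AssetView connector and checks the role for the two mistakes that matter most: a missing sts:ExternalId condition (which lets anyone who learns the role ARN attempt to assume it from the trusted account) and write actions slipping into a role that is supposed to be read-only. The account ID is a constructed placeholder; take the real Qualys Account ID from the connector screen.

```python
import json
import secrets

# Constructed placeholder; the real Qualys AWS Account ID is shown in the
# connector creation screen.
QUALYS_ACCOUNT_ID = "123456789012"

# Actions the page lists for the AssetView connector (read-only).
ASSETVIEW_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeAddresses",
    "ec2:DescribeImages",
    "ec2:DescribeRegions",
    "ec2:DescribeVpcs",
]

# Prefixes that identify read-only IAM action verbs.
READ_ONLY_VERBS = ("describe", "list", "get")


def new_external_id() -> str:
    """The console accepts any string as External ID; a random, unguessable
    one is what the 'confused deputy' protection relies on."""
    return secrets.token_urlsafe(24)


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Equivalent of choosing 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(actions: list) -> dict:
    """Inline/customer-managed policy attached to the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def check_trust_policy(policy: dict, expected_account: str) -> list:
    """Return the problems found; an empty list means the trust policy has the
    shape this procedure is meant to produce."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in str(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal if principal == "*" else principal.get("AWS", "")
        if aws_principal == "*":
            problems.append("trust policy allows any AWS principal")
        elif expected_account not in str(aws_principal):
            problems.append(f"principal {aws_principal!r} is not account {expected_account}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            problems.append("no sts:ExternalId condition (Require external ID was not selected)")
    return problems


def non_read_only_actions(policy: dict) -> list:
    """Actions whose verb is not Describe/List/Get, e.g. the remediation
    actions (StopInstances, ModifyDBInstance) that belong on the CSPM
    remediation role only, never on an AssetView role."""
    flagged = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            verb = action.split(":", 1)[-1].lower()
            if not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    ext_id = new_external_id()
    trust = trust_policy(QUALYS_ACCOUNT_ID, ext_id)
    perms = permissions_policy(ASSETVIEW_ACTIONS)
    print(json.dumps(trust, indent=2))
    print("trust policy problems:", check_trust_policy(trust, QUALYS_ACCOUNT_ID))
    print("write actions in AssetView policy:", non_read_only_actions(perms))
```

Running the module prints the trust policy you would see under the role's Trust relationships tab after step 4; the two check functions are the ones to reuse when reviewing a role that already exists, for example one created before the External ID requirement was introduced.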

Want to create a role using CloudFormation?

Create Role for Organization Connectors Via Stacks

  1. Download the CloudFormation template from the Organization Details step of the Organization Connector creation.

    You must provide an external ID in the Organization Details step to download a valid CloudFormation template.

  2. Log in to AWS and go to CloudFormation.
  3. Click Create stack > With new resources (standard).
  4. Upload the template file and click Next.
    Specify template
  5. Enter a Stack name and click Next.
    Specify stack details
  6. Configure optional stack options.
  7. Accept the IAM acknowledgment and click Create Stack.
  8. Wait for CREATE_COMPLETE status.
    Confirm create stack
  9. Copy the Role ARN from the output and paste it into the connector details.
    RoleARN

Create Role for Member Connectors via StackSet

Use AWS StackSets to deploy the role across multiple accounts.

  1. Download the CloudFormation template from the Member Connector Details step of the Account Connector creation.

    You must provide an external ID in the Member Connector Details step to download a valid CloudFormation template.

  2. Log in to AWS and go to CloudFormation.
  3. Navigate to Services > CloudFormation > StackSets > Create StackSet.
    Specify template for Stackset
  4. Upload the template and enter a StackSet Name.
    Specify stackset details
  5. Configure optional StackSet options.
  6. Select deployment targets (Organization or Organizational Units).
    Set deployment options
  7. Specify deployment regions.
    Specify regions
  8. Accept the IAM acknowledgment and click Submit.
    Confirm create stackset
  9. After completion, copy the Role Name from the output and paste it into the connector details.

Templates use predefined RoleNames. To use a custom RoleName, edit the template before deployment.
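When the template's predefined RoleName does not fit your naming standard, the edit is a one-line change to the AWS::IAM::Role resource, but the external-ID parameter and the RoleARN output must survive it, because the connector is fed from that output. The Python below is an added example, not the Qualys template or Qualys tooling: it works on a constructed template in the same shape (one IAM role, an ExternalId parameter, an output holding the role ARN), swaps in a custom RoleName that satisfies IAM's naming rule, and confirms the output still points at the role before the edited JSON is uploaded in step 4. The logical ID QualysRole, the placeholder account ID and the attached SecurityAudit policy are assumptions.

```python
import copy
import json
import re

# IAM role names: 1-64 characters from the set [A-Za-z0-9+=,.@_-].
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")

# Constructed stand-in for a downloaded template; only the shape matters.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"ExternalId": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "QualysRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "QualysCVRole",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}},
                    }],
                },
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
            },
        }
    },
    "Outputs": {"RoleARN": {"Value": {"Fn::GetAtt": ["QualysRole", "Arn"]}}},
}


def iam_roles(template: dict) -> dict:
    """Logical ID -> Properties for every AWS::IAM::Role in the template."""
    return {
        logical_id: res.get("Properties", {})
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Role"
    }


def with_role_name(template: dict, new_name: str) -> dict:
    """Return a copy of the template whose single IAM role uses new_name.
    The input is not modified, so the original can be diffed against the edit."""
    if not ROLE_NAME_RE.match(new_name):
        raise ValueError(f"{new_name!r} is not a valid IAM role name")
    roles = iam_roles(template)
    if len(roles) != 1:
        raise ValueError(f"expected exactly one AWS::IAM::Role, found {len(roles)}")
    edited = copy.deepcopy(template)
    (logical_id,) = roles
    edited["Resources"][logical_id]["Properties"]["RoleName"] = new_name
    return edited


def role_arn_outputs(template: dict) -> list:
    """Output keys whose value is the Arn of an IAM role in this template,
    i.e. the value to paste into the connector after CREATE_COMPLETE."""
    roles = iam_roles(template)
    keys = []
    for key, out in template.get("Outputs", {}).items():
        value = out.get("Value")
        getatt = value.get("Fn::GetAtt") if isinstance(value, dict) else None
        if getatt and getatt[0] in roles and getatt[1] == "Arn":
            keys.append(key)
    return keys


def external_id_is_parameterised(template: dict) -> bool:
    """True when every role's trust policy binds sts:ExternalId to a Ref to a
    template parameter (the value you enter in step 5 rather than a literal)."""
    params = template.get("Parameters", {})
    for props in iam_roles(template).values():
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if not isinstance(ext, dict) or ext.get("Ref") not in params:
                return False
    return True


if __name__ == "__main__":
    edited = with_role_name(SAMPLE_TEMPLATE, "QualysCVRole-prod")
    assert role_arn_outputs(edited) == ["RoleARN"] and external_id_is_parameterised(edited)
    # This JSON is what you would upload in place of the downloaded template.
    print(json.dumps(edited, indent=2))
```

For a StackSet the same RoleName is created in every target account, which is why the member connector asks for the Role Name rather than an ARN; keep the name identical across accounts when you customise it.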