Manage and Activate Amazon Machine Image (AMI) Scan

An Amazon Machine Image (AMI) is a master image used to create virtual machine instances in Amazon Web Services (AWS). AMI Scan is a zero-touch assessment capability in Qualys TotalCloud that evaluates the security posture of AMIs before deployment. Using Snapshot-Based Scanning, AMI Scan performs comprehensive operating system vulnerability checks without launching instances, reducing risk and improving compliance for pre-deployment images.

Integrating AMI scanning into your cloud build process ensures that every image promoted to production meets organizational security and compliance requirements without disrupting existing workloads.

Benefits of AMI Scan

  • Detects vulnerabilities in AMIs without requiring instance startup or agent installation.
  • Validates image security and compliance before deployment.
  • Identifies configuration issues, missing patches, and outdated components.
  • Performs assessments offline, minimizing impact on cloud resources and workload performance.

Set Up AMI Scan with AWS Snapshot-Based Scan

You need an existing or new AWS connector to enable AMI scanning as part of your Snapshot-Based Scan configuration.

  1. Create a new AWS connector or edit an existing one.
  2. Go to the Tags and Activation section and select Enable AMI Scanning under the Enable Zero-touch Snapshot Based Scan checkbox.
  • In the snapshot-based scan settings for service accounts, set the AMI parameter to Enabled. For more details, see Snapshot-Based Scan.
  • Optionally enable AMI Offline Scan to re-run assessments without consuming additional cloud resources.
  • Review identified vulnerabilities under the AMI Vulnerability Findings section in TotalCloud.

AMI Scan provides a consistent, automated method to assess image security prior to deployment. Early detection of vulnerabilities and misconfigurations strengthens your overall cloud posture while maintaining operational continuity.