Configure Zero-Touch Snapshot-based Scan for AWS

This guide provides step-by-step instructions to configure Zero-Touch Snapshot-based Scan for Amazon Web Services (AWS) environments. Zero-Touch Snapshot-based Scanning provides agentless, automated vulnerability assessments of AWS resources by analyzing EC2 instances snapshots, eliminating the need for direct access to live workloads.

Snapshot-based assessment offers enhanced security and operational efficiency by utilizing a service account that is independent of the target AWS account. This separation ensures secure operations, as the service account can perform assessments across multiple target accounts without requiring credentials or access from each. This architecture supports bulk scans, enabling organizations to scale assessments without disrupting workloads.

You must perform the following Qualys and AWS console configurations to activate Snapshot-based assessment on TotalCloud. Let's get started with your first Snapshot-based scan!

Prerequisites for Snapshot-based Scan

  • An active Qualys Enterprise TruRisk Platform with full TotalCloud Subscription.
  • Zero-Touch Snapshot-based Scan feature activated for your subscription. Raise a Customer Support ticket to activate this feature.
  • To activate SCA Scan, Secret Scan or AMI Scan - You must select these checkboxes while creating a connector
  • To activate SCA Scan, you must also activate SwCA from CSAM (ITAM) application.
  • To activate on-demand scan, raise a Customer Support ticket.

Ensure the following AWS service limits are configured:

Service  Required Limit
Transactions per Second (for Snapshot v3 and below) 25
SSM Automation Queue Size 5000
Lambda 10000
EBS 100

OS Compatibility

For a list of supported operating systems and platforms compatible with Qualys Zero-Touch Snapshot-based Scanning, refer to Snapshot-based Scan OS Compatibility.

AWS Services Created for Snapshot-based Scan

The following AWS services and resources are provisioned during the deployment of Snapshot-based scanning:

Service AccountService Account

  • AGEventListenerApi - AWS::ApiGateway::RestApi
  • AGEventListenerApiDeploymentf222637d7aaa0daafffcdac5463676f1 - AWS::ApiGateway::Deployment
  • AGEventListenerApiDeploymentStagev1 - AWS::ApiGateway::Stage
  • AGEventListenerApiKey - AWS::ApiGateway::ApiKey
  • AGEventListenerApiResource - AWS::ApiGateway::Resource
  • AGEventListenerApiResourcePOST - AWS::ApiGateway::Method
  • AGEventListenerApiUsagePlan - AWS::ApiGateway::UsagePlan
  • AGEventListenerApiUsagePlanUsagePlanKeyResourceQualysAGEventListenerApiKey0F8E8C20 - AWS::ApiGateway::UsagePlanKey
  • AGProxyApi - AWS::ApiGateway::RestApi
  • AGProxyApiDeploymentc66b9d6a8428fab7b9e4a3a03c041414 - AWS::ApiGateway::Deployment
  • AGProxyApiDeploymentStagev0 - AWS::ApiGateway::Stage
  • AGProxyApiResource - AWS::ApiGateway::Resource
  • AGProxyProxyMethod - AWS::ApiGateway::Method
  • AmiConfig - AWS::SSM::Parameter
  • ApiConfig - AWS::SSM::Parameter
  • ApiConnectionQualysFlowConnection - AWS::Events::Connection
  • ApiDestinationQualysFlowApiDestination - AWS::Events::ApiDestination
  • AppConfigTable - AWS::DynamoDB::Table
  • ApStepDestinationQualysFlowApiDestination - AWS::Events::ApiDestination
  • ApStepDestinationRuleFirst - AWS::Events::Rule
  • ApStepDestinationRuleSecond - AWS::Events::Rule
  • CleanupCustomResource - AWS::CloudFormation::CustomResource
  • CommonLogGroup - AWS::Logs::LogGroup
  • CreateSnapshotEventPipe - AWS::Pipes::Pipe
  • DbStreamEventsNotifierRole - AWS::IAM::Role
  • DbStreamEventsNotifierRoleDefaultPolicy - AWS::IAM::Policy
  • DynamodbEventLogsStreamPipe - AWS::Pipes::Pipe
  • DynamodbStreamPipe - AWS::Pipes::Pipe
  • EBRole - AWS::IAM::Role
  • EBRoleDefaultPolicy - AWS::IAM::Policy
  • EC2SSMRole - AWS::IAM::Role
  • LambdaAppConfigStore - AWS::Lambda::Function
  • LambdaCFTCleanupFunction - AWS::Lambda::Function
  • LambdaDataFormatter - AWS::Lambda::Function
  • LambdaDynamoDbWrapper - AWS::Lambda::Function
  • LambdaRole - AWS::IAM::Role
  • LambdaRoleDefaultPolicy - AWS::IAM::Policy
  • LambdaSDKWrapper - AWS::Lambda::Function
  • LambdaSDKWrapperSqsEventSourceQualysSsmRateLimiterQueue4A45AE31 - AWS::Lambda::EventSourceMapping
  • PipeResourceEventsNotifier - AWS::Pipes::Pipe
  • PollEC2SFRule - AWS::Events::Rule
  • QualysSecrets - AWS::SecretsManager::Secret
  • RegionStackSet - AWS::CloudFormation::StackSet
  • RoleResourceEventsListener - AWS::IAM::Role
  • RoleResourceEventsListenerDefaultPolicy - AWS::IAM::Policy
  • RoleResourceEventsNotifier - AWS::IAM::Role
  • RoleResourceEventsNotifierDefaultPolicy - AWS::IAM::Policy
  • ScanConfig - AWS::SSM::Parameter
  • ScanEC2SFRule - AWS::Events::Rule
  • ServiceKmsKey - AWS::KMS::Key
  • ServiceKmsKeyAlias - AWS::KMS::Alias
  • SFAccess - AWS::IAM::Policy
  • SfnAttachVolume - AWS::StepFunctions::StateMachine
  • SfnCleanup - AWS::StepFunctions::StateMachine
  • SfnCommonConfig - AWS::StepFunctions::StateMachine
  • SfnCopySnapshot - AWS::StepFunctions::StateMachine
  • SfnCreateInstance - AWS::StepFunctions::StateMachine
  • SfnCreateSnapshot - AWS::StepFunctions::StateMachine
  • SfnCreateSnapshotWrapper - AWS::StepFunctions::StateMachine
  • SfnCreateVolume - AWS::StepFunctions::StateMachine
  • SfnDeregisterServiceAccount - AWS::StepFunctions::StateMachine
  • SfnDynamoDbWrapper - AWS::StepFunctions::StateMachine
  • SfnEC2Filter - AWS::StepFunctions::StateMachine
  • SfnEC2Poller - AWS::StepFunctions::StateMachine
  • SfnFindScanCandidates - AWS::StepFunctions::StateMachine
  • SfnRegisterServiceAccount - AWS::StepFunctions::StateMachine
  • SfnResourceEventsSyncer - AWS::StepFunctions::StateMachine
  • SfnRestartInstance - AWS::StepFunctions::StateMachine
  • SfnRetryFailedSnapshots - AWS::StepFunctions::StateMachine
  • SfnRole - AWS::IAM::Role
  • SfnRoleDefaultPolicy - AWS::IAM::Policy
  • SfnRoleUpdateStepFunction - AWS::StepFunctions::StateMachine
  • SfnRunScanner - AWS::StepFunctions::StateMachine
  • SfnSaveInstanceDetails - AWS::StepFunctions::StateMachine
  • SfnScanInstances - AWS::StepFunctions::StateMachine
  • SfnSDKWrapper - AWS::StepFunctions::StateMachine
  • SfnSSMDataWrapper - AWS::StepFunctions::StateMachine
  • SfnSSMWrapper - AWS::StepFunctions::StateMachine
  • SfnUpdateCommonConfig - AWS::StepFunctions::StateMachine
  • SqsFailedErrors - AWS::SQS::Queue
  • SqsResourceEvents - AWS::SQS::Queue
  • SqsResourceEventsDlq - AWS::SQS::Queue
  • SqsSnapshotNotifications - AWS::SQS::Queue
  • SSMAutomationDocumentRole - AWS::IAM::Role
  • SsmRateLimiterDLQ - AWS::SQS::Queue
  • SsmRateLimiterQueue - AWS::SQS::Queue
  • SSMRoleInstanceProfile - AWS::IAM::InstanceProfile
  • StackSetAdministrationRole - AWS::IAM::Role
  • StackSetExecutionRole - AWS::IAM::Role
  • TableEventLogs - AWS::DynamoDB::Table
  • TableResourceInventory - AWS::DynamoDB::Table
  • TagsConfig - AWS::SSM::Parameter
  • UpdateSFRule - AWS::Events::Rule

Target AccountTarget Account

Services created on each target account

  • IamEventsSenderRole - AWS::IAM::Role
  • IamEventsSenderRoleDefaultPolicy - AWS::IAM::Policy
  • IamRoleStacksetTargetAdmin- AWS::IAM::Role
  • IamRoleStacksetTargetExecution - AWS::IAM::Role
  • IamTargetAccountRole - AWS::IAM::Role
  • TargetRegionStackSet - AWS::CloudFormation::StackSet

Activate the Snapshot-Scan Checkbox

To activate Snapshot-based Scan for your connector, you need to create or edit an AWS 

Follow the steps provides in Create AWS Connectors and navigate to the Tags and Actication step.

Click the Need Help? icon on the top-right to view the Snapshot-scan vulnerability assessment steps. Here, you can download the CloudFormation Templates, CFT-S and CFT-T required to activate your Snapshot-based Scan. Download these assets and deploy the CFT-S to select the Enable Zero-touch Snapshot-based Scan checkbox.

The Zero-touch Snapshot-based Scan checkbox remains greyed until a CSPM Connector is registered as a Service Account. Deploy the CFTs to register the service account.

Read the steps instructed below at "Deploy the Service and Target Account CloudFormation Templates" to provision your CFTs. After which you can select the required checkboxes.

We support 3 additional scan techniques along with the Snapshot-based Scan checkbox.

  • Secret Detection
  • SCA
  • AMI Scanning

Deploy the Service and Target Account CloudFormation Templates

To activate the Snapshot scan functionality, you will need one CSPM connector registered as a service account. Before we register the service and target accounts, we will need to generate and store a subscription token for authorization.

Generate a Subscription Token

Follow the steps below to generate Subscription Token

  1. Generate an authorization token by running the following command: 
    curl --location --request POST 'https://< API Gateway URL >/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'
  2. Generate SubscriptionToken by running the following command: 
    curl --location --request POST 'https://< API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000}' 
  3. Store the generated Subscription Token for later.

 At this stage, the 'Enable Snapshot Based Scan' option is not visible to you yet while creating a connector. This is because the AWS account is yet to be registered as a service account.

Configure a Service AccountConfigure a Service Account

Register your AWS account as a service account to scan the assets of your target accounts. A service account is necessary to run snapshot scans.

Create stack

  1. Sign in to the AWS Management Console and navigate to CloudFormation.
  2. Choose Stacks > Create Stack > With new resources (standard).
  3. Under Prerequisite - Select Template is ready.
  4. Upload the CloudFormation Template under 'Specify Template' and click Next.

Specify Stack Details

Next, provide the stack parameters. The stack parameters are as follows:

Gateway Configuration

Parameter Name

Description

SubscriptionToken

(Required) The long living token required for authentication. Can be generated by following the steps provided above at Generate a Subscription Token

APIGatewayURL

(Required) This is the gateway proxy endpoint for the particular pod. Choose the gateway URL from Qualys Platform Identification

Scanner Configuration

Parameter Name

Description

Software composition analysis (SCA)

(Disabled by default) Enable to trigger an SCA scan for an instance. (Also select on connectors application as mentioned in prerequisites)

Scan Sampling

(Disabled by default) Enable to use Sampling for a group of instances. Involves selecting and analyzing a subset of instances from a larger population to make inferences about the whole group.

Sampling Group Scan Percentage

(10 by default) Enter the percentage to execute scans on sampling group instances. The value must be between 1 and 50

Scanner Instances Per Region

(10 by default) Number of scanner instances to be used for a single region. Minimum is 1 and Maximum is 50

Region Scan Concurrency

(2 by default) Number of regions that should be concurrently scanned. Minimum is 1 and Maximum is 5

Target Regions

(us-east-1 by default) Region(s) where instances should be considered for Snapshot scan

Snapshot Refresh Interval

(24 by default) Formerly named Scan Frequency. Interval between two scans of the same EC2 instance in hours. This is 24 hours by default. Minimum is 24 hours and Maximum is 168 hours (7 days)

Batch Trigger Scan Duration

(10 by default) Event-based. Pause to check/find new ready snapshots for scanning in minutes. This is 10 minutes by default. Minimum is 5 minutes and Maximum is 720 hours (12h)

Retry Discovery Interval

(60 by default) Poll-based. Pause between Polls EC2 instances from Target Account(s) in minutes. This is 60 minutes by default. Minimum is 15 minutes and Maximum is 12h

SCA Include directories

Enter the directory that should be considered particularly for scanning (All other directories will be excluded). By default all directories will be scanned

SCA Exclude directories

Enter the directory that should not be considered particularly for scanning (All other directories will be included)

SCA Scan Timeout

(Set to 120 by default) Maximum time which an SCA scan should try to run for (in seconds). Set this time with an estimation directly proportional to number of packages
Secret Scan (Disabled by default) Should be Enabled to trigger a secret scan for an instance. (This feature must be selected on the connectors application while creating or editing your connector.)
Include Directories for Secret Scan Enter the directory that should be considered particularly for scanning (All other directories will be excluded). By default all directories will be scanned.
Exclude Directories for Secret Scan  Enter the directory that should not be considered particularly for scanning (All other directories will be included).
Secret Scan Timeout (Set to 120 by default) Maximum time which a secret scan should try to run for (in seconds). Set this time with an estimation directly proportional to number of packages.
AMI  (Disabled by default) Should be Enabled to trigger OS scan for an AMI. (Also enable on connectors module as mentioned in prerequisites).
AMI Offline Scan (Disabled by default) Replaying the scan without the interference of cloud resources to re-run the scan.

EC2 Tag Configuration

Parameter Name

Description

Include Instances (All Tags Required)

All tags must be present on the Instance

Include Instances (Any Tag Sufficient)

Any one tag must be present on the Instance

Exclude Instances (If Any Tag Matches)

If any tag in the list is present on the Instance, it will be excluded

Exclude Volumes (If Any Tag Matches)

If any tag in the list is present on the Volume, it will be excluded. If all volumes are excluded on an Instance, Instance will be skipped during scan

QScanner VPC Configuration 

Parameter Name

Description

PublicVpcCidr

(Required) Provide the VPC CIDR

PublicSubnetCidr

(Required) Provide the Subnet CIDR

PrivateSubnetCidr

(Required) Provide the Private Subnet CIDR

DeployPrivateVpc

(Required) Select 'yes' to run scanners inside a private subnet with NAT gateway

Event Trigger API Endpoint Configuration

Parameter Name

Description

Enable Custom Domain

(Disabled by default) Select 'Enabled' to use custom Route53 Domain in ApiGateway. This is for the Endpoint given in CFT-T

Route53 Domain Id

If Custom Domain is enabled above, enter the registered domain Id of the hosted zone

Route53 Domain Name

If Custom Domain is enabled above, enter the registered domain name of the hosted zone

Advanced Configuration

Parameter Name

Description

Release Pipeline

(Set to GA by default) Set this parameter to run the snapshot scan as part of a feature release pipeline. You can update this when communicated by your TAM. It is recommended to set to GA otherwise.

 Click Next.

Configure Stack Options

Keep the default configurations and click Next.

Review

  1. Review your configurations.
  2. Check the acknowledgments
    • I acknowledge that AWS CloudFormation might create IAM resources.
    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
  3. Click Submit.

The Service Account Template configuration is completed.

 Only a single AWS Account connector with CSPM capability can be registered as a service account.

You will need the Service Account API Endpoint to proceed with the following steps.

Obtain the Service Account API Endpoint

To retrieve the API endpoint for the service account:

  1. Open the Stacks section in the AWS Management Console.
  2. Select the deployed service account stack.
  3. Navigate to the Outputs tab.
  4. Copy the value labeled ServiceAccountApiEndpoint. You will need this endpoint during the target account configuration.

Next, configure a target account as specified below.

Configure a Target Account Configure a Target Account

Target accounts are AWS accounts where snapshot scans are executed. You can configure multiple target accounts to enable scanning across various environments.

Steps to Create the Stack

  1. Sign in to the AWS Management Console and navigate to CloudFormation.

  2. Go to Stacks > Create Stack > With new resources (standard).

  3. Under Prerequisite – Prepare template, select Template is ready.

  4. Upload the CloudFormation template under Specify template.

  5. Click Next.

Specify stack details

  1. Next, give a name for the stack and provide the required parameters.
    1. Scan configuration
      • SourceAccount: Enter the AWS account number of the service account.
      • TargetRegions: Provide the regions where the snapshot scan runs.
    2. API Destination configuration

      If you have selected Custom Domain in your CFT-S parameters, then you can use the same domain for the API Destination Enpoint in CFT-T.

      • QToken: Provide the Qualys Subscription token as mentioned in 'Generate a Subscription Token'.
      • APIDestinationEndpoint: Provide the AWS Service Account API Gateway Endpoint as mentioned in 'Obtain the Service Account API Endpoint' under 'Configure a Service Account'.

  2. Click Next.

Configure stack options 

Keep the default configurations and click Next.

Review

Review your configurations.

  1. I acknowledge that AWS CloudFormation might create IAM resources. 

  2. I acknowledge that AWS CloudFormation might create IAM resources with a custom name.
  3. I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND.

A QualysTargetAccount CF template must be deployed for every account on which Snapshot-based Assessment needs to be carried out.

Deploy CFTs with AWS CloudShell

To simplify the version update process and avoid deployment discrepancies, we recommend using AWS CloudShell for deploying the Qualys Snapshot-based Scan CFTs. This method ensures consistent deployment across service and target accounts while automatically managing AWS credentials based on your permissions.

What you will need

  • APIGatewayURL: The Gateway URL for your Qualys pod (available at Platform Identification)
  • SubscriptionToken: Your authentication token - follow the instructions provided at Generate a Subscription Token

CLI Deployment Instructions

Environment Setup

Before proceeding with deployment, set up your environment variables:

Step 1: Set APIGatewayURL

sh
export APIGatewayURL=https://<API_Gateway_URL>

Step 2: Set SubscriptionToken

sh
export SubscriptionToken=<Subscription_Token>

Step 3: Download the CLI

Run the following command to download the CLI:

sh
wget "$APIGatewayURL/qflow/snapshot/v1/distribution/qscanner-sfn-orchestrator/cli.zip" \
--header="Authorization: Bearer $SubscriptionToken" -O "qscanner-sfn-orchestrator-cli.zip"

Step 4: Extract the CLI

Unzip the downloaded file:

 sh
 unzip -o "qscanner-sfn-orchestrator-cli.zip"

You must deploy configurations in both the service account and all target accounts.

Step 5: Deploy in Service Account

Execute the following command to deploy the snapshot scanner in the service account:

sh
./qscanner-sfn-orchestrator service deploy --config user-config-service.json --cft cfts/cloudformation_service.yaml

If you need to specify a unique stack name, use:

sh
./qscanner-sfn-orchestrator service deploy --config user-config-service.json --cft cfts/cloudformation_service.yaml --stack-name <CFT-S-abcd>  Step 6: Deploy in Target Account(s)

Execute the following command to deploy the snapshot scanner in each target account:

sh
. /qscanner- sfn-orchestrator target deploy --config user-config-target.json --cft cfts/cloudformation_target.yaml

If you need to specify a unique stack name, use:

sh
./qscanner- sfn-orchestrator target deploy --config user-config-target.json --cft cfts/cloudformation_target.yaml --stack-name <CFT-T-abcd>

Notes

  • Ensure that the configuration file and CloudFormation template paths are correctly specified before executing the commands.
  • The configuration files can be empty; you will be prompted to enter values if required.
  • AWS CloudShell automatically manages AWS credentials based on your permissions, eliminating the need for manual credential configuration.
  • Verify the deployment is successful in each account before proceeding to the next one.

Upgrade the CloudFormation Template

If you are using an older version of the CloudFormation template, you must follow these steps to upgrade your templates to the latest version.

For the latest version of the AWS CloudFormation templates for Snaphsot-based Scans- you need to delete your older deployment and redeploy the CFTs.

Execute the following commands to destroy and deploy your CFTs.

To destroy QUALYS-CFT-AUTOBUILD

sh
./qscanner-sfn-orchestrator destroy-autobuild

To destroy QUALYS-CFT-S

sh
./qscanner-sfn-orchestrator destroy

To deploy QUALYS-CFT-AUTOBUILD

sh
./qscanner-sfn-orchestrator destroy-autobuild

To deploy QUALYS-CFT-S

sh
./qscanner-sfn-orchestrator deploy-autobuild

View Scan Findings in TotalCloud

After a successful Snapshot-based scan execution, all findings are available for your view in the TotalCloud application.

You can navigate to the inventory and click on an instance scanned by this FlexScan technique to view its details.

Under the Security tab, you can find Vulnerabilities, Software Composition Analysis and Secrets. Depending on your scan configurations, these findings are available for your analysis.

Here are a few examples below.

Secrets Findings

Here are the secrets detected with Snapshot scan on an instance.

AMI Vulnerabilty Findings

Here are the AMI Vulnerabilities detected with Snapshot scan on an instance.

Frequently Asked Questions

1. How to register a service account?

A: Deploy the CFT-S on an AWS account the customer wishes to register as a service account.

Customers can also use the newly introduced API to register a service account. Learn more.

2. How to deregister a service account

A: We have introduced a new API to deregister service accounts. Learn more.

Or, the customer can delete the connector registered as a service account.

3. Why is the 'Enable Snapshot Based Assessment' checkbox greyed out when creating a connector?

A: The checkbox remains greyed out when your snapshot scan is enabled from the portal back office, but you have not registered a service account. 

4. Why does the 'register service account' step function fail after running CFT-S?

A: The 'register-service-account' step function fails in the below scenarios:

  • If the connector registered as the service account is deleted/disabled.
  • If the TotalCloud subscription is expired.

5. Why does Asset activation fail to show  'ip-limit-exceeded'?

A: The error shows up when you have exhausted your IP limit. Contact support to get your license extended.

6. How to delete a CFT-S?

A: Follow the steps below to delete a service account CloudFormation Template.

  1. Delete the cross-region-stack - select the checkbox to retain the resources
  2. Go to StackSets > Stack Instances > check if there are any running stack sets on other regions and delete them, if present
  3. Navigate back to the service account and try deleting the CFT-S again - do not check the checkbox for retaining the resources
  4. At this stage, the cross-region-vpc stack is deleted from your service account
  5. Run this command on CLI - aws cloudformation delete-stack-instances --stack-set-name snapshot-scanner-2-cross-region-vpc --accounts 99*******98 --regions us-east-1 us-west-2 --retain-stacks
  6. At this stage, StackInstances on the StackSet are deleted
  7. Now, Delete the StackSet as it is empty (does not contain any StackInstances)

7. How to update Region/Tags/QToken

  1. Replace the current template.

  2. Upload the CFT-S that you used before.

  3. Edit Region/Tags/QToken.

8. Can a customer subscribe to have API-based assessment and Snapshot-based Assessment at once?

A: Yes, a customer can subscribe to both scans at once.

9. Can there be spaces or tabs in the tags given in CFT-S?

A: No, tags do not support prefixes, suffixes, spaces, or tabs in the CFT-S.

10. Can there be multiple service accounts?

A: No, there can only be one service account for a subscription.

Customer can configure multiple target accounts

11. Can the service account also be the target account?

A: Yes, the service account can be a target account as well.

12. Can the scan interval be set to 1 hour?

A: No. The minimum scan interval is 24 hours.

13. Are marketplace AMIs supported for Snapshot-based Scan?

A: Yes, marketplace AMIs are supported. However, keep in mind the following limitations.

  • If an instance in a target account is based on a marketplace AMI that the service account is not subscribed to, the scan will fail because it won't find any volume to mount. Therefore, if the service account is new, ensure subscription to the AMIs used in other target accounts to launch instances. 
  • The scan is incompatible with older OS versions such as RHEL 6 and Debian 8 obtained from the marketplace.
  • The scan is incompatible with the latest Ubuntu version 23.04 from the marketplace.
  • EC2 instances launched with ARM-based AWS Marketplace AMIs will be excluded from snapshot scans.

Related Topics

Configure Zero-touch API-based Assessment

 

 

© Qualys , Inc. All rights reserved. Privacy Policy.