Configure Zero-Touch Snapshot-based Scan for AWS
Qualys Zero-touch Snapshot-based scanning is an agentless scanning technique that helps customers detect risk, vulnerabilities, and compliance posture for virtual machine/compute instances without affecting their current workload.
Snapshot-based assessment offers greater security by using a service account for running scans. The service account will be independent of the target AWS account, where most of your workload operates. The service account can perform scans on multiple target accounts, allowing for bulk scans. This ensures no disruptions and more cost-effective, faster, and reliable scans.
The below Qualys and AWS console configurations are required from the customer to enable Snapshot-based assessment on TotalCloud. With agentless scans, you can enable zero-touch Snapshot-based scan to perform vulnerability assessments on your new assets.
Prerequisites for Snapshot-based Scan
- Qualys Cloud Platform subscription with full TotalCloud Subscription.
- Enable Zero-touch Snapshot-Based Scan to your subscription. Contact your Qualys Technical Account Manager (TAM) to enable it.
Ensure you have the following limits configured.
Service | Limit Required |
---|---|
Transactions per Second (for Snapshot v3 and below) | 25 |
SSM Automation Queue Size | 5000 |
Lambda | 10000 |
EBS | 100 |
OS Compatibility
The following section lists the OS versions and supported platforms for Qualys Zero Touch Snapshot-based scan. Refer to Snapshot-based Scan OS Compatibility.
AWS Services Created for Snapshot-based Scan
The following services are created as part of Snapshot-based scanning deployments.
Service AccountService Account
AGEventListenerApi - AWS::ApiGateway::RestApi
AGEventListenerApiDeploymentf222637d7aaa0daafffcdac5463676f1 - AWS::ApiGateway::Deployment
AGEventListenerApiDeploymentStagev1 - AWS::ApiGateway::Stage
AGEventListenerApiKey - AWS::ApiGateway::ApiKey
AGEventListenerApiResource - AWS::ApiGateway::Resource
AGEventListenerApiResourcePOST - AWS::ApiGateway::Method
AGEventListenerApiUsagePlan - AWS::ApiGateway::UsagePlan
AGEventListenerApiUsagePlanUsagePlanKeyResourceQualysAGEventListenerApiKey0F8E8C20 - AWS::ApiGateway::UsagePlanKey
AGProxyApi - AWS::ApiGateway::RestApi
AGProxyApiDeploymentc66b9d6a8428fab7b9e4a3a03c041414 - AWS::ApiGateway::Deployment
AGProxyApiDeploymentStagev0 - AWS::ApiGateway::Stage
AGProxyApiResource - AWS::ApiGateway::Resource
AGProxyProxyMethod - AWS::ApiGateway::Method
AmiConfig - AWS::SSM::Parameter
ApiConfig - AWS::SSM::Parameter
ApiConnectionQualysFlowConnection - AWS::Events::Connection
ApiDestinationQualysFlowApiDestination - AWS::Events::ApiDestination
AppConfigTable - AWS::DynamoDB::Table
ApStepDestinationQualysFlowApiDestination - AWS::Events::ApiDestination
ApStepDestinationRuleFirst - AWS::Events::Rule
ApStepDestinationRuleSecond - AWS::Events::Rule
CleanupCustomResource - AWS::CloudFormation::CustomResource
CommonLogGroup - AWS::Logs::LogGroup
CreateSnapshotEventPipe - AWS::Pipes::Pipe
DbStreamEventsNotifierRole - AWS::IAM::Role
DbStreamEventsNotifierRoleDefaultPolicy - AWS::IAM::Policy
DynamodbEventLogsStreamPipe - AWS::Pipes::Pipe
DynamodbStreamPipe - AWS::Pipes::Pipe
EBRole - AWS::IAM::Role
EBRoleDefaultPolicy - AWS::IAM::Policy
EC2SSMRole - AWS::IAM::Role
LambdaAppConfigStore - AWS::Lambda::Function
LambdaCFTCleanupFunction - AWS::Lambda::Function
LambdaDataFormatter - AWS::Lambda::Function
LambdaDynamoDbWrapper - AWS::Lambda::Function
LambdaRole - AWS::IAM::Role
LambdaRoleDefaultPolicy - AWS::IAM::Policy
LambdaSDKWrapper - AWS::Lambda::Function
LambdaSDKWrapperSqsEventSourceQualysSsmRateLimiterQueue4A45AE31 - AWS::Lambda::EventSourceMapping
PipeResourceEventsNotifier - AWS::Pipes::Pipe
PollEC2SFRule - AWS::Events::Rule
QualysSecrets - AWS::SecretsManager::Secret
RegionStackSet - AWS::CloudFormation::StackSet
RoleResourceEventsListener - AWS::IAM::Role
RoleResourceEventsListenerDefaultPolicy - AWS::IAM::Policy
RoleResourceEventsNotifier - AWS::IAM::Role
RoleResourceEventsNotifierDefaultPolicy - AWS::IAM::Policy
ScanConfig - AWS::SSM::Parameter
ScanEC2SFRule - AWS::Events::Rule
ServiceKmsKey - AWS::KMS::Key
ServiceKmsKeyAlias - AWS::KMS::Alias
SFAccess - AWS::IAM::Policy
SfnAttachVolume - AWS::StepFunctions::StateMachine
SfnCleanup - AWS::StepFunctions::StateMachine
SfnCommonConfig - AWS::StepFunctions::StateMachine
SfnCopySnapshot - AWS::StepFunctions::StateMachine
SfnCreateInstance - AWS::StepFunctions::StateMachine
SfnCreateSnapshot - AWS::StepFunctions::StateMachine
SfnCreateSnapshotWrapper - AWS::StepFunctions::StateMachine
SfnCreateVolume - AWS::StepFunctions::StateMachine
SfnDeregisterServiceAccount - AWS::StepFunctions::StateMachine
SfnDynamoDbWrapper - AWS::StepFunctions::StateMachine
SfnEC2Filter - AWS::StepFunctions::StateMachine
SfnEC2Poller - AWS::StepFunctions::StateMachine
SfnFindScanCandidates - AWS::StepFunctions::StateMachine
SfnRegisterServiceAccount - AWS::StepFunctions::StateMachine
SfnResourceEventsSyncer - AWS::StepFunctions::StateMachine
SfnRestartInstance - AWS::StepFunctions::StateMachine
SfnRetryFailedSnapshots - AWS::StepFunctions::StateMachine
SfnRole - AWS::IAM::Role
SfnRoleDefaultPolicy - AWS::IAM::Policy
SfnRoleUpdateStepFunction - AWS::StepFunctions::StateMachine
SfnRunScanner - AWS::StepFunctions::StateMachine
SfnSaveInstanceDetails - AWS::StepFunctions::StateMachine
SfnScanInstances - AWS::StepFunctions::StateMachine
SfnSDKWrapper - AWS::StepFunctions::StateMachine
SfnSSMDataWrapper - AWS::StepFunctions::StateMachine
SfnSSMWrapper - AWS::StepFunctions::StateMachine
SfnUpdateCommonConfig - AWS::StepFunctions::StateMachine
SqsFailedErrors - AWS::SQS::Queue
SqsResourceEvents - AWS::SQS::Queue
SqsResourceEventsDlq - AWS::SQS::Queue
SqsSnapshotNotifications - AWS::SQS::Queue
SSMAutomationDocumentRole - AWS::IAM::Role
SsmRateLimiterDLQ - AWS::SQS::Queue
SsmRateLimiterQueue - AWS::SQS::Queue
SSMRoleInstanceProfile - AWS::IAM::InstanceProfile
StackSetAdministrationRole - AWS::IAM::Role
StackSetExecutionRole - AWS::IAM::Role
TableEventLogs - AWS::DynamoDB::Table
TableResourceInventory - AWS::DynamoDB::Table
TagsConfig - AWS::SSM::Parameter
UpdateSFRule - AWS::Events::Rule
Services created on each target account
IamEventsSenderRole - AWS::IAM::Role
IamEventsSenderRoleDefaultPolicy - AWS::IAM::Policy
IamRoleStacksetTargetAdmin- AWS::IAM::Role
IamRoleStacksetTargetExecution - AWS::IAM::Role
IamTargetAccountRole - AWS::IAM::Role
TargetRegionStackSet - AWS::CloudFormation::StackSet
Configuration at Qualys Console
Configure Snapshot-based Scan on New ConnectorConfigure Snapshot-based Scan on New Connector
1. Login to Qualys Console > Navigate to Connectors Application.
2. Click Amazon Web Service > Create Connector > Select the Cloud Security Posture Management checkbox.
3. Configure Basic Details: Name, Description, Application > Next.
4. Configure Authentication Details: Account Type, Polling Frequency, Role ARN > Next.
5. Configure Region Selection: Select regions for the AV inventory.
6. Configure Tags and Activation: - Select Enable Zero-Touch API Snapshot Based Scan and tags for the discovered assets as per requirement.
7. Follow the steps in the 'Snapshot-based vulnerability assessment' textbox to download the required CloudFormation templates. You need these templates to register your service and target account.
7. Review and Confirm.
1. Login to Qualys Console > Navigate to Connectors Application.
2. Click Amazon Web Services > Select a Connector> Click Edit > Navigate to Tags and Activation.
3. Select Automatically activate all assets for the VM Scanning application > Check the Enable Zero-touch Snapshot-based Scan box.
4. Follow the steps on the 'Snapshot-based vulnerability assessment' text box to download the required CloudFormation templates. These templates are required to register your service and target account.
4. Click Save.
The Zero-touch Snapshot-based Scan checkbox remains greyed until a CSPM Connector is registered as a Service Account. Deploy the CFTs to register the service account.
Configuration at AWS Cloud
You will need one CSPM connector registered as a service account to activate the Snapshot scan functionality. Before we begin registering the service and target accounts, we will need to generate and store a subscription token for authorization.
Generate a Subscription Token
Follow the steps below to generate Subscription Token
- Generate AuthToken by running the below command
curl --location --request POST 'https://< API Gateway URL >/auth' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'username=<QualysUsername>' --data-urlencode 'password=<QualysPassword>' --data-urlencode 'token=true'
- Generate SubscriptionToken by running the below command
curl --location --request POST 'https://< API Gateway URL>/qas/subscription-token' --header 'Content-Type: application/json' --header 'Authorization: Bearer <Auth Token>' --data-raw '{ "expiry": 500000}'
- Store the generated Subscription Token for later.
The 'Enable Snapshot Based Scan' option is not visible to you yet. This is because the AWS account is yet to be registered as a service account.
Configure a Service AccountConfigure a Service Account
Register your AWS account as a service account to scan the assets of your target accounts. A service account is necessary to run snapshot scans.
Create stack
- Login to AWS > CloudFormation
- Stacks > Create Stack >With new resources (standard)
- Under Prerequisite - Select Template is ready.
- Upload the CloudFormation Template under 'Specify Template' and click Next.
Specify stack details
- Next, provide the stack parameters. The stack parameters are as follows:
- QToken: Provide the Qualys Subscription token as mentioned above in 'Generate a Subscription Token'.
- QEndPoint: Provide the gateway URL of your QualysGuard account. Find the Gateway URL at https://www.qualys.com/platform-identification/
- Scanner Instances Per Region: Provide the number of scanner instances to execute scans on a single region. The value must be between 1 and 25. Eg: If the value provided is 2 for 10 instances in a region, the scanner performs 2 scans of 5 instances.
- Region Scan Concurrency: Provide the number of regions to be concurrently scanned. The value must be between 1 and 25. Eg: If the value provided is 2 for an account with 10 regions, the scanner scans instances of 2 regions 5 times.
- Scan Target Regions: Specify the AWS regions that should come under snapshot scan. Eg, ap-south-1, us-east-1.
- Scan Frequency: Set the interval to launch then next scan. Provide the value in hours. The minimum value is 24 hours, and the maximum is 168 hours (7 days).
- Batch Trigger Scan Duration: Set the interval to launch the batch scan of instances discovered via events. Provide the value in minutes. The minimum is 5m, and the maximum is 12h.
- Retry Discovery Interval: Set the interval to launch a reattempt at discovering instances that may be missed during event-based discovery. Provide the value in minutes. The minimum is 5m, and the maximum is 12h.
- Tag Filter - Include Instances (All Tags Required): Provide a list of tagKey=tagValue pairs separated by commas to find instances for Snapshot scan. All of the provided tags must be in the instance.
- Tag Filter - Include Instances (Any Tag Sufficient): Provide a list of tagKey=tagValue pairs separated by commas to find instances for Snapshot scan. Any one of the provided tags must be in the instance.
- Tag Filter - Exclude Instances (If Any Tag Matches): Provide a list of tagKey=tagValue pairs separated by commas to exclude instances for Snapshot scan. Any one of the provided tags must be in the instance.
- Tag Filter - Exclude Volumes (If Any Tag Matches), Skips Instances If All Volumes Excluded: Provide a list of tagKey=tagValue pairs separated by commas to exclude volumes for Snapshot scan. Any one of the provided tags must be in the volume. If all the volumes are excluded, the instance is skipped during scan.
- PublicSubnetCIDR: Provide the Subnet Cidr. Eg, 10.82.64.0/22.
- PublicVpcCidr: Provide the Vpc Cidr. Eg, 10.82.64.0/22.
- PrivateSubnetCIDR: Provide the private Subnet Cidr. Eg, 10.82.64.0/22.
- PrivateVpcCidr: Provide the private Vpc Cidr. Eg, 10.82.64.0/22.
- DeployPrivateVpc: Select yes to run scanners inside a private subnet with nat gateway.
Click Next.
Configure Stack Options
Keep the default configurations and click Next.
Review
- Review your configurations.
- Check the acknowledgments
- I acknowledge that AWS CloudFormation might create IAM resources.
- I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
- Click Submit.
The Service Account Template configuration is completed.
Only a single AWS Account connector with CSPM capability can be registered as a service account.
You will need the Service Account API Endpoint to proceed with the following steps.
Obtain the Service Account API Endpoint
1. Navigate to Stacks from your AWS console.
2. Click the newly deployed service account stack and navigate to Outputs.
3. Copy and store the 'ServiceAccountApiEndpoint' value. You will need this later.
Next, configure a target account as specified below.
Configure a Target Account Configure a Target Account
A target account is where the snapshot scans run. You can configure multiple target accounts to run scans on different accounts.
Create stack
- Login to AWS > CloudFormation.
- Stacks > Create Stack >With new resources (standard).
- Under Prerequisite - Select Template is ready.
- Upload the CloudFormation Template under 'Specify Template' and click Next.
Specify stack details
- Next, give a name for the stack and provide the required parameters.
- Scan configuration
- SourceAccount: Enter the AWS account number of the service account.
- TargetRegions: Provide the regions where the snapshot scan runs.
- API Destination configuration
- Scan configuration
-
Click Next.
Configure stack options
Keep the default configurations and click Next.
Review
Review your configurations.
-
I acknowledge that AWS CloudFormation might create IAM resources.
- I acknowledge that AWS CloudFormation might create IAM resources with a custom name.
- I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND.
A QualysTargetAccount CF template must be deployed for every account on which Snapshot-based Assessment needs to be carried out.
Frequently Asked Questions
1. How to register a service account?
A: Deploy the CFT-S on an AWS account the customer wishes to register as a service account.
Customers can also use the newly introduced API to register a service account. Learn more.
2. How to deregister a service account
A: We have introduced a new API to deregister service accounts. Learn more.
Or, the customer can delete the connector registered as a service account.
3. Why is the 'Enable Snapshot Based Assessment' checkbox greyed out when creating a connector?
A: The checkbox remains greyed out when your snapshot scan is enabled from the portal back office, but you have not registered a service account.
4. Why does the 'register service account' step function fail after running CFT-S?
A: The 'register-service-account' step function fails in the below scenarios:
- If the connector registered as the service account is deleted/disabled.
- If the TotalCloud subscription is expired.
5. Why does Asset activation fail to show 'ip-limit-exceeded'?
A: The error shows up when you have exhausted your IP limit. Contact support to get your license extended.
6. How to delete a CFT-S?
A: Follow the steps below to delete a service account CloudFormation Template.
- Delete the cross-region-stack - select the checkbox to retain the resources
- Go to StackSets > StackInstances > check if there are any running stack sets on other regions and delete them, if present
- Navigate back to the service account and try deleting the CFT-S again - do not check the checkbox for retaining the resources
- At this stage, the cross-region-vpc stack is deleted from your service account
- Run this command on CLI - aws cloudformation delete-stack-instances --stack-set-name snapshot-scanner-2-cross-region-vpc --accounts 99*******98 --regions us-east-1 us-west-2 --retain-stacks
- At this stage, StackInstances on the StackSet are deleted
- Now, Delete the StackSet as it is empty (does not contain any StackInstances)
7. How to update Region/Tags/QToken
-
Replace the current template.
-
Upload the cft-s that you used before.
-
Edit Region/Tags/QToken.
8. Can a customer subscribe to have API-based assessment and Snapshot-based Assessment at once?
A: Yes, a customer can subscribe to both scans at once.
9. Can there be spaces or tabs in the tags given in CFT-S?
A: No, tags do not support prefixes, suffixes, spaces, or tabs in the CFT-S.
10. Can there be multiple service accounts?
A: No, there can only be one service account for a subscription.
Customer can configure multiple target accounts
11. Can the service account also be the target account?
A: Yes, the service account can be a target account as well.
12. Can the scan interval be set to 1 hour?
A: No. The minimum scan interval is 24 hours.
13. Are marketplace AMIs supported for Snapshot-based Scan?
A: Yes, marketplace AMIs are supported. However, keep in mind the following limitations.
- If an instance in a target account is based on a marketplace AMI that the service account is not subscribed to, the scan will fail because it won't find any volume to mount. Therefore, if the service account is new, ensure subscription to the AMIs used in other target accounts to launch instances.
- The scan is incompatible with older OS versions such as RHEL 6 and Debian 8 obtained from the marketplace.
- The scan is incompatible with the latest Ubuntu version 23.04 from the marketplace.
- EC2 instances launched with ARM-based AWS Marketplace AMIs will be excluded from snapshot scans.
Related Topics
Configure Zero-touch API-based Assessment