Deploying sensor in AWS ECS Cluster
Perform the following steps to deploy Qualys Container Sensor as a daemon service in Amazon ECS cluster.
Prerequisites
AWS ECS Cluster should be up and running.
Perform the following steps.
- Download the QualysContainerSensor.tar.xz file from Qualys Cloud Portal on a Linux computer
- Untar the sensor package:
sudo tar -xvf QualysContainerSensor.tar.xz
- Use the following commands to push the Qualys sensor image to a registry that every node in the cluster can pull from:
sudo docker load -i qualys-sensor.tar
sudo docker tag <IMAGE NAME/ID> <URL to push image to the repository>
sudo docker push <URL to push image to the repository>
For example:
sudo docker load -i qualys-sensor.tar
sudo docker tag c3fa63a818df 20576712438.dkr.ecr.us-east-1.amazonaws.com/container-sensor:qualys-sensor-xxx
sudo docker push 20576712438.dkr.ecr.us-east-1.amazonaws.com/container-sensor:qualys-sensor-xxx
Do not use the examples as is. Replace the registry/image path with your own (an ECR repository is addressed as <account-id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>), authenticate Docker to that registry before pushing, and make sure every ECS container instance is permitted to pull from it; for ECR this means the instance's IAM role needs ECR pull permissions.
Modify the cssensor-aws-ecs.json file
Modify the cssensor-aws-ecs.json file (extracted from QualysContainerSensor.tar.xz) to provide values for the following parameters. For the file to remain valid, do not remove the sections mentioned below, and do not try to comment them out: JSON has no comment syntax, and ECS will reject the file. You can also download the json file directly from https://github.com/Qualys/cs_sensor
"containerDefinitions": [
{
"name": "qualys-container-sensor",
"image": "20576712438.dkr.ecr.us-east-1.amazonaws.com/container-sensor:qualys-sensor-xxx",
"cpu": 10,
"memory": 512,
"essential": true,
"command": [
"--ecs-mode"
],
Specify appropriate values for cpu and memory. In an ECS container definition, cpu is a share in CPU units (1024 units equal one vCPU, so the 10 above is a small share, not a count of vCPUs) and memory is the hard limit in MiB; the task is killed if the container exceeds it.
If you want to deploy the sensor for a CI/CD environment, provide the command value as:
"command": [
"--ecs-mode",
"--cicd-deployed-sensor"
],
If you want to deploy a Registry Sensor, provide the command value as:
"command": [
"--ecs-mode",
"--registry-sensor"
],
If you want to change the log level, provide "--log-level", "<a number between 0 and 5>" as additional values in command, e.g. if you want trace logs provide:
"command": [ "--ecs-mode", "--log-level", "5"]
If you want to define the maximum size per log file and the number of archived qpa.log files to keep, provide "--log-filesize", "<digit>[K|M]" and "--log-filepurgecount", "<digit>" as additional values in command. The defaults applied via config are "--log-filesize" "10M" and "--log-filepurgecount" "5".
"--log-filesize": maximum size per log file, where "K" means kilobytes and "M" means megabytes. For example, "10K" (kilobytes), "10M" (megabytes) or "10" (bytes).
"--log-filepurgecount": number of archived log files to keep. Note that there is always a current qpa.log file in the log directory in addition to the archived ones.
"command": [ "--ecs-mode", "--log-level", "5", "--log-filesize", "5M", "--log-filepurgecount", "4"]
If you want to print logs on the console, provide "--enable-console-logs" as an additional value in command.
If you want to disable the default log generation in the qpa.log file, provide "--qlys-disable-default-logging-to-file" as an additional value in command. Pair it with "--enable-console-logs", as below, so that the logs still reach the container's console output:
"command": [ "--ecs-mode", "--enable-console-logs", "--qlys-disable-default-logging-to-file"]
If you want to disable image scans for General Sensor (supported for all Runtimes), add the "--disableImageScan" parameter:
"command": [ "--ecs-mode", "--disableImageScan"]
If you want to disable container scans for General Sensor (supported for all Runtimes), add the "--disableContainerScan" parameter:
"command": [ "--ecs-mode", "--disableContainerScan"]
"--disable-log4j-scanning" can be used to disable log4j vulnerability scanning for container images.
"command": [ "--ecs-mode", "--disable-log4j-scanning"]
"--disable-log4j-static-detection" can be used to disable log4j static detection for dynamic/static image scans.
"command": [ "--ecs-mode", "--disable-log4j-static-detection"]
If you want to optimize image scans for General Sensor, add the "--optimize-image-scans" parameter:
"command": [ "--ecs-mode", "--optimize-image-scans"]
If you want to enable secret detection for container images, add the "--perform-secret-detection" parameter. Secret detection is supported only on CI/CD and registry sensors, so combine it with "--cicd-deployed-sensor" or "--registry-sensor":
"command": [ "--ecs-mode", "--registry-sensor", "--perform-secret-detection"]
If you want to enable malware detection for container images, add the "--perform-malware-detection" parameter. Malware detection is supported only on the registry sensor, so combine it with "--registry-sensor":
"command": [ "--ecs-mode", "--registry-sensor", "--perform-malware-detection"]
Under environment specify the following:
"environment": [
{
"name": "ACTIVATIONID",
"value": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
},
{
"name": "CUSTOMERID",
"value": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
},
{
"name": "POD_URL",
"value": "<Specify POD URL>"
},
{
"name": "qualys_https_proxy",
"value": "<proxy FQDN or IP address>:<port#>"
}
]
Activation ID and Customer ID are required. Use the Activation ID and Customer ID from your subscription. Specify proxy information, or remove the qualys_https_proxy entry if not required. If you remove it, ensure that the remaining JSON is still valid; in particular, the last entry before the closing bracket must not end with a comma.
If you are not using a proxy and have removed qualys_https_proxy from environment, also remove the proxy-cert-path entries under mountPoints and volumes. If you keep the proxy, the proxy CA certificate must exist at the host sourcePath on every container instance, because the volume is a bind mount from the host. The entries to remove are:
"mountPoints": [
{
"sourceVolume": "proxy-cert-path",
"containerPath": "/etc/qualys/qpa/cert/custom-ca.crt"
}
]
"volumes": [
{
"name": "proxy-cert-path",
"host": {
"sourcePath": "/root/cert/proxy-certificate.crt"
}
}
]
Under volumes, provide the host path for persistent_volume. The path is bind-mounted from each container instance; if you specify a custom location, it is created on the instance if it does not already exist. Once you are done with the changes, save the cssensor-aws-ecs.json file.
Import the json file into Amazon ECS UI to complete the sensor deployment
On the Amazon ECS UI, under Task Definitions, click Create New Task Definition.
Select the launch type compatibility as EC2. Provide the Task Definition name, and then provide Task Role, Network Mode, and Task Execution Role, if applicable.
Scroll to the bottom of the page and select Configure via JSON. Remove any existing content and then copy-paste the entire contents of the cssensor-aws-ecs.json file.
Click Create to create the Task Definition. Once created, it should get listed under Task Definitions.
Now go to Clusters, and click the cluster name on which you want to deploy the sensor.
Under Services tab, click Create. Select the launch type as EC2. Select the Task Definition you created above and its revision, and then select a cluster. Provide the Service name, Service type as “DAEMON”, and then configure Network, Load Balancing, and Auto Scaling if applicable. Review the information, and then click Create to create the Service. Once created, it should get listed under Services. Verify that the service status is Active. In the tasks tab, verify that tasks are running on all ECS containers.
Stopping Qualys sensor on Amazon ECS Cluster
If you want to stop the Qualys container sensor on all container instances, delete the service from the Services tab. Deleting the service stops the qualys-container-sensor tasks on every instance, but it does not remove the sensor image or the data under the persistent_volume host path (by default /usr/local/qualys/sensor/data) from the AWS ECS instances.
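The console steps above (create the task definition, start it as a DAEMON service, confirm the service is Active with a task on every container instance, and delete the service to stop the sensor) can be driven through the ECS API instead. The following is an added example, not part of the Qualys guide or its tooling. It assumes boto3 is installed with credentials allowed to call ecs:RegisterTaskDefinition, ecs:CreateService, ecs:DescribeServices and ecs:DeleteService, that Task Role, Network Mode and Task Execution Role (if needed) are already set in the json file, and it uses a constructed describe_services response to show the health check offline.

```python
"""Added example: register cssensor-aws-ecs.json, run it as an EC2 DAEMON service,
check it, and stop it through the ECS API (boto3 assumed)."""
import json

# Keys this example passes to register_task_definition(). A task definition exported from
# the console also carries read-only keys (taskDefinitionArn, revision, status, ...) that
# the API rejects, so they are filtered out first.
REGISTERABLE_KEYS = {
    "family", "taskRoleArn", "executionRoleArn", "networkMode", "containerDefinitions",
    "volumes", "placementConstraints", "requiresCompatibilities", "cpu", "memory", "tags",
    "pidMode", "ipcMode", "proxyConfiguration", "ephemeralStorage", "runtimePlatform",
}


def registerable(task_def):
    """Drop keys that register_task_definition() would reject."""
    return {k: v for k, v in task_def.items() if k in REGISTERABLE_KEYS}


def service_health(describe_response, service_name="qualys-container-sensor"):
    """Decide from a describe_services() response whether the daemon sensor is fully up.

    Returns (ok, reason). ok is True only when the service is ACTIVE, scheduled as DAEMON
    and every desired task (one per container instance) is running with nothing pending.
    """
    for failure in describe_response.get("failures", []):
        return False, f"{failure.get('arn')}: {failure.get('reason')}"
    for svc in describe_response.get("services", []):
        if svc.get("serviceName") != service_name:
            continue
        if svc.get("status") != "ACTIVE":
            return False, f"status is {svc.get('status')}"
        if svc.get("schedulingStrategy") != "DAEMON":
            return False, "not a DAEMON service; some container instances would have no sensor"
        desired = svc.get("desiredCount", 0)
        running = svc.get("runningCount", 0)
        pending = svc.get("pendingCount", 0)
        if desired == 0:
            return False, "no container instances registered in the cluster"
        if pending or running != desired:
            return False, f"{running}/{desired} tasks running, {pending} pending"
        return True, f"{running} sensor tasks running on {desired} container instances"
    return False, "service not found"


def deploy_sensor(cluster, task_def_path, service_name="qualys-container-sensor", region=None):
    """Register the json file and start it as an EC2 DAEMON service; returns the task definition ARN."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    ecs = boto3.client("ecs", region_name=region)
    with open(task_def_path) as fh:
        task_def = registerable(json.load(fh))
    arn = ecs.register_task_definition(**task_def)["taskDefinition"]["taskDefinitionArn"]
    # DAEMON scheduling places exactly one sensor task on every container instance,
    # which is what the guide's "Service type DAEMON" console setting does.
    ecs.create_service(cluster=cluster, serviceName=service_name, taskDefinition=arn,
                       launchType="EC2", schedulingStrategy="DAEMON")
    return arn


def check_sensor(cluster, service_name="qualys-container-sensor", region=None):
    """API equivalent of checking the service is Active and tasks run on all instances."""
    import boto3
    ecs = boto3.client("ecs", region_name=region)
    response = ecs.describe_services(cluster=cluster, services=[service_name])
    return service_health(response, service_name)


def stop_sensor(cluster, service_name="qualys-container-sensor", region=None):
    """Equivalent of deleting the service in the console: tasks stop, the image stays."""
    import boto3
    ecs = boto3.client("ecs", region_name=region)
    # force=True lets the delete proceed while sensor tasks are still running.
    ecs.delete_service(cluster=cluster, service=service_name, force=True)


# Constructed describe_services() response (not captured from a real cluster) showing the
# healthy case: three container instances, three running sensor tasks.
SAMPLE_HEALTHY = {
    "services": [{"serviceName": "qualys-container-sensor", "status": "ACTIVE",
                  "schedulingStrategy": "DAEMON", "desiredCount": 3,
                  "runningCount": 3, "pendingCount": 0}],
    "failures": [],
}

if __name__ == "__main__":
    print(service_health(SAMPLE_HEALTHY))
```

A runningCount below desiredCount on a DAEMON service usually means an instance cannot pull the image (registry permissions) or lacks the memory reservation; the stopped task's stoppedReason in the console shows which.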
Launch Sensor without Persistent Storage
You can run the sensor without using persistent storage on the host. In this case data is not stored on the host; it is kept at /usr/local/qualys/qpa/data inside the sensor container's own filesystem, so it is lost whenever the container is replaced.
To launch sensor without persistent storage, modify the cssensor-aws-ecs.json file and provide "--sensor-without-persistent-storage" as an additional value in command.
"command": [
"--ecs-mode",
"--sensor-without-persistent-storage"
],
It is recommended to use the "--enable-console-logs" option along with "--sensor-without-persistent-storage" to preserve the logs.
Under mountPoints, remove the persistent_volume entry:
"mountPoints": [
{
"sourceVolume": "persistent_volume",
"containerPath": "/usr/local/qualys/qpa/data"
}
]
Under volumes, remove the persistent_volume entry:
"volumes": [
{
"name": "persistent_volume",
"host": {
"sourcePath": "/usr/local/qualys/sensor/data"
}
}
]