How to Deploy the Stack using AWS Console

We use AWS CloudFormation for scanning container images in AWS Fargate ECS.

Follow these deployment instructions:

1) Log into your AWS Console.

2) Go to CloudFormation, click Create Stack and select With new Resources.

3) Under Specify template, in the Amazon S3 URL field, enter the Qualys CloudFormation Template S3 URL (see URL in the Prerequisites section).
Then, click Next to continue to the template configuration.

4) Under Stack name, enter a name for the Qualys AWS Fargate scanning stack, such as 'qualys-fargate-scanning-stack'.

5) Under Qualys Global Configuration, provide environment details for your subscription, including POD URL, Activation ID, and Customer ID.

To get the Activation ID and Customer ID auto-generated for your subscription, go to Configurations > Sensors in the Qualys Enterprise TruRisk™ Platform, click Download Sensor, and then click any sensor type. The installation command on the Installation Instructions page contains your Activation ID and Customer ID.

6) Under Qualys CS Lambda function Configuration, provide Lambda S3 bucket name, key and log level. See the following link to get the bucket name and key values: Qualys CS Lambda Function S3 Bucket Names and Keys

  • QualysLambdaFunctionS3BucketName: Enter the S3 bucket name for the Qualys Lambda function.
  • QualysLambdaFunctionS3BucketKey: Enter the S3 bucket key as the name of the Qualys Lambda function - qcslambda-1.3.0-0-PUBLIC.zip.
  • QualysLambdaLogLevel: Select a log level for the Qualys Lambda function. The default value is 'info'. Keep the default value or select another log level if more verbose logging is needed.
  • QualysPodCustomerRootCertPath: Specify the custom certificate path for a Qualys Private Cloud Platform.
  • QualysInsecureSkipverify: Controls whether the Lambda function skips server certificate verification.
    true: The Lambda function skips the server certificate verification.
    false: The Lambda function verifies the server certificate.
    Valid Values: 'true' or 'false'
    Default value: false

7) Under Qualys CS Sensor Configuration, provide the following details:

  • QualysSensorImage: Enter the name of the sensor image as 'latest'.
  • QualysSensorLogLevel: Select a log level (0-5) for the Qualys sensor. The default value is 3 (Information). Keep the default value or select another log level if more logging details are needed.
  • QualysSensorCLIParameters: You can keep this field empty.

8) Click Next to continue through the workflow. On the final page, select the 'I acknowledge that AWS CloudFormation might create IAM resources' check box.

9) Click Create stack. That’s it!

Resources Created

When the stack creation is successful, several resources are created and they’ll appear in the Resources section, as shown below. In this example, the resources were created for a stack named fargate-demo.

Here’s another look at the resources created.

Logical ID                                           Type
QualysECSFargateImageScanningBuildProject            AWS::CodeBuild::Project
QualysECSFargateImageScanningInvokeLambdaPermission  AWS::Lambda::Permission
QualysECSFargateImageScanningLambda                  AWS::Lambda::Function
QualysECSFargateImageScanningLambdaRole              AWS::IAM::Role
QualysECSFargateImageScanningRule                    AWS::Events::Rule
QualysECSFargateImageScanningServiceRole             AWS::IAM::Role
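
To check a deployed stack against the table above and the parameter defaults from steps 6 and 7, the following added example (not part of the Qualys template or documentation) audits the JSON printed by 'aws cloudformation describe-stack-resources' and 'aws cloudformation describe-stacks'. The function names and the sample data are assumptions made for this example; the sample output is constructed.

```python
import json

# Logical IDs and types from the "Resources Created" table on this page.
EXPECTED = {
    "QualysECSFargateImageScanningBuildProject": "AWS::CodeBuild::Project",
    "QualysECSFargateImageScanningInvokeLambdaPermission": "AWS::Lambda::Permission",
    "QualysECSFargateImageScanningLambda": "AWS::Lambda::Function",
    "QualysECSFargateImageScanningLambdaRole": "AWS::IAM::Role",
    "QualysECSFargateImageScanningRule": "AWS::Events::Rule",
    "QualysECSFargateImageScanningServiceRole": "AWS::IAM::Role",
}
OK_STATUSES = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}

def audit_stack(resources_json, stack_json):
    """Return a list of findings; an empty list means the stack matches this page."""
    findings = []
    found = {r["LogicalResourceId"]: r
             for r in json.loads(resources_json)["StackResources"]}
    for logical_id, rtype in EXPECTED.items():
        res = found.get(logical_id)
        if res is None:
            findings.append(f"missing resource: {logical_id}")
        elif res["ResourceType"] != rtype:
            findings.append(f"{logical_id}: type {res['ResourceType']}, expected {rtype}")
        elif res["ResourceStatus"] not in OK_STATUSES:
            findings.append(f"{logical_id}: status {res['ResourceStatus']}")
    params = {p["ParameterKey"]: p.get("ParameterValue", "")
              for s in json.loads(stack_json)["Stacks"] for p in s.get("Parameters", [])}
    # Page defaults: QualysInsecureSkipverify is false, QualysSensorLogLevel is 3.
    if params.get("QualysInsecureSkipverify", "false").strip().lower() == "true":
        findings.append("QualysInsecureSkipverify=true: server certificate verification is skipped")
    level = params.get("QualysSensorLogLevel", "3")
    if level not in {"0", "1", "2", "3", "4", "5"}:
        findings.append(f"QualysSensorLogLevel={level!r} is outside 0-5")
    return findings

def sample_outputs(broken=True):
    """Constructed CLI output (not from a real account) for the demo below."""
    resources = [{"LogicalResourceId": lid, "ResourceType": rtype,
                  "ResourceStatus": "CREATE_COMPLETE"} for lid, rtype in EXPECTED.items()]
    if broken:
        resources[3]["ResourceStatus"] = "CREATE_FAILED"  # the Lambda role
    stack = {"Stacks": [{"StackName": "fargate-demo", "Parameters": [
        {"ParameterKey": "QualysInsecureSkipverify", "ParameterValue": str(broken).lower()},
        {"ParameterKey": "QualysSensorLogLevel", "ParameterValue": "3"}]}]}
    return json.dumps({"StackResources": resources}), json.dumps(stack)

if __name__ == "__main__":
    for finding in audit_stack(*sample_outputs()):
        print(finding)
```

To audit a real stack, pass the two commands' JSON output (each run with --stack-name and the name chosen in step 4) to audit_stack in place of the sample data.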