Launching Virtual Scanner Appliance on Gov or Commercial Cloud Without Access to AWS Marketplace

To secure the AWS GovCloud, you need to follow the appropriate instructions based on your Qualys platform type.

Deploying qVSA from Gov or Commercial Cloud on PCPs or SCPs Without Access to AWS Marketplace

To deploy qVSA from AWS GovCloud or commercial cloud on PCPs or SCPs without access to the AWS marketplace, perform the following steps:

Contact your Qualys Technical Account Manager (TAM) or Qualys Support to request access to the following:
1. GovCloud Feature
2. Qualys Virtual Scanner Appliance AMI
Make sure to include your AWS Account ID, as access to the AMI is granted by Qualys Support for specific Account IDs.
Once your request is approved, Qualys Support will send you an email with the access information.
Create a Qualys Virtual Scanner Instance using the qVSA AMI, which will now be available in the My AMIs section of the Create Instance wizard. If you need to search for it, use the keyword qVSA to locate the Qualys scanner.
Configure the Virtual Scanner Instance as outlined in the provided documentation.

To Launch Custom AMI from AWS Console

To launch from a custom AMI that has been shared with your AWS account:

Log in to your AWS console.
Go to Images - AMI – Private Images.
Enter qVSA in the search box.
Check all Qualys virtual scanner images shared with your account:
Launch the virtual scanner AMI in a region.

Use the wizard to enter AMI settings. Qualys now also supports the V2(token required) version. In the Advanced Details section, select the Metadata version accordingly.

In the User data field, you must enter the personalization code obtained from Qualys. In addition, you can configure other optional parameters.

Configuration Parameters in User Data

The following table includes the complete list of configurable parameters in user data.

Parameter	Description	Format/Example	Required
PERSCODE	Personalization code obtained from Qualys.	PERSCODE=12345678901234	Required
PROXY_URL	Proxy server details. Used when the scanner does not have direct connectivity to the Qualys Enterprise TruRisk™ Platform.	PROXY_URL=username:password@proxyhost:port Example: PROXY_URL=jdoe:[email protected]:3128	Optional
DNS_SERVERS	Specify up to two custom DNS servers on the scanner, separated by a comma. When configured, these DNS servers will be added at the top of the /etc/resolv.conf file. If the scanner is also configured with a DHCP lease, the DNS servers provided by the DHCP lease will be added below the custom entries.	DNS_SERVERS=dns1.example.com,dns2.example.com Example: DNS_SERVERS=8.8.8.8,8.8.4.4	Optional

Parameter

Description

Format/Example

Required

PERSCODE

Personalization code obtained from Qualys.

PERSCODE=12345678901234

Required

PROXY_URL

Proxy server details. Used when the scanner does not have direct connectivity to the Qualys Enterprise TruRisk™ Platform.

PROXY_URL=username:password@proxyhost:port

Example: PROXY_URL=jdoe:[email protected]:3128

Optional

DNS_SERVERS

Specify up to two custom DNS servers on the scanner, separated by a comma.

When configured, these DNS servers will be added at the top of the /etc/resolv.conf file. If the scanner is also configured with a DHCP lease, the DNS servers provided by the DHCP lease will be added below the custom entries.

DNS_SERVERS=dns1.example.com,dns2.example.com

Example: DNS_SERVERS=8.8.8.8,8.8.4.4

Optional

If you use a proxy server, ensure that you configure the Amazon EC2 API Proxy server settings in Qualys UI.
For more information, refer to Define Amazon EC2 API Proxy settings in Qualys UI.

Virtual Appliance Connecting to Qualys Enterprise TruRisk™ Platform

Once launched, the Virtual Appliance connects to the Qualys Enterprise TruRisk™ Platform. This step registers the Virtual Scanner Appliance with your Qualys account. Your appliance also downloads all the latest software updates immediately and is ready for scanning.

Last updated: October, 2025