Use Case 2: Filtering DB Instances
For this QFlow, you need an AWS Resource node (accessing all RDS DB instances) and a Filter node (filtering out publicly accessible RDS DB instances).
Following are the steps to create the QFlow.
Step 1: Add Basic Details
- Log in to your Qualys Flow account.
- On the QFlows tab, go to Create QFlow and click From scratch.
- From the Editor window, click the icon to enter the basic details of the QFlow.
- Provide a QFlow Name and Description for your QFlow.
- Select Security as Category from the list.
You can select multiple categories from the list. These categories are filters you can apply while searching for a specific QFlow among the multiple QFlows available on the QFlows tab.
Step 2: Add a Triggering Method
The Trigger node is the first node in any QFlow and is set to manual trigger by default. The Trigger node defines when the QFlow executes. You need to set it to TotalCloud. For more details on nodes, refer to Knowing the Nodes.
At a later time, if you do not want to link your QFlow with the CSPM connector, you can set it to manual trigger; in this way, you can execute the QFlow manually as per your requirement.
- Click the icon to input the trigger method.
The Edit Trigger Node pop-up window is displayed.
- Click TotalCloud trigger, toggle to Active and click Save.
Step 3: Add a Resource Node
Use this node to select the resources for finding all DB instances. Set the configuration. For more details on nodes, refer to Knowing the Nodes.
To find out all DB resources, follow these steps:
- To add the Resource node, click the icon.
- On the Explore Nodes pop-up window, go to AWS Nodes and select the AWS Resource node.
The AWS Resource node is added to the Editor.
- Click the icon on the node to set up the configuration.
The Edit AWS Resource Node pop-up window is displayed.
- Select RDS as Service and DB Instances as Method from the list.
- Click Addons to select the additional resources that are linked with your resource.
Additional params act as filters that can be added to the TotalCloud API calls to narrow down the results returned. This is particularly useful if the data set is large (>100 objects).
Addons are additional API calls made to the cloud to fetch the details of resources that are related to the actual API call configured in the resource node.
For example, in the case of DB instances, security groups are linked to these DB instances as Addons. These security groups may be allowing public IPs on the databases. You can also add those security groups to the resource node to get information about these resources. Based on your selected service, addons are auto-populated.
- On the Select Addons window, select Security Groups from the list and click Apply.
Step 4: Select an AWS Account and a Region
Qualys recommends testing and verifying the QFlow with a single account and region before applying it to multiple accounts and regions. Once you are satisfied with the QFlow and its outcome, you can deploy the QFlow on multiple accounts and regions. A Load More option is provided to view all your accounts while selecting the account.
- Click Select Account to choose the account from the list and then click Apply.
- Click Select Region to choose the region from the list and then click Apply.
Step 5: Add the TotalCloud Node
Use TotalCloud node to take the output from the resource node and filter publicly available RDS DB instances. For more details on nodes, refer to Knowing the Nodes.
To find out all publicly available RDS DB resources, follow these steps:
- Click the icon placed after the resource node.
- On the Explore Nodes pop-up window, from General Nodes, select TotalCloud node.
- Click the icon on the TotalCloud Control node to set up the configuration.
- On the Edit TotalCloud Control Node pop-up window, from the list for the Data to evaluate field, select AWSResource.DBInstances.
To view all the publicly available instances, you need to apply two filter types:
- a Param filter on the PubliclyAccessible key
- a Security Group filter for inbound rules that allow access from public IPs
- From Evaluation Criteria, click Edit.
The Evaluation Criteria window is displayed to enter the details of both filters.
- Select Filter type as Param.
- Select PubliclyAccessible as Key from the list, == as Operator, and enter true as Value.
- Click Add Condition and select OR to apply the Security Group Filter Type.
- To check for any security group rule that allows access from public IPs, select Filter type as Security Group.
- Select Type as Inbound, Port Range, Source as Public IPv4, IP/SG as 0.0.0.0/0, Protocol Type as Any, Protocol as ANY and click Save.
The Edit TotalCloud Control Node window is updated with the applied filters.
- From Select Keys for evidence field, select ResourceID as DBInstanceIdentifier and DisplayName as DBName.
- From Available Keys, select PubliclyAccessible and SecurityGroups.IpPermissions then click Save.
You have now created the QFlow. It is ready for testing and running.
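As an added example, not Qualys Flow code, the Python below applies the same Param-or-Security-Group evaluation configured in this step to locally constructed records shaped like AWS RDS DescribeDBInstances and EC2 DescribeSecurityGroups output (the Addon data), and returns the evidence keys selected above. The helper names and sample values are hypothetical.

```python
# Added example: replicates the two OR-joined evaluation criteria from Step 5 on local data.
# Sample records are constructed to mirror the shape of AWS RDS DescribeDBInstances and
# EC2 DescribeSecurityGroups responses; helper names are hypothetical, not Qualys Flow APIs.
PUBLIC_IPV4 = "0.0.0.0/0"  # the IP/SG value applied in the Security Group filter


def sg_allows_public_inbound(sg):
    """Security Group filter: Inbound, Source Public IPv4 0.0.0.0/0, Protocol Any.
    Protocol Any places no restriction on IpProtocol or ports, so any inbound rule
    that lists 0.0.0.0/0 as a source matches."""
    return any(r.get("CidrIp") == PUBLIC_IPV4
               for perm in sg.get("IpPermissions", [])
               for r in perm.get("IpRanges", []))


def evaluate_db_instance(inst, sgs_by_id):
    """Return an evidence record when either filter matches, else None."""
    param_hit = inst.get("PubliclyAccessible") is True  # Param filter: PubliclyAccessible == true
    linked = [sgs_by_id[g["VpcSecurityGroupId"]]  # Addon: security groups linked to the instance
              for g in inst.get("VpcSecurityGroups", []) if g["VpcSecurityGroupId"] in sgs_by_id]
    sg_hit = any(sg_allows_public_inbound(sg) for sg in linked)
    if not (param_hit or sg_hit):  # the two conditions are joined with OR
        return None
    return {"ResourceID": inst["DBInstanceIdentifier"],  # Select Keys for evidence
            "DisplayName": inst.get("DBName"),
            "PubliclyAccessible": inst.get("PubliclyAccessible"),
            "SecurityGroups.IpPermissions": [sg.get("IpPermissions", []) for sg in linked],
            "MatchedFilters": [n for n, hit in (("Param", param_hit), ("SecurityGroup", sg_hit)) if hit]}


def find_public_db_instances(instances, security_groups):
    """Evaluate every DB instance against its linked security groups (Addon data)."""
    sgs_by_id = {sg["GroupId"]: sg for sg in security_groups}
    return [e for e in (evaluate_db_instance(i, sgs_by_id) for i in instances) if e]


# Constructed sample data (not from a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                              "IpRanges": [{"CidrIp": PUBLIC_IPV4}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "-1",
                                                  "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "db-a", "DBName": "orders", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-internal"}]},
    {"DBInstanceIdentifier": "db-b", "DBName": "billing", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open"}]},
    {"DBInstanceIdentifier": "db-c", "DBName": "hr", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-internal"}]},
]
print(find_public_db_instances(DB_INSTANCES, SECURITY_GROUPS))
```

Only db-a (Param match) and db-b (Security Group match) are reported; db-c, which is private and only reachable from 10.0.0.0/8, is not.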
Step 6: Run and Check Functionality of Nodes
It is best practice to check the functionality of individual nodes before running the QFlow. This avoids data loss if a node is not working correctly because of a configuration error.
- Click the three dots present at the top right corner of the specific node to get the Run till option for running the QFlow till that specific node.
The execution status of the QFlow is displayed. The status of the input and output of the node is displayed in green.
You can view the execution details by clicking the icon.
- Click the icon to view the execution details.
For demonstration, we have shown the Trigger node's execution history. You can download the JSON file using the icon or copy the JSON code to the clipboard using the icon.
Once you verify the functioning of your QFlow, you can save the QFlow.
Step 7: Associate your QFlow with AWS Accounts and Regions
- To save the QFlow, click Save.
- Select the AWS Accounts, Regions from the list and click Save.
Your QFlow is ready. You can now create a user-defined control in the TotalCloud application.