The following is a list of commonly asked questions about EC2 scanning. If there's more to be added, please leave a comment:
1. I don't see the EC2 Scan option.
A. Please contact your Technical Account Manager to get the EC2 Scan option enabled.
2. Do I need a scanner to scan EC2 instances?
A. EC2 instances can be scanned using a scanner appliance or by deploying Qualys Cloud Agents.
3. Can all EC2 instance types be scanned with a scanner appliance?
A. Yes, all instance types can be scanned with a scanner appliance; however, the Qualys EC2 Scan workflow excludes the instance sizes t1.micro, t2.nano and m1.small by default, because these instance types have very limited resources. It is recommended to use Qualys Cloud Agents installed on these instance types for VM/PC scanning. If you wish to scan these instance types with a scanner appliance, refer to the VM API documentation on how to enable scanning of these instance types in your scans. This is per the AWS Acceptable Use Policy: https://aws.amazon.com/security/penetration-testing/
4. How do I scan instances that can't be scanned with a scanner appliance?
A. These instances can be scanned by deploying the Qualys Cloud Agent.
5. Why should I use the Qualys Pre-Authorized scanner?
A. The Qualys Pre-Authorized scanners are approved by AWS, so you do not need to submit a penetration testing form when using them. Pre-Authorized scanners do not support IP address based scanning. Scan targets are identified by the AssetView EC2 Connectors, which query instance metadata directly from the AWS API endpoints; that metadata is what determines which targets to scan. EC2 scan jobs can be set up to scan by tag or by instance ID.
6. Can I scan using Qualys External scanners?
A. Yes, after submitting a penetration testing form to AWS.
7. Where can I find the AWS penetration testing form?
A. See the AWS penetration testing page: https://aws.amazon.com/security/penetration-testing/
8. Why do I need to configure an EC2 connector?
A. The EC2 connector allows Qualys to discover the assets in your AWS infrastructure and inventory the instances' metadata. This metadata is used to identify the scan targets in the users defined scan scope.
9. Why do I need to upgrade my connector?
A. EC2 connectors created before the second half of 2018 used AWS access key / secret access key pairs. After upgrading, your connectors use a cross-account IAM role, allowing Qualys to enumerate your EC2 instances without you sharing long-lived AWS credentials. If you still need to use your own AWS credentials, you can configure a base account for use with your cross-account role trust connector configuration.
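The cross-account role the upgraded connector uses is only as safe as its trust policy. The following is an added example, not Qualys-supplied code: it builds the trust policy you would attach to the role and checks a policy for the two mistakes that matter (a wildcard principal, and a missing sts:ExternalId condition, which is what prevents a third party from tricking the connector's account into assuming your role). The trusted account ID and external ID are placeholders; use the values the connector wizard shows you.

```python
"""Build and sanity-check the cross-account IAM role trust policy an EC2
connector relies on. Example added to this FAQ, not Qualys code.
The account ID and external ID below are made-up placeholders."""
import json

TRUSTED_ACCOUNT_ID = "123456789012"   # placeholder: the account ID shown in the connector wizard
EXTERNAL_ID = "a1b2c3d4-example"      # placeholder: the external ID the connector generates


def build_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy allowing exactly one account to assume the role, and only
    when it presents the expected ExternalId (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def policy_json(policy: dict) -> str:
    """Serialize for `aws iam create-role --assume-role-policy-document`."""
    return json.dumps(policy, indent=2)


def trust_policy_findings(policy: dict) -> list:
    """Return a list of problems found in a trust policy; empty means OK."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant AssumeRole, irrelevant here
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principal, str):
            aws_principal = [aws_principal]
        if principal == "*" or "*" in aws_principal:
            findings.append("role assumable by any AWS principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(policy_json(policy))
    print("findings:", trust_policy_findings(policy))
```

The permissions policy attached to the same role should stay read-only (the connector only needs to describe instances and related metadata); the trust policy above is what limits who may use those permissions.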
10. Can I have multiple connectors for the same AWS account?
A. No. You can now create only one connector per unique AWS account. If you have multiple connectors for the same AWS account, you must retain one and delete the others.
11. Why should I enable automatic activation of assets?
A. Automatic activation ensures that all discovered EC2 instances are available for scanning within the VM and/or PC modules.
12. How do I manually activate assets?
A. If automatic activation is not enabled, assets can be manually activated from AssetView. Select required assets, click on Actions > Activate.
13. Why should I include a tag in the EC2 connector?
A. Applying tags to discovered EC2 instances allows you to categorize inventoried assets with tags specific to the connector. Additional tags can be created using the AssetView Tag rule "Cloud Asset Search" to create tags based on provider metadata specific queries.
14. Can I tag the discovered instances later?
A. Yes, instances can be tagged later from AssetView using dynamic or static tag engine rules.
15. Why does AssetView show more assets than Host Assets?
A. AssetView shows all assets that have been discovered by the EC2 Connector. Not all discovered assets may have been activated (in other words, added to the subscription), which results in AssetView showing more assets than Host Assets.
16. How do I search and remove terminated instances from AssetView?
A. Use the query aws.ec2.instanceState:"TERMINATED" to search for terminated instances. To remove these, please open a case with Qualys Support.
17. I have automatic activation of assets turned on, but I don't see hosts getting added to Host Assets?
A. Verify that the New Data Security Model has been accepted.
18. How do I enter the scanner personalization code?
A. When launching a scanner in AWS, the personalization code must be added to User Data on Step 3 - Configure Instance Details.
19. How do I enter proxy details for the scanner?
A. The proxy details can be added to User Data on Step 3 - Configure Instance Details.
20. Can I scan EC2-Classic Instances?
A. Yes, both EC2-Classic and EC2-VPC instances can be scanned.
21. Can the scanner and target be in different VPC's?
A. Yes, but the VPCs must be peered or you must have a transit VPC configured. To scan targets in other VPCs, the target's private/internal IP address must be routable from the scanner.
22. With the scanner in EC2-VPC, can I scan EC2-Classic instances?
A. Yes. Use EC2 Classic Link to allow the scanner in EC2-VPC to communicate with EC2-Classic instances.
EC2 Classic Link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-classiclink.html
23. How do I verify that the scanner can reach the Qualys SOC?
A. The scanner does not have a console, so you can't log in to the scanner and test connectivity. Instead, launch an EC2 instance in the same subnet as the scanner, with the same settings (such as security group). Log in to this instance and test connectivity to the Qualys SOC.
24. How should I configure the security group to allow the scanner to reach the Qualys SOC?
A. Security groups by default allow all outbound traffic. If you need to tighten the rules, allow only TCP 443 outbound towards the Qualys SOC IPs. Security groups are stateful, so the return inbound traffic is allowed automatically.
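Because the scanner cannot be logged into, it is worth auditing the security group before launch rather than after. The following is an added example, not Qualys code: it takes a security group record in the shape returned by `aws ec2 describe-security-groups` (constructed inline here) and reports whether TCP 443 to the SOC ranges is permitted and which egress rules are wider than that. The SOC CIDR is a placeholder; use the SOC addresses Qualys publishes for your platform.

```python
"""Audit a scanner security group's egress against the Q24 recommendation:
TCP 443 outbound to the Qualys SOC, and nothing wider. Added example, not
Qualys code. SOC_CIDRS is a placeholder; the SG records are constructed to
match the `aws ec2 describe-security-groups` JSON shape."""
import ipaddress

SOC_CIDRS = ["203.0.113.0/24"]  # placeholder: substitute the published Qualys SOC ranges

SG_DEFAULT = {  # constructed: AWS default egress rule, allow everything
    "GroupId": "sg-0default",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

SG_TIGHT = {  # constructed: only TCP 443 to the SOC range
    "GroupId": "sg-0tight",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}


def rule_allows(rule: dict, proto: str, port: int, dest_cidr: str) -> bool:
    """True if one egress rule covers proto/port towards the whole dest_cidr."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    dest = ipaddress.ip_network(dest_cidr, strict=False)
    return any(dest.subnet_of(ipaddress.ip_network(r["CidrIp"], strict=False))
               for r in rule.get("IpRanges", []))


def describe(rule: dict, cidr: str) -> str:
    if rule["IpProtocol"] == "-1":
        return f"all protocols to {cidr}"
    return f"{rule['IpProtocol']}/{rule.get('FromPort')}-{rule.get('ToPort')} to {cidr}"


def audit_egress(sg: dict, soc_cidrs=SOC_CIDRS) -> dict:
    """Return whether the SOC is reachable on TCP 443 and which egress rules
    permit more than TCP 443 to the SOC ranges (IPv4 ranges only)."""
    egress = sg.get("IpPermissionsEgress", [])
    reachable = all(any(rule_allows(r, "tcp", 443, c) for r in egress) for c in soc_cidrs)
    soc_nets = [ipaddress.ip_network(c, strict=False) for c in soc_cidrs]
    broad = []
    for r in egress:
        wide_proto = r["IpProtocol"] != "tcp" or (r.get("FromPort"), r.get("ToPort")) != (443, 443)
        for ipr in r.get("IpRanges", []):
            net = ipaddress.ip_network(ipr["CidrIp"], strict=False)
            wide_dest = not any(net.subnet_of(s) for s in soc_nets)
            if wide_proto or wide_dest:
                broad.append(describe(r, ipr["CidrIp"]))
    return {"soc_reachable": reachable, "overly_broad": broad}


if __name__ == "__main__":
    for sg in (SG_DEFAULT, SG_TIGHT):
        print(sg["GroupId"], audit_egress(sg))
```

A security group that passes this check can still be blocked by a NACL or a missing route (Q29); this only rules out the security group itself.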
25. How can I automate the installation of Qualys Cloud Agents on all new EC2 instances?
A. Install the Cloud Agent on an EC2 instance and convert it to an AMI. Using this AMI to launch new instances will automatically deploy Cloud Agents. For more information, refer to the Cloud Agent Whitepaper. A copy of the Cloud Agent Whitepaper can be obtained from your Technical Account Manager.
26. How can I search for EC2-VPC and EC2-Classic Instances?
A. Use these AssetView queries:
For EC2-VPC assets - provider:"AWS" and aws.ec2.vpcId:*
For EC2-Classic assets - provider:"AWS" and not aws.ec2.vpcId:*
27. How often does the EC2 Connector synchronize?
A. 240 minutes. It is possible to run a manual sync as well.
28. What do the colors in the Asset Count column mean?
A. The Asset Count column shows the assets discovered and synchronized in the latest EC2 connector run.
The green portion represents assets synchronized. Synchronized count represents assets that are successfully processed at Qualys.
The blue portion represents assets which are synchronized but excluded from VM/PC/SCA activation. Excluded assets could be terminated instances or m1.small, t1.micro or t2.nano instances which cannot be scanned per AWS Acceptable Use Guidance for scanning.
AWS Acceptable Use Policy: https://aws.amazon.com/security/penetration-testing/
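The exclusions in Q3, Q26 and Q28 amount to a small classification of the connector's inventory. The following is an added example, not Qualys code: it runs that classification over constructed records shaped like the aws.ec2.* metadata AssetView exposes (instanceId, instanceType, instanceState, vpcId), splitting instances into appliance-scannable, Cloud-Agent-only and excluded, with an EC2-Classic test equivalent to the `not aws.ec2.vpcId:*` query. The records themselves are made up.

```python
"""Classify discovered EC2 instances the way the connector's activation rules
do. Added example, not Qualys code; SAMPLE_INVENTORY is constructed."""

# Instance sizes the EC2 Scan workflow excludes from appliance scanning by default (Q3, Q28).
SMALL_TYPES = {"t1.micro", "t2.nano", "m1.small"}

SAMPLE_INVENTORY = [  # constructed records, shaped like AssetView's aws.ec2.* fields
    {"instanceId": "i-0aaa111", "instanceType": "m5.large", "instanceState": "RUNNING",
     "vpcId": "vpc-1", "privateIpAddress": "10.0.1.10"},
    {"instanceId": "i-0bbb222", "instanceType": "t2.nano", "instanceState": "RUNNING",
     "vpcId": "vpc-1", "privateIpAddress": "10.0.1.11"},
    {"instanceId": "i-0ccc333", "instanceType": "m1.small", "instanceState": "RUNNING",
     "vpcId": None, "privateIpAddress": "10.250.3.4"},          # EC2-Classic: no vpcId
    {"instanceId": "i-0ddd444", "instanceType": "c5.xlarge", "instanceState": "TERMINATED",
     "vpcId": "vpc-2", "privateIpAddress": None},
    {"instanceId": "i-0eee555", "instanceType": "t3.micro", "instanceState": "STOPPED",
     "vpcId": "vpc-2", "privateIpAddress": "10.0.2.20"},       # stopped is not terminated
]


def is_ec2_classic(rec: dict) -> bool:
    """Mirror of the AssetView query `provider:"AWS" and not aws.ec2.vpcId:*`."""
    return not rec.get("vpcId")


def classify(inventory, allow_small_types: bool = False) -> dict:
    """Bucket instances: appliance-scannable, agent-only, or excluded.
    allow_small_types=True models enabling the small sizes via the VM API (Q3)."""
    buckets = {"appliance": [], "agent_only": [], "excluded": []}
    for rec in inventory:
        iid = rec["instanceId"]
        if rec["instanceState"] == "TERMINATED":
            buckets["excluded"].append(iid)
        elif rec["instanceType"] in SMALL_TYPES and not allow_small_types:
            buckets["agent_only"].append(iid)
        else:
            buckets["appliance"].append(iid)
    return buckets


def asset_count_bar(inventory, allow_small_types: bool = False) -> dict:
    """The two numbers behind the Asset Count column (Q28): everything synced
    (green) and the subset excluded from VM/PC/SCA activation (blue)."""
    b = classify(inventory, allow_small_types)
    return {
        "synchronized": len(inventory),
        "excluded_from_activation": len(b["excluded"]) + len(b["agent_only"]),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_INVENTORY))
    print("classic:", [r["instanceId"] for r in SAMPLE_INVENTORY if is_ec2_classic(r)])
    print(asset_count_bar(SAMPLE_INVENTORY))
```

The stopped instance lands in the appliance bucket on purpose: activation is about whether the asset is in the subscription, not whether a scan would succeed right now.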
29. What if the scanner is deployed correctly but still can't reach the Qualys SOC?
A. Other configuration such as security groups, NACLs and route tables may prevent the scanner from reaching the Qualys SOC. Check each of them along the path from the scanner's subnet to the internet.
30. How do I scan assets in AWS GovCloud?
A. Create a new EC2 Connector and select the GovCloud option.
31. How are EC2 instances tracked within Qualys?
A. EC2 instances are tracked using their EC2 instance-id.
32. Can I clone or use a snapshot of an existing scanner?
A. No, this is strictly prohibited and doing so will result in failed scans.
33. I'm a Qualys PCP customer. Can I use the same scanner AMI?
A. No. Please contact your Qualys Technical Account Manager or Qualys Support to generate a scanner AMI.
34. What permissions do I need in order to perform EC2 scans?
A. You need Manager or Unit Manager permissions to perform EC2 scans.