EC2 Connector Setup - AWS GovCloud 

Document created by Sean Nicholson (Employee) on Oct 14, 2019. Last modified by Robert Dell'Immagine on Oct 15, 2019. Version 5.

Summary 

This document outlines the steps necessary to set up a Qualys EC2 Connector for the AWS GovCloud account type / region. To configure a Qualys cloud connector for AWS GovCloud in AssetView or CloudView (version 1.9.0 or later for GovCloud), you first set up a base account for the GovCloud account type, then configure a cross-account trust role that carries the SecurityAudit policy.

 

Steps: 

Base Account User Configuration 

  1. If you do not see GovCloud as an account type in the connector creation window, submit a support request to have the GovCloud account type enabled for your Qualys subscription.
    Tickets can be submitted through the Qualys UI or by sending an email to support@qualys.com. If sending the request via email, include your Qualys subscription user name and subscription URL.
  2. Proceed with setup of the EC2 Connector once Qualys support has enabled the GovCloud account type for your subscription.
  3. Create a user in an AWS GovCloud account.
  4. Attach a policy to the user that grants the sts:AssumeRole permission, for example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

With "Resource": "*" the user may assume any role whose trust policy allows it; once the cross-account trust role below exists, you can narrow Resource to that role's ARN.

  5. Create an access key for the user account. You will need the access key ID and secret access key to configure the base account.

 

Qualys Base Account Configuration 

  1. Create a Qualys base account for the GovCloud account type, following the base account setup instructions in the Qualys Securing Amazon Web Services guide. Choose GovCloud as the base account type.
  2. Enter the AWS GovCloud account ID, the user's access key ID, and the user's secret access key from the user created above.
  3. Click Create.

 

Cross Account Trust Role 

  1. If not already on the connector creation screen, log into your Qualys account and navigate to AssetView, then click Connectors.
  2. Click Create EC2 Connector.
  3. Choose GovCloud as the account type.
  4. The Base Account ID should show the AWS account ID from the base account you configured above.
  5. Copy the AWS account ID and the External ID.
  6. Open a new tab and leave the browser window with the EC2 Connector creation open. If you close this window, or it times out and you have to log back in, a new External ID is generated. You will then have to either update the cross-account trust role's condition to the new External ID, or enter the External ID from the role's trust policy into the connector, so that the External ID the role requires matches the one configured for the EC2 connector.
  7. In the new window, log into the AWS GovCloud account where you will create the cross-account trust role.
  8. Navigate to IAM, then Roles.
  9. Click Create Role.
  10. Select Another AWS Account.
  11. Enter the AWS account ID used to create the base account above.
  12. Check the box for Require external ID and enter the External ID shown in the EC2 Connector creation window.
  13. Click Next: Permissions.
  14. Search for and add the SecurityAudit policy to the role.
  15. Add tags for the role per your internal tagging governance requirements.
  16. Provide a role name and, optionally, a description.
  17. Click Create Role.
  18. A CloudFormation template that includes the base account in the role trust is available to download once you click Create AWS EC2 Connector and choose the GovCloud account type from the connector type selector.

Trust policy example: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-us-gov:iam::<<Base-Account-ID>>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<<External-ID>>"
        }
      }
    }
  ]
}

Note the aws-us-gov partition in the principal ARN; a trust policy that names the commercial aws partition will not match the GovCloud base account.
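As an added check (not part of the original article and not a Qualys tool), the Python below builds the trust policy shown above from a base account ID and External ID, and audits an existing trust policy document against the values displayed in the connector window, so a regenerated External ID, a wrong partition, or a mistyped principal ARN is caught before the connector is saved. The account ID and External ID values are constructed placeholders.

```python
def build_trust_policy(base_account_id: str, external_id: str) -> dict:
    # Trust policy for the aws-us-gov partition: only the Qualys base account root
    # may assume the role, and only when it presents the connector's External ID.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws-us-gov:iam::{base_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    # IAM accepts a scalar or an array in most policy fields; normalise to a list.
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy: dict, base_account_id: str, external_id: str) -> list:
    # Audit every Allow sts:AssumeRole statement. An empty result means each grant
    # is pinned to the expected base account and to the current External ID.
    expected_principal = f"arn:aws-us-gov:iam::{base_account_id}:root"
    findings = []
    assume_role_seen = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        assume_role_seen = True
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            if p != expected_principal:  # wrong account, wrong partition, "*" or a stray space
                findings.append(f"unexpected principal {p!r}, expected {expected_principal!r}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append("no sts:ExternalId condition: the trusted account can assume the role for any caller")
        elif condition["sts:ExternalId"] != external_id:
            findings.append("sts:ExternalId does not match the connector's current External ID")
    if not assume_role_seen:
        findings.append("no Allow sts:AssumeRole statement found")
    return findings

if __name__ == "__main__":
    # Constructed placeholder values; substitute those shown in the connector window.
    policy = build_trust_policy("123456789012", "connector-external-id-placeholder")
    print(check_trust_policy(policy, "123456789012", "stale-external-id"))  # regenerated ID shows up as a finding
```

To audit a live role, fetch its trust policy with `aws iam get-role` in the GovCloud account and pass the AssumeRolePolicyDocument object to check_trust_policy.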

 

Configure the EC2 Connector for GovCloud 

  1. If not already on the connector creation screen, log into your Qualys account and navigate to AssetView, then click Connectors.
  2. Click Create EC2 Connector.
  3. Copy the Role ARN of the cross-account trust role created in the steps above.
  4. Enter the ARN of the cross-account trust role into the AWS EC2 Connector creation window and click Continue.
  5. Select the GovCloud account type.
  6. Select the Qualys modules to activate for the resources inventoried and added to your subscription.
  7. Add any tags for EC2 resources that this connector will inventory.
  8. Click Finish.