Code 999 while creating EC2 scan

Question asked by Maxim Budyonny on Dec 12, 2018
Latest reply on Feb 28, 2019 by Michael Simoni

Dear All,

I'm trying to create an automated EC2 scan.  

My workflow:

  • create the to-be-scanned stack in Amazon
  • create Virtual Scan Appliance (VSA) in Qualys
  • create VSA in the Amazon and wait until VSA status becomes Online
  • establish VPC peering between the VSA VPC and the to-be-scanned VPC
  • get the instance list from Amazon (list of instances to be scanned)
  • Re-run EC2 connector and wait until FINISHED_SUCCESS
  • create scan by placing HTTP POST request to the API_URL/api/2.0/fo/scan/

additional request parameters: 

  • action = launch
  • iscanner_name = AWS-Scanner
  • ec2_endpoint = VPC ID (the VPC of the to-be-scanned stack)
  • option_title = AWS-Profile1
  • connector_name = AWS-Connector1
  • scan_title = Test-AWS-Scan
  • ec2_instance_ids = i-01d4143f9194b77b6,i-0dc96036121e08081,i-0dff0c8d78d972756

But I got this reply:

<?xml version="1.0" encoding="UTF-8" ?>
<TEXT>Following ec2_instance_ids doesn't belong to the provided EC2 environment: i-01d4143f9194b77b6,i-0dc96036121e08081,i-0dff0c8d78d972756</TEXT>

After replacing the "suspicious" instance IDs

ec2_instance_ids = i-01d4143f9194b77b6,i-0dc96036121e08081,i-0dff0c8d78d972756.

The struck-through IDs were removed from the request, and on re-running the request I got

<?xml version="1.0" encoding="UTF-8" ?>
<TEXT>You do not have permission to scan following ec2 instances: i-0dff0c8d78d972756</TEXT>

What am I doing wrong?

How can I increase the debug level/verbosity/etc. to get a clearer reply from Qualys?
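As an added example (not code from the original post or from Qualys), the snippet below builds the scan-launch request described in the workflow and classifies the XML replies quoted above, so an automation loop can tell "instance not in the connector's EC2 environment" apart from "no permission to scan" and drop only the rejected IDs instead of retrying the same request. The base URL, credentials and VPC ID are placeholders; the `X-Requested-With` header requirement and the `SIMPLE_RETURN`/`ITEM_LIST` success envelope are assumptions about the Qualys API v2 response format, not something the post shows; the two error bodies are copied from the post and the success body is constructed.

```python
"""Build the Qualys API v2 scan-launch request from the post and classify its reply.

Added example; assumptions (not from the post): placeholder API URL and
credentials, the X-Requested-With header, and the SIMPLE_RETURN success shape.
"""
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# EC2 instance IDs are "i-" followed by 8 (legacy) or 17 hex characters.
INSTANCE_ID_RE = re.compile(r"\bi-[0-9a-f]{8,17}\b")

# Error bodies exactly as quoted in the post.
REPLY_NOT_IN_ENV = (
    '<?xml version="1.0" encoding="UTF-8" ?>'
    "<TEXT>Following ec2_instance_ids doesn't belong to the provided EC2 environment: "
    "i-01d4143f9194b77b6,i-0dc96036121e08081,i-0dff0c8d78d972756</TEXT>"
)
REPLY_NO_PERMISSION = (
    '<?xml version="1.0" encoding="UTF-8" ?>'
    "<TEXT>You do not have permission to scan following ec2 instances: i-0dff0c8d78d972756</TEXT>"
)
# Constructed success body; the SIMPLE_RETURN layout is an assumption about the API.
REPLY_SUCCESS_SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8" ?>'
    "<SIMPLE_RETURN><RESPONSE><TEXT>New vm scan launched</TEXT><ITEM_LIST>"
    "<ITEM><KEY>ID</KEY><VALUE>1234</VALUE></ITEM>"
    "<ITEM><KEY>REFERENCE</KEY><VALUE>scan/placeholder</VALUE></ITEM>"
    "</ITEM_LIST></RESPONSE></SIMPLE_RETURN>"
)


def build_launch_params(vpc_id, instance_ids, scanner="AWS-Scanner",
                        option_title="AWS-Profile1", connector="AWS-Connector1",
                        scan_title="Test-AWS-Scan"):
    """Form parameters for POST {API_URL}/api/2.0/fo/scan/, as listed in the post."""
    return {
        "action": "launch",
        "iscanner_name": scanner,
        "ec2_endpoint": vpc_id,
        "option_title": option_title,
        "connector_name": connector,
        "scan_title": scan_title,
        "ec2_instance_ids": ",".join(instance_ids),
    }


def parse_scan_reply(xml_text):
    """Turn a reply body into {"status", "reason", "instance_ids", "text", "items"}.

    A bare <TEXT> root is the failure shape quoted in the post; anything else is
    treated as a SIMPLE_RETURN success envelope (assumed) and its ITEMs are collected.
    """
    root = ET.fromstring(xml_text)
    if root.tag == "TEXT":
        text = (root.text or "").strip()
        ids = INSTANCE_ID_RE.findall(text)
        if "belong to the provided EC2 environment" in text:
            reason = "not_in_environment"   # connector has not discovered these IDs
        elif "do not have permission" in text:
            reason = "no_permission"        # user/role lacks scan rights on the asset
        else:
            reason = "other"
        return {"status": "error", "reason": reason, "instance_ids": ids, "text": text, "items": {}}
    text = (root.findtext(".//TEXT") or "").strip()
    items = {item.findtext("KEY"): item.findtext("VALUE") for item in root.iter("ITEM")}
    return {"status": "ok", "reason": None, "instance_ids": [], "text": text, "items": items}


def remaining_after_rejection(instance_ids, reply):
    """IDs still worth submitting after a rejection, so a retry loop narrows the set."""
    if reply["status"] != "error":
        return list(instance_ids)
    rejected = set(reply["instance_ids"])
    return [i for i in instance_ids if i not in rejected]


def send_launch(api_url, username, password, params):
    """POST the launch request and return the raw XML body (network call, not run here)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{api_url}/api/2.0/fo/scan/",
        data=urlencode(params).encode(),
        headers={"Authorization": f"Basic {token}",
                 "X-Requested-With": "example-script"},  # assumed Qualys API v2 requirement
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    wanted = ["i-01d4143f9194b77b6", "i-0dc96036121e08081", "i-0dff0c8d78d972756"]
    print(build_launch_params("vpc-PLACEHOLDER", wanted))
    for body in (REPLY_NOT_IN_ENV, REPLY_NO_PERMISSION, REPLY_SUCCESS_SAMPLE):
        reply = parse_scan_reply(body)
        print(reply["status"], reply["reason"], reply["instance_ids"], reply["items"])
        print("  would retry with:", remaining_after_rejection(wanted, reply))
```

The classification is string matching on the reply text because the bare `<TEXT>` body carries no error code, which is also why the reply is so terse; keeping the two reasons separate matters because the first points at the connector's inventory (the ID set the connector last synced) while the second points at the scanning user's asset permissions, and the two are fixed in different places.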
