Practical Tips – Qualys Licenses in AWS
Now you should see the EC2 Connector you already have configured for your subscription. In our setup it is called the “PBSec EC2 Connector”. Select your connector, then click on the small down arrow to open the Quick Actions menu and select “Edit”.
Within the Edit screen, select the last option on the right-hand side, “Tags and Activation”. This configuration screen lets you automatically tag or activate the assets discovered in your AWS environment by the EC2 Connector. Although it seems like a good idea to automatically activate your assets for Qualys scanning, it does not work as intended because of the dynamic nature of AWS. If you are using any of the dynamic scaling features, you might end up with tens or hundreds of instances that are active one day and gone the next. Activating each and every discovered asset in the Qualys subscription will deplete your licenses in no time.
Go ahead and uncheck the boxes in the screen above to avoid unintended activations in the future. Now comes the fun part; going through all the assets that are already activated and deleting them from Qualys. I will admit, it is tedious and time consuming. If you are a PurpleBox Security customer, give us a call and we will do it for you.
Select the Vulnerability Management (VM) module from the module picker and then go to the Assets tab. Here you want to click on the “Host Assets” sub-tab to see a list of assets that are activated in Qualys. This does not mean that they are being scanned, but because they are activated they are consuming your available licenses.
Select the New – Remove IPs option on this screen. This opens a window that lets you select the IPs or IP address ranges you want to delete from Qualys. Of course it will warn you that deleting IPs from your Qualys subscription has permanent effects. Please make sure these IPs are absolutely the ones you want to delete before proceeding. Once you delete the IPs from Qualys, you will lose all historical scan data and configuration options associated with each IP. You can always add it back and scan it in the future, but if you have any compliance requirements that require you to demonstrate that scans took place in the past, you might have some issues.
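Because the removal is permanent, it pays to build the list of IPs to remove from data rather than by eye. The script below is an added example and not part of the original post or any Qualys or PurpleBox tooling. It assumes you have exported the Host Assets list to a CSV with an “IP” column (the CSV here is constructed sample data), that you have the output of `aws ec2 describe-instances` (the `Reservations[].Instances[]` shape with `PrivateIpAddress`, `PublicIpAddress` and `State.Name` is the real AWS CLI output; the instances below are constructed), and that you know which CIDR ranges belong to your AWS footprint (`AWS_CIDRS` is an assumed value). It only proposes stale IPs for review; it does not call the Qualys API, so nothing is removed until you do it yourself in New – Remove IPs.

```python
"""Reconcile Qualys-activated host IPs against live EC2 instances (dry run).

Added example, not code from the original post or from Qualys/PurpleBox.
Assumptions: a Qualys Host Assets CSV export with an "IP" column, the
`aws ec2 describe-instances` JSON shape, and a list of your own AWS CIDRs.
"""
import csv
import io
import ipaddress
import json

# Constructed sample: a trimmed Qualys "Host Assets" CSV export.
QUALYS_HOST_CSV = """IP,DNS,OS,Tags
10.0.1.10,web-1.internal,Amazon Linux 2,EC2
10.0.1.11,web-2.internal,Amazon Linux 2,EC2
10.0.2.50,db-1.internal,Ubuntu 20.04,EC2
203.0.113.7,bastion,Amazon Linux 2,EC2
192.168.5.5,office-scanner,Windows,OnPrem
"""

# Constructed sample: trimmed `aws ec2 describe-instances` output.
EC2_DESCRIBE_JSON = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa", "State": {"Name": "running"},
             "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "198.51.100.4"},
            {"InstanceId": "i-0bbb", "State": {"Name": "terminated"},
             "PrivateIpAddress": "10.0.1.11"},
            {"InstanceId": "i-0ccc", "State": {"Name": "running"},
             "PrivateIpAddress": "10.0.2.50"},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ddd", "State": {"Name": "running"},
             "PrivateIpAddress": "10.0.3.9", "PublicIpAddress": "203.0.113.7"},
        ]},
    ]
})

# Assumed value: the VPC CIDR and public range that belong to this AWS account.
# Activated IPs outside these ranges (e.g. on-prem hosts) are never proposed.
AWS_CIDRS = ["10.0.0.0/16", "203.0.113.0/24"]


def qualys_activated_ips(csv_text):
    """Set of IPs currently activated (and therefore licensed) in Qualys."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["IP"].strip() for row in reader if row.get("IP")}


def ec2_live_ips(describe_json, live_states=("running", "stopped")):
    """Every private and public IP of an instance in a live state.

    Stopped instances keep their private IP (and any Elastic IP) and can be
    started again, so by default they count as live rather than stale.
    """
    ips = set()
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") not in live_states:
                continue
            for key in ("PrivateIpAddress", "PublicIpAddress"):
                if inst.get(key):
                    ips.add(inst[key])
    return ips


def stale_qualys_ips(activated, live, aws_cidrs):
    """Activated IPs inside the AWS ranges that no live instance holds."""
    networks = [ipaddress.ip_network(c) for c in aws_cidrs]
    stale = set()
    for ip in activated:
        if ip in live:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in networks):
            stale.add(ip)
    return sorted(stale, key=ipaddress.ip_address)


def reconcile(csv_text=QUALYS_HOST_CSV, describe_json=EC2_DESCRIBE_JSON,
              aws_cidrs=AWS_CIDRS):
    """Return the review list of IPs that are safe candidates for removal."""
    return stale_qualys_ips(qualys_activated_ips(csv_text),
                            ec2_live_ips(describe_json), aws_cidrs)


if __name__ == "__main__":
    for ip in reconcile():
        print("candidate for New - Remove IPs:", ip)
```

In the sample data only 10.0.1.11 is proposed: its instance is terminated, 203.0.113.7 is an Elastic IP now attached to a different running instance, and 192.168.5.5 is outside the AWS ranges. Review the printed list against your change records before removing anything, since the removal also deletes the scan history the post warns about.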
Of course, there is a bigger question for those companies that have started out in AWS or are making the move to AWS: is there a better way to do vulnerability scanning and vulnerability management in AWS? Yes, there is! The best practices and mature procedures you have been using in a traditional on-prem or co-location facility do not work in an AWS environment. In those traditional environments, the number of systems and servers is relatively stable and the IP addresses do not change much. In AWS, however, the number of instances active at one time can vary from day to day, sometimes hour to hour. If you are using autoscaling to spin up new app/web servers during busy hours, do you really need to scan every one of these instances? No, you don’t.
As we said, there is a better way of doing Vulnerability and Configuration Management in the cloud. Complete the form to the right and we will be glad to arrange a no-cost discovery session to understand your environment and help you devise a better approach.