Practical Tips – Running Qualys Scanner in AWS
Automatically Start and Stop your Qualys Scanner Appliance Instance in Amazon Web Services (AWS)
More and more enterprises of all sizes are starting to utilize to cloud services not only for development and DR functions but also for their Production systems. AWS is one of the cloud providers for IaaS services where we see our customers running their servers, databases and applications.
Although AWS is very easy to get started and the individual instance per hour costs are very low, over time the costs can add up quickly if you are not careful. A good practice is always run your instances only when you need them to minis costs. One of the instances you need to run within AWS is the Qualys Scanner Appliance if you want to perform Vulnerability Scans on your servers in the AWS. And since you typically do not run scans 24×7, it makes sense to start the Qualys appliance only when needed and stop it when the scan job is finished.
A simple cost calculation shows that this can result in $54.64 savings per month (that is $655.68 per year!!!!). This is only one appliances. If you are running multiple appliances due to your scanning needs, the savings are even higher. Below is one way to automate the process to start and stop the Qualys Appliance using cron jobs.
- You need to have a Qualys Vulnerability Manager (VM) subscription enabled for AWS scanning.
- You need to have a Qualys Virtual Scanner installed and configured in your AWS subscription (EC2 or VPC).
- You need to have a Linux box (Amazon Linux preferred) that is up and running 24×7 in your subscription (this can be a free-tier eligible server or a server that you already run for some other function in your AWS environment).
Step 1 – Create an AWS Identity and Access Management (IAM) Policy with the necessary access rights:
- On your IAM Dashboard click on Policies -> Get Started.
- Click on “Create Policy” and choose the “Create your own Policy” option.
- Complete the Policy details using the screen below as a guide.
This policy will allow the actions listed (start instance, stop instance, associate elastic IP) on all resources in your subscription. Unfortunately there is no way to limit this access to a specific instance (i.e. your Qualys scanner appliance instance) at this time. The “AssociateAddress” action does not support resource-level permissions. We are monitoring the AWS API news and will update this document once it is supported. The “StartInstances” and “StopInstances” actions already support this.
Step. 2 – Create a Role in AWS IAM:
Although you can use an administrative account for this purpose, the recommended and more secure way is to use the AWS Roles function. This way, you do not have to copy and paste your account login credentials on to the Linux server. To create a new role for this purpose:
- On your IAM Dashboard click on Roles -> Create New Role.
- Enter a role name and click Next. In our AWS account, we used the name “ScannerAdmin”.
- In the “Select Role Type” screen, click on the Select button next to the “Amazon EC2” role type. Since our main purpose is to start and stop instances, this will provide us a list of available policies to select in the next screen.
- In the “Attach Policy” screen, select the “Start_and_Stop_Instances” policy we created in the previous step and click next.
- Review your settings and click on “Create Role” to finish this step.
Step 3 – Prepare your AWS Linux server that will run the scripts:
In this scenario, we are using a free-tier AWS Amazon Linux AMI image that will be running 24×7. This server will be used to run the cron scripts to start and stop the Qualys virtual scanner appliance instance on the schedule we want. We will assume that you do not have a server like this running already in your environment and start with a brand new instance.
- In your AWS console, go to the EC2 service
- Click on Instances and the “Launch New Instance”
- Click select next to the Amazon Linux AMI that is eligible for free tier. Another benefit of the Amazon Linux is that it includes all necessary tools already installed such as the AWS Command Line Interface (CLI) tools.
- Select the default option General Purpose t2.micro instance type and click on “Next: Configure Instance Details”.
- In this screen we will be selection some important instance configuration options. Select the network options based on your environment. In our case:
- We will put it in our production VPC (PRPLBX) and in a subnet that has access to the internet.
- We will also give it a Public IP so we can access it over SSH.
- And we will select the “ScannerAdmin” IAM role we created earlier.
- Click Next to review the Storage options. You can leave the default settings here and click on “Next: Tag Instance”
- We will give it a name and BU tags for tracking purposes. and click on “Next: Configure Security Group”.
- In our environment we have a default DMZ policy that we will use for this instance. Our DMZ enables inbound HTTP/HTTPS access from everywhere. And inbound SSH policy from our offices only.
- In the last step, review your settings and click on “Launch” and select a key-pair you use for accessing your instances in AWS.
- Now you can go back to your AWS console and verify that your new Amazon Linux server is up and running. Once you confirm the Instance State is “Running” and Status Checks is “2/2 checks passed”, connect to your Amazon Linux image with ssh on a terminal screen. The command should be similar to:
host:~ user$ ssh firstname.lastname@example.org -i .ssh/keyfile.pem
Replace the “keyfile.pem” with the name of the private key file and replace the “xx.xx.xx.xx” with the public IP address of your host. You can find this in EC2 Dashboard –> Instances –> Select your instance and check the Public IP field.
- First some housekeeping items for new instances:
- assume root (sudo su)
- install any updates (yum update -y)
- verify the AWS CLI is installed and running correctly.
- By default the Amazon EC2 Command Line Interface Tools are installed in the Amazon Linux image. To verify that your installation has CLI tools installed and working correctly, follow the steps at this link:
- Create two script files, similar to the figure below using your favorite text editor:
- Test that your scripts are working by running them and then checking the status of your instances from the EC2 Dashboard –> Instances
Step 4 – Use cron to automate the running of start and stop scripts
- Now that your start and stop scripts are ready, the last step is to configure cron to automate the process. There are many different ways doing this but the way described here is one of the more straightforward ways that works.
- Use “crontab –l” command to list any current cron jobs scheduled. Then use “crontab – e” to open the cron table in the vi editor add the entries necessary to run the start and stop scripts on defined schedule. See below an example setup.
This cron table will run every Saturday the start instance script at midnight 00:01 and run the stop instance script at 23:59 (11:59PM). This means your scanner appliances will be up and running for about 23 hours and 58 minutes, which should be a good window to complete your scans. Of course, you can adjust this schedule based on your scan windows.
*** Troubleshooting Tip *** Make sure you synch the times when your scanner appliance is scheduled to turn on/off and when your scans are scheduled to run. The cron function uses the UTC but your Qualys scan schedule settings will use the local timezone you configured (i.e. US East). If your scans are running successfully when you do a manual ad-hoc scan but they error out if you schedule them, first check the scan schedule times and the corn job times to make sure you appliance is up and running at the scheduled scan time.