Welcome to our three-part blog series where we discuss Docker Technology, Docker Security best practices, and Docker Vulnerability Tools. In Part 1 and Part 2, we explored these topics in detail. In Part 3, we will delve into how to deploy Qualys Container Sensor in AWS ECS Cluster.

By following this step-by-step guide, you will be able to deploy the sensor and gain access to all the details in the Qualys Container Security module.

So, sit tight and buckle up as we take you on a journey through the world of Docker and Container Security.

Docker Security

Index

Part 1: Introduction to Docker, Security Best Practices, and Scans

  1. Docker Technology: An Overview
  2. Docker Security: A Tricky Way
  3. Docker Security Best Practices
  4. Docker-Vulnerability Scan (Docker Bench for Security, AWS ECR, Trivy Overview)

Part 2: Docker Vulnerability Scanning

  1. Docker Vulnerability Scan Overview & Importance
  2. Docker Vulnerability Scan Tools in Detail
    1. Docker Bench for Security
    2. Dive
    3. Inspec
    4. AWS ECR
    5. Trivy

Deploying sensor in AWS ECS Cluster

To start, download and prepare the Container Security sensor package in Qualys:

1. Log in to Qualys

Log in to Qualys, go to Container Security and select the Configurations tab.

2. Download QualysContainerSensor.tar.xz

From the Qualys Cloud Platform, download the General (Host) sensor package, QualysContainerSensor.tar.xz, to a workstation that has Docker and the AWS CLI installed.


3. Contents of the sensor package

The downloaded archive contains the sensor Docker image as a tar file, the install script and the cssensor-aws-ecs.json task definition used in step 6. The sensor image is pre-configured to connect to the Qualys Cloud Platform.

Prerequisites: an AWS ECS cluster with EC2 container instances must be up and running. The sensor does not run on Fargate because it needs access to the host's Docker engine.

4. Sensor package operations

Untar the sensor package: tar -xvf QualysContainerSensor.tar.xz


5. Push the Qualys sensor image to an AWS ECR repository

Use the following commands to push the Qualys sensor image to your ECR repository. The ECS container instances pull the image from there, so the instance IAM role (or the task execution role, if you set one) needs ECR pull permissions; the AWS-managed AmazonEC2ContainerServiceforEC2Role policy includes them.

5.1. Load the image into the local Docker daemon

Run docker load -i on the image tar file extracted in step 4. docker load prints the name and tag of the loaded image; you will need that reference when tagging in step 5.4.

5.2. Go to the AWS account and create ECR Repository


5.3. Authenticate Docker to AWS ECR

Obtain a temporary registry token with the AWS CLI and pass it to docker login on stdin. The user name for ECR is literally AWS, and the token is valid for 12 hours. For example:

aws ecr get-login-password --region us-east-1 --profile xxxxxxx | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com


5.4. Tag the image

If the login succeeds, tag the loaded image with the full ECR repository path. The source is the image name and tag reported by docker load (or docker images). For example:

docker tag <local-sensor-image>:<tag> xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxxx-qualys-sensor:latest


5.5 Push the image to ECR

docker push xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxxx-qualys-sensor:latest


Note: Do not use the examples as they are. Replace the account ID, region, profile and repository name with your own. The image reference you push here is the one you will put into the task definition in step 6.

6. Modifying the cssensor AWS ECS JSON file

6.1 Modify the cssensor-aws-ecs.json file

Modify the cssensor-aws-ecs.json file (extracted from QualysContainerSensor.tar.xz) to provide values for the following parameters. For the JSON file to remain valid, do not remove or comment out any section other than the proxy entries described in 6.4.

Note that you can download the JSON file directly from here.

Activation ID and Customer ID are required. You can find your Activation ID and Customer ID in your Qualys subscription:


Modify with your Image information, ActivationID, and CustomerID:


6.2 Replace the image attribute

Set the image attribute to exactly the reference you pushed in step 5.5, for example:

"image": "xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/xxxxxxxxx-qualys-sensor:latest"

6.3 Set cpu and memory for the sensor container. In the ECS task definition JSON, cpu is expressed in CPU units (1024 units = 1 vCPU), not in a number of vCPUs, and memory is the hard limit in MiB; ECS kills the container if it exceeds that limit, so size it for the hosts you run.

6.4 Proxy settings in the JSON file

The shipped file contains three proxy-related entries. If your ECS container instances reach the Qualys Cloud Platform directly, delete all three. If they go through a proxy, keep all three, set the proxy host:port in the environment entry and place the proxy's CA certificate at the sourcePath on every container instance. Delete them together or not at all: a mountPoint whose sourceVolume no longer exists makes ECS reject the task definition, and the volume name must match between mountPoints and volumes (proxy-cert-path in both places).

a. In environment:

    { "name": "qualys_https_proxy", "value": "proxy.qualys.com:3128" }

b. In mountPoints:

    { "sourceVolume": "proxy-cert-path", "containerPath": "/etc/qualys/qpa/cert/custom-ca.crt" }

c. In volumes:

    { "name": "proxy-cert-path", "host": { "sourcePath": "/root/cert/proxy-certificate.crt" } }
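The edits in step 6 can be scripted and checked before anything is uploaded. The following Python script is an added example and is not part of the Qualys sensor package: it works on a constructed stand-in for cssensor-aws-ecs.json built from the standard ECS task definition fields and the proxy entry names quoted above. The environment variable names ACTIVATIONID and CUSTOMERID, the Docker-socket volume and the account ID in the image path are assumptions; check them against the file you extracted.

```python
"""Script the edits to cssensor-aws-ecs.json and validate the result.

Added example, not part of the Qualys sensor package. Relies on the standard
ECS task definition fields (containerDefinitions[].image, cpu, memory,
environment, mountPoints, top-level volumes) and the proxy entry names from
the post. ACTIVATIONID / CUSTOMERID and the Docker-socket volume are assumed.
"""
import copy
import json

PROXY_ENV = "qualys_https_proxy"
PROXY_VOLUME = "proxy-cert-path"
REQUIRED_ENV = ("ACTIVATIONID", "CUSTOMERID")  # assumed variable names
ECR = "123456789012.dkr.ecr.us-east-1.amazonaws.com"  # placeholder account/region

# Constructed stand-in for the shipped file: only the fields the post edits.
SAMPLE_TASKDEF = {
    "family": "qualys-container-sensor",
    "requiresCompatibilities": ["EC2"],
    "containerDefinitions": [{
        "name": "qualys-container-sensor",
        "image": "IMAGE_NAME",
        "cpu": 10,
        "memory": 500,
        "essential": True,
        "environment": [
            {"name": "ACTIVATIONID", "value": ""},
            {"name": "CUSTOMERID", "value": ""},
            {"name": PROXY_ENV, "value": "proxy.qualys.com:3128"},
        ],
        "mountPoints": [
            {"sourceVolume": "socket-volume", "containerPath": "/var/run/docker.sock"},
            {"sourceVolume": PROXY_VOLUME, "containerPath": "/etc/qualys/qpa/cert/custom-ca.crt"},
        ],
    }],
    "volumes": [
        {"name": "socket-volume", "host": {"sourcePath": "/var/run/docker.sock"}},
        {"name": PROXY_VOLUME, "host": {"sourcePath": "/root/cert/proxy-certificate.crt"}},
    ],
}


def _container(td):
    """The sensor task definition has exactly one container definition."""
    return td["containerDefinitions"][0]


def set_env(td, name, value):
    """Set (or add) one environment variable on the sensor container."""
    env = _container(td).setdefault("environment", [])
    for entry in env:
        if entry["name"] == name:
            entry["value"] = value
            return
    env.append({"name": name, "value": value})


def set_resources(td, cpu_units, memory_mb):
    """cpu is in ECS CPU units (1024 = 1 vCPU); memory is the hard limit in MiB."""
    if int(cpu_units) <= 0 or int(memory_mb) <= 0:
        raise ValueError("cpu units and memory must be positive")
    _container(td)["cpu"] = int(cpu_units)
    _container(td)["memory"] = int(memory_mb)


def configure_proxy(td, proxy=None):
    """No proxy: drop all three proxy entries together. Proxy: set host:port, keep the CA mount."""
    c = _container(td)
    if proxy:
        set_env(td, PROXY_ENV, proxy)
        return
    c["environment"] = [e for e in c.get("environment", []) if e["name"] != PROXY_ENV]
    c["mountPoints"] = [m for m in c.get("mountPoints", []) if m["sourceVolume"] != PROXY_VOLUME]
    td["volumes"] = [v for v in td.get("volumes", []) if v["name"] != PROXY_VOLUME]


def validate(td):
    """Return a list of problems ECS or the sensor would trip over; empty means ready."""
    problems = []
    c = _container(td)
    if "EC2" not in td.get("requiresCompatibilities", []):
        problems.append("requiresCompatibilities must include EC2 (Fargate is not supported)")
    image = c.get("image", "")
    tail = image.rsplit("/", 1)[-1]
    if "/" not in image or not (":" in tail or "@" in tail):
        problems.append(f"image {image!r} is not a registry path with a tag or digest")
    env = {e["name"]: e.get("value", "") for e in c.get("environment", [])}
    for name in REQUIRED_ENV:
        if not env.get(name):
            problems.append(f"environment variable {name} is empty")
    volumes = {v["name"] for v in td.get("volumes", [])}
    for m in c.get("mountPoints", []):
        if m["sourceVolume"] not in volumes:
            problems.append(f"mountPoint {m['containerPath']} references undefined volume {m['sourceVolume']}")
    return problems


def prepare(base, image, cpu_units, memory_mb, activation_id, customer_id, proxy=None):
    """Return a validated copy of base with the values filled in; raise on any problem."""
    td = copy.deepcopy(base)
    _container(td)["image"] = image
    set_resources(td, cpu_units, memory_mb)
    set_env(td, REQUIRED_ENV[0], activation_id)
    set_env(td, REQUIRED_ENV[1], customer_id)
    configure_proxy(td, proxy)
    problems = validate(td)
    if problems:
        raise ValueError("; ".join(problems))
    return td


if __name__ == "__main__":
    ready = prepare(SAMPLE_TASKDEF, f"{ECR}/qualys-sensor:latest", 256, 512,
                    activation_id="11111111-1111-1111-1111-111111111111",
                    customer_id="22222222-2222-2222-2222-222222222222")
    print(json.dumps(ready, indent=2))
```

Redirect the output to a file and you can register it from the CLI with aws ecs register-task-definition --cli-input-json file://cssensor-aws-ecs.prepared.json instead of pasting into the console. The validate step catches the two mistakes that are easy to make by hand: deleting the proxy volume but leaving the mountPoint that references it, and leaving the activation or customer ID empty.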

7. Import the JSON file

7.1. Register the task definition from the JSON file in the Amazon ECS console to complete the sensor deployment.

7.2. In the Amazon ECS console, under Task Definitions, click Create new Task Definition.

7.3. Select EC2 as the launch type compatibility (Fargate is not supported).

7.4. Provide the Task Definition name, and then provide Task Role, Network Mode, and Task Execution Role if applicable:


8. Configure the task definition via JSON

8.1. Scroll to the bottom of the page and select Configure via JSON option.

8.2. Remove any existing content and then copy-paste the entire contents of the cssensor-aws-ecs.json file.

8.3. Click Create to create the Task Definition. Once created, it is listed under Task Definitions.

8.4. Confirm if the task definition is created successfully


9. Select the AWS Cluster

Now go to Clusters and click the cluster name on which you want to deploy the sensor. Under the Services tab, click Create. Select the launch type as EC2.

10. Select the task definition

Select the Task Definition you created above and its revision. Provide the Service name and set the Service type to DAEMON, so that ECS places exactly one sensor task on every container instance in the cluster, including instances added later. Configure Network, Load Balancing and Auto Scaling only if applicable; the sensor needs none of them.


11. Create the Service

Review the provided information, and then click Create to create the Service. Once created, it is listed under Services. Verify that the service status is Active. In the Tasks tab, verify that one sensor task is running on every ECS container instance; an instance without a running task has no sensor and therefore no visibility in Qualys.
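The same check can be made without clicking through the console. The script below is an added example, not Qualys or AWS code: it compares the ACTIVE container instances of the cluster with the RUNNING tasks of the DAEMON service and reports any host that has no sensor. The record shapes mirror the fields boto3 returns from describe_services, describe_container_instances and describe_tasks; the sample records, the cluster name demo and the service name qualys-container-sensor are constructed for the example.

```python
"""Report container instances that have no RUNNING sensor task.

Added example, not Qualys or AWS code. The dicts mirror the fields boto3
returns from describe_services, describe_container_instances and
describe_tasks; the sample records below are constructed.
"""

SERVICE_NAME = "qualys-container-sensor"  # assumed service name
CI_ARN = "arn:aws:ecs:us-east-1:123456789012:container-instance/demo/"  # constructed prefix

SAMPLE_SERVICE = {  # describe_services()["services"][0] shape
    "serviceName": SERVICE_NAME, "status": "ACTIVE",
    "schedulingStrategy": "DAEMON", "desiredCount": 3, "runningCount": 2,
}

SAMPLE_INSTANCES = [  # describe_container_instances()["containerInstances"] shape
    {"containerInstanceArn": CI_ARN + "aaa", "ec2InstanceId": "i-0aaa", "status": "ACTIVE"},
    {"containerInstanceArn": CI_ARN + "bbb", "ec2InstanceId": "i-0bbb", "status": "ACTIVE"},
    {"containerInstanceArn": CI_ARN + "ccc", "ec2InstanceId": "i-0ccc", "status": "ACTIVE"},
    {"containerInstanceArn": CI_ARN + "ddd", "ec2InstanceId": "i-0ddd", "status": "DRAINING"},
]

SAMPLE_TASKS = [  # describe_tasks()["tasks"] shape; group ties a task to its service
    {"containerInstanceArn": CI_ARN + "aaa", "lastStatus": "RUNNING", "group": f"service:{SERVICE_NAME}"},
    {"containerInstanceArn": CI_ARN + "bbb", "lastStatus": "RUNNING", "group": f"service:{SERVICE_NAME}"},
    {"containerInstanceArn": CI_ARN + "ccc", "lastStatus": "STOPPED", "group": f"service:{SERVICE_NAME}",
     "stoppedReason": "Essential container in task exited"},
]


def service_problems(service):
    """Problems visible on the service record itself; empty list means healthy."""
    problems = []
    if service.get("status") != "ACTIVE":
        problems.append(f"service status is {service.get('status')}")
    if service.get("schedulingStrategy") != "DAEMON":
        problems.append("service is not DAEMON, so new container instances will not get a sensor")
    if service.get("runningCount") != service.get("desiredCount"):
        problems.append(f"{service.get('runningCount')} of {service.get('desiredCount')} tasks running")
    return problems


def sensor_coverage(container_instances, tasks, service_name=SERVICE_NAME):
    """Return {'covered': [ec2 ids], 'missing': {ec2 id: reason}} for ACTIVE instances.

    DRAINING instances are ignored: ECS is moving work off them anyway.
    """
    active = {ci["containerInstanceArn"]: ci["ec2InstanceId"]
              for ci in container_instances if ci.get("status") == "ACTIVE"}
    group = f"service:{service_name}"
    mine = [t for t in tasks if t.get("group") == group]
    running_on = {t["containerInstanceArn"] for t in mine if t.get("lastStatus") == "RUNNING"}
    last_stop = {t["containerInstanceArn"]: t.get("stoppedReason", "stopped without reason")
                 for t in mine if t.get("lastStatus") == "STOPPED"}
    covered = sorted(ec2 for arn, ec2 in active.items() if arn in running_on)
    missing = {ec2: last_stop.get(arn, "no sensor task placed on this instance")
               for arn, ec2 in sorted(active.items(), key=lambda kv: kv[1]) if arn not in running_on}
    return {"covered": covered, "missing": missing}


def fetch_from_aws(cluster, service_name=SERVICE_NAME, region="us-east-1"):
    """Pull the three record sets with boto3 (needs credentials; not used by the sample run).

    list_* calls return at most 100 ARNs per page; use ecs.get_paginator(...) for
    larger clusters. list_tasks defaults to RUNNING tasks, which is all the
    coverage check needs.
    """
    import boto3
    ecs = boto3.client("ecs", region_name=region)
    service = ecs.describe_services(cluster=cluster, services=[service_name])["services"][0]
    ci_arns = ecs.list_container_instances(cluster=cluster)["containerInstanceArns"]
    instances = (ecs.describe_container_instances(cluster=cluster, containerInstances=ci_arns)
                 ["containerInstances"] if ci_arns else [])
    task_arns = ecs.list_tasks(cluster=cluster, serviceName=service_name)["taskArns"]
    tasks = ecs.describe_tasks(cluster=cluster, tasks=task_arns)["tasks"] if task_arns else []
    return service, instances, tasks


if __name__ == "__main__":
    for problem in service_problems(SAMPLE_SERVICE):
        print("service:", problem)
    coverage = sensor_coverage(SAMPLE_INSTANCES, SAMPLE_TASKS)
    print("sensor running on:", ", ".join(coverage["covered"]) or "none")
    for ec2_id, reason in coverage["missing"].items():
        print(f"NO sensor on {ec2_id}: {reason}")
```

Run against a real cluster by replacing the sample records with the return value of fetch_from_aws("your-cluster"). A non-empty missing map is the condition to alert on: a host in that list is running containers that Qualys cannot see.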


12. View the results in the Qualys Container Security module

Now, you will see all details in the Qualys Container Security module:


Conclusion

In Part 3, “QUALYS – Deploying sensor in AWS ECS Cluster”, of our blog series, we discussed how to deploy your Qualys Container Sensor in AWS ECS Cluster. The deployment of this sensor is a crucial step in ensuring the security of your AWS infrastructure. By using this sensor, you will be able to monitor your containers for any vulnerabilities and take action to address them.

We hope that you found this article informative and helpful. In addition to our blog series, we also offer a variety of security services to help you stay secure. Check out our Vulnerability Management and Cloud Security services to learn more and stay protected.