Create A New Connector

...

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Reports under Compliance.

  2. Click Connectors.

  3. Click the New Connector button.

    1. The New Connector form will slide into view from the right side of the screen.

  4. Click the icon of the appropriate Cloud provider.

    1. Amazon Web Services

    2. Google

    3. Microsoft Azure

  5. Complete the form by providing the required information.

    1. The New Connector form is dynamic. Form fields will change relative to the Cloud provider chosen. See below for specifics on how to configure the connection in the relevant provider.

    2. Add a Run Frequency value. The Run Frequency of a connector sets how often, in minutes, the connector polls the cloud provider and fetches data. The recommended value is 240 minutes; the minimum value is 60 minutes.

  6. Click the Add Connector button.


Create a Connector in AWS, GCP, or Azure

...

Amazon Web Services

  1. Log in to the AWS Console.
  2. Go to the IAM service.
  3. Go to Roles and click Create Role. Under "Select type of trusted entity" choose Another AWS account. Then paste in the Qualys AWS Account ID (from the connector details).
  4. Select Require external ID and paste in the External ID (from the connector details).
  5. Click Next: Permissions and select the following policies:
     • Find the policy titled "SecurityAudit" and select the check box next to it.
     • Find the policy that includes the permissions "eks:ListFargateProfiles" and "eks:DescribeFargateProfile" and select the check box next to it (applicable only for Fargate Profiles associated with an EKS cluster).
     • Create a custom policy that includes additional permissions (applicable only for EFS resources, Step Functions, Amazon QLDB, Lambda, MSK, API Gateway, AWS Backup, WAF, EBS, EMR, Glue, GuardDuty, CodeBuild and Directory Service). Find the custom policy you created and select the check box next to it.
  6. Click Next: Tags.
  7. Click Next: Review.
  8. Enter a role name (e.g. QualysCloudViewRole) and click Create role.
  9. Click on the role you just created to view its details. Copy the Role ARN value and paste it into the connector details.
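The "Require external ID" step is what stops a third party from tricking the trusted account into assuming your role on their behalf (the confused-deputy problem). The following Python script, added here as an example and not code from the original page or from Armor or Qualys, builds the trust policy that the console steps above produce and reviews a trust policy for the two things worth checking before the Role ARN is pasted into the connector: a specific trusted account rather than a wildcard principal, and an sts:ExternalId condition. The account ID, External ID and role ARN in it are constructed placeholders; the real values come from the connector details in AMP.

```python
import json
import re

# Constructed placeholders: the real Qualys AWS Account ID and External ID
# are shown in the connector details in AMP, not here.
TRUSTED_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only the named account may
    assume it, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> list:
    """Review a trust policy: every Allow of sts:AssumeRole must name a
    specific principal (no '*') and require an External ID."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = [principal]
        if "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


def parse_role_arn(arn: str) -> dict:
    """Split the Role ARN copied from the role details page into its
    account ID and role name; anything that is not a role ARN is rejected."""
    m = re.fullmatch(r"arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)", arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return {"account_id": m.group(1), "role_name": m.group(2)}


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
    # Constructed sample ARN in the shape the console shows after step 9.
    print(parse_role_arn("arn:aws:iam::111111111111:role/QualysCloudViewRole"))
```

Running the script prints the trust document, an empty findings list for it, and the parsed ARN; feeding it the trust policy of an existing role (for example the JSON from the role's Trust relationships tab) reports a missing External ID or a wildcard principal before the connector goes live.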

Google Cloud Platform

Part 1: Enable access to the required APIs in the API Library

  1. Log in to the Google Cloud Platform (GCP) console.
  2. Select the organization.
  3. For every project to be onboarded, navigate to APIs and Services > Library.
  4. Select a project or create a new project. Ensure that you have selected the correct project.
  5. In the API Library, click each of the following APIs and enable it. If you need help finding an API, use the search field.
     • Compute Engine API
     • Cloud Resource Manager API
     • Kubernetes Engine API
     • Cloud SQL Admin API
     • BigQuery API
     • Cloud Functions API
     • Cloud DNS API
     • Cloud Key Management Service (KMS) API
     • Cloud Logging API
     • Stackdriver Monitoring API

Part 2: Create a service account and download the configuration file

  1. Log in to the Google Cloud Platform (GCP) console.
  2. Select an organization.
  3. Select a project or create a new project. Ensure you have selected the correct project.
  4. From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE SERVICE ACCOUNT.
  5. Provide a service account ID, name (optional), and description (optional) for the service account, and click CREATE.
  6. Next, navigate to IAM & Services > IAM and click ADD.
  7. Enter your service account in New Principal.
  8. Add the following roles in the Role field and click SAVE:
     • Viewer
     • Security Reviewer
  9. Select the newly created service account.
  10. Click Actions > Manage Keys > Add Key > Create a new Key. Select JSON as the key type and click Create. A message saying "Private key saved to your computer" is displayed, and the JSON file is downloaded to your computer.
  11. Click CLOSE and then click Done.

Part 3: Upload the configuration (JSON) file in AMP on the New Connector page for the GCP connector and click Add Connector.

Microsoft Azure

1. Create an application and get the Application ID and Directory ID

Create an application in Azure Active Directory; you can then note the application ID.

  1. Log on to the Microsoft Azure console and click Azure Active Directory in the left navigation pane.
  2. Click App Registrations > New registration.
  3. Provide the following details:
     1. Name: A name for the application (e.g. My_Azure_Connector)
     2. Supported account types: Select Accounts in any organizational directory
  4. Click Register. The newly created application is displayed with its properties. Copy the Application (client) ID and Directory (tenant) ID and paste them into the connector details.

2. Generate an Authentication Key

Give the new application permission to access the Windows Azure Service Management API and create a secret key.

Provide permission

  1. Select the application that you created and go to API permissions > Add a permission.
  2. Select Azure Service Management API in APIs for Request API permissions.
  3. Select the user impersonation permission and click Add permissions.

Create a secret key

  1. Select the application that you created and go to Certificates and Secrets > New client secret.
  2. Add a description and expiry duration for the key (recommended: Never) and click Add.
  3. The value of the key appears in the Value field.
  4. Copy the key value at this time. You won't be able to retrieve it later. Paste the key value as Authentication Key into the connector details. You need to provide the key value together with the application ID to log on as the application. Store the key value where your application can retrieve it.

3. Acquire the Subscription ID

Grant the application permission to access subscriptions by assigning it a role. The role you assign defines the permissions the new application has on the subscription.

  1. On the portal, navigate to Subscriptions.
  2. Select the subscription for which you want to grant permission to the application and note the subscription ID.
  3. To grant permission to the application you created, choose Access Control (IAM).
  4. Go to Add > Add a role assignment. Pick a Reader role. A Reader can view everything but cannot make any changes to the resources of a subscription.
  5. Select Azure AD user, group, or application in the Assign Access to dropdown.
  6. Type the application name in the Select drop-down and select the application you created. Click Save to finish assigning the role. You'll see your application in the list of users assigned to a role for that scope.
  7. Copy the subscription ID you noted and paste it into the connector details in AMP on the New Connector page, then click Create Connector.

Note: You need to assign the Reader role if the same application is used in both the AssetView and CloudView modules. If the application is used only in the AssetView module (and not in CloudView), the built-in or custom role assigned to the subscription must grant at least the following permissions:
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/networkSecurityGroups/read
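The note above lists the minimum read permissions for an application used only in AssetView. The following Python script, added as an example and not part of the original page or of Armor's or Qualys's own tooling, checks a custom role definition (the JSON shape the Azure CLI accepts when creating a role definition) against that list, honouring Azure's `*` wildcard in actions and any NotActions exclusions, and flags any Actions entry that could grant more than read access, which is the least-privilege question to ask before assigning a custom role instead of the built-in Reader. The role definition and subscription ID in it are constructed placeholders.

```python
import re

# Minimum read permissions from the note above (AssetView-only usage).
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/networkSecurityGroups/read",
]


def _pattern(action: str):
    # Azure role actions use '*' as a wildcard; match case-insensitively.
    parts = [re.escape(p) for p in action.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_allowed(action: str, role: dict) -> bool:
    """True if the role's Actions cover `action` and NotActions do not exclude it."""
    allowed = any(_pattern(a).match(action) for a in role.get("Actions", []))
    denied = any(_pattern(a).match(action) for a in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role: dict, required=REQUIRED_ACTIONS) -> list:
    """Required permissions that the role definition does not grant."""
    return [a for a in required if not action_allowed(a, role)]


def write_capable_actions(role: dict) -> list:
    """Least-privilege check: Actions entries that could grant more than read.
    Anything not ending in '/read' (so a bare '*' or 'Microsoft.Compute/*') is reported."""
    return [a for a in role.get("Actions", []) if not a.lower().endswith("/read")]


# Constructed example role definition; the subscription ID is a placeholder.
CUSTOM_ROLE = {
    "Name": "Connector Inventory Reader (example)",
    "IsCustom": True,
    "Description": "Read-only inventory access for the AMP connector",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/*/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}


if __name__ == "__main__":
    print("missing:", missing_actions(CUSTOM_ROLE))
    print("write-capable:", write_capable_actions(CUSTOM_ROLE))
```

For the constructed role both lists are empty: the `Microsoft.Network/*/read` wildcard covers the four networking reads, and no entry grants anything beyond read. Pointing the script at an exported role definition that uses a bare `*` or a NotActions exclusion shows where the role is broader or narrower than the note requires.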


Offline Connectors

...

If a connector is showing offline, please follow the troubleshooting steps in the Troubleshooting section of this documentation; do not delete the connector and add it back in an attempt to get it to connect.

...

Troubleshooting A Connector

...

Connectors have four states they can be in:

...