Versions Compared

Version Old Version 20 New Version 21
Changes made by

Development Operations (Deactivated)

Development Operations (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Create A New Connector

...

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Reports under Compliance.

  2. Click Connectors.

  3. Click the New Connector button.

    1. The New Connector form will slide into view from the right side of the screen. 

  4. Click the icon of the appropriate Cloud provider.

    1. Amazon Web Services

    2. Google

    3. Microsoft Azure

  5. Complete the form by providing the required information.

    1. The New Connector form is dynamic. Form fields will change relative to the Cloud provider chosen. See below for specifics on how to configure the connection in the relevant provider. 

    2. Add Run Frequency Value. Run Frequency for a connector decides the rate at which the connector should poll the cloud provider and fetch the data, specified in minutes. Recommended value is 240 minutes. The minimum value it can take is 60 minutes.

  6. Click the Add Connector button.


Create a Connector in AWS, GCP, or Azure

...

Expand
titleAmazon Web Services
  1. Log in to Amazon Web Services (AWS) Console.
  2. Go to the IAM service.
  3. Go to Roles and click Create Role.
  4. Under “Select type of trusted entity” choose Another AWS account. Then:
    1. Paste in the Qualys AWS Account ID (from connector details).
    2. Select Require external ID and paste in the External ID (from connector details).
    3. Click Next: Permissions.
  5. Select the following policies:
    1. Find the policy titled “SecurityAudit” and select the check boxes next to it.
    2. Find the policy that includes the permissions: "eks:ListFargateProfiles", "eks:DescribeFargateProfile" and select the check box next to the policy. (applicable only for Fargate Profiles associated with EKS cluster). Learn more
    3. Create a custom policy that includes additional permissions (applicable only for EFS resource, Step Function, Amazon QLDB, Lambda, MSK, API Gateway, AWS Backup, WAF, EBS, EMR, Glue, GuardDuty, CodeBuild and Directory Service). Find the custom policy you create and select the check box next to the policy. Learn more
  6. Click Next: Tags.
  7. Click Next: Review.
  8. Enter a role name (e.g. QualysCloudViewRole) and click Create role.
  9. Click on the role you just created to view details. Copy the Role ARN value and paste it into the connector details.

...

Expand
titleMicrosoft Azure
Part 1:

1. Create Application and get Application ID, Directory ID

Create application in Azure Active Directory and you can then note the application ID.

  1. Log on to the Microsoft Azure console
. Go to 
  1. and press Azure Active Directory
 in
  1.  in the left navigation pane
, then 
  1. .
  2. Click App Registrations > New registration.
Click New registration and provide these
  1. Provide the following details:
    1. Name: A name for the application (e.g. My_Azure_Connector)
    2. Supported account types: Select Accounts in any organizational directory
Click 
  1. Click Register. The newly created is displayed with its properties. Copy
the 
  1. the Application (client)ID
 and 
  1.  and Directory (tenant)IDand paste it into the connector details
on the New Connector page in AMP
  1. .
Part 2:

2. Generate Authentication Key

Provide permission to the new application to access the Windows Azure Service Management API and create a secret key.
Provide Permission

  1. Select the application that you created and go
to 
  1. to API permissions > Add a permission.
Select 
  1. Select Azure Service Management API
 in
  1.  in Microsoft APIs for Request API permissions.
Select Part 3:
  1. Select user impersonation
 permission and click Add permissions.

  • Click Add a permission.

  • Select Microsoft Graph in Microsoft APIs for Request API permissions.

  • Select Application permissions and expand User permissions and select User.Read.All permission and click Add permissions.A confirmation notification “Permissions have changed. Users and/or admins will have to consent even if they have already done so previously.” is displayed on success.

    1.  permission and click Add permissions.

    Create a secret key

    1. Select the application that you created and go
    to 
    1. to Certificates and Secrets > New client secret.
    2. Add a description and expiry duration for the key (recommended: Never) and
    click 
    1. click Add.
    2. The value of the key appears in the Value field.

    Copy the key value at this time. You won’t be able to retrieve it later. Paste the key value

    into the Authentication Key field in AMP on the New Connector page.Part 4:

    as Authentication Key into the connector details. You need to provide the key value with the application ID to log on as the application. Store the key value where your application can retrieve it.

    3.Acquire Subscription ID

    Grant permission for the application to access

    subscription that you want to configure

    subscriptions. Assign a role to the new application. The role you assign will define the permissions for the new application to access subscriptions.

    1. On the Azure portal, navigate
    to 
    1. to Subscriptions.
    2. Select the subscription for which you want to grant permission to the application and note the subscription ID.

    Assign two roles (Reader role and a custom role to the application).Assign Reader Role

    1. To grant permission to the application you created,
    choose 
    1. choose Access Control (IAM).
    2. Go
    to 
    1. to Add > Add a role assignment. Pick
    the role as Reader
    1. a Reader role. A Reader can view everything but cannot make any changes to the resources of a subscription.

  • Select Azure AD user, group, or service principal in Assign Access to dropdown.

  • Type the application name in Select drop-down and select the application you created.

  • Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.

    • Assign Custom Role

    Before you assign the custom role, create the custom role (QRole). Learn more

  • Go to Add > Add a role assignment. Pick the custom role you created (QRole). The custom role can view but cannot make any changes to the resources of a subscription

    • Select 
    1. Note: You need to assign the Reader role if the same application is used in AssetView and CloudView module. If the application usage is limited to only AssetView module (and not in CloudView module), you need to have at least below permissions on the built-in or custom role assigned to the subscription. - "Microsoft.Compute/virtualMachines/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/networkSecurityGroups/read"
    2. Select Azure AD user, group, or
    service principal in
    1. application in Assign Access to dropdown.
    2. Type the application name in Select drop-down and select the application you created.
    Click 
    1. Click Save
     to
    1.  to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.
    2. Copy
    the 
    1. the subscription ID
     you
    1. you noted and paste it into the connector details in AMP on the New Connector page and click
    Add
    1. Create Connector.


    Offline Connectors

    ...

    If a connector is showing offline, please follow troubleshooting steps in the Troubleshooting section of this documentation, and do not delete the connector and add it back in an attempt to get it to connect.

    ...

    Anchor
    Troubleshooting A Connector
    Troubleshooting A Connector
    Troubleshooting A Connector

    ...

    Connectors have four states they can be in:

    ...