Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Next »

Create A New Connector

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Reports under Compliance.

  2. Click Connectors.

  3. Click the New Connector button.

    1. The New Connector form will slide into view from the right side of the screen. 

  4. Click the icon of the appropriate Cloud provider.

    1. Amazon Web Services

    2. Google

    3. Microsoft Azure

  5. Complete the form by providing the required information.

    1. The New Connector form is dynamic. Form fields will change relative to the Cloud provider chosen. See below for specifics on how to configure the connection in the relevant provider. 

    2. Add Run Frequency Value. Run Frequency for a connector decides the rate at which the connector should poll the cloud provider and fetch the data, specified in minutes. Recommended value is 240 minutes. The minimum value it can take is 60 minutes.

  6. Click the Add Connector button.


Create a Connector in AWS, GCP, or Azure

 Amazon Web Services
  1. Log in to Amazon Web Services (AWS) Console.
  2. Go to the IAM service.
  3. Go to Roles and click Create Role.
  4. Under “Select type of trusted entity” choose Another AWS account. Then:
    1. Paste in the Qualys AWS Account ID (from connector details).
    2. Select Require external ID and paste in the External ID (from connector details).
    3. Click Next: Permissions.
  5. Select the following policies:
    1. Find the policy titled “SecurityAudit” and select the check boxes next to it.
    2. Find the policy that includes the permissions: "eks:ListFargateProfiles", "eks:DescribeFargateProfile" and select the check box next to the policy. (applicable only for Fargate Profiles associated with EKS cluster). Learn more
    3. Create a custom policy that includes additional permissions (applicable only for EFS resource, Step Function, Amazon QLDB, Lambda, MSK, API Gateway, AWS Backup, WAF, EBS, EMR, Glue, GuardDuty, CodeBuild and Directory Service). Find the custom policy you create and select the check box next to the policy. Learn more
  6. Click Next: Tags.
  7. Click Next: Review.
  8. Enter a role name (e.g. QualysCloudViewRole) and click Create role.
  9. Click on the role you just created to view details. Copy the Role ARN value and paste it into the connector details.
 Google Cloud Platform

Part 1: Enable access to some API's in API library

  1. Log on to Google Cloud Platform (GCP) console.

  2. Select the organization.

  3. Select a project or create a new project. Ensure the correct project is selected.

  4. In the left sidebar, navigate to APIs and Services > Library.

  5. In API Library, click the following APIs and enable them. For help finding the API, use the search field.

    • Compute Engine API

    • Cloud Resource Manager API

    • Kubernetes Engine API

    • Cloud SQL Admin API

    • BigQuery API

    • Cloud Functions API

    • Cloud DNS API

    • Cloud Key Management Service (KMS) API

    • Cloud Logging API

    • Stackdriver Monitoring API

Part 2: Create service account and download configuration file

  1. Login to the GCP console and select a project.

  2. From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE SERVICE ACCOUNT. Provide a name and description (optional) for the service account and click CREATE.

  3. Choose Viewer and Security Reviewer role to assign at least reader permissions to the service account and click CONTINUE.

  4. Click CREATE KEY.  Select JSON as Key type and click CREATE. A message saying “Private key saved to your computer” is displayed and the JSON file is downloaded to your computer. Click CLOSE and then click DONE.

Part 3: Upload the configuration (JSON) file in AMP on the new connector page for GCP connector and click on Add Connector.

 Microsoft Azure

Part 1: Create application in Azure Active Directory

  1. Log on to the Microsoft Azure console. Go to Azure Active Directory in the left navigation pane, then App Registrations.

  2. Click New registration and provide these details:

    1. Name: A name for the application (e.g. My_Azure_Connector)

    2. Supported account types: Select Accounts in any organizational directory

  3. Click Register. The newly created is displayed with its properties. Copy the Application (client)ID and Directory (tenant)ID and paste it into the connector details on the New Connector page in AMP.

Part 2: Provide permission to the new application to access the Windows Azure Service Management API

  1. Select the application that you created and go to API permissions > Add a permission.

  2. Select Azure Service Management API in Microsoft APIs for Request API permissions.

  3. Select user impersonation permission and click Add permissions.

  4. Click Add a permission.

  5. Select Microsoft Graph in Microsoft APIs for Request API permissions.

  6. Select Application permissions and expand User permissions and select User.Read.All permission and click Add permissions.A confirmation notification “Permissions have changed. Users and/or admins will have to consent even if they have already done so previously.” is displayed on success.

Part 3: Create a secret key

  1. Select the application that you created and go to Certificates and Secrets > New client secret.

  2. Add a description and expiry duration for the key (recommended: Never) and click Add.

  3. The value of the key appears in the Value field. Copy the key value at this time. You won’t be able to retrieve it later. Paste the key value into the Authentication Key field in AMP on the New Connector page.

Part 4: Grant permission for the application to access subscription that you want to configure. Assign a role to the new application. The role you assign will define the permissions for the new application to access subscriptions.

  1. On the Azure portal, navigate to Subscriptions.

  2. Select the subscription for which you want to grant permission to the application and note the subscription ID.

  3. Assign two roles (Reader role and a custom role to the application).Assign Reader Role

    1. To grant permission to the application you created, choose Access Control (IAM).

    2. Go to Add > Add a role assignment. Pick the role as Reader. A Reader can view everything but cannot make any changes to the resources of a subscription.

    3. Select Azure AD user, group, or service principal in Assign Access to dropdown.

    4. Type the application name in Select drop-down and select the application you created.

    5. Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.

    Assign Custom Role

    Before you assign the custom role, create the custom role (QRole). Learn more

    1. Go to Add > Add a role assignment. Pick the custom role you created (QRole). The custom role can view but cannot make any changes to the resources of a subscription

    2. Select Azure AD user, group, or service principal in Assign Access to dropdown.

    3. Type the application name in Select drop-down and select the application you created.

    4. Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.

  4. Copy the subscription ID you noted and paste it into the connector details in AMP on the New Connector page and click Add Connector.


Offline Connectors

If a connector is showing offline, please follow troubleshooting steps in the Troubleshooting section of this documentation, and do not delete the connector and add it back in an attempt to get it to connect.

Refreshing reports can be done from the Overview tab as documented here


Troubleshooting A Connector

Connectors have four states they can be in:

  • Offline

  • Online

  • Pending

  • Refreshing

If a connector is in the offline or pending state (if it’s a new connector allow up to 15 minutes for it to become online) the following can be done:

  1. Go to the Connectors tab of the Compliance page.

  2. Find the connector that is offline or pending.

  3. Click on the three dots.

  4. Select Refresh.

  5. The state will update to show Refreshing.

  6. If after refreshing the connector the state is still showing offline:

    1. Open a ticket with support for further troubleshooting.

If a connector is in a Regions Discovered state and not fetching information about a VM, make sure you have at least 1 VM in your cloud account.

  • If your account has at least one EC2 instance, CSPM will authenticate and complete region discovery. 
  • State will turn to Success only after fetching information for at least one VM from any of the regions discovered. 




Was this helpful?


  • No labels