Create A New Connector
In the Armor Management Portal (AMP), in the left-side navigation, click Reports under Compliance.
Click the New Connector button.
The New Connector form will slide into view from the right side of the screen.
Click the icon of the appropriate Cloud provider.
Amazon Web Services
Complete the form by providing the required information.
The New Connector form is dynamic. Form fields will change relative to the Cloud provider chosen. See below for specifics on how to configure the connection in the relevant provider.
- Add Run Frequency Value. Run Frequency for a connector decides the rate at which the connector should poll the cloud provider and fetch the data, specified in minutes. Recommended value is 240 minutes. The minimum value it can take is 60 minutes.
Click the Add Connector button.
Create a Connector in AWS, GCP, or Azure
- Log in to Amazon Web Services (AWS) Console.
- Go to the IAM service.
- Go to Roles and click Create Role.
- Under “Select type of trusted entity” choose Another AWS account. Then:
- Paste in the Qualys AWS Account ID (from connector details).
- Select Require external ID and paste in the External ID (from connector details).
- Click Next: Permissions.
- Select the following policies:
- Find the policy titled “SecurityAudit” and select the check boxes next to it.
- Find the policy that includes the permissions: "eks:ListFargateProfiles", "eks:DescribeFargateProfile" and select the check box next to the policy. (applicable only for Fargate Profiles associated with EKS cluster). Learn more
- Create a custom policy that includes additional permissions (applicable only for EFS resource, Step Function, Amazon QLDB, Lambda, MSK, API Gateway, AWS Backup, WAF, EBS, EMR, Glue, GuardDuty, CodeBuild and Directory Service). Find the custom policy you create and select the check box next to the policy. Learn more
- Click Next: Tags.
- Click Next: Review.
- Enter a role name (e.g. QualysCloudViewRole) and click Create role.
- Click on the role you just created to view details. Copy the Role ARN value and paste it into the connector details.
Part 1: Enable access to some API's in API library
Log on to Google Cloud Platform (GCP) console.
Select the organization.
Select a project or create a new project. Ensure the correct project is selected.
In the left sidebar, navigate to APIs and Services > Library.
In API Library, click the following APIs and enable them. For help finding the API, use the search field.
- Compute Engine API
- Cloud Resource Manager API
- Kubernetes Engine API
- Cloud SQL Admin API
- BigQuery API
- Cloud Functions API
- Cloud DNS API
- Cloud Key Management Service (KMS) API
- Cloud Logging API
- Stackdriver Monitoring API
Part 2: Create service account and download configuration file
Login to the GCP console and select a project.
From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE SERVICE ACCOUNT. Provide a name and description (optional) for the service account and click CREATE.
Choose Viewer and Security Reviewer role to assign at least reader permissions to the service account and click CONTINUE.
Click CREATE KEY. Select JSON as Key type and click CREATE. A message saying “Private key saved to your computer” is displayed and the JSON file is downloaded to your computer. Click CLOSE and then click DONE.
Part 3: Upload the configuration (JSON) file in AMP on the new connector page for GCP connector and click on Add Connector.
1. Create Application and get Application ID, Directory ID
Create application in Azure Active Directory and you can then note the application ID.
- Log on to the Microsoft Azure console and press Azure Active Directory in the left navigation pane.
- Click App Registrations > New registration.
- Provide the following details:
- Name: A name for the application (e.g. My_Azure_Connector)
- Supported account types: Select Accounts in any organizational directory
- Click Register. The newly created is displayed with its properties. Copy the Application (client)ID and Directory (tenant)IDand paste it into the connector details.
2. Generate Authentication Key
Provide permission to the new application to access the Windows Azure Service Management API and create a secret key.
- Select the application that you created and go to API permissions > Add a permission.
- Select Azure Service Management API in Microsoft APIs for Request API permissions.
- Select user impersonation permission and click Add permissions.
Create a secret key
- Select the application that you created and go to Certificates and Secrets > New client secret.
- Add a description and expiry duration for the key (recommended: Never) and click Add.
- The value of the key appears in the Value field.
Copy the key value at this time. You won’t be able to retrieve it later. Paste the key value as Authentication Key into the connector details. You need to provide the key value with the application ID to log on as the application. Store the key value where your application can retrieve it.
3.Acquire Subscription ID
Grant permission for the application to access subscriptions. Assign a role to the new application. The role you assign will define the permissions for the new application to access subscriptions.
- On the Azure portal, navigate to Subscriptions.
- Select the subscription for which you want to grant permission to the application and note the subscription ID. To grant permission to the application you created, choose Access Control (IAM).
- Go to Add > Add a role assignment. Pick a Reader role. A Reader can view everything but cannot make any changes to the resources of a subscription.
Note: You need to assign the Reader role if the same application is used in AssetView and CloudView module. If the application usage is limited to only AssetView module (and not in CloudView module), you need to have at least below permissions on the built-in or custom role assigned to the subscription. - "Microsoft.Compute/virtualMachines/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/networkSecurityGroups/read"
- Select Azure AD user, group, or application in Assign Access to dropdown.
- Type the application name in Select drop-down and select the application you created.
- Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.
- Copy the subscription ID you noted and paste it into the connector details in AMP on the New Connector page and click Create Connector.
If a connector is showing offline, please follow troubleshooting steps in the Troubleshooting section of this documentation, and do not delete the connector and add it back in an attempt to get it to connect.
Refreshing reports can be done from the Overview tab as documented here.
Troubleshooting A Connector
Connectors have four states they can be in:
If a connector is in the offline or pending state (if it’s a new connector allow up to 15 minutes for it to become online) the following can be done:
Go to the Connectors tab of the Compliance page.
Find the connector that is offline or pending.
Click on the three dots.
The state will update to show Refreshing.
If after refreshing the connector the state is still showing offline:
Open a ticket with support for further troubleshooting.
If a connector is in a Regions Discovered state and not fetching information about a VM, make sure you have at least 1 VM in your cloud account.
- If your account has at least one EC2 instance, CSPM will authenticate and complete region discovery.
- State will turn to Success only after fetching information for at least one VM from any of the regions discovered.
Was this helpful?