Skip to main content
Skip table of contents

Cloud Connectors

Create A New Connector

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Reports under Compliance.

  2. Click Connectors.

  3. Click the New Connector button.

    1. The New Connector form will slide into view from the right side of the screen.

  4. Click the icon of the appropriate Cloud provider.

    1. Amazon Web Services

    2. Google

    3. Microsoft Azure

  5. Complete the form by providing the required information.

    1. The New Connector form is dynamic. Form fields will change relative to the Cloud provider chosen. See below for specifics on how to configure the connection in the relevant provider.

    2. Add Run Frequency Value. Run Frequency for a connector decides the rate at which the connector should poll the cloud provider and fetch the data, specified in minutes. Recommended value is 240 minutes. The minimum value it can take is 60 minutes.

  6. Click the Add Connector button.

Create a Connector in AWS, GCP, or Azure

Amazon Web Services
  1. Log in to Amazon Web Services (AWS) Console.

  2. Go to the IAM service.

  3. Go to Roles and click Create Role.

  4. Under “Select type of trusted entity” choose Another AWS account. Then:

    1. Paste in the Qualys AWS Account ID (from connector details).

    2. Select Require external ID and paste in the External ID (from connector details).

    3. Click Next: Permissions.

  5. Select the following policies:

    1. Find the policy titled “SecurityAudit” and select the check boxes next to it.

    2. Find the policy that includes the permissions: "eks:ListFargateProfiles", "eks:DescribeFargateProfile" and select the check box next to the policy. (applicable only for Fargate Profiles associated with EKS cluster). Learn more

    3. Create a custom policy that includes additional permissions (applicable only for EFS resource, Step Function, Amazon QLDB, Lambda, MSK, API Gateway, AWS Backup, WAF, EBS, EMR, Glue, GuardDuty, CodeBuild and Directory Service). Find the custom policy you create and select the check box next to the policy. Learn more

  6. Click Next: Tags.

  7. Click Next: Review.

  8. Enter a role name (e.g. QualysCloudViewRole) and click Create role.

  9. Click on the role you just created to view details. Copy the Role ARN value and paste it into the connector details.

Google Cloud Platform

Part 1: Enable access to some API's in API library

  1. Log in to Google Cloud Platform (GCP) console.

  2. Select the organization.

  3. For all projects to be onboarded, navigate to APIs and Services > Library.

  4. Select a project or create a new project. Ensure that you have selected the correct project.

  5. In API Library, click the following APIs and enable them. If you need help finding the API, use the search field.

    • Compute Engine API

    • Cloud Resource Manager API

    • Kubernetes Engine API

    • Cloud SQL Admin API

    • BigQuery API

    • Cloud Functions API

    • Cloud DNS API

    • Cloud Key Management Service (KMS) API

    • Cloud Logging API

    • Stackdriver Monitoring API

Part 2: Create a service account and download the configuration file

  1. Log in to Google Cloud Platform (GCP) console.

    • Select an organization.

    • Select a project or create a new project. Ensure you have selected the correct project.

    • From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE SERVICE ACCOUNT.

    • Provide a service account id, name (optional), and description (optional) for the service account, and click CREATE.

    • Next, navigate to IAM & Services > IAM and click ADD..

    • Enter your service account in New Principal.

    • Add the following roles in the Role field and click SAVE:
      - Viewer
      - Security Reviewer

    • Select the newly created service account.

    • Click Actions > Manage Keys > Add Key > Create a new Key. Select JSON as the key type and click Create (A message saying "Private key saved to your computer" is displayed, and the JSON file is downloaded to your computer).

    • Click CLOSE and then click Done.

Part 3: Upload the configuration (JSON) file in AMP on the new connector page for GCP connector and click on Add Connector.

Microsoft Azure
  1. Create Application and get Application ID, Directory ID

Create application in Azure Active Directory and you can then note the application ID.

  1. Log on to the Microsoft Azure console and press Azure Active Directory in the left navigation pane.

  2. Click App Registrations > New registration.

  3. Provide the following details:

    1. Name: A name for the application (e.g. My_Azure_Connector)

    2. Supported account types: Select Accounts in any organizational directory

  4. Click Register. The newly created is displayed with its properties. Copy the Application (client)ID and Directory (tenant)IDand paste it into the connector details.

  1. Generate Authentication Key

Provide permission to the new application to access the Windows Azure Service Management API and create a secret key.
Provide Permission

  1. Select the application that you created and go to API permissions > Add a permission.

  2. Select Azure Service Management API in Microsoft APIs for Request API permissions.

  3. Select user impersonation permission and click Add permissions.

Create a secret key

  1. Select the application that you created and go to Certificates and Secrets > New client secret.

  2. Add a description and expiry duration for the key (recommended: Never) and click Add.

  3. The value of the key appears in the Value field.

Copy the key value at this time. You won’t be able to retrieve it later. Paste the key value as Authentication Key into the connector details. You need to provide the key value with the application ID to log on as the application. Store the key value where your application can retrieve it.

3.Acquire Subscription ID

Grant permission for the application to access subscriptions. Assign a role to the new application. The role you assign will define the permissions for the new application to access subscriptions.

  1. On the Azure portal, navigate to Subscriptions.

  2. Select the subscription for which you want to grant permission to the application and note the subscription ID. To grant permission to the application you created, choose Access Control (IAM).

  3. Go to Add > Add a role assignment. Pick a Reader role. A Reader can view everything but cannot make any changes to the resources of a subscription.
    Note: You need to assign the Reader role if the same application is used in AssetView and CloudView module. If the application usage is limited to only AssetView module (and not in CloudView module), you need to have at least below permissions on the built-in or custom role assigned to the subscription. - "Microsoft.Compute/virtualMachines/read", - "Microsoft.Resources/subscriptions/resourceGroups/read", - "Microsoft.Network/networkInterfaces/read", - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/networkSecurityGroups/read"

  4. Select Azure AD user, group, or application in Assign Access to dropdown.

  5. Type the application name in Select drop-down and select the application you created.

  6. Click Save to finish assigning the role. You’ll see your application in the list of users assigned to a role for that scope.

  7. Copy the subscription ID you noted and paste it into the connector details in AMP on the New Connector page and click Create Connector.

Offline Connectors

If a connector is showing offline, please follow troubleshooting steps in the Troubleshooting section of this documentation, and do not delete the connector and add it back in an attempt to get it to connect.

Refreshing reports can be done from the Overview tab as documented here.

Troubleshooting A Connector

Connectors have four states they can be in:

  • Offline

  • Online

  • Pending

  • Refreshing

If a connector is in the offline or pending state (if it's a new connector allow up to 15 minutes for it to become online) the following can be done:

  1. Go to the Connectors tab of the Compliance page.

  2. Find the connector that is offline or pending.

  3. Click on the three dots.

  4. Select Refresh.

  5. The state will update to show Refreshing.

  6. If after refreshing the connector the state is still showing offline:

    1. Open a ticket with support for further troubleshooting.

If a connector is in a Regions Discovered state and not fetching information about a VM, make sure you have at least 1 VM in your cloud account.

  • If your account has at least one EC2 instance, CSPM will authenticate and complete region discovery.

  • State will turn to Success only after fetching information for at least one VM from any of the regions discovered.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.