
Qualys CloudView User Guide



CloudView User Guide

December 25, 2021

Copyright 2019-2021 by Qualys, Inc. All Rights Reserved.

Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners.

Qualys, Inc.
919 E Hillsdale Blvd
4th Floor
Foster City, CA 94404
1 (650) 801 6100

Table of Contents

- About this Guide
- About Qualys
- Qualys Support
- CloudView Overview
- Qualys Subscription and Modules required
- Concepts and Terminologies
- Get Started
- AWS
- Steps to Create AWS Connector
- Base Account
- Base Account Configuration in AWS Console
- Permissions for Fargate Profile
- Create Custom Policy
- Editing AWS Connectors
- AWS Resource Inventory
- Microsoft Azure
- Pre-requisites
- Steps to Create Azure Connector
- Configuration Steps on Microsoft Azure console
- Editing Microsoft Azure Connectors
- Azure Resource Inventory
- Google Cloud Platform
- Steps to Create GCP Connector
- Assign Service Account to other projects
- Editing GCP Connectors
- GCP Resource Inventory
- Enable-Disable Connectors
- Disable Connector
- Enable Connector
- Managing Connector Access for User Permissions
- New Users: Scope and Permissions
- Create User
- Assign Role to Users
- Manage Access for Users (Grouping Connectors)
- Manage Access for Users
- Defining Scope for Existing Users
- Sub User (All Privileges)
- Sub User (Reader Privileges)
- Securing Cloud
- Unified Dashboard
- Resources Details
- Instance Details
- Vulnerability Details for Instances
- Drill down to Vulnerability Details for Instances (only for AWS)
- View Security Group Information
- Resources Misconfigurations
- Search Using Resource Parameter Information
- Search Policy Controls
- Exceptions
- Create Exception
- View Exceptions
- Edit Exceptions?
- Delete exceptions?
- Exception History
- Exception Status
- Policies and Controls
- Customize Controls
- Control Criticality
- System Controls
- User-Defined Controls
- Copy Control and Customize
- Build Your Own Policy
- System Defined Policy
- Set Up Your Own Policy (Custom Policy)
- Policy Search
- Associating Controls
- Reports
- Assessment Reports
- On-Screen Reports
- Mandate Based Reporting
- Policy Based Report
- List of Mandates
- Configure Rule-based Alerts
- Create and Manage Actions
- Create a new Action
- Manage Actions
- Create and Manage Rules
- Create New Rule
- Manage Rules
- Manage Alerts
- Sample Queries
- Trigger Criteria
- Alerting Permissions
- Remediating Cloud Resources
- Configuring Remediation
- Pre-requisites
- Configure Remediation for New Connectors: AWS
- Enable Remediation for New Connectors
- Configuration on AWS Console
- Enable Remediation for Existing AWS Connectors
- Configure Remediation: Microsoft Azure
- Pre-requisites
- Enable Remediation for New Azure Connectors
- Configuration on Microsoft Azure Console
- Enabling Remediation for Existing Azure Connectors
- Configure Remediation: GCP
- Enable Remediation for New GCP Connectors
- Configuration on GCP Console
- Enabling Remediation for Existing GCP Connectors
- Viewing Remediation Activity
- Remediation Activity: AWS
- Remediation Activity: Microsoft Azure
- Remediation Activity: GCP
- Remediating Cloud Resources
- Remediable Evaluations
- Actions for Cloud Resources (AWS)
- Stop Instance
- Remove IAM Profile
- Permissions Required
- CloudView APIs
- Accessing APIs Using Swagger
- Securing Infrastructure as Code
- Template Support
- Pre-requisites
- Scanning Template Files Using CLI
- Install Qualys IaC Security CLI
- List of Commands
- Understanding Scan Output
- Scanning Template Files Using API
- What's more in Automatic Connector Creation
- Role-based Access Management
- Download Datalist
- Choosing Data Range
- Saved Search
- Customize Dashboards
- How to Take Action
- Adding custom widgets
- Refresh your view
- Configure number of Resources, Controls
- Appendix: List of Policies and Controls
- AWS Policies
- CIS Amazon Web Services Foundations Benchmark
- AWS Best Practices Policy
- AWS Lambda Best Practices Policy
- AWS Database Service Best Practices Policy
- Azure Policies
- CIS Microsoft Azure Foundations Benchmark
- Azure Best Practices Policy
- Azure Function App Best Practices Policy
- Azure Database Service Best Practices Policy
- GCP Policies
- CIS Google Cloud Platform Foundation Benchmark
- GCP Best Practices Policy
- GCP Cloud Functions Best Practices Policy
- GCP Kubernetes Engine Best Practices Policy
- GCP Cloud SQL Best Practices Policy

About this Guide

Welcome to Qualys CloudView! We'll help you get acquainted with the Qualys solutions for securing your AWS, Azure, and GCP resources using the Qualys Cloud Security Platform.

About Qualys

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro.

The company is also a founding member of the Cloud Security Alliance (CSA). For more information, please visit

Qualys Support

Qualys is committed to providing you with the most thorough support. Through online documentation, telephone help, and direct email support, Qualys ensures that your questions will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. Access online support information at

CloudView Overview

Qualys CloudView provides visibility and continuous security across all of your cloud environments. With CloudView you'll get these features:

- Discover assets and resources across all regions from multiple accounts and multiple cloud platforms
- Search resource metadata, view resource details and show associations across resources
- Out-of-the-box AWS, Azure, GCP policies
- Continuously assess and report resource misconfigurations by checking against the controls from out-of-the-box policies
- Build your own policies and customize controls to suit your needs
- Ability to view, filter and export misconfigurations

Qualys Subscription and Modules required

Check that you have these modules available in your subscription:

- CloudView
- Vulnerability Management (only if you want to view host vulnerability information)
- AssetView
- Cloud Agents for VM
- Administration

If you need access to a module, please contact your Qualys Technical Account Manager (TAM).

Concepts and Terminologies

Get familiar with common terms used in CloudView.

Policy: A set of configuration checks that will assess different resources collected from your cloud account.

Control: A configuration check. Each check applies to a specific service/resource. Here are some examples:
- MFA should be enabled for console user - applies to AWS IAM Service and IAM User Resource
- Password policy should have upper case letter enforced - applies to AWS IAM Service
- Security group should not allow inbound access on port 22 from - applies to EC2/VPC services and Security Group Resource

Service: A service is the high-level grouping by functional area. Each service consists of different entities or resources.

Resource: A resource is an entity that you can work with. Examples include an Amazon EC2 instance, IAM user, Security Group.

Control Passed: Each control is applicable to a specific resource type. For each control, applicable resources are collected. The control checks whether the particular attribute of a resource is configured as per best practices. The control is passed when the attribute that the control is checking is found configured as per the desired configuration for all the applicable resources collected.

Control Failed: A control is considered failed when an attribute of the control being checked is not configured as per the desired configuration for any of the applicable resources collected.

Resource Passed: A resource is considered passed for a control if its attribute is configured as per the desired configuration in the control.

Resource Failed: A resource is considered failed for a control if its attribute is not configured as per the desired configuration in the control.

Get Started

Just set up a connector for your cloud environment and that's it! We'll start discovering resources that are present in your cloud account. You can create AWS, Azure and GCP connectors. We'll walk you through the steps.

AWS

Configure AWS connectors for gathering resource information from your AWS account. It just takes a couple of minutes.

Base Account

The AWS connectors use Qualys accounts to query the AWS APIs. If you do not wish to use the Qualys accounts, you can use the base account feature to use your own AWS account for AWS API queries from CloudView. You need to configure your AWS account ID and user credential for each base account type. For more information, refer to Base Account.

Steps to Create AWS Connector

Go to the Configuration > Amazon Web Services tab and click Create Connector.

Provide a name and description (optional) for your connector.

Select an account type for your connector: Global, US GovCloud or China. You can choose only one account type per connector.

Note: If you plan to use the connector for the China account type, ensure that you set up a base account. For more information, refer to Base Account.

