At RSA Conference 2013 in San Francisco, Qualys announced powerful new vulnerability management capabilities for Amazon EC2 and VPC customers using a QualysGuard connector leveraging Amazon APIs.


The QualysGuard connector for Amazon automates the discovery and tracking of assets in Amazon EC2 and VPC environments, allows them to be automatically scanned for vulnerabilities, and provides reports giving customers visibility and control of security and compliance in their cloud environments.

The QualysGuard connector for Amazon provides automated discovery and tracking of Amazon-hosted assets by detecting and synchronizing changes to customers’ virtual machine instance inventories. The instances can be tracked over time, even as their IP addresses change, and are scanned for vulnerabilities using QualysGuard Virtual Scanner Appliances deployed on Amazon EC2 or VPC.

This allows security personnel to automate vulnerability assessments using QualysGuard workflows. For example, assets can be scanned automatically after first discovery, on a regular calendar schedule, at intervals based upon each instance’s uptime, selectively based upon particular attributes of each instance, or some combination of factors.

This new set of capabilities announced by Qualys includes:

• Native Amazon API connectors, which can be configured to connect QualysGuard to one or more Amazon accounts to synchronize asset inventories from all EC2 Regions and VPCs. Important instance attributes and contextual metadata are collected and updated as they change over time. Dynamic Asset Tags, which can drive or influence policies and reporting throughout QualysGuard, may be automatically assigned to assets as part of the import process. Attributes and contextual metadata about Amazon instances are also captured and available as data points to inform further Dynamic Asset Tagging within QualysGuard.
• Vulnerability scanning, pre-authorized by Amazon. In collaboration with Amazon, Qualys has built safeguards into a new EC2 Scanning capability within QualysGuard that ensures that scanning will not inadvertently target other Amazon customers’ instances and that all Amazon policies for vulnerability scanning are adhered to. Based upon this, customers may scan at their convenience, as EC2 Scanning using QualysGuard has been pre-authorized by Amazon, negating the need to obtain explicit permission from Amazon before proceeding with scanning as is typically required.
• Enhancements to the QualysGuard Virtual Scanner Appliance AMI (Amazon Machine Image), available to customers at Amazon’s AWS Marketplace. Qualys now has a scanner release in AWS Marketplace designated as “Pre-Authorized” for use with the EC2 Scanning capability within QualysGuard that leverages the Amazon API connection.

“Organizations moving assets to cloud environments are lacking the tools to effectively manage security and assess their compliance posture,” said Philippe Courtot, chairman and CEO for Qualys. “Now, working with Amazon and leveraging their open APIs, we are able to provide our customers with a comprehensive solution to address their security and compliance within Amazon’s cloud environments.”

These features are currently available to Qualys customers as part of their QualysGuard subscriptions. Annual QualysGuard subscriptions start at $2,495 per year for 32 IP addresses. At least one QualysGuard Virtual Scanner Appliance license at $995 per year is required for internal network scanning functionality on Amazon. For more information, visit Amazon AWS.