Qualys CloudView version 1.23 includes important changes to the way CloudView connectors are configured. It also introduces a new place for AssetView connectors and role-based access control (RBAC) for CloudView Reports.
Unified Configuration for Cloud Connectors
Currently, cloud connectors can be configured in two places:
- AssetView: to enable collection of asset inventory and vulnerability scans on those assets
- CloudView: to collect cloud resource inventory and detect/remediate resource misconfigurations
In the CloudView Release 1.23 and Portal 188.8.131.52 releases, we are launching one centralized place for you to create the connectors needed for AssetView and CloudView: a new application named “Connectors”. The “Connectors” application will be listed under the “Sensor Management” section of the module picker.
What happens to my existing connectors?
- Automatic Migration of Existing AssetView Connectors
  - Clicking the AssetView connector tab now takes you to the new “Connectors” application.
  - All your existing AssetView connectors are automatically migrated and displayed in the new application.
  - You do not need to do anything for existing AssetView connectors.
- Existing CloudView Connectors
  - Changes to the CloudView connector configuration are not allowed until you merge the CloudView connectors into the “Connectors” application. Merge the CloudView connectors into the “Connectors” application using the merge utility. After the merge, you can update the connectors in the new “Connectors” application.
  - The CloudView connector groups will be automatically migrated to Qualys tags. Refer to the “CloudView Groups to Qualys Tags” section for more details.
  - If CloudView and AssetView use different base accounts, you must merge the base accounts into the one of your choice. From then on, all existing AssetView and CloudView connectors, and any new connectors, will use the merged base account.
- New Cloud Connectors
  - After this release, new connectors can only be created using the “Connectors” application.
  - Selecting Modules: You can choose the AssetView and CloudView modules for the connector. The selection also shows the remaining CloudView connectors that you can deploy, per your purchased quantity.
  - Choosing Roles: You can provide the roles for each of the selected applications in Authentication details.
  - Assigning Tags: You can also assign Qualys tags to the connector for the selected applications. You may apply no tags, or more than one tag.
- Configuring Polling Frequency for Asset Inventory
  - Currently, the default polling frequency for AssetView connectors is every 4 hours.
  - With the common configuration of connectors for AssetView and CloudView, you can now set the polling frequency to any value between 1 hour and 24 hours.
  - The configured polling frequency then applies to both applications.
- Role-based Access for Connectors
  - We have renamed the Asset Management permission “Manage Asset Data Connectors” to “Manage Connectors”.
  - This permission will be used to give sub-users access to perform the respective actions in the “Connectors” application.
CloudView Groups to Qualys Tags
All existing CloudView groups that are assigned to CloudView connectors will be migrated to Qualys tags. Sub-users who had a connector group assignment will be assigned the equivalent tag during the migration process. There is no impact on Manager users.
- The “Assign Tag” option is introduced instead of “Assign Group” for Connector Actions. The tags allocated to a connector will be displayed in the TAGS column.
- The current allocation of cloud accounts to sub-users made in “Access Management” will be converted to Qualys tags, and those tags will be allocated to the respective sub-users who had a direct account allocated.
- Region assignments made to sub-users under “Access Management” will not be available once groups are migrated to tags.
- The “Access Management” tab under CloudView Connectors will be removed.
Scenarios for Sub-users
Sub-user with no groups allocated
This set of users can see all the CloudView connectors, collected inventory and cloud assessment today. We plan to add the CLV_ALL tag to all the connectors and to these sub-users so that they continue to get the same visibility after migration.
Sub-user with direct cloud account allocated (and no region allocated for AWS)
This set of users will be assigned the respective cloud connector tag based on their direct cloud account allocation in “Access Management” and can view only the cloud inventory and assessment of the account tags assigned.
Sub-user with direct account allocated for AWS with a specified region allocated
This set of users can only view the cloud inventory and assessment of the allocated account tags. The assigned region is ignored. As a result, they will get access to all regions, as in the previous scenario.
To support the region-specific use case, create dynamic tags.
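The three sub-user scenarios above, modelled as an added example (not Qualys code): it computes the tags each sub-user ends up with and flags those whose AWS region restriction is dropped by the migration. The record layout and the `acct:<id>` tag naming are assumptions; only `CLV_ALL` comes from the release notes.

```python
# Added example: models the group-to-tag migration rules described above.
# The SubUser layout and "acct:<id>" tag names are hypothetical; CLV_ALL is
# the only tag name taken from the release notes.
from dataclasses import dataclass, field


@dataclass
class SubUser:
    name: str
    accounts: list = field(default_factory=list)  # direct cloud account allocations
    regions: dict = field(default_factory=dict)   # account id -> allowed AWS regions


def migrate(user):
    """Return (tags, lost_regions) for one sub-user after migration."""
    if not user.accounts:
        # Scenario 1: nothing allocated, so the user keeps full visibility via CLV_ALL.
        return ["CLV_ALL"], {}
    # Scenarios 2 and 3: one tag per directly allocated account.
    tags = [f"acct:{a}" for a in user.accounts]
    # Scenario 3: region assignments are ignored; record what is dropped.
    lost = {a: r for a, r in user.regions.items() if a in user.accounts and r}
    return tags, lost


def audit(users):
    """List (user, account, regions) where a region limit disappears on migration."""
    findings = []
    for u in users:
        _, lost = migrate(u)
        for account, regions in sorted(lost.items()):
            findings.append((u.name, account, sorted(regions)))
    return findings


# Constructed sample data (not real users or accounts).
USERS = [
    SubUser("alice"),
    SubUser("bob", accounts=["111111111111"]),
    SubUser("carol", accounts=["222222222222"],
            regions={"222222222222": ["us-east-1"]}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, migrate(u)[0])
    for name, account, regions in audit(USERS):
        print(f"REVIEW {name}: account {account} was limited to {regions}; "
              "all regions become visible. Consider a dynamic tag.")
```

Each finding is a sub-user whose effective visibility widens after the merge and who is a candidate for a region-scoped dynamic tag.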
RBAC for CloudView Report
With the CloudView 1.23 release, we also introduce granular permissions for reports, using the global reporting permissions available in the Qualys Cloud Platform.
When introducing the permissions, we will pre-allocate the same set of permissions to existing sub-users based on their current CloudView permissions. Going forward, if you want sub-users to create, edit, delete, or read reports, you can use the newly introduced permissions.
We have also introduced two new global roles: “Reporting Manager” and “Reporting Reader”. These roles are used by multiple Qualys applications. The role “CloudView – only Reports” is specific to CloudView and will help you use Global Permissions/Roles.
You must use reporting global roles in conjunction with “CloudView – only Reports”.