nelssec/qualys-registry-sensor-cft

Qualys Container Security Registry Sensor - Multi-Cloud Deployment

Deploy Qualys Container Security Registry Sensor across AWS, Azure, and GCP with Terraform.

Overview

Terraform configurations for deploying Qualys Container Security Registry Sensor on:

  • AWS ECS: EC2-based ECS cluster with optional VPC creation
  • AWS EKS: Managed Kubernetes with EC2 node groups
  • Azure AKS: Managed Kubernetes with Azure Container Registry
  • GCP GKE: Managed Kubernetes with Google Container Registry

Quick Start

Interactive Deployment (Recommended)

./deploy.sh

This wizard will:

  • Check prerequisites
  • Prompt for Qualys credentials
  • Configure cloud-specific settings
  • Deploy infrastructure and sensor

Using Make Commands

make help              # Show all commands
make deploy-aws        # Deploy to AWS ECS
make deploy-aws-eks    # Deploy to AWS EKS
make deploy-azure      # Deploy to Azure AKS
make deploy-gcp        # Deploy to GCP GKE

AWS ECS Deployment

Terraform configuration for ECS cluster on EC2 instances with optional VPC creation.

Prerequisites

  • AWS CLI configured with appropriate credentials
  • Terraform >= 1.0
  • Private ECR repository with Qualys container image

Configuration

Copy and edit the example configuration:

cp aws/terraform.tfvars.example aws/terraform.tfvars

Edit aws/terraform.tfvars:

region           = "us-east-1"
cluster_name     = "qualys-registry-cluster"
instance_type    = "t3.medium"
desired_capacity = 2

create_vpc = true

qualys_image         = "123456789012.dkr.ecr.us-east-1.amazonaws.com/qualys/qcs-sensor:latest"
qualys_activation_id = "YOUR_ACTIVATION_ID"
qualys_customer_id   = "YOUR_CUSTOMER_ID"
qualys_pod_url       = "https://qualysapi.qualys.com"

To use an existing VPC instead, set create_vpc = false and provide vpc_id and subnet_ids.

Deploy

# Using Make (recommended)
make deploy-aws

# Or manually
cd aws
terraform init
terraform plan
terraform apply

Architecture

With create_vpc=true:

  • VPC: 172.20.250.0/24
  • 2x Public subnets with NAT gateways
  • 2x Private subnets for ECS instances
  • Auto-scaling group with EC2 instances
  • One Qualys Container Security Registry Sensor task per instance

With create_vpc=false:

  • Uses existing VPC and subnets
  • Requires outbound connectivity (NAT gateway or equivalent) so the instances can pull the image from ECR and the sensor can reach the Qualys platform

Outputs

terraform output cluster_name
terraform output cluster_arn
terraform output task_definition_arn

AWS EKS Deployment

Terraform configuration for EKS cluster with managed node groups and optional VPC creation.

Prerequisites

  • AWS CLI configured with appropriate credentials
  • Terraform >= 1.0
  • kubectl
  • Private ECR repository with Qualys container image

Configuration

Copy and edit the example configuration:

cp aws-eks/terraform.tfvars.example aws-eks/terraform.tfvars

Edit aws-eks/terraform.tfvars:

region           = "us-east-1"
cluster_name     = "qualys-registry-cluster"
instance_type    = "t3.medium"
desired_capacity = 2

create_vpc = true

qualys_image         = "123456789012.dkr.ecr.us-east-1.amazonaws.com/qualys/qcs-sensor:latest"
qualys_activation_id = "YOUR_ACTIVATION_ID"
qualys_customer_id   = "YOUR_CUSTOMER_ID"
qualys_pod_url       = "https://qualysapi.qualys.com"

Deploy

# Using Make (recommended) - deploys infra + k8s resources
make deploy-aws-eks

# Or manually
cd aws-eks
terraform init
terraform plan
terraform apply

Configure kubectl

aws eks update-kubeconfig --name qualys-registry-cluster --region us-east-1

Deploy Registry Sensor DaemonSet

The DaemonSet reads the qualys-credentials Secret in the qualys-sensor namespace; if make deploy-aws-eks did not create them, apply kubernetes/qualys-namespace-secret.yaml first, as in the Azure and GCP sections. Then update the image in kubernetes/qualys-daemonset.yaml with your ECR location and apply it (paths are relative to the repository root; use ../kubernetes/ from inside aws-eks, as the Azure and GCP sections do):

kubectl apply -f kubernetes/qualys-daemonset.yaml
kubectl get pods -n qualys-sensor

Architecture

  • EKS cluster with managed node groups (auto-scaling 1-10 nodes)
  • VPC: 172.20.0.0/16 with public and private subnets
  • NAT gateways for outbound internet access
  • OIDC provider for IAM Roles for Service Accounts
  • KMS envelope encryption for Kubernetes Secrets (protects qualys-credentials at rest in etcd)
  • DaemonSet deployment (one Registry Sensor pod per node)

Outputs

terraform output cluster_name
terraform output cluster_endpoint
terraform output get_credentials_command

Azure AKS Deployment

Terraform configuration for AKS cluster with managed node pools and optional ACR.

Prerequisites

  • Azure CLI configured with valid subscription
  • Terraform >= 1.0
  • kubectl

Configuration

Copy and edit the example configuration:

cp azure/terraform.tfvars.example azure/terraform.tfvars

Edit azure/terraform.tfvars:

resource_group_name = "qualys-registry-sensor-rg"
location            = "eastus"
cluster_name        = "qualys-registry-cluster"
node_count          = 2
node_vm_size        = "Standard_B2s"

create_acr = true

qualys_activation_id = "YOUR_ACTIVATION_ID"
qualys_customer_id   = "YOUR_CUSTOMER_ID"
qualys_pod_url       = "https://qualysapi.qualys.com"

Deploy

# Using Make (recommended) - deploys infra + k8s resources
make deploy-azure

# Or manually
cd azure
terraform init
terraform plan
terraform apply

Configure kubectl

az aks get-credentials \
  --resource-group qualys-registry-sensor-rg \
  --name qualys-registry-cluster

Create Namespace and Secrets

Edit kubernetes/qualys-namespace-secret.yaml with your credentials, then:

kubectl apply -f ../kubernetes/qualys-namespace-secret.yaml

Deploy Registry Sensor DaemonSet

Update image in kubernetes/qualys-daemonset.yaml with your ACR location, then:

kubectl apply -f ../kubernetes/qualys-daemonset.yaml
kubectl get pods -n qualys-sensor

Architecture

  • AKS cluster with auto-scaling node pools (1-10 nodes)
  • VNet: 10.1.0.0/16 with dedicated subnet
  • Azure Container Registry for Qualys Container Security Registry Sensor images
  • Log Analytics workspace for monitoring
  • DaemonSet deployment (one Registry Sensor pod per node)

Outputs

terraform output aks_cluster_name
terraform output acr_login_server
terraform output get_credentials_command

GCP GKE Deployment

Terraform configuration for GKE regional cluster with multi-zone node pools.

Prerequisites

  • Google Cloud SDK configured with valid project
  • Terraform >= 1.0
  • kubectl

Configuration

Copy and edit the example configuration:

cp gcp/terraform.tfvars.example gcp/terraform.tfvars

Edit gcp/terraform.tfvars:

project_id   = "your-gcp-project-id"
region       = "us-central1"
cluster_name = "qualys-registry-cluster"
node_count   = 1
machine_type = "e2-medium"

create_gcr = true

qualys_activation_id = "YOUR_ACTIVATION_ID"
qualys_customer_id   = "YOUR_CUSTOMER_ID"
qualys_pod_url       = "https://qualysapi.qualys.com"

Authenticate

gcloud auth login
gcloud auth application-default login
gcloud config set project YOUR_PROJECT_ID

Deploy

# Using Make (recommended) - deploys infra + k8s resources
make deploy-gcp

# Or manually
cd gcp
terraform init
terraform plan
terraform apply

Configure kubectl

gcloud container clusters get-credentials qualys-registry-cluster \
  --region us-central1 \
  --project YOUR_PROJECT_ID

Create Namespace and Secrets

Edit kubernetes/qualys-namespace-secret.yaml with your credentials, then:

kubectl apply -f ../kubernetes/qualys-namespace-secret.yaml

Deploy Registry Sensor DaemonSet

Update image in kubernetes/qualys-daemonset.yaml with your GCR location, then:

kubectl apply -f ../kubernetes/qualys-daemonset.yaml
kubectl get pods -n qualys-sensor

Architecture

  • Regional GKE cluster with multi-zone node pools
  • Custom VPC with dedicated subnet ranges
  • Google Container Registry for Qualys Container Security Registry Sensor images
  • Cloud Monitoring and Logging integration
  • Workload Identity enabled
  • DaemonSet deployment (one Registry Sensor pod per node)

Outputs

terraform output cluster_name
terraform output cluster_endpoint
terraform output get_credentials_command

Common Operations

View Registry Sensor Logs

# Using Make
make logs-aws      # AWS ECS
make logs-aws-eks  # AWS EKS
make logs-azure    # Azure
make logs-gcp      # GCP

# Or manually (Kubernetes)
kubectl logs -n qualys-sensor -l app=qualys-container-sensor --tail=100
kubectl logs -n qualys-sensor <pod-name> -f

Check Status

make status-aws        # AWS ECS
make status-aws-eks    # AWS EKS
make status-azure      # Azure
make status-gcp        # GCP

Update Registry Sensor Image

kubectl set image daemonset/qualys-container-sensor \
  qualys-container-sensor=<new-image> \
  -n qualys-sensor
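A guard for the image update above, as an added example that is not part of this repository: it splits an image reference into registry host, repository path, tag and digest, refuses references that are not in one of the private registries these templates use (ECR, ACR, GCR/Artifact Registry) or that are not pinned by a sha256 digest, and only then runs the kubectl set image from the README and waits for the rollout. The registry allowlist is this example's assumption; the digest for a tag in ECR can be looked up with aws ecr describe-images --repository-name qualys/qcs-sensor --image-ids imageTag=<tag> (field imageDigest).

```sh
#!/bin/sh
# Added example (not repository code): validate a Registry Sensor image
# reference before rolling it out to the DaemonSet.
set -e

# Split an image reference into "host path tag digest" (one per line).
# Examples:
#   123456789012.dkr.ecr.us-east-1.amazonaws.com/qualys/qcs-sensor:latest
#   myacr.azurecr.io/qualys/qcs-sensor@sha256:<64 hex>
parse_image_ref() {
  ref=$1; tag=""; digest=""
  case $ref in *@sha256:*) digest=${ref#*@}; ref=${ref%@*};; esac
  last=${ref##*/}                       # last path component may carry the tag
  case $last in *:*) tag=${last##*:}; ref=${ref%:*};; esac
  first=${ref%%/*}
  case $first in
    *.*|*:*|localhost) host=$first; path=${ref#*/};;
    *)                 host=docker.io; path=$ref;;   # implicit Docker Hub
  esac
  printf '%s\n%s\n%s\n%s\n' "$host" "$path" "$tag" "$digest"
}

# Private registries used by this README (assumption: extend for your org).
is_private_registry() {
  case $1 in
    *.dkr.ecr.*.amazonaws.com)        return 0;;   # AWS ECR
    *.azurecr.io)                     return 0;;   # Azure Container Registry
    gcr.io|*.gcr.io|*-docker.pkg.dev) return 0;;   # GCR / Artifact Registry
    *)                                return 1;;
  esac
}

# A digest must be sha256 followed by exactly 64 hex characters.
is_sha256_digest() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Policy: the image must live in a private registry and be pinned by digest;
# a mutable tag such as :latest can change underneath the DaemonSet.
check_sensor_image_ref() {
  parsed=$(parse_image_ref "$1")
  host=$(printf '%s\n' "$parsed" | sed -n 1p)
  digest=$(printf '%s\n' "$parsed" | sed -n 4p)
  is_private_registry "$host" || { echo "refusing $1: $host is not a private registry" >&2; return 1; }
  is_sha256_digest "$digest"  || { echo "refusing $1: not pinned by a sha256 digest" >&2; return 1; }
}

# Roll out the new image only after the policy check, then wait for the
# DaemonSet (names from the README: namespace qualys-sensor, DaemonSet and
# container qualys-container-sensor).
update_sensor_image() {
  check_sensor_image_ref "$1"
  kubectl set image daemonset/qualys-container-sensor \
    qualys-container-sensor="$1" -n qualys-sensor
  kubectl rollout status daemonset/qualys-container-sensor -n qualys-sensor --timeout=5m
}

# Usage: SENSOR_IMAGE='<registry>/qualys/qcs-sensor@sha256:<digest>' sh update-image.sh
[ -z "${SENSOR_IMAGE:-}" ] || update_sensor_image "$SENSOR_IMAGE"
```

The parser treats the first path component as a registry host only when it contains a dot or a port, the same rule container runtimes use, so a bare name like nginx:1.25 is resolved to docker.io and rejected by the policy.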

Verify DaemonSet

kubectl describe daemonset qualys-container-sensor -n qualys-sensor
kubectl get secret qualys-credentials -n qualys-sensor

Security Considerations

Credentials:

  • Store Qualys credentials in a secrets manager (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) and inject them at deploy time; Terraform reads TF_VAR_<name> environment variables (for example TF_VAR_qualys_activation_id), so terraform.tfvars need not contain them at all
  • Never commit credentials to version control: that includes an edited terraform.tfvars and an edited kubernetes/qualys-namespace-secret.yaml
  • Values Terraform passes to resources are recorded in the state file, so keep state in an encrypted remote backend with restricted access
  • Rotate credentials regularly
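The credential handling above, as an added example that is not part of this repository: a POSIX sh helper that takes the activation ID, customer ID and platform URL from environment variables (populated from a secrets manager rather than typed into a file), validates them, exports them as TF_VAR_* so terraform.tfvars stays free of secrets, and renders the qualys-sensor namespace plus the qualys-credentials Secret for the "Create Namespace and Secrets" step of the EKS, AKS and GKE sections without editing kubernetes/qualys-namespace-secret.yaml on disk. The Secret key names (activation_id, customer_id, pod_url) and the UUID format check are this example's assumptions; align the keys with what kubernetes/qualys-daemonset.yaml expects.

```sh
#!/bin/sh
# Added example (not repository code). Render the Qualys sensor Secret from
# environment variables instead of editing a YAML file that could be committed.
# Assumed Secret key names: activation_id, customer_id, pod_url.
set -e

# Activation and customer IDs are UUIDs in the Qualys console (assumption:
# adjust the pattern if yours differ). This also rejects the
# YOUR_ACTIVATION_ID placeholders from terraform.tfvars.example.
is_uuid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# The platform URL must be https; the sensor only ever talks to it outbound.
is_https_url() {
  case $1 in https://*.*) return 0;; *) return 1;; esac
}

# Validate the three values; print a reason to stderr and return 1 on failure.
validate_qualys_creds() {
  is_uuid "$1"      || { echo "activation id is not a UUID" >&2; return 1; }
  is_uuid "$2"      || { echo "customer id is not a UUID" >&2; return 1; }
  is_https_url "$3" || { echo "pod url must be https://..." >&2; return 1; }
}

# Base64 without line wrapping (GNU base64 wraps at 76 columns by default).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Render Namespace + Secret as one manifest on stdout. Nothing is written to
# disk, so there is no credential-bearing file to commit by accident.
render_qualys_secret_manifest() {
  ns=$1; act=$2; cust=$3; url=$4
  validate_qualys_creds "$act" "$cust" "$url" || return 1
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $ns
---
apiVersion: v1
kind: Secret
metadata:
  name: qualys-credentials
  namespace: $ns
type: Opaque
data:
  activation_id: $(b64 "$act")
  customer_id: $(b64 "$cust")
  pod_url: $(b64 "$url")
EOF
}

# Entry point: runs only when the variables are set, e.g. on AWS
#   export QUALYS_ACTIVATION_ID=$(aws secretsmanager get-secret-value \
#       --secret-id qualys/activation-id --query SecretString --output text)
# (secret-id is an assumed name). Exporting TF_VAR_* lets terraform.tfvars
# omit the qualys_* credential lines entirely.
if [ -n "${QUALYS_ACTIVATION_ID:-}" ]; then
  export TF_VAR_qualys_activation_id="$QUALYS_ACTIVATION_ID"
  export TF_VAR_qualys_customer_id="${QUALYS_CUSTOMER_ID:?set QUALYS_CUSTOMER_ID}"
  export TF_VAR_qualys_pod_url="${QUALYS_POD_URL:-https://qualysapi.qualys.com}"
  render_qualys_secret_manifest qualys-sensor \
    "$QUALYS_ACTIVATION_ID" "$QUALYS_CUSTOMER_ID" "$TF_VAR_qualys_pod_url" \
    | kubectl apply -f -
fi
```

Source the script (". ./qualys-creds.sh") in the same shell that then runs terraform apply, so the exported TF_VAR_* values are visible to Terraform; the kubectl apply at the end replaces the "kubectl apply -f ../kubernetes/qualys-namespace-secret.yaml" step.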

Network:

  • The Registry Sensor needs outbound HTTPS to the Qualys platform URL given in qualys_pod_url and to the registries it scans; it needs no inbound access
  • Run it in private subnets behind a NAT gateway
  • Restrict security groups and firewall rules to that outbound traffic

Permissions:

  • The Registry Sensor runs with elevated capabilities for container scanning; the settings it requests are in kubernetes/qualys-daemonset.yaml
  • Review those permissions before deployment and keep the sensor's namespace (qualys-sensor) and service account separate from application workloads
  • Follow the principle of least privilege
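One way to make "review required permissions" a concrete step, as an added example that is not part of this repository: a POSIX sh check that lists every line in a DaemonSet manifest that widens a pod's privileges (privileged mode, host PID/network/IPC namespaces, hostPath volumes, sensitive capabilities), counts them, and fails unless the count matches the number a reviewer has accepted, so any setting added later fails the gate again. The sample manifest it writes is constructed for the example; it is not the repository's kubernetes/qualys-daemonset.yaml, and which settings the sensor genuinely needs is a question for the Qualys documentation.

```sh
#!/bin/sh
# Added example (not repository code): inventory the elevated settings a
# DaemonSet manifest requests and gate deployment on an accepted count.
set -e

# Settings that widen a pod's privileges beyond a plain container.
ELEVATED_RE='privileged: *true|hostPID: *true|hostNetwork: *true|hostIPC: *true|allowPrivilegeEscalation: *true|hostPath:|SYS_ADMIN|NET_ADMIN|SYS_PTRACE'

# Print matching lines with line numbers; empty output when there are none.
list_elevated_settings() {
  grep -nE "$ELEVATED_RE" "$1" || true
}

# Number of elevated settings found in the manifest.
count_elevated_settings() {
  list_elevated_settings "$1" | wc -l | tr -d ' '
}

# Gate: check_daemonset_privileges FILE [ACCEPTED]
# Fails (return 1) unless the manifest requests exactly ACCEPTED elevated
# settings (default 0). Record the reviewed count in CI so new settings
# cannot slip in with an image or manifest update.
check_daemonset_privileges() {
  n=$(count_elevated_settings "$1")
  accepted=${2:-0}
  if [ "$n" -ne "$accepted" ]; then
    echo "$1 requests $n elevated setting(s), $accepted accepted:" >&2
    list_elevated_settings "$1" >&2
    return 1
  fi
}

# Constructed sample manifest (not the repository's DaemonSet) showing the
# shape of settings a container-scanning sensor typically asks for.
write_sample_daemonset() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: qualys-container-sensor
  namespace: qualys-sensor
spec:
  template:
    spec:
      hostPID: true
      containers:
      - name: qualys-container-sensor
        securityContext:
          privileged: true
          capabilities:
            add: ["SYS_ADMIN"]
        volumeMounts:
        - name: socket
          mountPath: /var/run/docker.sock
      volumes:
      - name: socket
        hostPath:
          path: /var/run/docker.sock
EOF
}

# Usage: DAEMONSET_MANIFEST=kubernetes/qualys-daemonset.yaml ACCEPTED=4 sh review.sh
[ -z "${DAEMONSET_MANIFEST:-}" ] || check_daemonset_privileges "$DAEMONSET_MANIFEST" "${ACCEPTED:-0}"
```

Run it against kubernetes/qualys-daemonset.yaml before the first kubectl apply, read the listed lines, and commit the accepted count alongside the manifest; a later change to the DaemonSet then has to re-justify its privileges explicitly.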

Images:

  • Store Registry Sensor images in private registries (the ECR, ACR and GCR repositories these templates use)
  • Pin the image by digest (repository@sha256:...) rather than a mutable tag such as the :latest used in the tfvars examples, and update it deliberately
  • Scan the sensor image itself for vulnerabilities before rolling it out

Cleanup

# Using Make
make destroy-aws
make destroy-aws-eks
make destroy-azure
make destroy-gcp

# Or manually
cd <cloud> && terraform destroy

Support

For issues related to:

  • Qualys Container Security Registry Sensor: Contact Qualys Support
  • Deployment Templates: Open an issue in this repository
  • Cloud Providers: Consult respective cloud provider documentation

About

qualys-registry-sensor-deployment-ECS