Prerequisites
Before you begin, ensure you have the following:
QOP Account Deployed
Qrie engineers have set up your dedicated QOP (Qrie On-Premises) account with UI access
AWS Account IDs
12-digit AWS account IDs for accounts you want to monitor
Step 1
Generate Initial Inventory
Inventory is the foundation - policies need resources to evaluate
Important
Do nothing else until inventory generation completes. This is a bootstrap scan that establishes your baseline.
Add accounts via the Management UI:
1.Navigate to Management page
2.Click Add Accounts (at bottom of accounts list)
3.Paste one or more AWS account IDs (one per line)
4.Accounts are added with "Pending" status
5.Click info button (ℹ️) next to pending account for bootstrap instructions
6.Deploy CloudFormation stack in customer account (2 clicks via Quick Launch)
7.Click refresh button (↻) to verify bootstrap and fetch account metadata
8.Inventory scan starts automatically once bootstrap is verified
What happens:
- •Scans all supported services (S3, EC2, IAM) across all your AWS accounts
- •Stores resource configurations in the qrie_resources DynamoDB table
- •This is a bootstrap scan - drift metrics are NOT updated
Expected Duration
5-15 minutes depending on resource count
Step 2
Check Inventory Completion
Verify that inventory generation has finished successfully
Method 1: Dashboard
Navigate to the Dashboard and check:
- •Resources count should be greater than 0
- •Last Inventory Scan timestamp should be recent
Method 2: Inventory Page
Visit the Inventory page to see all discovered resources
Method 3: Command Line
aws dynamodb scan --table-name qrie_resources --select COUNT --region us-east-1 --profile qopStep 3
Launch Your First Policies
Once inventory is complete, you can start launching policies
Navigate to the Management page to:
- •Browse available policies by category (IAM, S3, EC2, etc.)
- •Click "Launch" on policies you want to activate
- •Configure scope (which accounts to monitor)
- •Optionally customize severity and remediation steps
Automatic Bootstrap Scan
When you launch a policy, qrie automatically triggers a bootstrap scan to evaluate all resources against that policy. This creates your initial findings baseline. Deleting a policy removes it and purges all associated findings.
Troubleshooting
Common issues and solutions
No resources found after inventory scan
Check:
- • CloudFormation stack deployed successfully in customer account
- • EventBridge rules are correctly forwarding events to QOP account
- • IAM role QrieReadOnly-{AccountId} exists with SecurityAudit policy
- • Account shows "Active" status in Management page (click refresh button if pending)
Inventory scan takes too long
Large AWS environments (1000+ resources) may take 15-20 minutes. This is normal. You can monitor progress in CloudWatch logs for the qrie_inventory_generator Lambda.
Permission errors during scan
Ensure the Lambda execution role has cross-account assume role permissions and the customer account IAM roles trust the QOP account.