Scanning in AWS EC2 Environments

Let us get familiar with a few terms in networking basics.

VPC: enables you to launch AWS resources into a virtual network that you have defined. This closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalability of AWS.

VPC Peering: a networking connection between two VPCs that enables you to route traffic between them.

Transit Gateway: A network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks.

Let us now look at the various scenarios for scanning in an AWS EC2 environment.

A Single scanner scans MULTIPLE instances in a VPC

Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups and internet gateways). AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.
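The outbound prerequisites stated above (a route to an internet gateway plus security-group egress on TCP/443 to the Qualys platform and the EC2 and STS endpoints) can be checked before a scanner is launched. The following is an added example, not Qualys code or part of the original page: it reads security-group and route-table records in the shape returned by the EC2 describe-security-groups and describe-route-tables APIs and reports what is missing. The endpoint addresses are placeholders from the TEST-NET ranges, and all sample records are constructed; only IPv4 ranges are evaluated.

```python
"""Verify a scanner appliance's outbound prerequisites: a default route to an
internet gateway and a security group that allows TCP/443 egress to the
Qualys platform and the AWS EC2 and STS endpoints.

Hypothetical helper (not Qualys code). Input dicts follow the shape of the
EC2 describe-security-groups and describe-route-tables responses; all data
below is constructed. Only IPv4 ranges are evaluated.
"""
import ipaddress

# Placeholder endpoint addresses (TEST-NET ranges); substitute the real
# Qualys platform and regional EC2/STS endpoint addresses for your deployment.
ENDPOINTS = {
    "qualys-platform": "203.0.113.10",
    "ec2": "198.51.100.20",
    "sts": "198.51.100.30",
}

# Constructed security groups: HTTPS only to a private range (too narrow),
# HTTPS to anywhere, and all traffic to anywhere.
SG_NARROW = {"GroupId": "sg-0000narrow", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
SG_HTTPS = {"GroupId": "sg-0000https", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_ALL = {"GroupId": "sg-0000all", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

# Constructed route tables: one with a default route through an internet
# gateway, one that only has the local VPC route.
RT_PUBLIC = {"RouteTableId": "rtb-0000pub", "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000abcd"}]}
RT_PRIVATE = {"RouteTableId": "rtb-0000priv", "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}]}


def _rule_covers_port(rule, port):
    """True if an egress rule's protocol/port range includes TCP `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allows_https_egress(sg, destination):
    """True if some egress rule permits TCP/443 to `destination` (IP or CIDR)."""
    dest = ipaddress.ip_network(destination, strict=False)
    for rule in sg.get("IpPermissionsEgress", []):
        if not _rule_covers_port(rule, 443):
            continue
        for ip_range in rule.get("IpRanges", []):
            allowed = ipaddress.ip_network(ip_range["CidrIp"])
            if allowed.version == dest.version and dest.subnet_of(allowed):
                return True
    return False


def has_internet_route(route_table):
    """True if the table carries a 0.0.0.0/0 route whose target is an internet gateway."""
    return any(
        route.get("DestinationCidrBlock") == "0.0.0.0/0"
        and route.get("GatewayId", "").startswith("igw-")
        for route in route_table.get("Routes", [])
    )


def scanner_prerequisites(sg, route_table, endpoints):
    """Return a list of findings; an empty list means the prerequisites are met."""
    findings = []
    if not has_internet_route(route_table):
        findings.append(f"{route_table['RouteTableId']}: no 0.0.0.0/0 route via an internet gateway")
    for name, address in endpoints.items():
        if not allows_https_egress(sg, address):
            findings.append(f"{sg['GroupId']}: no TCP/443 egress to {name} ({address})")
    return findings


if __name__ == "__main__":
    for sg, rt in ((SG_NARROW, RT_PRIVATE), (SG_HTTPS, RT_PUBLIC), (SG_ALL, RT_PUBLIC)):
        print(sg["GroupId"], rt["RouteTableId"], scanner_prerequisites(sg, rt, ENDPOINTS) or "OK")
```

The check deliberately accepts only an internet-gateway default route, which is the path this page describes; a scanner subnet that egresses through a NAT gateway instead would need the route check extended to that target type.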

Multiple scanners to scan MULTIPLE instances in a VPC

Depending on the number of instances and the scan frequency, multiple scanners might be required to scan MULTIPLE instances in a VPC. At least one scanner per VPC is required; you can add more based on requirements. Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints (via security groups and internet gateways).

AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.

A Single scanner scans MULTIPLE instances across the subnets within a VPC

Scanners can typically work across the subnets within a VPC, unless network restrictions have been introduced. Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups or internet gateways). AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.

A Single scanner scans MULTIPLE instances across Peered VPCs in a region

You can add more scanners based on requirements. Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups and internet gateways). AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.

Multiple scanners might be required to scan MULTIPLE instances across Peered VPCs

Depending on the number of instances and the scan frequency, multiple scanners might be required to scan MULTIPLE instances across peered VPCs in a region. You can add more based on requirements to ALLOW scanning across VPC boundaries. Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups and internet gateways).

AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.

The scanner cannot scan instances in non-peered VPCs

You can add more scanners based on requirements to ALLOW scanning across VPC boundaries. Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups and internet gateways). AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.

The scanner cannot scan instances in VPCs with overlapping IP addresses

A single scanner cannot scan instances in VPCs with overlapping IP addresses, because it can reach only one of the overlapping subnets. You can add more scanners based on requirements to ALLOW scanning across VPC boundaries. Note: Although VPC peering can be configured between VPC A and VPC C, because the subnets of B and C overlap, the scanner can reach only one of them, as determined by the route table.

Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups and internet gateways). AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.

Single Scanner Scans MULTIPLE Instances Across Peered VPCs in Different Regions

You can add more scanners based on requirements to ALLOW scanning across regions and VPC boundaries. Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups and internet gateways). AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro, and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.

AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro, and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.

Single Scanner Scans Multiple Instances Across VPCs in a Region Connected by Transit Gateway

Since a network transit hub interconnects virtual private clouds (VPCs), a single scanner can be used to scan multiple instances across VPCs in a region connected by a Transit Gateway. Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups and internet gateways).

AWS recommends excluding the following EC2 instance types (T3.nano, T2.nano, T1.micro and M1.small) from your security assessments to minimize potential disruption to your environment. Cloud agents are the preferred method for scanning them.
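The reachability rules spelled out in the peered-VPC, non-peered-VPC, overlapping-IP and Transit Gateway sections above, together with the instance-type exclusion list, can be turned into a placement planner that decides which instances a scanner in a given VPC can cover and which should be left to cloud agents. The following is an added example, not Qualys code or part of the original page. It assumes the model this page describes: a scanner reaches its own VPC, its directly peered VPCs (peering is not transitive, so non-peered VPCs stay unreachable), and every VPC attached to a Transit Gateway that its own VPC is also attached to; reachable VPCs with overlapping CIDRs are flagged rather than guessed, because only the route table decides which one wins. The VPC, peering, Transit Gateway and instance inventory are all constructed, and the `tgw-` id is a placeholder.

```python
"""Plan scanner coverage for EC2 instances from one scanner VPC.

Hypothetical planner (not Qualys code). Reachability model: the scanner's
own VPC, VPCs directly peered with it (peering is not transitive), and every
VPC attached to a transit gateway the scanner's VPC is also attached to.
Reachable VPCs whose CIDRs overlap are flagged because the route table can
point at only one of them. Instance types AWS asks to exclude are routed to
cloud agents. All inventory data below is constructed.
"""
import ipaddress

# Instance types to keep out of scanner-based assessments (from the guidance above).
EXCLUDED_TYPES = {"t3.nano", "t2.nano", "t1.micro", "m1.small"}

# Constructed VPC inventory: vpc-b and vpc-c overlap; vpc-d is not peered;
# vpc-e is a cross-region peer; vpc-f is reachable only through a transit gateway.
VPCS = {
    "vpc-a": {"cidr": "10.10.0.0/16", "region": "us-east-1"},
    "vpc-b": {"cidr": "10.20.0.0/16", "region": "us-east-1"},
    "vpc-c": {"cidr": "10.20.0.0/16", "region": "us-east-1"},
    "vpc-d": {"cidr": "10.40.0.0/16", "region": "us-east-1"},
    "vpc-e": {"cidr": "10.50.0.0/16", "region": "eu-west-1"},
    "vpc-f": {"cidr": "10.60.0.0/16", "region": "us-east-1"},
}
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-a", "vpc-c"), ("vpc-a", "vpc-e")]
TRANSIT_GATEWAYS = {"tgw-0000abcd": ["vpc-a", "vpc-f"]}   # placeholder id

INSTANCES = [
    {"InstanceId": "i-a1", "VpcId": "vpc-a", "InstanceType": "m5.large"},
    {"InstanceId": "i-a2", "VpcId": "vpc-a", "InstanceType": "t3.nano"},
    {"InstanceId": "i-b1", "VpcId": "vpc-b", "InstanceType": "c5.large"},
    {"InstanceId": "i-c1", "VpcId": "vpc-c", "InstanceType": "c5.large"},
    {"InstanceId": "i-d1", "VpcId": "vpc-d", "InstanceType": "m5.large"},
    {"InstanceId": "i-e1", "VpcId": "vpc-e", "InstanceType": "t2.nano"},
    {"InstanceId": "i-f1", "VpcId": "vpc-f", "InstanceType": "m5.large"},
]


def reachable_vpcs(scanner_vpc, peerings, transit_gateways):
    """VPCs (other than its own) that a scanner in `scanner_vpc` can route to."""
    reachable = set()
    for a, b in peerings:                      # direct peers only: not transitive
        if a == scanner_vpc:
            reachable.add(b)
        elif b == scanner_vpc:
            reachable.add(a)
    for members in transit_gateways.values():  # every attachment of a shared TGW
        if scanner_vpc in members:
            reachable.update(m for m in members if m != scanner_vpc)
    return reachable


def overlapping_vpcs(vpc_ids, vpcs):
    """Sorted pairs of VPCs whose CIDR blocks overlap."""
    ids = sorted(vpc_ids)
    pairs = []
    for i, x in enumerate(ids):
        for y in ids[i + 1:]:
            if ipaddress.ip_network(vpcs[x]["cidr"]).overlaps(ipaddress.ip_network(vpcs[y]["cidr"])):
                pairs.append((x, y))
    return pairs


def plan_scan(scanner_vpc, vpcs, peerings, transit_gateways, instances):
    """Bucket instances by how a scanner in `scanner_vpc` should treat them."""
    targets = reachable_vpcs(scanner_vpc, peerings, transit_gateways) | {scanner_vpc}
    # The scanner's own VPC always wins via the local route, so only the other
    # side of an overlap is a conflict.
    conflicted = {v for pair in overlapping_vpcs(targets, vpcs) for v in pair if v != scanner_vpc}
    plan = {"scan": [], "agent": [], "unreachable": [], "route_conflict": []}
    for inst in instances:
        if inst["InstanceType"].lower() in EXCLUDED_TYPES:
            plan["agent"].append(inst["InstanceId"])
        elif inst["VpcId"] not in targets:
            plan["unreachable"].append(inst["InstanceId"])
        elif inst["VpcId"] in conflicted:
            plan["route_conflict"].append(inst["InstanceId"])
        else:
            plan["scan"].append(inst["InstanceId"])
    return plan


if __name__ == "__main__":
    for bucket, ids in plan_scan("vpc-a", VPCS, PEERINGS, TRANSIT_GATEWAYS, INSTANCES).items():
        print(f"{bucket:15s} {ids}")
```

Running the planner from `vpc-a` leaves `i-d1` unreachable (no peering, no shared Transit Gateway) and puts `i-b1` and `i-c1` into `route_conflict`, which is the cue to place a second scanner in one of the two overlapping VPCs; the excluded instance types land in the `agent` bucket regardless of reachability, since a cloud agent does not depend on the scanner's network path.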

On-premises Scanners not Recommended for Scans of Cloud Instances

Scanners need to be configured to communicate with the Qualys Enterprise TruRisk™ Platform and the AWS EC2 and STS endpoints over HTTPS (via security groups and internet gateways). Scanners residing on your on-premises network should not be used to scan your cloud instances, because they are not cloud-aware and use a traditional scanning workflow.

Instance types t2.micro and t2.nano are NOT scanned, as per the AWS penetration testing rules. Cloud agents are the preferred method for scanning them.