What solution allows the vulnerability scans to continue without violating the AWS Acceptable Use Policy?
The existing nightly scan can continue with a few changes. The external testing company must be notified of the new IP address of the workload and the security group of the workload must be modified to allow scans from the external company’s IP range.
If the external company is a vendor in the AWS Marketplace, notify them of the new IP address of the workload.
Submit a penetration testing request every 90 days and have the external company test externally when the request is approved.
AWS performs vulnerability testing behind the scenes daily and patches instances as needed. If a vulnerability cannot be automatically addressed, a notification email is distributed.
Explanations:
AWS does not permit security scans that could impact the infrastructure or service operation without prior approval. Modifying the security group to allow scanning from an external company’s IP address may violate AWS’s Acceptable Use Policy, as unapproved external scans may be considered penetration testing.
AWS Marketplace vendors are not automatically authorized to perform vulnerability scans. Notification of the IP address change does not grant permission to scan the environment unless the testing is specifically approved through the proper AWS channels.
AWS requires permission for penetration testing in its environment. A penetration testing request must be submitted and approved every 90 days. Once approved, the external company can perform their testing in compliance with AWS’s policies.
While AWS does perform vulnerability management and patching behind the scenes, this solution does not fulfill the requirement for third-party vulnerability scans and does not align with the mandate for third-party testing to occur monthly.
I scheme that the answer is:
Submit a penetration testing request every 90 days and have the external company test externally when the request is approved.