With certain exceptions, you must request authorization from Amazon Web Services before executing penetration testing or vulnerability scanning activities that involve their properties or your assets hosted with them. This is addressed most explicitly for the Amazon Elastic Compute Cloud (EC2) IaaS environment.
Their scanning policies for Amazon EC2 instances apply whenever an Amazon EC2 instance is involved as either the target or the source of a scan, including:
- Scanning from EC2/VPC instances at external targets
- Scanning from EC2/VPC instances at EC2/VPC targets
- Scanning from external systems at EC2/VPC targets
Amazon Acceptable Use
Note that targeting Small and Micro instance types is currently forbidden by AWS in all cases. Small and Micro instances cannot be used as the source (i.e., the virtual scanner) or as the target of a vulnerability scan, and Amazon will not grant scanning authorization if Small or Micro instances are included in the request. The Amazon API-integrated EC2 Scanning workflow within Qualys Vulnerability Management explicitly prevents the inclusion of Small and Micro instances in scanning jobs.
Amazon customers should complete the AWS Vulnerability/Penetration Testing Request Form (you must be authenticated to AWS to view the page), supplying the source and destination IP addresses and the EC2 instance IDs that will be involved in the scan.
Note also that Amazon advises that it "can take 2-3 business days to evaluate your request."
Applicability to Qualys Solutions
These Amazon policies do not apply equally across Qualys' solution suite. Below is guidance for each Qualys solution.
Must Complete AWS Vulnerability/Penetration Testing Request Form
- Vulnerability Management (unless using the EC2 Scan workflow referenced below)
- Policy Compliance
- PCI Compliance
- Web Application Scanning
Pre-Authorized by Amazon - Request Form NOT Required
- EC2 Scan workflow within Vulnerability Management, which is integrated with AWS APIs to provide safeguards against violating AWS scanning policies. This workflow is currently only available for "internal" scanning on Amazon EC2-Classic and EC2-VPC, used together with a deployed instance of the Qualys Virtual Scanner Appliance.
For more guidance, see Choosing The Correct Scanner AMI (Amazon Machine Image).