AnsweredAssumed Answered

PCI Scan through CDN

Question asked by Joshua Bartholomew on Jun 26, 2018
Latest reply on Jul 9, 2018 by Shyam Raj

I have multiple websites that fall under SAQ-A scope for PCI compliance.  I'm trying to use the Qualys PCI module to scan these sites externally.  In most cases, the websites sit behind a CloudFlare redirect.  In one instance, the website sits behind an AWS CloudFront redirect.  As the CloudFlare and CloudFront IPs have the ability to change without notice, I need a way to have Qualys PCI resolve the domain name prior to scanning.  I have not found an option to do this, but only to input static IPs and schedule scans based on those.

 

In the case of the CloudFlare sites, I've managed to work around this by allowing Qualys to directly access the public IP of the origin server.  This is not ideal, but it is functional.  However, in the case of the CloudFront redirect, the app is serverless and integrated into AWS' environment.  There is no option to allow Qualys direct access to the origin, but I'd still like to scan the site for compliance.  Is there a way to configure Qualys PCI to deal with these situations?  

Outcomes