Scanning Peered VPCs

Document created by Shyam Raj Employee on Jul 15, 2018

This document outlines the steps to scan peered VPCs.


The network topology looks like this:




- VPC-A and VPC-B belong to different AWS accounts.

- VPC-A is in Mumbai and has two instances: Server-A and a Qualys Scanner Appliance labeled vScanner.

- VPC-B is in Singapore and has one instance labeled as Server-B.


Goal: Scan Server-B using vScanner.


The VPC peering connections have already been established.


Step 1: Create the required connectors

In this case, the two VPCs belong to different AWS accounts, so two connectors are needed, one for each account. The steps remain the same even if both VPCs belong to the same AWS account.


Connector for VPC-A is labeled as VPC-A-Connector and for VPC-B it is labeled as VPC-B-Connector.


The steps to create a connector are outlined in this video:


I've got the required connectors created:



Assets discovered by VPC-A-Connector are tagged as VPC-A, while those discovered by VPC-B-Connector are tagged as VPC-B.




Step 2: Launch an EC2 Scan


Under the VM application, navigate to Scans > Scans and click on New > EC2 Scan.


Start by providing a Title and an Option Profile.



Under Target Hosts, select the Connector where your target is hosted. In this case, VPC-B-Connector.



Under Platform, choose EC2-VPC (Selected VPC) and select your VPC.


Next, select the Tag to which the target is associated. In this case, VPC-B.


If you'd like to scan only specific instances, use the Scan specific Instance IDs option; this is typically used for scanning instances in the build or AMI testing phase.



Under Scanner Appliance, when you try to select a scanner, your Scanner Appliance won't show up because it's in a different VPC (see image below). In this case, the scanner is in VPC-A while the target is in VPC-B.



Use the Show All option. This will display all available scanners.



Next, click on Launch. This will cause the Tag to resolve and will show you the instances that will be scanned.



The security group of the target instance must allow inbound traffic from the scanner on every port the scan needs to probe.
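As an added check that is not part of the original document, the Python snippet below evaluates a constructed security group description, in the shape returned by `aws ec2 describe-security-groups`, against the scanner's address for the ports a scan needs to reach; the group id, CIDR ranges and scanner IP are assumed placeholders. Because VPC-A and VPC-B sit in different regions, the inbound rules have to be CIDR-based: a security group in a peer VPC cannot be referenced across regions.

```python
import ipaddress

# Constructed sample: one entry in the shape returned by
# `aws ec2 describe-security-groups` for Server-B's security group.
# Group id, CIDRs and the scanner address are assumed placeholders.
SERVER_B_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        # SSH from VPC-A's CIDR (assumed 10.0.0.0/16 for VPC-A)
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        # HTTPS from anywhere
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

VSCANNER_IP = "10.0.1.25"  # assumed private IP of vScanner in VPC-A


def rule_allows(rule, src_ip, port, proto="tcp"):
    """True if a single IpPermissions entry admits src_ip on port/proto."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" means all protocols and ports; otherwise check the port range.
    if rule["IpProtocol"] != "-1":
        if not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))


def blocked_ports(sg, src_ip, ports, proto="tcp"):
    """Return the scan ports the security group would NOT accept from src_ip."""
    return [p for p in ports
            if not any(rule_allows(r, src_ip, p, proto) for r in sg["IpPermissions"])]


if __name__ == "__main__":
    # Ports the scan is expected to probe; 80 and 3389 are not opened to vScanner.
    print(blocked_ports(SERVER_B_SG, VSCANNER_IP, [22, 80, 443, 3389]))
```

Run it against the real output of describe-security-groups for the target before launching the scan; any port it lists will show up as filtered rather than assessed.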
