I came across the following guidance from AWS on performing vulnerability scans / assessments on customer assets hosted on the platform -
AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services, listed in the next section under “Permitted Services.”
One of the 8 permitted services is EC2 instances - does anyone know if this removes the need for having pre-authorized Qualys scanners deployed in customer AWS environments? I.e. is it now simply possible to conduct scans using an externally hosted Qualys scanner without explicit permission from AWS as long as it's only scanning EC2 instances?
Any pointers on this would be appreciated.