Certified Security - Specialty


Correction: You do not need to request permission if you use a pre-approved AMI

Example: 
https://aws.amazon.com/marketplace/pp/B01BLHOYPW?qid=1519930743051&sr=0-1&ref_=srh_res_product_title

In short, if you use a "blessed" partner, you can scan at any time.

Felipe Cavalcanti

Agree! Is there an AWS whitepaper on penetration testing that has this information and the resources that are within scope (VPCs, etc.)?

ObiJan

Will look for the whitepaper. In this context, the "pre-approved" scanners are "hardcoded" to behave properly and will only scan items in ways that are allowed by Amazon.

5 Answers

Took the exam today and fought what I learned: "always need approval" and went back at the end to correct two answers. Phew... thanks for posting and confirming.

randpython

What does "blessed partner" mean here?

ObiJan

It has to be marked as "Pre-Authorized Scanning".

ObiJan

Example wording: This "Pre-Authorized Scanning" version of the virtual scanner is for use with the "EC2 Scanning" workflow within the Qualys Vulnerability Management solution. In collaboration with Amazon, Qualys has built safeguards into this EC2 Scanning capability which connect to the Amazon APIs to ensure that scanning will not adversely affect other customers’ instances and that all Amazon policies for vulnerability scanning are adhered to. Based upon this, customers may scan at their convenience, as EC2 Scanning using Qualys has been pre-authorized by Amazon, negating the need to obtain explicit permission from Amazon before proceeding with scanning as is typically required.

What does "blessed partner" mean here?

I would assume the question wording would somehow indicate that the AMI is blessed / pre-approved, and only then is no approval required. I am not sure if the question hints at this or makes a blanket query?

ObiJan

That’s what I am trying to say. In the training video, the claim is "you always need to request permission". This is the exception, which is something that may be asked during the exam.

Felipe Cavalcanti

Yes, the current lecture at acloudguru is misleading.

According to AWS Developer Support, there is one distinction and caveat included below, which may make the training video accurate:

"If you are testing between different VPC’s and depending on the type of testing you’ll be conducting, it is best to submit a penetration test request even when making use of a pre-approved scanner."

ObiJan

Not really. There are more than zero ways to scan without asking permission. Ergo "always need permission" is incorrect.

Team, if we all remember the options available during the exam for the Pen Testing question and what to do:

Were the 2 viable answers that were already mentioned in this discussion thread and others

a) ask Amazon for authorization for the test
b) use a pre-approved pen test.

These 2 answers should cover the "2 sides of the coin" since the other 2 or 3 answers available did not make too much sense.

IMHO Amzn would need to update their pen test / request papers since they have the OFFICIAL last word what is possible or not. Not the vendor.

Until then Amzn has the last word which at this time is to request Amzn permission to do pen testing.

ObiJan

Good point. I will poke the documentation team.
