In short, if you use a "blessed" partner, you can scan at any time.
Took exam today and fought what I learned: "always need approval" and went back at the end to correct two answers. Phew..thanks for posting and confirming.
What is blessed partner meaning here?
I would assume the question wording would some how indicate the ami is blessed / pre approved and only then no approval is required. I am not sure if the question hints on this or makes a blanket query ?
According to AWS Developer Support, there is one distinction and caveat included below, which may make the training video accurate:
"If you are testing between different VPC’s and depending on the type of testing you’ll be conducting, it is best to submit a penetration test request even when making use of a pre-approved scanner."
Team, if we all remember during the exam the options available about the Pen Testing question and what to do.
Where the 2 viable answers that were already mentioned in this discussion thread and others
a) to ask Amazon for authorization for the test
b) use a pre-aproved pen.
These 2 answers should cover the "2 sides of the coin" since the other 2 or 3 answers available did not make too much sense.
IMHO Amzn would need to update their pen test / request papers since they have the OFFICIAL last word what is possible or not. Not the vendor.
Until then Amzn has the last word which at this time is to request Amzn permission to do pen testing.