Hi,
I hit this practice test question:
A company has following network diagram:
VPC-A -> VPC-B -> VPC-C
Note that:
all VPCs are under the same account
‘->’ means VPC peering
Now the Security Engineer in this company would like to conduct penetration test (pentest) from VPC-A to VPC-C. He should:
A. VPN or VPC peering between VPC-A and VPC-C, proceed vulnerability scan within each VPC, and submit pentest form to AWS.
B. VPN or VPC peering every VPC, and submit pentest form to AWS.
C. Perform vulnerability scan in VPC-A. Not submit form to AWS.
D. Perform vulnerability scan in every VPC. Not submit form to AWS.
Does anybody have clue for this question? Or more specifically, should the appliance works between VPCs (check your route table for peering VPCs) should be considered as NAT gateway?
Thanks a lot.
1 Answers
""You can carry out penetration tests against resources on your AWS account per the policies and guidelines at Penetration Testing. You don’t need approval from AWS to run penetration tests against resources on your AWS account.""
Based upon the above – https://aws.amazon.com/premiumsupport/knowledge-center/penetration-testing/ , if you meet pen testing criteria as outlined – https://aws.amazon.com/security/penetration-testing/ "D" is the correct answer. Somewhat of a bad questions since a good question would qualify what you are testing.
Thanks Michael. The question here, as stated before, is how to categorize the managed appliance between VPC peering. I even fire a ticket to AWS support and there’s no clear definition.