Amazon Web Services FAQs

Is a Scan Engine required in each VPC, or can a Scan Engine in one VPC be routed to cover many VPCs?

A single Scan Engine can scan multiple VPCs as long as there is a connection between them. This is usually accomplished with VPC peering. If VPCs cannot communicate with each other, you must deploy a Scan Engine to each VPC.

Can the AWS Scan Engine be used to scan external-facing on-premises assets? Can it be routed out to scan the elastic IP of AWS assets from an external perspective?

No, the AWS Scan Engine offered by the AWS Marketplace can only scan private IPs associated with EC2 instances. Users that want to scan external assets from an engine based in AWS can deploy a standard distributed Scan Engine into their AWS environment. Customers should be sure that any scanning is compliant with AWS security testing policies.

Is it possible to initiate an ad hoc scan by IP address against an AWS host using the Scan Engine AMI?

No, since the AWS Scan Engine can only scan assets that have been imported through Dynamic Discovery. You can technically run a scan by IP address if you install a standard distributed Scan Engine in your AWS environment, but this is not recommended. The IP addresses of some assets in AWS change frequently enough that scanning by IP address could result in you inadvertently scanning an asset that your organization doesn't own.

Are there restrictions for the methods used to authenticate to the Amazon API?

The Security Console can authenticate with the AWS EC2 API using IAM user credentials which are composed of an access key and a secret key. If you run your Security Console on an EC2 instance inside your AWS account, you can authenticate using IAM user credentials or an IAM role. We recommend using an IAM role if possible, as secret keys are automatically rotated.

Can the Scan Engine scan small or micro instances?

To avoid potential issues, the AWS Scan Engine automatically avoids scanning the following EC2 instance types:

  • .nano
  • .micro
  • .small

Is there any way to get a different instance size for the AWS Scan Engine that's available from the AWS Marketplace?

Yes, you can deploy the AWS Scan Engine to any EC2 instance size that meets the Scan Engine's system requirements. However, note that AWS often releases new instance types that may not be whitelisted for the Scan Engine. Rapid7 normally whitelists new instance types each time we publish an update to the AWS Marketplace. Contact Rapid7 Support to request the addition of a new instance size.

How many API calls does the discovery connection make? Do Scan Engines make API calls themselves?

The discovery connection calls the following API resources:

  • ec2:DescribeInstances
  • ec2:DescribeImages
  • ec2:DescribeAddresses
  • ec2:DescribeNetworkInterfaces
  • cloudtrail:LookupEvents
  • cloudtrail:DescribeTrails

It may make multiple calls to these APIs depending on the number of discovered assets. The Scan Engine does not make any API calls.

How are the AWS Scan Engine and the standard distributed Scan Engine different?

The AWS Scan Engine that's available from the AWS Marketplace has two differences from a standard distributed Scan Engine:

  • The AWS Scan Engine can only scan assets that have been returned by the EC2 API. This ensures that only assets belonging to your AWS accounts get scanned.
  • The AWS Scan Engine does not run any services to promote the smallest possible attack surface. Users cannot SSH into the AWS Scan Engine and you cannot configure the AWS Scan Engine with the Console-to-Engine communication method. If you need to access the instance that's running the AWS Scan Engine, you can do so securely with the SSM agent.