I’ve been asked to ensure that our vulnerability scanning tools (like Qualys, Nexpose) are able to reach all of our AWS EC2 instances, on all ports and protocols.
Today they are limited by the current security groups (which generally allow either no traffic, or well-defined protocols such as HTTPS). We could implement a new security group scoped to the CIDR range in which the vulnerability scanning engines reside, allowing the range unfettered access.
I don’t believe this is a good idea. Is there any official, written guidance (by a well-respected authority) making the case one way or the other, for disabling network, port and protocol filtering to allow vulnerability scanners full access?
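As an added example (not part of the original question, and not from any scanning vendor), the following Python audits security-group rules in the dict shape returned by boto3's `ec2.describe_security_groups()` and reports which groups would give a scanner range the "unfettered access" described above: either an all-traffic rule (`IpProtocol` of `-1`) or a full-port-range TCP/UDP rule whose CIDR overlaps the scanner range. The scanner CIDR `10.50.0.0/24` and the sample groups are constructed assumptions so the script runs offline; in practice you would feed it the live API response.

```python
"""Audit EC2 security-group ingress rules for blanket allow-all entries.

Added example, not code from the original post. It operates on rule dicts
in the shape boto3's ec2.describe_security_groups() returns, so it runs
offline on constructed input. SCANNER_CIDR and SAMPLE_GROUPS are assumptions.
"""
import ipaddress

SCANNER_CIDR = "10.50.0.0/24"  # assumed range of the scanning engines


def rule_is_all_traffic(perm):
    """True if an IpPermission entry covers every port of a protocol.

    boto3 encodes 'all traffic' as IpProtocol == '-1' with no port fields;
    a TCP or UDP rule spanning 0-65535 is equally unfettered for that protocol.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    return (proto in ("tcp", "udp")
            and perm.get("FromPort") == 0
            and perm.get("ToPort") == 65535)


def cidr_overlaps(a, b):
    """True if the two CIDR blocks share any address."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def find_unfettered_rules(groups, source_cidr):
    """Return (group_id, cidr, protocol) for each ingress rule that grants
    source_cidr access to all ports of at least one protocol."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_is_all_traffic(perm):
                continue
            for rng in perm.get("IpRanges", []):
                cidr = rng.get("CidrIp")
                if cidr and cidr_overlaps(cidr, source_cidr):
                    findings.append((sg["GroupId"], cidr, perm["IpProtocol"]))
    return findings


# Constructed sample data in describe_security_groups() shape (assumed ids).
SAMPLE_GROUPS = [
    {   # well-defined: HTTPS only from the scanner range
        "GroupId": "sg-0a1",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.50.0.0/24"}]},
        ],
    },
    {   # the proposal in question: every protocol and port from the scanner range
        "GroupId": "sg-0b2",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.50.0.0/24"}]},
        ],
    },
    {   # all TCP ports from a wider range that happens to contain the scanners
        "GroupId": "sg-0c3",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    },
]

if __name__ == "__main__":
    for gid, cidr, proto in find_unfettered_rules(SAMPLE_GROUPS, SCANNER_CIDR):
        label = "traffic" if proto == "-1" else proto
        print(f"{gid}: all {label} allowed from {cidr}")
```

Run against the sample it flags `sg-0b2` and `sg-0c3` but not `sg-0a1`; the third case is worth noting because a broad corporate range that merely contains the scanners grants the same access to everything else in that range, which is the part of the proposal most likely to surprise an auditor.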