Meeting Pentesting Requirements in AWS GovCloud

2

For those of you using AWS GovCloud, how do you meet the pentesting requirements laid out in the NIST SP 800-171? On our office network, our company uses Nessus to meet the requirement but that seems against AWS's policy.

I just came across Amazon Inspector today but I haven't run it past my IA department yet. Anyone have any experience with Amazon Inspector satisfying those 800-171 requirements?

1 Answer
3
Accepted Answer

Distinction Between Penetration Testing and Vulnerability Management

First, it is important to make a distinction between penetration testing and vulnerability management (and scanning), as that distinction is important to ensuring you are approaching compliance. Excerpts of the NIST definitions are below:

Penetration Testing: "Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers."

Vulnerability Management: "capability that identifies vulnerabilities Common Vulnerabilities and Exposures (CVEs) on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network."

Nessus and Amazon Inspector are Vulnerability Management Tools

You mention both Tenable Nessus and Amazon Inspector. Both of these systems are actually vulnerability management and scanning tools. Therefore, they won't directly help you meet any penetration testing requirements, but they will help you meet vulnerability management, assessment and scanning requirements. As Amazon Inspector's site says, the service assists with "Automated and continual vulnerability management at scale".

800-171 Requirements Are Light on Pen Testing and Heavy on Vuln Management

In my brief search, I didn't see any specific 800-171 requirements regarding penetration testing; however, there are plenty of requirements around vulnerability management, assessment and control assessment. See 3.11.2, 3.12.1, 3.12.3, 3.14.1 and others. Amazon Inspector or similar vulnerability management platforms could help you meet those requirements. See the documentation for Amazon ECR scanning, Amazon Inspector and AWS Security Hub. These are all AWS components that can help out with vuln management and security assessment efforts.

I only found one mention of the word "penetration" in the CMMC L2 guidance document. That mention is under req 3.11.2 Vulnerability Scan. The focus for 800-171 seems to be more on vulnerability management, but there is a mention that penetration testing could support the test and validation of findings.

What AWS Allows

Amazon AWS policy does allow for both penetration testing and vulnerability scanning inside your GovCloud environment, within certain constraints. Those constraints are detailed towards the bottom of the policy you mentioned.

Check out official CMMC documentation for authoritative perspectives on how to assess compliance against 800-171.

Edit: My colleagues provided an additional helpful link below:

AWS
newrust
answered 2 years ago
