Regarding access controls, your documentation mentions the following:
"For authenticated scans to work properly in your deployment, you must set your AWS security groups to allow full communication inside the group. Doing so allows a Cloud Insight appliance to communicate with client hosts, and the authenticated scan to run without errors."
How do you recommend configuring the security groups so that I can allow only Cloud Insight appliances to access the servers but expose communication from other instances in the VPC? What does "full communication inside the group" mean? Allow all traffic from hosts in my EC2 instances to other hosts in the same SG without restricting any access to any ports? That wouldn't sound like a very good idea in a cloud environment.
Is there an option to tell Cloud Insight which additional SG to use when creating the appliances? This way I can set up the SG for each VPC and not expose any unwanted traffic inside the VPC between the hosts that are being monitored.
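One way to express the restricted configuration the question describes, as an added example that is not the vendor's own code or answer: it builds boto3-shaped ingress rules that admit only a separate appliance group on specific ports, and audits an existing group for the self-referencing all-traffic rule that "full communication inside the group" implies. The group IDs `sg-hosts` and `sg-appliance` and the ports 22 and 5986 are assumptions, not values from the documentation.

```python
"""Audit and build EC2 security-group ingress rules for scanner access.

Constructed example: `sg-hosts` protects the monitored instances and
`sg-appliance` is a hypothetical group holding the scanning appliances.
Rule dicts follow the shape boto3 uses for describe_security_groups /
authorize_security_group_ingress (IpProtocol "-1" means all traffic).
Ports 22 and 5986 are assumed scan ports, not vendor-documented values.
"""

# Constructed sample: the "allow everything inside the group" pattern,
# i.e. a rule whose source is the group itself with all protocols/ports.
WEAK_SG = {
    "GroupId": "sg-hosts",
    "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-hosts"}], "IpRanges": []},
    ],
}


def restricted_ingress(appliance_sg: str, ports=(22, 5986)) -> list:
    """Ingress rules admitting only members of appliance_sg on the given TCP ports."""
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": appliance_sg, "Description": "scan appliances only"}],
            "IpRanges": [],
        }
        for port in ports
    ]


def audit_ingress(group: dict) -> list:
    """Return findings for rules that grant more than a scanner needs."""
    findings = []
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        sources = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        if proto == "-1":  # every protocol and port from each listed source
            findings.extend(f"all traffic allowed from {src}" for src in sources + cidrs)
        if group["GroupId"] in sources:  # members of the group can reach each other
            findings.append(f"self-referencing rule on protocol {proto}: members of {group['GroupId']} reach each other")
    return findings


if __name__ == "__main__":
    print(audit_ingress(WEAK_SG))
    hardened = {"GroupId": "sg-hosts", "IpPermissions": restricted_ingress("sg-appliance")}
    print(audit_ingress(hardened))  # no findings: only sg-appliance, only 22 and 5986
```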