Pre-authorized scan engine still a requirement in AWS?

I have an AWS site that’s slowly growing in size and the option of fitting scans into a window is no longer viable. I was told the other day in a support session that AWS no longer requires the use of the “pre-authorized” scan engine, and that I can spin up my own Linux instances, install the engine, and establish an engine pool to get more overall scan bandwidth.

The problem I’m facing is that I can’t get an engine to pair (in either direction) out of AWS to save my life. I’m wondering if AWS is actually blocking 40815/out and 40814/in from everything but an authorized AMI so they can somehow force the use of it. Conspiracy, perhaps, but I wouldn’t put it past them.

Wondering if anyone has been able to pair/use an engine that’s not the pre-auth AMI?

This is true, and AWS is going to block everything by default, so you’ll need to set up Security Groups within your VPC to allow the traffic for the pairing to occur.

Problem ended up being a subnet that was set up to use a NAT Gateway rather than an Internet Gateway. Had to add a route for my engine to reach the console via the Internet Gateway.
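A preflight check that folds both replies together (the security-group rule and the route-table fix), added here as an example and not code from the thread or from Rapid7: a small Python script that reads a route table and a security group in the same shape boto3's `describe_route_tables` / `describe_security_groups` return and reports anything that would stop pairing. A NAT Gateway only carries connections the instance initiates, so a console-initiated connection to the engine on TCP 40814 needs a default route through an Internet Gateway (and a public or Elastic IP on the engine), while the engine-initiated connection to the console on TCP 40815 needs an egress rule. The IDs, CIDRs and console address below are constructed; the check only looks at IPv4 CIDR rules, not security-group references or IPv6.

```python
import ipaddress

# Pairing ports from the thread: console -> engine on 40814, engine -> console on 40815.
CONSOLE_TO_ENGINE_PORT = 40814
ENGINE_TO_CONSOLE_PORT = 40815


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId",
                    "InstanceId", "TransitGatewayId", "VpcPeeringConnectionId"):
            if key in route:
                return route[key]
    return None


def _permission_covers(perm, port, peer_ip):
    """True if one IpPermissions entry allows TCP `port` for `peer_ip` (IPv4 CIDRs only)."""
    proto = perm.get("IpProtocol")
    if proto not in ("-1", "tcp"):          # "-1" means all protocols and ports
        return False
    if proto == "tcp" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
        return False
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))


def sg_allows(sg, direction, port, peer_ip):
    """direction is "in" (IpPermissions) or "out" (IpPermissionsEgress)."""
    key = "IpPermissions" if direction == "in" else "IpPermissionsEgress"
    return any(_permission_covers(p, port, peer_ip) for p in sg.get(key, []))


def check_pairing_path(route_table, sg, console_ip):
    """Return a list of findings; an empty list means nothing in these two objects blocks pairing."""
    findings = []
    target = default_route_target(route_table)
    if target is None:
        findings.append("no 0.0.0.0/0 route: the engine has no path to the console")
    elif target.startswith("nat-"):
        findings.append("default route via NAT gateway %s is outbound-only, so the console "
                        "cannot open TCP %d to the engine; route 0.0.0.0/0 via an igw-"
                        % (target, CONSOLE_TO_ENGINE_PORT))
    elif not target.startswith("igw-"):
        findings.append("default route via %s: not an Internet Gateway" % target)
    if not sg_allows(sg, "in", CONSOLE_TO_ENGINE_PORT, console_ip):
        findings.append("security group %s lacks an inbound TCP %d rule for %s"
                        % (sg.get("GroupId"), CONSOLE_TO_ENGINE_PORT, console_ip))
    if not sg_allows(sg, "out", ENGINE_TO_CONSOLE_PORT, console_ip):
        findings.append("security group %s lacks an outbound TCP %d rule for %s"
                        % (sg.get("GroupId"), ENGINE_TO_CONSOLE_PORT, console_ip))
    return findings


# Constructed sample data (IDs and addresses are made up for this example).
CONSOLE_IP = "203.0.113.10"

BROKEN_RTB = {"RouteTableId": "rtb-0aaa", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb", "State": "active"}]}
FIXED_RTB = {"RouteTableId": "rtb-0ccc", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ddd", "State": "active"}]}

# Default-style group: SSH in from the VPC, everything out.
BROKEN_SG = {"GroupId": "sg-0eee",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
# Tightened group: only the pairing ports, only to/from the console.
FIXED_SG = {"GroupId": "sg-0fff",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 40814, "ToPort": 40814,
                       "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 40815, "ToPort": 40815,
                             "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]}

if __name__ == "__main__":
    for label, rtb, sg in (("broken", BROKEN_RTB, BROKEN_SG), ("fixed", FIXED_RTB, FIXED_SG)):
        print(label, check_pairing_path(rtb, sg, CONSOLE_IP) or "ok")
```

On the constructed data the "broken" pair reports two findings (the NAT default route and the missing inbound 40814 rule; the wide-open egress already covers 40815) and the "fixed" pair reports none. Against a real account you would feed it the dicts from `describe_route_tables` filtered by the engine's subnet and `describe_security_groups` for the engine's group, and check separately that the engine has a public or Elastic IP.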