
On-prem to cloud vulnerability scanning


We have vulnerability scanning software in a shared subnet of our on-prem network. We are now adding VMs hosted on the public cloud and need to perform vulnerability scanning on them. One option is to open one-way traffic from on-prem to public cloud so that the scanner can reach all VMs. So all ports will be open to VMs (in one direction). Is this desirable? Would it not be better to run vulnerability scanning software within the subnets so that no traffic needs to be allowed at all between on-prem and cloud? The scanner running in the same subnet as the VMs could push results to the central scanner server in a DMZ, for example. How do companies adopting public cloud solve this?


Solution

  • It's becoming more common to leverage existing scanner software in the cloud. On platforms like AWS, many commercial products will also have an AMI for this purpose. For example: https://community.tenable.com/s/article/Amazon-Machine-Image-Deployment-AMI

    The real answer here depends on some of the following:

    • The cloud platform you use.
    • The vulnerability scanning software you need to use.
    • The services you use within the cloud.

    It's also worth considering adopting a product or toolset that can integrate with your cloud environment to scan new assets as they are created. If your cloud stack uses non-VM services (like AWS S3), those require their own very specific types of scanning as well.
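The two placements discussed in the question and answer (an on-prem scanner reaching into the cloud through a one-way allow rule, versus a scanner inside the cloud subnet that only pushes results out) can be compared as inbound rules on the cloud VM subnet. The following is an added example, not code from the original question or answer, written in a provider-neutral style: every CIDR, instance id and rule description is constructed, and `audit`, `exposed_pairs` and `newly_created_assets` are illustrative helpers, not any vendor's API. It also covers the answer's last point by showing the inventory diff a cloud-integrated scanner would act on when new assets appear.

```python
"""Added example, not from the original post: model the scanner placements
discussed above as inbound rules on the cloud VM subnet and audit how much of
the VM surface each design exposes to on-prem. All values are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class IngressRule:
    """One inbound rule on the cloud VM subnet (cloud-provider-neutral)."""
    source_cidr: str
    from_port: int
    to_port: int
    protocol: str = "tcp"
    description: str = ""

    def port_span(self) -> int:
        return self.to_port - self.from_port + 1


# Constructed addresses: the on-prem scanner subnet and the scanner host itself.
SCANNER_SUBNET_ONPREM = "10.10.5.0/24"
SCANNER_HOST_ONPREM = "10.10.5.17/32"

# Option 1 from the question: one-way on-prem -> cloud, every port, whole scanner subnet.
ONPREM_SCANNER_WHOLE_SUBNET = [
    IngressRule(SCANNER_SUBNET_ONPREM, 0, 65535, "tcp", "on-prem scanner subnet, all ports"),
]

# Option 1 tightened: same design, but only the scanner host may connect.
ONPREM_SCANNER_PINNED = [
    IngressRule(SCANNER_HOST_ONPREM, 0, 65535, "tcp", "on-prem scanner host, all ports"),
]

# Option 2 from the question: the scanner runs inside the cloud subnet and pushes
# results outbound to the central server, so no inbound on-prem -> cloud rule exists.
IN_SUBNET_SCANNER: list = []


def audit(rules, scanner_sources):
    """Return (description, finding) pairs for rules whose source is wider than
    the known scanner address(es) or that expose every TCP port to that source."""
    allowed = [ipaddress.ip_network(c) for c in scanner_sources]
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule.source_cidr)
        if not any(src.subnet_of(net) for net in allowed):
            findings.append((rule.description, "source is not confined to a known scanner address"))
        if rule.port_span() == 65536:
            findings.append((rule.description, "all TCP ports reachable from the source"))
    return findings


def exposed_pairs(rules):
    """Rough exposure metric: (source addresses x ports) reachable across the boundary."""
    return sum(ipaddress.ip_network(r.source_cidr).num_addresses * r.port_span() for r in rules)


def newly_created_assets(previous_inventory, current_inventory):
    """Assets present now but absent from the last snapshot: the ones a
    cloud-integrated scanner should enqueue automatically."""
    return sorted(set(current_inventory) - set(previous_inventory))


if __name__ == "__main__":
    for name, rules in [("whole scanner subnet", ONPREM_SCANNER_WHOLE_SUBNET),
                        ("pinned scanner host", ONPREM_SCANNER_PINNED),
                        ("in-subnet scanner", IN_SUBNET_SCANNER)]:
        print(name, exposed_pairs(rules), audit(rules, [SCANNER_HOST_ONPREM]))
    # Constructed inventory snapshots; instance ids are placeholders.
    print(newly_created_assets(["i-0aaa", "i-0bbb"], ["i-0aaa", "i-0bbb", "i-0ccc"]))
```

Pinning the source to the scanner host removes the "wider than the scanner" finding but still leaves every port reachable from on-prem, which is inherent to the one-way design; the in-subnet scanner yields no inbound rule and therefore no findings, matching the alternative the question proposes. The inventory diff is the hook an integrated toolset would use so new VMs are scanned without a manual add.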