
Internal Vulnerability Scan and Pen testing on Elastic Beanstalk for PCI DSS

We are currently building a PCI DSS Level 1 Compliant platform that will run only one application server on Elastic Beanstalk (Linux AMI). The Elastic Beanstalk instance, which will reside inside a private subnet, will be connected to AWS API Gateway through a VPC link and will communicate externally through AWS NAT Gateway.

We recently had a chat with our QSA, who told us that we don't need an internal vulnerability scan (PCI Req 11.2.1) or internal pen-testing (PCI Req 11.3.2), because Elastic Beanstalk container instances cannot be operationally accessed and administered interactively, e.g. by a remote administrative shell under the control of a member of staff, and because there is no accessible IaaS internal infrastructure that could realistically be scanned for vulnerabilities.

Is he actually right that we won't need this internal scanning/testing (vulnerability scan and pen testing) because the Elastic Beanstalk instances are inside a private subnet, and therefore no one can access the Elastic Beanstalk EC2 instances using EC2 Instance Connect, Session Manager or an SSH client?
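The QSA's argument in the question rests on a factual premise: that nobody can open an interactive shell on the Beanstalk instances. That premise can be checked against the account rather than assumed. The script below is an added example for this page, not code from the question, the answer or AWS; it takes the plain dicts that boto3's `describe_instances`, `describe_security_groups` and `describe_instance_information` return and reports, per Beanstalk instance, which shell paths are open. It assumes Beanstalk tags its instances with the key `elasticbeanstalk:environment-name`; the instance IDs, security group IDs and responses in the sample are constructed. One caveat it encodes: Session Manager needs no inbound rule and works from a private subnet as long as the SSM agent can reach the Systems Manager endpoints (via the NAT gateway or a VPC endpoint), so a private subnet alone does not rule it out.

```python
"""Report which interactive-shell paths exist on Elastic Beanstalk EC2 instances.

Added example, not code from the question, the answer or AWS. Three paths are
evaluated per instance tagged with 'elasticbeanstalk:environment-name':

  * ssh                  - a key pair is attached AND a security group allows
                           inbound TCP/22 from some source
  * ec2-instance-connect - inbound TCP/22 is allowed (Instance Connect pushes a
                           one-off key, then connects on port 22)
  * session-manager      - the instance is registered with Systems Manager with
                           PingStatus 'Online'; needs no inbound rule at all

The functions take plain dicts shaped like boto3 responses, so the logic runs
offline on the constructed sample below or on live describe_* output.
"""
from typing import Dict, List, Set

EB_TAG = "elasticbeanstalk:environment-name"  # tag key Beanstalk puts on its instances


def is_beanstalk_instance(instance: dict) -> bool:
    return any(t.get("Key") == EB_TAG for t in instance.get("Tags", []))


def allows_tcp_port(sg: dict, port: int) -> bool:
    """True if any inbound rule of the security group covers `port` over TCP."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all protocols / all ports
            continue
        lo = 0 if proto == "-1" else perm.get("FromPort", 0)
        hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
        has_source = (perm.get("IpRanges") or perm.get("Ipv6Ranges")
                      or perm.get("UserIdGroupPairs") or perm.get("PrefixListIds"))
        if lo <= port <= hi and has_source:
            return True
    return False


def access_paths(instance: dict, sgs_by_id: Dict[str, dict], ssm_online: Set[str]) -> List[str]:
    paths: List[str] = []
    port22 = any(allows_tcp_port(sgs_by_id.get(g["GroupId"], {}), 22)
                 for g in instance.get("SecurityGroups", []))
    if port22 and instance.get("KeyName"):
        paths.append("ssh")
    if port22:
        paths.append("ec2-instance-connect")
    if instance["InstanceId"] in ssm_online:
        paths.append("session-manager")
    return paths


def audit(reservations: list, security_groups: list, ssm_info: list) -> Dict[str, List[str]]:
    """Map every Beanstalk instance ID to the list of open shell paths (may be empty)."""
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    online = {i["InstanceId"] for i in ssm_info if i.get("PingStatus") == "Online"}
    return {inst["InstanceId"]: access_paths(inst, sgs, online)
            for r in reservations for inst in r["Instances"] if is_beanstalk_instance(inst)}


# Constructed sample (hypothetical IDs), shaped like the boto3 responses.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "KeyName": "eb-keypair", "Tags": [{"Key": EB_TAG, "Value": "prod"}],
     "SecurityGroups": [{"GroupId": "sg-ssh"}]},                       # key + TCP/22 open
    {"InstanceId": "i-0bbb", "Tags": [{"Key": EB_TAG, "Value": "prod"}],
     "SecurityGroups": [{"GroupId": "sg-web"}]},                       # SSM agent online
    {"InstanceId": "i-0ccc", "KeyName": "bastion", "Tags": [{"Key": "Name", "Value": "bastion"}],
     "SecurityGroups": [{"GroupId": "sg-ssh"}]},                       # not a Beanstalk instance
    {"InstanceId": "i-0ddd", "Tags": [{"Key": EB_TAG, "Value": "prod"}],
     "SecurityGroups": [{"GroupId": "sg-web"}]},                       # no path at all
]}]
SAMPLE_SGS = [
    {"GroupId": "sg-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
]
SAMPLE_SSM = [{"InstanceId": "i-0bbb", "PingStatus": "Online"},
              {"InstanceId": "i-0ddd", "PingStatus": "ConnectionLost"}]


def audit_live(region: str) -> Dict[str, List[str]]:
    """Same audit against a real account (needs boto3 and credentials; single page of results)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    reservations = ec2.describe_instances(
        Filters=[{"Name": "tag-key", "Values": [EB_TAG]}])["Reservations"]
    sgs = ec2.describe_security_groups()["SecurityGroups"]
    info = ssm.describe_instance_information()["InstanceInformationList"]
    return audit(reservations, sgs, info)


if __name__ == "__main__":
    for iid, paths in audit(SAMPLE_RESERVATIONS, SAMPLE_SGS, SAMPLE_SSM).items():
        print(iid, paths or ["no interactive shell path found"])
```

An instance that comes back with an empty list supports the QSA's premise; any instance that lists `session-manager` contradicts it despite sitting in a private subnet, which is the case worth raising before the scoping decision is recorded.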

The AWS services which are PCI compliant do not need a scan, as these services are kept compliant by AWS - https://aws.amazon.com/compliance/services-in-scope/

If the QSA states in writing that a scan of Elastic Beanstalk is not required, then it should be fine. https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/eb3-ssh.html
