We are currently building a PCI DSS Level 1 Compliant platform that will run only one application server on Elastic Beanstalk (Linux AMI). The Elastic Beanstalk instance, which will reside inside a private subnet, will be connected to AWS API Gateway through a VPC link and will communicate externally through AWS NAT Gateway.
We recently had a chat with our QSA who told us that we don't need an internal vulnerability scan (PCI Req 11.2.1) or internal pen-testing (PCI Req 11.3.2), because Elastic Beanstalk container instances cannot be operationally accessed and administered interactively, e.g. by a remote administrative shell under the control of a member of staff, and that there is no accessible IaaS internal infrastructure that could realistically be scanned for vulnerabilities.
Is he actually right that we won't need this internal scanning/testing (vulnerability scan and pen testing) because the Elastic Beanstalk instances are inside a private subnet and therefore no one can access the Elastic Beanstalk's EC2 instances using EC2 Instance Connect, Session Manager or an SSH client?
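The claim under discussion ("nobody can reach these instances interactively") is one that can be evidenced rather than asserted. The script below is an added example, not code from the original post or from AWS: it takes JSON shaped like the output of `aws ec2 describe-instances` and `aws ec2 describe-security-groups` and reports, per instance, the interactive access paths the question names: a public IP, an attached SSH key pair, a security group admitting TCP/22 (which both plain SSH and EC2 Instance Connect rely on), and an IAM instance profile (a precondition for Session Manager). The instance ids, IPs, group ids and role name in the sample are constructed for the example, not taken from any account, and the profile check is deliberately only a flag: whether Session Manager actually works depends on the role's permissions and the agent, which the script does not see.

```python
import json
from typing import Dict, List, Set

# Constructed sample output, shaped like `aws ec2 describe-instances` and
# `aws ec2 describe-security-groups`. None of these ids, addresses or names
# come from a real account; they exist only to exercise the checks below.
SAMPLE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {   # Beanstalk-style instance: private subnet, no key pair
            "InstanceId": "i-0example1",
            "PrivateIpAddress": "10.0.1.10",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::111111111111:instance-profile/example-eb-role"},
            "SecurityGroups": [{"GroupId": "sg-app"}],
        },
        {   # drifted instance: public IP, key pair, SSH-admitting group
            "InstanceId": "i-0example2",
            "PrivateIpAddress": "10.0.1.11",
            "PublicIpAddress": "203.0.113.7",
            "KeyName": "ops-key",
            "SecurityGroups": [{"GroupId": "sg-ssh"}],
        },
    ]}]
})
SAMPLE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]})

SSH_PORT = 22


def groups_admitting_ssh(sg_json: str) -> Set[str]:
    """Return the ids of security groups whose ingress covers TCP/22.

    A rule counts if it is all-traffic ("-1") or a TCP range containing 22
    with at least one source (CIDR, IPv6 range or referenced group).
    """
    admitting = set()
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                admitting.add(sg["GroupId"])
                break
            if proto != "tcp":
                continue
            lo = perm.get("FromPort", 0)
            hi = perm.get("ToPort", 65535)
            has_source = (perm.get("IpRanges") or perm.get("Ipv6Ranges")
                          or perm.get("UserIdGroupPairs"))
            if lo <= SSH_PORT <= hi and has_source:
                admitting.add(sg["GroupId"])
                break
    return admitting


def interactive_access_paths(instances_json: str, sg_json: str) -> Dict[str, List[str]]:
    """Map each instance id to the interactive access paths it appears to have.

    An empty list means none of the checked paths is present; it is evidence
    for the QSA's claim, not proof, since IAM and agent state are not visible here.
    """
    ssh_groups = groups_admitting_ssh(sg_json)
    findings: Dict[str, List[str]] = {}
    for reservation in json.loads(instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            paths = []
            if inst.get("PublicIpAddress"):
                paths.append("public IP assigned")
            if inst.get("KeyName"):
                paths.append("SSH key pair '%s' attached" % inst["KeyName"])
            open_groups = [g["GroupId"] for g in inst.get("SecurityGroups", [])
                           if g["GroupId"] in ssh_groups]
            if open_groups:
                paths.append("security group admits TCP/22 (%s)" % ", ".join(open_groups))
            if inst.get("IamInstanceProfile"):
                # Only a precondition: Session Manager also needs SSM permissions
                # on the role and a running agent, which this output cannot show.
                paths.append("instance profile present; Session Manager possible "
                             "if the role grants SSM permissions and the agent runs")
            findings[inst["InstanceId"]] = paths
    return findings


if __name__ == "__main__":
    for instance_id, paths in interactive_access_paths(SAMPLE_INSTANCES, SAMPLE_SGS).items():
        print(instance_id, "->", paths or ["no interactive access path found"])
```

To use it on real output, replace the two constructed strings with the saved JSON from the two CLI commands above. The Session Manager flag should then be settled separately with `aws ssm describe-instance-information`, which lists the instances actually registered with SSM; an instance that appears there is reachable through a shell regardless of subnet placement, and that is exactly the condition the QSA's reasoning depends on.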