@shinyaz

Security Agent pentest works via VPC Config even when CLI domain verification returns UNREACHABLE


Tried to pentest a private endpoint (*.compute.internal) with Security Agent. Running verify-target-domain returned UNREACHABLE — HTTP_ROUTE verification is performed from AWS public infrastructure, so it can't reach private DNS.

Thought the test was blocked, but running start-pentest-job with --vpc-config passed PREFLIGHT successfully. CloudWatch Logs showed:

Output (CloudWatch Logs)
Setting up pentest infrastructure
Setting up pentest networking infrastructure
Connecting to pentest test environment container
Verifying ownership of private network domains
Completed pentest test environment setup

The CLI's verify-target-domain (public access) and PREFLIGHT's VPC-internal verification are separate mechanisms. When using VPC Config, the CLI domain verification status being UNREACHABLE doesn't block test execution — as long as the Target Domain is registered.


Shinya Tahara


Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.