Traditional scanning is not really required in the cloud if you follow best practices. Establishing a defense-in-depth posture will frustrate most of the script kiddies. Rotation of sensitive material diminishes the likelihood of an Advanced Persistent Threat (APT) getting a foothold. However, your product is software, and odds are that it uses some open-source code (who has time to rewrite everything?). Moving security into the early stages of the SDLC allows us to catch problems before they can be exploited in a production system. We also need to ensure the contents of the Terraform state file are consistent.
Vulnerability scanning
Instance-level scanning
We are not huge fans of instance-level scanning, but if you...