Since launching Virtual Private Cloud in 2009, Amazon has been slowly improving its offering with features enterprises will love, including the ability to use your own kernel and a way to use your own IP address while launching VPC, among others. But they remained somewhat silent on penetration testing. In fact, the blogosphere was full of discussion about the difficulty cloud providers face in allowing vulnerability scanning, possible alternative approaches to the issue, and so on. The wait is finally over.
Yesterday, Amazon announced that AWS users can now request permission from Amazon to conduct penetration tests in a straightforward manner. They have put up two pages in the AWS Security Center: one about their vulnerability reporting process, and the other outlining the procedure to get Amazon’s permission to do external penetration testing without violating the AWS Acceptable Use Policy.
Security is a top priority for Amazon Web Services. Providing a trustworthy infrastructure for you to develop and deploy applications is a responsibility we take very seriously. One important aspect of gaining your trust is being open and transparent about our security processes and continually working toward achieving industry-recognized certifications. Other important aspects include providing you with mechanisms for contacting us about potential security issues and enabling you to conduct security tests of the applications you deploy on AWS. I’m pleased to announce today two new policies: one that outlines our vulnerability reporting process and one that describes how to receive permission to conduct penetration tests of the applications running on your EC2 instances.
This is a good first step, but they have to do more before they can become the darling of enterprises. It will be interesting to watch where they go on the security front in the next year.





