Amazon Web Services is on a roll lately. They have been announcing a variety of features, both big and small, and they even announced their datacenters in Asia-Pacific. Being the runaway leader in market share and the poster boy for cloud computing, AWS has been receiving a lot of positive press and some flak. Usually, the criticism is about the lack of transparency on their side and the lack of the enterprise-grade security and control that enterprises want. This led to the mushrooming of Private Cloud providers who wanted to grab the market opportunity and make some money. It looks like Amazon is slowly understanding the market demands. At least two of the recent announcements show that they are moving in the right direction to address enterprise needs.
After launching Virtual Private Cloud in 2009, Amazon has been slowly improving their offering with features enterprises will love to have, including the ability to use your own kernel, a way to use your own IP address while launching VPC, etc. But they remained somewhat silent on penetration testing. In fact, the blogosphere was full of discussion on how cloud providers face difficulty in allowing vulnerability scanning, possible alternative approaches to the issue, etc. The wait is finally over.
Yesterday, Amazon announced that AWS users can now request permission from Amazon for penetration testing in a straightforward manner. They have put up two pages in the AWS Security Center: one about how they report vulnerabilities, and the other outlining the procedure to get Amazon’s permission to do external penetration testing without violating the AWS Acceptable Use Policy.
Security is a top priority for Amazon Web Services. Providing a trustworthy infrastructure for you to develop and deploy applications is a responsibility we take very seriously. One important aspect of gaining your trust is being open and transparent about our security processes and continually working toward achieving industry-recognized certifications. Other important aspects include providing you with mechanisms for contacting us about potential security issues and enabling you to conduct security tests of the applications you deploy on AWS. I’m pleased to announce today two new policies: one that outlines our vulnerability reporting process and one that describes how to receive permission to conduct penetration tests of the applications running on your EC2 instances.
This is a good first step, but they have to do more before they can become the darling of the enterprises. It will be interesting to watch where they go in the next year on the security front.