Amazon allows penetration testing against EC2
 |
Trying to address the excessive lack of transparency that plagues today’s public cloud computing offerings, Amazon has just published a new policy that allows customers (or security researchers) to perform penetration testing inside EC2.
The company already defines what is considered a security attack, or a network abuse, in its Acceptable User Policy. An EC2 customer that wants to simulate a real-world attack without violating that policy has to require permission to do a penetration test. Amazon keeps this request confidential and answers within 24 hours in a non-automated fashion.
In its reply Amazon requires specific information about the penetration test, like the targeted Amazon Machine Images (AMIs) and the attack timeframe. The company also lists the security tools that customers are allowed to use during the attack (but the published policy doesn’t include this list).
Amazon also published the policy to report about discovered vulnerabilities in any of its Amazon Web Services (AWS) platforms, including EC2 of course.
Once a customer submits a potential vulnerability and receives an acknowledgment from the cloud provider that his alert has been received, he continues to receive updates from Amazon at least every five days.
Amazon will try to reproduce the issue following the reports provided, but the customer must be ready to assist providing additional information if needed.
Once the company verifies the vulnerability, a report is sent to the customer along with a plan to fix it and a public disclosure.
If the vulnerability affects a 3rd party product on top of EC2, Amazon will notify the ISV and will coordinate any additional communication between the customer and the ISV.
Amazon uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential reported vulnerabilities. The resulting score helps quantify the severity of the vulnerability and to prioritize our response. In addition, the company includes CVSS base and temporal scores in our security advisories, helping customers to understand their risk and to prioritize their own responses.
cloudcomputing.info Newest articles
June 1st, 2012
Yesterday VMTurbo announced that Dennis Hoffman, currently Senior Vice President, Service Provider at EMC Corporation, has joined the company’s Board of Directors.
With more than 20 years of industry experience…
May 30th, 2012
Today Amazon announced the availability, with no additional charge, of VM Export, the counterpart of VM Import, that allows the export EC2 instances to costumers on-premise infrastructures.
This new features…
May 30th, 2012
Yesterday the Fedora Project announced the general availability of Fedora 17, the latest version of Red Hat sponsored free open source operating system distribution.
In the rich set of new…
May 24th, 2012
Today Milan hosted the VMware Forum 2012, during the opening keynote Brian Gammage, VMware’s Chief Market Technologist, tried to collect all the news and declarations we heard in the last…
May 23rd, 2012
Yesterday VMware announced the acquisition of Wanova Inc. a company whose main product is called Mirage.
Mirage is a centralized management and recovery solution for physical desktop images over the…
May 23rd, 2012
Yesterday VMware published a paper focused on VMware vMSC (vSphere Metro Storage Cluster), a new configuration within the VMware Hardware Compatibility List intended for environments where disaster/downtime avoidance is a…
May 22nd, 2012
Last week Flexiant announced release 2.0 of its Cloud Orchestrator software previously called Extility.
Flexiant Cloud Orchestrator 2.0 enables service providers to build a multi-level reseller model, the key…
May 22nd, 2012
Yesterday, during its annual conference in Las Vegas, EMC announced the acquisition of Syncplicity, a cloud-storage privately held startup founded in 2008 and based in Menlo Park, California.
Terms…
May 21st, 2012
On May 18th Oracle announced the general availability of version 3.1 of its x86 enterprise virtualization solution VM Server.
This release follows 3.0 announced on August 24th 2011.
All the new…
May 21st, 2012
In this post, published on May 18 in VROOM! Blog, the VMware’s Performance Team presented some of the most significant enhancements and optimizations brought to Teradici‘s PCoIP protocol in the…
May 17th, 2012
On May 15th NVIDIA unveiled the NVIDIA® VGX™ platform that will be available later this year through NVIDIA’s hardware OEM and VDI partners.
This new platform promises to deliver…
May 17th, 2012
Microsoft announced this week the new Beta version of its capacity planning tool Microsoft Assessment and Planning (MAP) 7.0 Beta.
The Beta program opened on May 15th and the review…
May 15th, 2012
Today VMware announced VMware vFabric Suite 5.1, expected to be generally available in Q2 2012.
vFabric Suite 5.1 includes vFabric Application Director, to automate the deployment and management of vFabric…
May 15th, 2012
On April 4 Stephen Herrod, VMware’s CTO, has attended, as guest speaker, at a VMUG meeting in Italy.
One of the key point of the speech, documented in one hour-long…
Copyright © 2010-2012 cloudcomputing.info. All rights reserved.