Amazon allows penetration testing against EC2
Trying to address the excessive lack of transparency that plagues today’s public cloud computing offerings, Amazon has just published a new policy that allows customers (or security researchers) to perform penetration testing inside EC2.
The company already defines what is considered a security attack, or a network abuse, in its Acceptable Use Policy. An EC2 customer that wants to simulate a real-world attack without violating that policy has to request permission to do a penetration test. Amazon keeps this request confidential and answers within 24 hours in a non-automated fashion.
In its reply Amazon requires specific information about the penetration test, like the targeted Amazon Machine Images (AMIs) and the attack timeframe. The company also lists the security tools that customers are allowed to use during the attack (but the published policy doesn’t include this list).
Amazon also published its policy for reporting vulnerabilities discovered in any of its Amazon Web Services (AWS) platforms, including EC2 of course.
Once a customer submits a potential vulnerability and receives an acknowledgment from the cloud provider that his alert has been received, he continues to receive updates from Amazon at least every five days.
Amazon will try to reproduce the issue by following the reports provided, but the customer must be ready to assist by providing additional information if needed.
Once the company verifies the vulnerability, a report is sent to the customer along with a plan to fix it and a public disclosure.
If the vulnerability affects a third-party product on top of EC2, Amazon will notify the ISV and will coordinate any additional communication between the customer and the ISV.
Amazon uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential reported vulnerabilities. The resulting score helps the company quantify the severity of the vulnerability and prioritize its response. In addition, the company includes CVSS base and temporal scores in its security advisories, helping customers to understand their risk and to prioritize their own responses.
Copyright © 2010-2013 cloudcomputing.info. All rights reserved.





