Trying to address the lack of transparency that plagues today's public cloud computing offerings, Amazon has just published a policy that allows customers (or security researchers working on their behalf) to perform penetration testing inside EC2.
The company already defines what counts as a security attack or network abuse in its Acceptable Use Policy. An EC2 customer who wants to simulate a real-world attack without violating that policy has to request permission for a penetration test. Amazon keeps the request confidential and answers within 24 hours, in a non-automated fashion.
In its reply, Amazon asks for specific details about the planned test, such as the targeted Amazon Machine Images (AMIs) and the attack timeframe. The company also lists the security tools that customers are allowed to use during the test, but that list is not part of the published policy.
Amazon also published a policy for reporting vulnerabilities discovered in any of its Amazon Web Services (AWS) platforms, EC2 included.
Once a customer submits a potential vulnerability and receives an acknowledgment from the cloud provider that the report has been received, the customer continues to receive updates from Amazon at least every five days.
Amazon will try to reproduce the issue from the report provided, but the customer must be ready to assist by providing additional information if needed.
Once the company verifies the vulnerability, it sends the customer a report along with a remediation plan and a public disclosure.
If the vulnerability affects a third-party product running on top of EC2, Amazon will notify the ISV and will coordinate any additional communication between the customer and the ISV.
Amazon uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate reported vulnerabilities. The resulting score quantifies the severity of the vulnerability and helps Amazon prioritize its response. In addition, the company includes CVSS base and temporal scores in its security advisories, helping customers to understand their risk and to prioritize their own responses.
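To make the base and temporal scores mentioned above concrete, here is an added example (not Amazon's code, and not part of the original article) that computes CVSS v2.0 scores from the standard vector notation. The metric weights and equations are those of the CVSS v2.0 specification; the sample vectors at the bottom are constructed for illustration, and the Low/Medium/High labels follow NVD's convention for v2 scores rather than anything in the specification or in Amazon's policy.

```python
"""CVSS v2.0 base and temporal score calculator (added example, not Amazon's code).

Equations and metric weights follow the CVSS v2.0 specification. The temporal
score scales the (rounded) base score by how mature the exploit is, whether a
fix exists, and how confident the report is, which is why an advisory that
carries both numbers tells a customer more than the base score alone.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (CVSS v2.0 specification)
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Access Vector: local/adjacent/network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # Access Complexity: high/medium/low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication: multiple/single/none
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact: none/partial/complete
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}

# Temporal metric weights; "ND" (Not Defined) leaves the base score unchanged
TEMPORAL_WEIGHTS = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},    # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # Report Confidence
}


def round1(x: float) -> float:
    """round_to_1_decimal from the spec: one decimal place, halves rounded up."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C[/E:POC/RL:OF/RC:C]' into {metric: value}."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        if not name or not value:
            raise ValueError(f"malformed metric {part!r} in vector {vector!r}")
        metrics[name] = value
    return metrics


def base_score(vector: str) -> float:
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    m = parse_vector(vector)
    try:
        w = {k: BASE_WEIGHTS[k][m[k]] for k in BASE_WEIGHTS}
    except KeyError as exc:
        raise ValueError(f"missing or invalid base metric: {exc}") from None
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176  # no impact at all means score 0, by definition
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(vector: str) -> float:
    """TemporalScore = round1(BaseScore * E * RL * RC); absent temporal metrics count as ND."""
    m = parse_vector(vector)
    factor = 1.0
    for name, table in TEMPORAL_WEIGHTS.items():
        value = m.get(name, "ND")
        if value not in table:
            raise ValueError(f"invalid temporal metric {name}:{value}")
        factor *= table[value]
    return round1(base_score(vector) * factor)


def nvd_severity(score: float) -> str:
    """NVD's Low/Medium/High bands for CVSS v2 (a convention, not part of the spec)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed sample vectors: a remote full compromise, a remote partial one
    # with only a proof-of-concept exploit and an official fix, and a no-impact case.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
              "AV:L/AC:H/Au:M/C:N/I:N/A:N"):
        b, t = base_score(v), temporal_score(v)
        print(f"{v}\n  base={b} ({nvd_severity(b)})  temporal={t} ({nvd_severity(t)})")
```

The second sample is the interesting one for prioritization: a base score of 6.8 drops to a temporal score of 5.3 once the advisory records that only a proof-of-concept exploit exists and an official fix is available, which is exactly the kind of adjustment Amazon's advisories expose by publishing both numbers.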