Trying to address the lack of transparency that plagues today's public cloud computing offerings, Amazon has just published a new policy that allows customers (or security researchers) to perform penetration testing inside EC2.
The company already defines what counts as a security attack or network abuse in its Acceptable Use Policy. An EC2 customer that wants to simulate a real-world attack without violating that policy has to request permission for a penetration test. Amazon keeps the request confidential and answers within 24 hours, in a non-automated fashion.
In its reply Amazon asks for specific details about the penetration test, such as the targeted Amazon Machine Images (AMIs) and the timeframe of the attack. The company also lists the security tools that customers are allowed to use during the test (but the published policy does not include this list).
Amazon also published a policy for reporting vulnerabilities discovered in any of its Amazon Web Services (AWS) platforms, EC2 included.