Amazon Web Services is on a roll lately. They have been announcing variety of features, both big and small, and they even announced their datacenters in Asia-Pacific. Being a runaway leader in marketshare and poster boy for cloud computing, AWS has been receiving lot of positive press and some flak. Usually, the criticism is about the lack of transparency on their side and lack of enterprise grade security and control they wanted. This lead to the mushrooming of Private Cloud providers who wanted to grab the market opportunity and make some money. Looks like Amazon is slowly understanding the market demands. At least, two of the recent announcements show that they are moving in the right direction to address the enterprise needs.
After launching Virtual Private Cloud in 2009, Amazon has been slowly improving their offering with some features enterprises will love to have including the ability to use your own kernel, a way to use your own IP address while launching VPC, etc.. But they remained somewhat silent on penetration testing. In fact, blogosphere was full of discussion on how cloud providers face difficulty in allowing vulnerability scanning and possible alternative approaches to the issue, etc.. The wait is finally over.
Yesterday, Amazon announced that AWS users can now request permission from Amazon in a straight forward manner. They have put up two pages in AWS Security Center, one about how they report vulnerabilities and the other is a page outlining the procedure to get Amazon’s permission to do external penetration testing without violating AWS Acceptable Use policy.
Security is a top priority for Amazon Web Services. Providing a trustworthy infrastructure for you to develop and deploy applications is a responsibility we take very seriously. One important aspect of gaining your trust is being open and transparent about our security processes and continually working toward achieving industry-recognized certifications. Other important aspects include providing you with mechanisms for contacting us about potential security issues and enabling you to conduct security tests of the applications you deploy on AWS. I’m pleased to announce today two new policies: one that outlines our vulnerability reporting process and one that describes how to receive permission to conduct penetration tests of the applications running on your EC2 instances.
This is a good first step but they have to do more before they can become the darling of the enterprises. It will be interesting to watch where they go in the next year on the security front. 
CloudAve is exclusively sponsored by
Krishnan Subramanian

Krish dons several avatars including entrepreneur in exile, analyst cum researcher, technology evangelist, blogger, ex-physicist, social/political commentator, etc.. My main focus is research and analysis on various high impact topics in the fields of Open Source, Cloud Computing and the interface between them. I also evangelize Open Source and Cloud Computing in various media outlets, blogs and other public forums. I offer strategic advise to both Cloud Computing and Open Source providers and, also, help other companies take advantage of Open Source and Cloud Computing. In my opinion, Open Source commoditized software and Cloud Computing commoditized computing resources. A combination of these two developments offers a strong competitive advantage to companies of all sizes and shapes. Due to various factors, including fear, the adoption of both Open Source and Cloud Computing are relatively slow in the business sector. So, I take it upon myself to clear any confusion in this regard and educate, enrich and advise users/customers to take advantage of the benefits offered by these technologies. I am also a managing partner in two consulting companies based in India. I blog about Open Source topics at http://open.krishworld.com and Cloud Computing related topics at http://www.cloudave.com.

Leave a Reply