Security is a top priority for Amazon Web Services. Providing a trustworthy infrastructure for you to develop and deploy applications is a responsibility we take very seriously. One important aspect of gaining your trust is being open and transparent about our security processes and continually working toward achieving industry-recognized certifications. Other important aspects include providing you with mechanisms for contacting us about potential security issues and enabling you to conduct security tests of the applications you deploy on AWS. I'm pleased to announce today two new policies: one that outlines our vulnerability reporting process and one that describes how to receive permission to conduct penetration tests of the applications running on your EC2 instances.
A new page in the AWS Security Center describes our vulnerability reporting process. The process is a high priority for us, it is human-driven, and it is governed by a service level commitment. Like other technology providers, we believe in the concept of responsible disclosure: let's work together to protect everyone.
Another page in the Security Center describes our penetration testing procedure. Normally, conducting such tests violates our Acceptable Use Policy because these tests are often indistinguishable from real attacks. However, external testing is an important phase of development and deployment for achieving a higher degree of application security. We put the procedure in place so that we won't respond to your authorized testing as if your instances were under attack.
The e-mail address aws-security@amazon.com is your single point of contact for all things security-related. If you need to contact us about a particularly sensitive issue, you can encrypt your message with our PGP public key. And, of course, if you suspect abuse of EC2 or other AWS services, our abuse reporting process remains in place.
Finally, a small navigational change. We've moved the bulletins off the main page and onto a separate security bulletin list and changed the format so that all bulletins are displayed rather than just the most recent five.
As always, we welcome your comments and feedback. We're here to help you succeed!
Steve


Steve,
"...we won't respond to your testing as if your instances were under attack."
So how do I test my application to see how it will really behave if it was under attack? AWS's DDoS and attack mitigation are a part of my application delivery path and I want to test the real thing as well, not just my application "naked" to the internet with AWS's stuff turned off - though I will test that, too.
If I specify in my penetration testing request that I want AWS to leave in place its attack responses, will you honor that request?
Thanks.
Posted by: Shlomo Swidler | July 23, 2010 at 08:33 AM
Good question, Shlomo. We're honored that you trust our incident response procedures enough to account for them in your development. However, we can't allow random on-demand testing of that because, as I'm sure you'd understand, it would place an undue burden on our personnel, which could prevent them from responding to real attacks that need to be addressed.
Posted by: Account Deleted | July 27, 2010 at 10:32 AM