AWS makes itself a home for penetration testing

Penetration-testing companies can base their operations on the Amazon Web Services cloud, but they need to go through a verification process to get around its automated security measures, according to the cloud provider

Amazon's cloud contains automated security measures, but penetration-testing companies can get around these by going through a verification process, according to its chief information security officer.

Companies that carry out penetration-testing-as-a-service, or other activities that Amazon's security policies may flag, need to fill out a validation form. Amazon Web Services (AWS) then checks and verifies this before letting them run from its cloud, Steve Schmidt told ZDNet UK on Wednesday.

"For common inappropriate activities, we have automated responses to it. So there are a series of things we can identify that are inappropriate regardless of what the customer is doing, [like] port scanning [or] brute forcing SSH," said Schmidt, a former section chief at the FBI. "Moreover we have a process by which legitimate customers can request exceptions to our automated responses."

When Amazon detects inappropriate activity, it typically lowers the bandwidth available to the computer instance, he said. However, customers can get around this by first going through a screening process with Amazon.

By way of example, Schmidt pointed to Soasta, which does load testing for mobile applications, and Core Security, which does penetration testing, as the types of companies that usually need to go through the process.

Chris Addis, who heads up Soasta in EMEA, said the cloud is "fundamental" to how it does business, as it is much more cost effective and allows for greater geographical reach.

"We grew up around AWS as they grew up, [though we now use] 17 different cloud providers to generate load externally," Addis said on Thursday. "What the cloud allows us to do is build global test grids very quickly. We can build a test grid of maybe 200 servers in the space of five minutes, and have that grid up and ready to test the customer's site. We can tear it down in an hour's time."

Legitimate activities in the cloud

However, Amazon cannot automate all of its security checks, because that risks blocking legitimate activities, according to Schmidt. For example, when Michael Jackson passed away, AWS saw a huge spike in access to a series of customer data. It turned out Jackson's record company had created a tribute site on AWS.

"If we had an automated distributed-denial-of-service response system, we would have locked off legitimate impressions," Schmidt said.

For common inappropriate activities, we have automated responses to it.

– Steve Schmidt, AWS

In a speech at an AWS event on Tuesday, Schmidt said the cloud provider is responsible for the security of its physical facilities, network infrastructure and virtualisation infrastructure. Customers are responsible for the security of their operating systems, applications, network configuration, network access control lists (ACLs), account management and security groups.

This can lead to problems when some of a legitimate customer's instances are being used to perform activities that seem inappropriate, he said.

"Where it's difficult is when the activity is within a company, so a company has legitimate users who are using the machine, but they also have somebody who is doing something inappropriate on a machine," he said. "We can't tell them what's legitimate activity and what's not, so the customer has to tell us."

However, though Schmidt referenced the automated security policies in his keynote and when talking to ZDNet UK, he did not give a precise technical description of how the processes work.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.