Amazon Web Services recently changed a policy that required security researchers to get permission before testing applications running on some of its most important services for security flaws, allowing customers to run tests against its services without having to fill out a form.
Teri Radichel, CEO of Seattle security firm 2nd Sight Labs, posted an email noting the change on Twitter Thursday afternoon, and multiple AWS employees including Matt Wilson, vice president/distinguished engineer and leader of the bedrock EC2 compute service, acknowledged the update was legit. The official AWS penetration testing site had yet to be updated as of Friday morning, but the email said that security professionals will now be able to conduct penetration tests on apps using core services such as EC2, RDS databases, and the AWS Lambda serverless service without first registering their intentions with the company.
Behold…Rules for pentesting on AWS just changed… pic.twitter.com/oXNr6mJZZb
— Teri Radichel (@TeriRadichel) February 28, 2019
Penetration testing is a common security technique that looks for flaws in a company’s security defenses: friendly hackers use the same attack techniques as real adversaries to find weak areas before criminal hackers do. Lots of companies conduct this research on their own networks or hire outside firms, but to a cloud provider an authorized penetration test can look the same as an unauthorized attempt to breach the security of the service itself.
Microsoft changed its Azure penetration testing policy in 2017 to allow customers to test their applications without first getting permission. For both companies, getting permission was not all that difficult, but nobody likes filling out forms, and AWS told would-be penetration testers that they could expect to wait up to a week before getting the go-ahead to proceed.
An AWS representative did not have an immediate update on the details of the change.