Thursday, April 27, 2017

How Amazon Can Make AWS More Secure

As a certified AWS architect and SysOps engineer, I've spent a lot of time learning the ins and outs of cloud computing on their platform.

And in that time I've come to understand that done right, cloud computing on AWS is FAR MORE SECURE than most corporate implementations.

In my opinion, if you put in the same amount of time on AWS as you do for your on-premise network and app security, you'll be significantly more secure on AWS than you would be on your own datacenter!

Why? Because of the vast array of cutting-edge security tools (both AWS-native and 3rd party vendor apps and appliances) that offer deep and useful security insights that were just pipe dreams a few short years ago.

You owe it to yourself to go check them out.

I believe this "security is better in the cloud" stance holds true for Microsoft's Azure as well, which is a platform I am currently getting certified on. But back to AWS - I spotted a glaring and simple way that Amazon could make their security even better, and it relates to penetration testing and vulnerability scanning.

Penetration testing is widely understood to be one of the best ways to find security vulnerabilities before the bad guys do, and every organization should be doing it - regularly.

And yes, AWS lets you do penetration testing. However, it requires their approval first, and herein lies the problem. When I "subscribed" to a Sophos UTM 9 appliance that I wanted to learn, and use to do some scanning on my test network, I had to fill out a form. And in that process, I had to list out the hosts and the IP addresses of both the scanning tool and the scanner appliance, and list the times of the tests, etc.

This makes sense because AWS needs to (presumably) disable alarms and "reactive" technologies so you don't get shut down when they detect the scanning / pen testing taking place on their network.

BUT, this process could be significantly streamlined, and made much easier so that more customers commit the time and energy to conduct penetration tests.

In short, it was a clunky, time-consuming process to fill out a form to request permission to do the scan.

I had to go look up IP addresses, and gather info on the specific instance IDs of my servers and list them out. And while not a horrible process, it definitely introduced "friction" and would discourage some people from bothering with the process in the first place. And that's not good.
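The lookup described above (instance IDs, IP addresses, and a scan window for the request form) is exactly the kind of thing a short script can gather for you. The following is an added example, not code from the original post: it flattens a response shaped like boto3's `ec2.describe_instances()` output into the host list and time window the form asks for. The `PenTest=yes` opt-in tag, the scanner address `203.0.113.99`, and the sample reservations are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like boto3 ec2.describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "PrivateIpAddress": "10.0.1.10",
         "PublicIpAddress": "203.0.113.10", "State": {"Name": "running"},
         "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "PenTest", "Value": "yes"}]},
        {"InstanceId": "i-0bbb222", "PrivateIpAddress": "10.0.1.11",
         "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "db-1"}]},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc333", "PrivateIpAddress": "10.0.2.5",
         "PublicIpAddress": "203.0.113.5", "State": {"Name": "stopped"},
         "Tags": [{"Key": "PenTest", "Value": "yes"}]},
    ]},
]

def _tag(instance, key):
    # Value of tag `key`, or None when the instance does not carry it.
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), None)

def collect_targets(reservations, tag_key="PenTest", tag_value="yes"):
    """Hosts for the request form: only running instances carrying the opt-in tag,
    so a stopped or untagged host is never listed by mistake."""
    targets = []
    for inst in (i for r in reservations for i in r["Instances"]):
        if inst["State"]["Name"] != "running" or _tag(inst, tag_key) != tag_value:
            continue
        targets.append({
            "name": _tag(inst, "Name") or inst["InstanceId"],
            "instance_id": inst["InstanceId"],
            "private_ip": inst.get("PrivateIpAddress"),
            "public_ip": inst.get("PublicIpAddress"),  # None for internal-only hosts
        })
    return targets

def build_request(targets, scanner_ip, start, hours):
    """Assemble what the approval form asks for: scanner source, hosts, time window."""
    if not targets:
        raise ValueError("no hosts selected for scanning")
    return {
        "scanner_source_ip": scanner_ip,
        "hosts": targets,
        "window_start_utc": start.isoformat(),
        "window_end_utc": (start + timedelta(hours=hours)).isoformat(),
    }

def example_request():
    # Request for the constructed sample: a 4-hour window from 2017-04-28 02:00 UTC.
    start = datetime(2017, 4, 28, 2, 0, tzinfo=timezone.utc)
    return build_request(collect_targets(SAMPLE_RESERVATIONS), "203.0.113.99", start, 4)
```

In a real account the reservations list would come from `boto3.client("ec2").describe_instances()` instead of the inline sample; the tag filter is what replaces the manual lookup.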

A recent pen-test email confirmation from AWS
My recommendation (are you listening, Amazon?) is to allow cloud administrators to request port scanning by simply adding a checkbox next to the instance names, so that all hosts to be scanned simply have their box checked. It would be easy to add a date/time feature where the admin could select a time window for scanning the "checked" hosts, etc. Let's call this an "in-line pen testing request".

My logic is that by reducing the amount of effort required to conduct pen testing on AWS, more customers would take advantage of this ability.

They could even "up the ante" by integrating this request with the products or appliances of some 3rd party security vendors, like Sophos, so security-conscious AWS customers could try out new tools with ease.

This could be a boon to those vendors, and give customers access to an array of tools that they are unfamiliar with.

I'm sure there are numerous other ways to facilitate pen testing on AWS, and I'd love to hear your ideas!

-Ryan

PS: If you have an Amazon account, here's the link to learn more about pen testing, and to submit the form to do your own penetration testing. Use it! Find (and fix) your network weaknesses, even if it's a clunky process.

PPS: If you know anyone inside Amazon who might like to hear this idea, please share the link with them.
