Metasploit Pro is available as an Amazon Machine Image (AMI) so it can easily be run in the Amazon cloud to conduct external penetration tests. This is especially useful since several team members can use the same instance of Metasploit Pro in the cloud at the same time through Metasploit Pro's web-based user interface, even if team members are working on different projects at the same time.

Before you start a penetration test, there are a few things to note so you don't violate Amazon's policies. Amazon requires customers to obtain authorization for penetration testing (or vulnerability assessments) both to and from their AWS resources. Amazon offers a form (linked from this page - requires login) to streamline this process.

AWS Security will then add your source and destination addresses to a white list for the duration of your penetration test. As always, you need legal permission from the owners of the assets you are conducting your security tests on. AWS Security will revoke your white list privileges if they receive any complaints or reports about DoS attacks. Amazon currently doesn't permit testing m1.small or t1.micro instance types, to prevent performance impacts on the resources shared with others.

If you'd like to find out more, read Amazon's full policies about penetration testing and vulnerability management.

Have you conducted penetration tests on or from the Amazon cloud? Please comment on this blog to share your experience!

To try out Metasploit Pro, get the free trial!