Anecdote:
A friend of mine runs a consulting business. He does webapps, but generally has to set up the webserver if he doesn't have to provide hosting. He's a fantastic programmer. I came to find out that he hadn't disallowed root SSH yet or implemented SSH keys.
With that said, I would say most probably don't unless they have someone with sysadmin experience or who likes infosec.
Perceived value? Certainly, if you can convince them that if the data gets corrupted or stolen or you get haxx0red by script kiddies there's going to be a financial consequence.
Will they pay? I don't know. It's risk management between site/data loss and paying to set it up.
I'd be interested in having AMIs that cut down on the boot time as much as possible. For example, most cluster compute AMIs need at least 3 minutes to boot; by slimming the image and maybe intelligently ordering the filesystem it should be possible to speed this up.
I agree with you on this. If I was starting something in a space with regulations I would love to buy something that's guaranteed rather than figuring it out myself. It would allow me to work on my product rather than compliance.
The problem is that it can't really be guaranteed because there is no knowing what you are going to do with it. I could give you a hardened AMI and then you could totally open it up in the course of your development. So it would have to be something like "Here is what has been done to it. Here is how it currently satisfies X accreditation. It is your responsibility to keep it secure."