Penetration Testing

AWS Customer Support Policy for Penetration Testing

AWS customers are welcome to carry out security assessments or penetration tests of their AWS infrastructure without prior approval for the services listed in the next section under “Permitted Services.” Additionally, AWS permits customers to host their security assessment tooling within the AWS IP space or other cloud provider for on-prem, in AWS, or third party contracted testing. All security testing that includes Command and Control (C2) requires prior approval.

Please ensure that these activities are aligned with the policy set out below. Note: Customers are not permitted to conduct any security assessments of AWS infrastructure or the AWS services themselves. If you discover a security issue within any of the AWS services observed in your security assessment, please contact AWS Security immediately.

If AWS receives an abuse report for activities related to your security testing, we will forward it to you. When responding, please provide us with approved language detailing your use case, including a point of contact that we can share with any third party reporters. Learn more here.

Resellers of AWS services are responsible for their customers’ security testing activity.