Skip to main content

Penetration Testing

AWS Customer Support Policy for Penetration Testing

AWS customers are welcome to carry out security assessments or penetration tests of their AWS infrastructure without prior approval for the services listed in the next section under “Permitted Services.” Additionally, AWS permits customers to host their security assessment tooling within the AWS IP space or other cloud provider for on-prem, in AWS, or third party contracted testing. All security testing that includes Command and Control (C2) requires prior approval.

Please ensure that these activities are aligned with the policy set out below. Note: Customers are not permitted to conduct any security assessments of AWS infrastructure or the AWS services themselves. If you discover a security issue within any of the AWS services observed in your security assessment, please contact AWS Security immediately.

If AWS receives an abuse report for activities related to your security testing, we will forward it to you. When responding, please provide us with approved language detailing your use case, including a point of contact that we can share with any third party reporters. Learn more here.

Resellers of AWS services are responsible for their customers’ security testing activity.

Customer Service Policy for Penetration Testing

Permitted Services

  • Amazon EC2 instances, WAF, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateways
  • AWS AppSync
  • AWS Lambda and Lambda Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments
  • Amazon Elastic Container Service
  • AWS Fargate
  • Amazon OpenSearch Service
  • Amazon FSx
  • Amazon Transit Gateway

Customers seeking to test non approved services will need to work directly with AWS Support or your account representative.

Prohibited Activities

Customers seeking to test non approved services will need to work directly with AWS Support or your account representative.

  • DNS zone walking via Amazon Route 53 Hosted Zones
  • DNS hijacking via Route 53
  • DNS Pharming via Route 53
  • Denial of Service (DoS), Distributed Denial of Service (DDoS),
  • Simulated DoS, Simulated DDoS (These are subject to the DDoS Simulation Testing policy Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)
  • S3 bucket takeover
  • Subdomain Takeover

Prohibited Services for Outbound Penetration Testing

  • Amazon API Gateway

Other Simulated Events

Open all

Red/Blue/Purple Team tests are adversarial security simulations designed to test an organization’s security awareness and response times.

Customers seeking to perform covert adversarial security simulations and/or hosting Command and Control (C2) must submit a Simulated Events form for review.

Network Stress Testing or Load testing  is a performance test that sends a large volume of legitimate or test traffic to a specific intended target application to ensure efficient operational capacity. Customers wishing to perform a Network Stress Test should review our Stress Test policy.

Distributed Denial of Service (DDoS) attacks occur when attackers use a flood of traffic from multiple sources to attempt to impact the availability of a targeted application. Customers wishing to perform a DDoS simulation test should review our DDoS Simulation Testing policy.

iPerf is a tool for network performance measurement and tuning. Customers seeking to perform iPerf testing must submit a Simulated Events form for review.

Simulated Phishing is the simulation of an attempted social engineering attack which tries to obtain sensitive information from users. The goal is to identify users and educate them on the difference between valid emails and phishing emails to increase organizational security.

Customers seeking to perform Simulated Phishing campaigns must submit a Simulated Events form for review.

Malware Testing is the practice of subjecting malicious files or programs to applications or antivirus programs to improve security features.

Customers seeking to perform Malware Testing must submit a Simulated Events form for review.

AWS is committed to being responsive and keeping you informed of our progress. Please submit a Simulated Events form  to contact us directly. (For customers operating in the AWS China (Ningxia & Beijing) Region, please use this Simulated Events form.)

Be sure to include dates, account ID’s involved, assets involved, and contact information, including phone number and detailed description of planned events. You should expect to receive a non-automated response to your initial contact within 2 business days confirming receipt of your request.

All Simulated Event requests must be submitted to AWS at least two (2) weeks in advance of the start date.

No further action on your part is required after you receive our authorization. You may conduct your testing through the conclusion of the period you indicated.