Penetration Testing
AWS Customer Support Policy for Penetration Testing
AWS customers are welcome to carry out security assessments or penetration tests of their AWS infrastructure without prior approval for the services listed in the next section under “Permitted Services.” Additionally, AWS permits customers to host their security assessment tooling within the AWS IP space or with another cloud provider, for on-premises, in-AWS, or third-party contracted testing. All security testing that includes Command and Control (C2) requires prior approval.
Please ensure that these activities are aligned with the policy set out below. Note: Customers are not permitted to conduct any security assessments of AWS infrastructure or the AWS services themselves. If you discover a security issue within any of the AWS services observed in your security assessment, please contact AWS Security immediately.
If AWS receives an abuse report for activities related to your security testing, we will forward it to you. When responding, please provide us with approved language detailing your use case, including a point of contact that we can share with any third-party reporters.
Resellers of AWS services are responsible for their customers’ security testing activity.
Customer Service Policy for Penetration Testing
Permitted Services
- Amazon EC2 instances, WAF, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateways
- AWS AppSync
- AWS Lambda and Lambda@Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments
- Amazon Elastic Container Service
- AWS Fargate
- Amazon OpenSearch Service
- Amazon FSx
- Amazon Transit Gateway
Customers seeking to test non-approved services will need to work directly with AWS Support or their account representative.
Prohibited Activities
- DNS zone walking via Amazon Route 53 Hosted Zones
- DNS hijacking via Route 53
- DNS Pharming via Route 53
- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (these are subject to the DDoS Simulation Testing policy)
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)
- S3 bucket takeover
- Subdomain Takeover
Prohibited Services for Outbound Penetration Testing
- Amazon API Gateway