Amazon Web Services strives to provide a robust and trustworthy platform for our customers. We take security very seriously and continually monitor our services for suspected attack. We also understand that security is a partnership between us and our customers. A critical phase of any secure application deployment involves testing applications for potential vulnerabilities.
Our Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of prohibited security violations and network abuse. However, because penetration testing frequently is indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration tests.
Communicating with AWS
Appropriate Use and Your Privacy
The information you share with AWS as part of this process is kept confidential within AWS. It will not be shared with third parties without your permission.
Please complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization for penetration testing of your resources. You must be logged into the portal using the credentials associated with the instances you wish to test, otherwise the form will not pre-populate correctly. If you have hired a third party to conduct your testing, we suggest that you complete the form and then notify your third party when we grant approval.
AWS is committed to being responsive and keeping you informed of our progress. You will receive a non-automated response to your initial contact within one business day, confirming receipt of your request.
The form you will submit requests various information about the instances you wish to test, the expected start and end dates and times of your test, and requires you to read and agree to Terms and Conditions specific to penetration testing and to the use of appropriate tools for testing.
Please note: At this time, our policy does not permit testing m1.small or t1.micro instance types. This is to prevent potential adverse performance impacts on the resources you may be sharing with other customers.
We will review the information you have submitted. If we do not have any questions, we will reply to you with authorization along with an authorization number. If we do have questions, we will reply to you requesting clarification. Note that the process can take several business days, so please plan accordingly.
No further action on your part is required after you receive our authorization. You may conduct your testing through the conclusion of the period you indicated. If you need more time for additional testing, reply to the authorization email asking to extend your test period to the new date. You are not authorized for an extension unless you receive a new authorization from us.