Our Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of prohibited security violations and network abuse. However, because penetration testing frequently is indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration tests and vulnerability scans.
Please complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization for penetration testing originating from any AWS resources. There are several important things to note about penetration testing requests:
- Permission is required for all penetration tests.
- To request permission, you must be logged into the AWS portal using the credentials associated with the instances you wish to test, otherwise the form will not pre-populate correctly. If you have hired a third party to conduct your testing, we suggest that you complete the form and then notify your third party when we grant approval.
- At this time, our policy does not permit testing m1.small or t1.micro instance types. This is to prevent potential adverse performance impacts on the resources you may be sharing with other customers in a multi-tenant environment.
The form requires you to submit information about the instances you wish to test, identify the expected start and end dates/times of your test, and requires you to read and agree to Terms and Conditions specific to penetration testing and to the use of appropriate tools for testing. Note that the end date may not be more than 3 months from the start date
The information you share with AWS as part of this process is kept confidential within AWS. It will not be shared with third parties without your permission.
AWS is committed to being responsive and keeping you informed of our progress. You will receive a non-automated response to your initial contact within 24-48 business hours, confirming receipt of your request.
After we review the information you have submitted, we will reply to you with an authorization number. If we have questions, we will request clarification. Note that the process can take several business days, so please plan accordingly.
No further action on your part is required after you receive our authorization. You may conduct your testing through the conclusion of the period you indicated. If you need more time for additional testing, reply to the authorization email asking to extend your test period to the new date. You are not authorized for an extension unless you receive a new authorization from us.
If you have penetration test/vulnerability scanning questions about issues not addressed on this web page, feel free to contact us at firstname.lastname@example.org.