Our Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of prohibited security violations and network abuse. However, because penetration testing and other simulated events are frequently indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration tests and vulnerability scans to or originating from the AWS environment.

Please complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization for penetration testing to or originating from any AWS resources. There are several important things to note about penetration testing requests:

  • Permission is required for all penetration tests.
  • To request permission, you must be logged into the AWS portal using the root credentials associated with the instances you wish to test; otherwise, the form will not pre-populate correctly. If you have hired a third party to conduct your testing, we suggest that you complete the form and then notify your third party when we grant approval.
  • Our policy only permits testing of EC2 and RDS instances that you own. Tests against any other AWS services or AWS-owned resources are prohibited.
  • At this time, our policy does not permit testing small or micro RDS instance types. Testing of m1.small or t1.micro EC2 instance types is not permitted. This is to prevent potential adverse performance impacts on resources that may be shared with other customers.

The form requires you to submit information about the instances you wish to test, identify the expected start and end dates/times of your test, and read and agree to Terms and Conditions specific to penetration testing and to the use of appropriate tools for testing. Note that the end date may not be more than 90 days from the start date.

The information you share with AWS as part of this process is kept confidential within AWS. It will not be shared with third parties without your permission.

We will reply to your request once it has been reviewed, which can take up to two business days. If your request has been approved, you will receive an authorization number. If we have questions, we will request clarification. Note that requests for more information can delay this process, so please plan accordingly and ensure that your initial request is as detailed as possible.

The following is a non-inclusive list of activities that may be considered Simulated Events:

• Security simulations or security game days

• Support simulations or support game days

• War game simulations

• White cards

• Red team and blue team testing

• Disaster recovery simulations

• Other simulated events

Please email us directly at aws-security-simulated-event@amazon.com. When communicating your event, please be sure to provide details on the event including:

• Dates

• Accounts involved

• Assets involved

• Contact information including phone number

• Detailed description of the planned events

AWS is committed to being responsive and keeping you informed of our progress. You should expect to receive a non-automated response to your initial contact within 2 business days, confirming receipt of your request.

After we review the information you have submitted with your request, we will pass it on to the appropriate teams to evaluate. Due to the nature of these requests, each submission is manually reviewed and a reply may take up to 7 days. A final decision may take longer depending on whether additional information is needed to complete our evaluation.

No further action on your part is required after you receive our authorization. You may conduct your testing through the conclusion of the period you indicated.

If you have simulated event questions about issues not addressed on this web page, feel free to contact us at aws-security-cust-pen-test@amazon.com.