How do I run security assessments or penetration tests on AWS?
Last updated: 2019-05-14
I want to run a security test or other simulated event on my AWS architecture.
You can carry out penetration tests against resources on your AWS account per the policies and guidelines at Penetration Testing. You don't need approval from AWS to run penetration tests against resources on your AWS account.
If you plan to run a security test other than a penetration test, see the guidelines at Other Simulated Events.
If you have questions about vulnerability or penetration testing, contact firstname.lastname@example.org.
Note: You are not permitted to conduct any security assessments of AWS infrastructure that is not on your AWS account. You are also not permitted to conduct security assessments of AWS services themselves. If you discover a security issue within any AWS services in the course of your security assessment, contact AWS Security immediately.
To request permission for network stress-testing
Before stress-testing your network, review the Amazon EC2 Testing Policy. If your planned tests exceed the limits outlined in the policy, contact email@example.com at least 14 business days before your planned test and provide a full description of your plan, including expected risks and outcomes.
To request permission for other simulated events
For any other simulated events, contact firstname.lastname@example.org and provide a full description of your planned event, including details, risks, and desired outcomes. Other simulated event types can include:
- Red, blue, or purple team
- Capture the flag
- Disaster recovery
- Simulated phishing
- Malware testing