I want to run a penetration test or other simulated event on my AWS architecture. How do I get permission from AWS to do that?

Before performing security testing on AWS resources, you must obtain approval from AWS. After you submit your request, AWS will reply in about two business days.

AWS might have additional questions about your test, which can extend the approval process, so plan accordingly and be sure that your initial request is as detailed as possible.

If your request is approved, you'll receive an authorization number.

To request permission for vulnerability and penetration testing

Sign in to your AWS account using root credentials, and then fill out the Vulnerability / Penetration Testing Request Form.

Submit your request at least seven business days before your planned test. The more detailed your request, the more likely it is to be approved quickly. If you don't provide enough detail, AWS might deny your request.

If you have questions about vulnerability or penetration testing, contact aws-security-cust-pen-test@amazon.com.

To request permission for network stress-testing

Before stress-testing your network, review the Amazon EC2 Testing Policy. If your planned tests exceed the limits outlined in the policy, contact aws-security-simulated-event@amazon.com at least 14 business days before your planned test and provide a full description of your plan, including expected risks and outcomes.

To request permission for other simulated events

For any other simulated events, contact aws-security-simulated-event@amazon.com and provide a full description of your planned event, including details, risks, and desired outcomes. Other simulated event types can include:

  • Red, blue, or purple team
  • Capture the flag
  • Disaster recovery
  • Simulated phishing
  • Malware testing

Published: 2016-04-01

Updated: 2018-05-21