How do I run security assessments or penetration tests on AWS?
Last updated: 2020-11-12
I want to run a security test or other simulated event on my AWS architecture.
You can carry out penetration tests against or from resources on your AWS account by following the policies and guidelines at Penetration Testing. You don't need approval from AWS to run penetration tests against or from resources on your AWS account.
If you plan to run a security test other than a penetration test, see the guidelines at Other simulated events.
Note: You aren't permitted to conduct any security assessments of AWS infrastructure that isn't on your AWS account. You also aren't permitted to conduct security assessments of AWS services themselves. If you discover a security issue within any AWS service in the course of your security assessment, contact AWS Security immediately.
To request permission for network stress-testing
Before stress-testing your network, review the Amazon EC2 Testing Policy. If your planned tests exceed the limits outlined in the policy, then submit a request using the Simulated Event form at least 14 business days before your planned test. Provide a full description of your plan, including expected risks and outcomes.
To request permission for other simulated events
For any other simulated events, submit a request using the Simulated Event form and provide a full description of your planned event, including details, risks, and desired outcomes.
Other simulated event types can include:
- Red, blue, or purple team exercises
- Capture the flag
- Disaster recovery
- Simulated phishing
- Malware testing