Effective immediately, AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services.

Please ensure that these activities are aligned with the policy set out below. Note: Customers are not permitted to conduct any security assessments of AWS infrastructure, or the AWS services themselves. If you discover a security issue within any AWS services in the course of your security assessment, please contact AWS Security immediately.

Private Preview and NDA – We're currently operating a preview program for security assessments of the services below. Before conducting such assessments, please contact pen-test-nda@amazon.com to complete an NDA:

  • Amazon CloudFront

Permitted Services – You're welcome to conduct security assessments against AWS resources that you own if they make use of the services listed below. We're constantly updating this list; click here to leave us feedback or to request the inclusion of additional services:

  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateways
  • AWS Lambda and Lambda Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments

Prohibited Activities – The following activities are prohibited at this time:

  • DNS zone walking via Amazon Route 53 Hosted Zones
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)

Abuse Reports – If AWS receives an abuse report for activities related to your security testing, we will forward it to you. You must respond to these reports within 24 hours of notification. When responding, please provide the root cause of the reported activity, and detail what you've done to prevent the reported issue from recurring. You can learn more about the abuse report process here.

Reseller Responsibility – Resellers of AWS services are responsible for their customer's security testing activity.

All Security Testing must be in line with the AWS Security Testing Terms and Conditions (see below).

We want your security testing to be a positive experience that efficiently gathers the objective evidence you need, without errors or interruptions. The following are some helpful tips that, when followed, will likely improve that experience, while also being appreciated by your provider, AWS, and other AWS customers.

Rate limits – To ensure your testing is successful, please limit your scanning to 1Gbps or 10,000 RPS.

Instance Types – We recommend excluding the following EC2 instance types from your security assessments to minimize potential disruption to your environment:

  • T3.nano
  • T2.nano
  • T1.micro
  • M1.small

Testing IP Addresses – Because of the dynamic nature of a cloud environment, verify every IP address in scope immediately before a test begins to confirm that your account still owns it.
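The ownership check above, together with the instance-type exclusions, can be automated before a test starts. The following is an added example and not AWS tooling: it cross-checks the addresses a tester intends to target against the instances the account owns and drops the small burstable types the tips recommend excluding. The instance records are a constructed stand-in with the same shape as a boto3 `ec2.describe_instances()` response (the instance ids and addresses are placeholders), so the check runs offline; in a real run the response would come from that API call.

```python
"""Pre-test scope check (added example; not AWS's own tooling)."""
from ipaddress import ip_address

# Instance types the tips recommend excluding (lower-cased as EC2 names them).
EXCLUDED_INSTANCE_TYPES = {"t3.nano", "t2.nano", "t1.micro", "m1.small"}

# Constructed stand-in for a describe_instances response (placeholder data).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0example1", "InstanceType": "m5.large",
             "PublicIpAddress": "203.0.113.10", "PrivateIpAddress": "10.0.1.10"},
            {"InstanceId": "i-0example2", "InstanceType": "t3.nano",
             "PublicIpAddress": "203.0.113.11", "PrivateIpAddress": "10.0.1.11"},
            {"InstanceId": "i-0example3", "InstanceType": "c5.xlarge",
             "PrivateIpAddress": "10.0.1.12"},   # no public address
        ]},
    ]
}


def owned_addresses(response):
    """Map every IP address the account owns to (instance id, instance type)."""
    owned = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            meta = (inst["InstanceId"], inst["InstanceType"].lower())
            for key in ("PublicIpAddress", "PrivateIpAddress"):
                if key in inst:
                    owned[ip_address(inst[key])] = meta
            # Secondary addresses hang off the network interfaces.
            for eni in inst.get("NetworkInterfaces", []):
                for pip in eni.get("PrivateIpAddresses", []):
                    if "PrivateIpAddress" in pip:
                        owned[ip_address(pip["PrivateIpAddress"])] = meta
                    assoc = pip.get("Association", {})
                    if "PublicIp" in assoc:
                        owned[ip_address(assoc["PublicIp"])] = meta
    return owned


def build_scope(response, requested_ips, excluded_types=EXCLUDED_INSTANCE_TYPES):
    """Split requested targets into (approved, not owned, excluded instance type)."""
    owned = owned_addresses(response)
    approved, not_owned, excluded = [], [], []
    for raw in requested_ips:
        ip = ip_address(raw)
        if ip not in owned:
            not_owned.append(raw)      # never target an address you do not own
        elif owned[ip][1] in excluded_types:
            excluded.append(raw)       # owned, but on the recommended exclusion list
        else:
            approved.append(raw)
    return approved, not_owned, excluded


if __name__ == "__main__":
    requested = ["203.0.113.10", "203.0.113.11", "203.0.113.99", "10.0.1.12"]
    ok, unowned, skipped = build_scope(SAMPLE_DESCRIBE_INSTANCES, requested)
    print("approved:", ok)
    print("not owned, remove from scope:", unowned)
    print("excluded instance type:", skipped)
```

Run it just before the test window opens rather than days earlier, since a released Elastic IP or a replaced instance can move an address to another customer in between; anything in the "not owned" list must be dropped from scope.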

Please contact aws-security-simulated-event@amazon.com with any questions you may have.

Security Testing (the "Testing"):
(a) will be limited to the services, network bandwidth, requests per minute, and instance types outlined on the AWS website:

https://aws.amazon.com/security/penetration-testing/

(b) is subject to the terms of the Amazon Web Services Customer Agreement between you and AWS (available at http://aws.amazon.com/agreement/) (the "Agreement"), and

(c) will abide by AWS's policy regarding the use of security assessment tools and services (included below).

Any discoveries of vulnerabilities or other issues that are the direct result of AWS's tools or services must be conveyed to aws-security@amazon.com within 24 hours of completion of the Testing.

AWS's policy regarding the use of security assessment tools and services allows significant flexibility for performing security assessments of your AWS assets while protecting other AWS customers and ensuring quality-of-service across AWS.

AWS understands there are a variety of public, private, commercial, and/or open-source tools and services to choose from for the purposes of performing a security assessment of your AWS assets. The term "security assessment" refers to all activity engaged in for the purposes of determining the efficacy or existence of security controls amongst your AWS assets, e.g., port-scanning, vulnerability scanning/checks, penetration testing, exploitation, web application scanning, as well as any injection, forgery, or fuzzing activity, either performed remotely against your AWS assets, amongst/between your AWS assets, or locally within the virtualized assets themselves.

You are NOT limited in your selection of tools or services to perform a security assessment of your AWS assets. However, you ARE prohibited from utilizing any tools or services in a manner that performs Denial-of-Service (DoS) attacks or simulations of such against ANY AWS asset, yours or otherwise. Prohibited activities include, but may not be limited to:

  • Protocol flooding (e.g. SYN flooding, ICMP flooding, UDP flooding)
  • Resource request flooding (e.g. HTTP request flooding, login request flooding, API request flooding)

A security tool that solely performs a remote query of your AWS asset to determine a software name and version, such as "banner grabbing," for the purpose of comparison to a list of versions known to be vulnerable to DoS, is NOT in violation of this policy.

Additionally, a security tool or service that solely crashes a running process on your AWS asset, temporarily or otherwise, as necessary for remote or local exploitation as part of the security assessment, is NOT in violation of this policy. However, this tool may NOT engage in protocol flooding or resource request flooding, as mentioned above.

A security tool or service that creates, determines the existence of, or demonstrates a DoS condition in ANY other manner, actual or simulated, is expressly forbidden.

Some tools or services include actual DoS capabilities as described, either silently/inherently if used inappropriately or as an explicit test/check or feature of the tool or service. Any security tool or service that has such a DoS capability must have the explicit ability to DISABLE, DISARM, or otherwise render HARMLESS that DoS capability. Otherwise, that tool or service may NOT be employed for ANY facet of the security assessment.

It is the sole responsibility of the AWS customer to: (1) ensure the tools and services employed for performing a security assessment are properly configured and successfully operate in a manner that does not perform DoS attacks or simulations of such, and (2) independently validate that the tool or service employed does not perform DoS attacks, or simulations of such, PRIOR to security assessment of any AWS assets. This AWS customer responsibility includes ensuring contracted third-parties perform security assessments in a manner that does not violate this policy.

Furthermore, you are responsible for any damages to AWS or other AWS customers that are caused by your Testing or security assessment activities.

AWS is committed to being responsive and keeping you informed of our progress. You should expect to receive a non-automated response to your initial contact within 2 business days, confirming receipt of your request.

After we review the information you have submitted with your request, we will pass it on to the appropriate teams to evaluate. Due to the nature of these requests, each submission is manually reviewed and a reply may take up to 7 days. A final decision may take longer depending on whether additional information is needed to complete our evaluation.

  • Security simulations or security game days
  • Support simulations or support game days
  • War game simulations
  • White cards
  • Red team and blue team testing
  • Disaster recovery simulations.
  • Other simulated events

Please email us directly at aws-security-simulated-event@amazon.com. When communicating your event, please be sure to provide details on the event including:

  • Dates
  • Accounts involved
  • Assets involved
  • Contact information including phone number
  • Detailed description of the planned events

No further action on your part is required after you receive our authorization. You may conduct your testing through the conclusion of the period you indicated.

Customers wishing to perform a Network Stress Test should review our Stress Test policy.

Customers wishing to run a DDoS simulation are supported via the pre-approved vendors noted below; please redirect your request accordingly.

Current Approved Vendors

  • Red Wolf Security
  • NCC Group
  • AWS ProServ