Penetration Testing

Test the AWS environment against defined security standards

AWS Customer Support Policy for Penetration Testing

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services, listed in the next section under “Permitted Services.”

Please ensure that these activities are aligned with the policy set out below. Note: Customers are not permitted to conduct any security assessments of AWS infrastructure, or the AWS services themselves. If you discover a security issue within any AWS services in the course of your security assessment, please contact AWS Security immediately.

If AWS receives an abuse report for activities related to your security testing, we will forward it to you. When responding, please provide the root cause of the reported activity, and detail what you’ve done to prevent the reported issue from recurring. Learn more here.

Resellers of AWS services are responsible for their customer’s security testing activity.

Customer Service Policy for Penetration Testing

Permitted Services

  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateways
  • AWS Lambda and Lambda Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments

Prohibited Activities

  • DNS zone walking via Amazon Route 53 Hosted Zones
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)

Other Simulated Events

Requesting Authorization for Other Simulated Events

AWS is committed to being responsive and keeping you informed of our progress. Please email us directly at aws-security-simulated-event@amazon.com. Be sure to include dates, accounts involved, assets involved, and contact information, including phone number and detailed description of planned events. You should expect to receive a non-automated response to your initial contact within 2 business days confirming receipt of your request.

After we review the information you have submitted with your request, we will pass it on to the appropriate teams to evaluate. Due to the nature of these requests, each submission is manually reviewed and a reply may take up to 7 days. A final decision may take longer depending on whether additional information is needed to complete our evaluation.

Testing Conclusion

No further action on your part is required after you receive our authorization. You may conduct your testing through the conclusion of the period you indicated. 

Network Stress Testing

Customers wishing to perform a Network Stress Test should review our Stress Test policy. Customers wishing DDoS simulation are supported via pre-approved vendors noted below. Please re-direct your request accordingly.

Terms and Conditions

All Security Testing must be in line with these AWS Security Testing Terms and Conditions.

Security Testing:

  • Will be limited to the services, network bandwidth, requests per minute, and instance type
  • Is subject to the terms of the Amazon Web Services Customer Agreement between you and AWS
  • Will abide by AWS’s policy regarding the use of security assessment tools and services, included in the next section

Any discoveries of vulnerabilities or other issues are the direct result of AWS’s tools or services must be conveyed to AWS Security within 24 hours of completion of testing.

AWS Policy Regarding the Use of Security Assessment Tools and Services

AWS's policy regarding the use of security assessment tools and services allows significant flexibility for performing security assessments of your AWS assets while protecting other AWS customers and ensuring quality-of-service across AWS.

AWS understands there are a variety of public, private, commercial, and/or open-source tools and services to choose from for the purposes of performing a security assessment of your AWS assets. The term "security assessment" refers to all activity engaged in for the purposes of determining the efficacy or existence of security controls amongst your AWS assets, e.g., port-scanning, vulnerability scanning/checks, penetration testing, exploitation, web application scanning, as well as any injection, forgery, or fuzzing activity, either performed remotely against your AWS assets, amongst/between your AWS assets, or locally within the virtualized assets themselves.

You are NOT limited in your selection of tools or services to perform a security assessment of your AWS assets. However, you ARE prohibited from utilizing any tools or services in a manner that perform Denial-of-Service (DoS) attacks or simulations of such against ANY AWS asset, yours or otherwise. Prohibited activities include, but may not be limited to:

  • Protocol flooding (e.g., SYN flooding, ICMP flooding, UDP flooding)
  • Resource request flooding (e.g., HTTP request flooding, Login request flooding, API request flooding)

A security tool that solely performs a remote query of your AWS asset to determine a software name and version, such as "banner grabbing," for the purpose of comparison to a list of versions known to be vulnerable to DoS, is NOT in violation of this policy.

Additionally, a security tool or service that solely crashes a running process on your AWS asset, temporary or otherwise, as necessary for remote or local exploitation as part of the security assessment, is NOT in violation of this policy. However, this tool may NOT engage in protocol flooding or resource request flooding, as mentioned above.
A security tool or service that creates, determines the existence of, or demonstrates a DoS condition in ANY other manner, actual or simulated, is expressly forbidden.

Some tools or services include actual DoS capabilities as described, either silently/inherently if used inappropriately or as an explicit test/check or feature of the tool or service. Any security tool or service that has such a DoS capability, must have the explicit ability to DISABLE, DISARM, or otherwise render HARMLESS, that DoS capability. Otherwise, that tool or service may NOT be employed for ANY facet of the security assessment.

It is the sole responsibility of the AWS customer to: (1) ensure the tools and services employed for performing a security assessment are properly configured and successfully operate in a manner that does not perform DoS attacks or simulations of such, and (2) independently validate that the tool or service employed does not perform DoS attacks, or simulations of such, PRIOR to security assessment of any AWS assets. This AWS customer responsibility includes ensuring contracted third-parties perform security assessments in a manner that does not violate this policy.

Furthermore, you are responsible for any damages to AWS or other AWS customers that are caused by your Testing or security assessment activities.

Contact an AWS Business Representative
Have Questions? Connect with an AWS Business Representative
Exploring security roles?
Apply today »
Want AWS Security updates?
Follow us on Twitter »