Is Penetration Testing Allowed for Customers in AWS?

Table of Contents

You may be considering AWS as an option for hosting its critical applications. As part of your due diligence, you decide to carry out a penetration test against an AWS environment. You may not realize that, in doing so, you may violate the AWS Acceptable Use Policy.

AWS does not permit customers to conduct cloud security assessments of AWS infrastructure or the AWS services themselves. Though, there are 8 permitted services where AWS customers are welcome to carry out penetration tests without prior approval, which we will discuss below. And what are some prohibited activities that one should take note of?

What is AWS Penetration Testing?

AWS penetration testing is a way to evaluate the security of your system or application. By simulating an attack, you can identify any potential vulnerabilities and fix them before malicious actors exploit them. AWS permits security testing for User-Operated Services, which establish private cloud access management that can be configured by the user. This allows organizations to test their systems without disrupting business continuity fully.

AWS penetration testing is important to securing your data and applications in the cloud. By using penetration testing tools, you can simulate an attack and find any vulnerabilities in your system.

Is penetration testing allowed for AWS cloud customers?

AWS Provides over 90 Different Cloud hosting Services, Including Compute and Storage, Content Delivery, Security Management, Network Infrastructure, and Physical Hosting for Tenant Organizations. The wide selection of these services generally falls into the categories of (IaaS), (PaaS), and (SaaS). Internal organizational purposes are one of the most frequent uses for these virtual environments. In addition, there are also various types of cloud services offered by AWS, such as networking, data storage, web application providers, and many more.

AWS allows customers to perform penetration tests on their own cloud environments using the tools and services they are already familiar with.

Organizations must ensure that their penetration testing activities do not violate laws or regulations.

What AWS services does amazon permit for penetration testing?

Customers of Amazon Web Services (AWS) may do security assessments or penetration testing on their AWS infrastructure “without prior permission” for the following 8 services:

  • Amazon Aurora
  • Amazon RDS
  • Amazon CloudFront
  • AWS Fargate
  • Amazon EC2 instances, Elastic Load Balancers, and NAT Gateways
  • Amazon API Gateways
  • Amazon Elastic Beanstalk environments
  • Amazon Lightsail resources
  • AWS Lambda and Lambda Edge functions

Please be aware that other activities, such as penetrating the security of AWS Core Infrastructure itself or other AWS services, are not allowed. If you find a security vulnerability while conducting a pentest on an AWS service, please submit it to this email: [email protected].

On the other hand, many AWS services are built on the Software-as-a-Service (SaaS) model, which implies that the end user does not have complete control over the cloud environment and, therefore, cannot be pen tested in the same way as a traditional on-premises or Infrastructure-as-a-Service (IaaS) environment. However, one is not allowed to test the AWS Infrastructure or services, with some prohibited activities such as:

Some prohibited activities include:

  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS/DDoS (These are subject to the DDoS Simulation Testing policy)
  • DNS zone walking through Amazon Route 53 Hosted Zones
  • Protocol flooding
  • Port flooding
  • Request flooding (login request flooding, API request flooding)

These activities are not permitted under the AWS Platform Acceptable Use Policy and may result in your account being suspended or terminated.

If you want to conduct a penetration test against an AWS environment, you must first get approval from AWS support. Once you have approval, you can proceed with your testing.

How do I run AWS penetration testing?

AWS penetration testing can be a complex process, but with the right planning, it can be a valuable tool for assessing your security posture. Here are some general steps to take before starting a pentest:

  1. Define the scope of the pentest, including the AWS configuration and target systems.
  2. Run preliminary tests to determine the type of pentest you would like conducted.
  3. Outline expectations for both internal stakeholders and the pen-testing company.
  4. Establish a timeline for performing security assessments, formal reports, and potential remediation and follow-up testing.
  5. Develop the protocol and rules of engagement if the pentest reveals the client may already have been breached or is under an ongoing (live) attack.
  6. Obtain written approval to conduct the test from the client (and other third parties that may be involved).

Not all of these matters are simple to answer and may lead to further questions. It’s crucial to clearly establish the scope, goals, and regulations for the AWS Pentesting assignment. This will aid you in avoiding costly, time-consuming blunders by allowing you to choose the correct pen-testing business.

What to do after successful AWS pen testing?

The AWS pentest process is not completed after the security assessment and execution. The next steps are just as critical:

  • Review all findings and prioritize based on risk.
  • Develop a remediation plan and track progress.
  • Conduct regular follow-up tests to ensure that remediation efforts are effective.
  • Update policies, procedures, and training programs based on lessons learned from the pentest.

Following a penetration test, a documented report of findings and remedy recommendations will be given to the organization. The higher the danger to the major AWS resources, the more probable an exploit is and the greater the potential impact on the company. Of course, you should address the biggest threats first. However, it’s also vital for the security experts to perform a retest verification before closing the security audit. A retest is required under specific legislation, rules, and standards if the pen-testing firm makes “Critical” or “High” discoveries.

Furthermore, remediation information should be included if any pentest reports are sent to an auditor, a customer of the business, or another third party. Safe transmission of these security test reports must be considered to prevent a malicious attacker from intercepting the data and learning how to carry out an attack on the business.


Conducting a penetration test on your AWS environment can help you identify security vulnerabilities and mitigate them before they are exploited. However, it is important to follow best practices and get approval from the AWS security team before starting any testing.

Do you need help conducting a pentest on your AWS Account? Our team of experts can help you throughout the process.

AWS Pentesting may seem daunting, but it can be a valuable tool for assessing your security posture with the right planning.

By following this guide, you can ensure that your next AWS Pentesting experience is a success! Our team of experts is always here to help if you have any questions or need assistance.

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.
This field is for validation purposes and should be left unchanged.

Share this article on social media:

Recent Blog Posts

Featured Services


The Latest Blog Articles From Vumetric

From industry trends,  to recommended best practices, read it here first:


Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g:,, etc.)



Everything You Need to Know

Gain confidence in your future cybersecurity assessments by learning to effectively plan, scope and execute projects.
This site is registered on as a development site. Switch to a production site key to remove this banner.