AWS Pentesting Requirements

In April 2019 Amazon dropped the requirement to request permission before running a pentest. The following 8 services can now be tested without explicit approval, provided the resources belong to your own AWS account (or to an account whose owner has authorized the test). Anything not on this list still requires explicit authorization from AWS.

  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers

  • Amazon RDS

  • Amazon CloudFront

  • Amazon Aurora

  • Amazon API Gateways

  • AWS Lambda and Lambda Edge functions

  • Amazon Lightsail resources

  • Amazon Elastic Beanstalk environments

The following activities remain prohibited regardless of which service is being tested:

  • DNS zone walking via Amazon Route 53 Hosted Zones

  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS

  • Port flooding

  • Protocol flooding

  • Request flooding (login request flooding, API request flooding)

Limitations

  • Even for the eight services above, any test that could degrade availability is off limits. The DoS and flooding prohibitions still apply, so throttle port scanners, fuzzers and login or API brute-force tools, and keep the traffic you generate well below anything that could be read as port, protocol or request flooding.

Appsecco asked AWS to clarify several vague points in the testing policy, and AWS answered our questions. The exchange is documented here - https://blog.appsecco.com/aws-changes-its-pentesting-permission-requirement-appsecco-found-out-exactly-what-is-allowed-and-b3603b85de7
