By Ann Grove, Logical's President
Amazon recently changed its policies so that customers and their security consultants can perform security assessments without pre-approval on customer-owned AWS resources that make use of eight key services:
Teri Radichel alerted the security community to the change on Twitter on March 1. Amazon has since acknowledged the change.
Previously, penetration testers looking for security weaknesses on AWS had to request permission a week before testing, and AWS sometimes requested additional information.
This follows Microsoft's lead. Microsoft decided to drop pre-approvals in 2017 for Azure. No pre-approval is required when penetration testing Azure resources.
Both organizations test the security of their own cloud infrastructure, and allow customers to conduct certain types of additional testing. Although pre-approvals are no longer required, testers still need to follow any other rules or conditions for testing.