Amazon Web Services: Permission No Longer Required to Test Security for 8 Services

By Ann Grove, Logical's President

Amazon recently changed its policies so that customers and their security consultants can perform security assessments without pre-approval on customer-owned AWS resources that make use of eight key services:

• Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
• Amazon RDS
• Amazon CloudFront
• Amazon Aurora
• Amazon API Gateways
• AWS Lambda and Lambda Edge functions
• Amazon Lightsail resources
• Amazon Elastic Beanstalk environments

Teri Radichel alerted the security community to the change on Twitter on March 1. Amazon has since acknowledged the change.
 
Previously, penetration testers looking for security weaknesses on AWS had to request permission a week before testing, and AWS sometimes requested additional information.

This follows Microsoft's lead. Microsoft decided to drop pre-approvals in 2017 for Azure. No pre-approval is required when penetration testing Azure resources. 

Both organizations test the security of their own cloud infrastructure, and allow customers to conduct certain types of additional testing. Although pre-approvals are no longer required, testers still need to follow any other rules or conditions for testing.