This is Amazon Web Services' rulebook for what you are and are not allowed to do when using AWS cloud services — covering everything from running websites to processing data to sending emails through AWS infrastructure. The single most important thing to know is that AWS can suspend or terminate your account immediately and without advance notice if it determines you have violated any of these rules, which could take down any application or business you run on AWS. If you rely on AWS for critical services, you should maintain backups and understand which activities are prohibited so you are not caught off guard by an unexpected suspension.
The AWS Acceptable Use Policy (AUP) governs permissible and prohibited uses of Amazon Web Services cloud infrastructure, services, and APIs, operating as a binding addendum to the AWS Customer Agreement or equivalent enterprise agreement. Its most significant obligation is an absolute prohibition on using AWS services for illegal, harmful, or abusive activities, including unauthorized system access, distribution of malicious code, violations of intellectual property rights, and content that exploits minors — with AWS retaining unilateral authority to suspend or terminate access for violations without notice. Notably, AWS reserves the right to investigate suspected violations and cooperate with law enforcement, and it may modify the AUP at any time with changes effective upon posting, placing the burden on users to monitor updates — a provision that creates asymmetric contractual risk. The AUP engages the Computer Fraud and Abuse Act (18 U.S.C. § 1030), CAN-SPAM Act (15 U.S.C. § 7701), COPPA (15 U.S.C. § 6501), and intersects with international frameworks including the EU Network and Information Security Directive (NIS2) and GDPR Article 28 processor obligations for AWS customers acting as data controllers. Compliance teams operating regulated workloads on AWS must ensure their own use cases do not inadvertently trigger AUP prohibitions, particularly in contexts involving security testing, AI-generated content, healthcare data, and financial services where regulatory overlap creates heightened enforcement exposure.