AWS prohibits using its services to conduct unauthorized access to systems, disrupt networks, or run security scans against third-party systems without permission.
This analysis describes what Amazon's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This clause is operationally significant for security professionals, penetration testers, and researchers who use AWS infrastructure, as it requires documented authorization before conducting any security assessments of external systems from AWS resources.
Interpretive note: The scope of 'proper authorization' is not further defined in the document, leaving some ambiguity about what documentation or consent formats AWS would consider sufficient.
Customers who conduct security testing, vulnerability research, or network scanning from AWS services must ensure they have explicit authorization from the target system owners, or risk AUP enforcement action including service suspension.
How other platforms handle this
You may not use Runway's tools to create content that promotes, glorifies, or facilitates acts of terrorism, mass violence, or genocide, or that could be used to provide material support to individuals or organizations engaged in such activities.
Customer will not, and will not permit any other person (including any End User) to: ... (d) attempt to reverse engineer, decompile, or otherwise attempt to discover the source code or underlying components (e.g., algorithms, weights, or systems) of the Mistral AI Products, including using the Outpu...
You may not use the Services to attempt to circumvent, disable, or otherwise interfere with safety-related features of the Services, including features that prevent or restrict the generation of certain types of content.
Monitoring
Amazon has changed this document before.
"You may not use the Services to: access or use any system without authorization; interfere with or disrupt the integrity or performance of any system, network, or data; or conduct or facilitate any security or vulnerability scan, penetration test, or similar assessment of third-party systems or networks without proper authorization."
Excerpt from Amazon's AWS Acceptable Use Policy
(1) REGULATORY LANDSCAPE: This provision engages the Computer Fraud and Abuse Act in the US and equivalent statutes in other jurisdictions (e.g., the UK Computer Misuse Act, EU Directive on attacks against information systems). Authorized penetration testing is a standard practice in regulated sectors such as financial services and healthcare; the AUP's authorization requirement aligns with these regulatory expectations but places the compliance burden on the customer.
(2) GOVERNANCE EXPOSURE: Medium. For organizations providing managed security services or penetration testing from AWS infrastructure, the burden of maintaining documented authorization records for all target systems is a compliance and operational requirement under this clause.
(3) JURISDICTION FLAGS: EU and UK security researchers should be aware of local computer misuse laws that may apply independently of the AUP. US federal contractors conducting authorized assessments should ensure AWS AUP compliance procedures align with any applicable federal testing frameworks.
(4) CONTRACT AND VENDOR IMPLICATIONS: Managed security service providers using AWS as their testing infrastructure should ensure client contracts explicitly document authorization scope, as this directly maps to AUP compliance obligations. Vendor assessments for AWS-hosted security tooling should include AUP authorization documentation requirements.
(5) COMPLIANCE CONSIDERATIONS: Organizations conducting security testing on AWS should maintain written authorization records for all target systems. Security teams should document that internal testing (e.g., of own AWS-hosted infrastructure) is explicitly authorized and that any third-party or client testing engagement includes clear written scope authorization.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Amazon.