AWS prohibits using its services to conduct unauthorized access to systems, disrupt networks, or run security scans against third-party systems without permission.
This analysis describes what Amazon's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This clause is operationally significant for security professionals, penetration testers, and researchers who use AWS infrastructure, as it requires documented authorization before conducting any security assessments of external systems from AWS resources.
Interpretive note: The scope of 'proper authorization' is not further defined in the document, leaving some ambiguity about what documentation or consent formats AWS would consider sufficient.
Customers who conduct security testing, vulnerability research, or network scanning from AWS services must ensure they have explicit authorization from the target system owners, or risk AUP enforcement action including service suspension.
Monitoring
Amazon has changed this document before.
"You may not use the Services to: access or use any system without authorization; interfere with or disrupt the integrity or performance of any system, network, or data; or conduct or facilitate any security or vulnerability scan, penetration test, or similar assessment of third-party systems or networks without proper authorization."
— Excerpt from Amazon's AWS Acceptable Use Policy
(1) REGULATORY LANDSCAPE: This provision engages the Computer Fraud and Abuse Act in the US and equivalent statutes in other jurisdictions (e.g., the UK Computer Misuse Act, EU Directive on attacks against information systems). Authorized penetration testing is a standard practice in regulated sectors such as financial services and healthcare; the AUP's authorization requirement aligns with these regulatory expectations but places the compliance burden on the customer.

(2) GOVERNANCE EXPOSURE: Medium. For organizations providing managed security services or penetration testing from AWS infrastructure, the burden of maintaining documented authorization records for all target systems is a compliance and operational requirement under this clause.

(3) JURISDICTION FLAGS: EU and UK security researchers should be aware of local computer misuse laws that may apply independently of the AUP. US federal contractors conducting authorized assessments should ensure AWS AUP compliance procedures align with any applicable federal testing frameworks.

(4) CONTRACT AND VENDOR IMPLICATIONS: Managed security service providers using AWS as their testing infrastructure should ensure client contracts explicitly document authorization scope, as this directly maps to AUP compliance obligations. Vendor assessments for AWS-hosted security tooling should include AUP authorization documentation requirements.

(5) COMPLIANCE CONSIDERATIONS: Organizations conducting security testing on AWS should maintain written authorization records for all target systems. Security teams should document that internal testing (e.g., of own AWS-hosted infrastructure) is explicitly authorized and that any third-party or client testing engagement includes clear written scope authorization.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Amazon.