You cannot use AWS to launch or assist denial-of-service attacks, generate mass unsolicited messages, or disrupt other internet systems in any way.
Businesses running publicly accessible services on AWS must implement adequate security controls to prevent their infrastructure from being compromised and used for attacks, because a security breach that results in their AWS resources being weaponized could trigger AUP violations and account suspension even though they were the victim.
This provision creates broad liability for any AWS customer whose infrastructure is compromised and used by attackers to conduct DDoS attacks or spam campaigns. Even if the customer did not initiate the attack, inadequate security leading to compromise could be construed as 'enabling' prohibited activity.
(1) REGULATORY FRAMEWORK: DDoS attacks constitute violations of CFAA (18 U.S.C. § 1030(a)(5), DOJ enforcement), UK Computer Misuse Act 1990 s.3, and EU Directive 2013/40/EU Art. 5. Enabling or facilitating such attacks through inadequate security may also implicate FTC Act Section 5 (unfair security practices) per FTC's LabMD and Wyndham precedents establishing that inadequate security constitutes an unfair practice. NIS2 Directive Art. 21 requires operators of essential services to implement security measures proportionate to risks, including DDoS protection. (2)