You cannot use AWS to spread computer viruses, ransomware, or any other software designed to damage or compromise other people's computers or networks.
Security researchers and cybersecurity firms hosting malware samples or conducting threat research on AWS must implement strict isolation controls and ensure their activities are clearly authorized, as unintended distribution of malicious code from AWS-hosted infrastructure could trigger immediate account termination.
Cross-platform context
See how other platforms handle Prohibition on Malicious Code Distribution and similar clauses.
Compare across platforms →This prohibition applies to cybersecurity vendors, researchers, and threat intelligence firms that may host malware samples or conduct research on AWS — such activities require specific precautions and authorization to avoid violating the AUP.
1) REGULATORY FRAMEWORK: Distribution of malicious code implicates the CFAA (18 U.S.C. § 1030(a)(5)), which criminalizes intentional damage to protected computers. The EU Directive 2013/40/EU on cybercrime offenses and the Budapest Convention on Cybercrime create parallel international obligations. GDPR Article 32 requires appropriate technical measures to prevent unauthorized processing, including malware propagation affecting personal data. NIS2 Directive requires essential entities to implement cybersecurity measures that would preclude malware distribution as a side effect of cloud operations. Primary enforcement is through DOJ CCIPS, FBI Cyber Division, and EU national cybercrime units. 2)
Compliance intelligence locked
Regulatory citations, enforcement risk, and due diligence action items.
Watcher: regulatory citations. Professional: full compliance memo.