Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:
May be performed by AWS, and will be performed by AWS upon customer request.
May be performed by AWS, and is periodically performed by AWS.
Are expressly prohibited under all circumstances.
May be performed by the customer on their own instances with prior authorization from AWS.
May be performed by the customer on their own instances, only if performed from EC2 instances
Our Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of
prohibited security violations and network abuse. However, because penetration testing and other simulated
events are frequently indistinguishable from these activities, we have established a policy for customers to
request permission to conduct penetration tests and vulnerability scans to or originating from the AWS