This document outlines Amazon Web Services' (AWS) policy on penetration testing and security assessments. Customers are permitted to test many AWS services, but certain activities, like DDoS simulations and DNS attacks, require prior approval. AWS clearly defines permitted and prohibited activities, emphasizing customer responsibility for preventing denial-of-service attacks. The policy covers various testing types, including red/blue/purple teaming, stress testing, and more, each with specific requirements for authorization. Finally, it underscores customer responsibility for any damage caused by testing and for reporting any vulnerabilities found in AWS services.