Per guidelines on Vulnerability and Penetration Testing from AWS, customers can carry out security assessments or penetration tests against their Amazon Web Services (AWS) infrastructure without prior approval for eight AWS services, such as EC2 instances. Customers are only allowed to scan their own instances; they are not permitted to do testing against any AWS service itself (i.e. you cannot scan S3 or the EC2 API endpoints). Amazon suggests excluding M1.small, T1.micro, T2.nano, and T3.instances from scanning to prevent impact to these hosts; therefore, Alert Logic® does not recommend scanning of these instance types.
Alert Logic Cloud Insight™ and Alert Logic Essentials, Professional, and Enterprise automatically scan protected EC2 instances and do not scan any other AWS infrastructure when performing internal vulnerability scanning.
External and PCI vulnerability scanning may target other Internet-exposed AWS services such as Cloud Front, Elastic Load Balancers, API Gateways, NAT Gateways, etc. Please contact AWS for approval of other scanning or penetration testing activity that target anything besides the eight approved services.