Cloud Provider Authorization
When conducting security services, such as a Cloud Configuration Review, it’s essential to understand and comply with the security testing policies of cloud providers like AWS, Azure, and GCP.
It is the Customer’s responsibility to secure all required authorizations and permissions. By submitting an engagement or pentest for review, Customer represents and warrants that it has obtained any and all such authorizations and permissions, including those from cloud hosting providers, network owners, and any other relevant parties.
For more information on each cloud provider, see below.
Amazon AWS:
Amazon AWS no longer requires explicit authorization to conduct penetration tests against systems hosted in their cloud.
For details, refer to Amazon AWS Customer Support Policy.
Google GCP:
Google GCP does not require prior authorization for security testing, but it emphasizes that you must adhere to its Acceptable Use Policy and Terms of Service and that testing must be confined to your own projects.
For details, refer to Cloud Security FAQ.
Microsoft Azure:
Pre-approval is not required by Microsoft Azure to conduct testing on resources hosted within their cloud environment.
For details, refer to Microsoft Cloud Rules of Engagement.