AWS Testing Approval Requirements
When AWS Shield Advanced is required before running a test against an AWS-hosted environment
Table of Contents
Summary
Whether AWS Shield Advanced (and AWS approval) is required for a test depends on which layer of the environment is being targeted and whether a third-party vendor sits in front of AWS.
Rule
To conduct a test directly against an AWS environment without prior AWS approval, the customer must have AWS Shield Advanced in place.
If the AWS environment sits behind a third-party vendor (for example Cloudflare or Imperva), AWS approval is not required for L7 vectors that pass through that vendor — only the third-party vendor's approval is required for those vectors.
If the test targets the AWS environment directly with network-layer (L3/L4) attack vectors, AWS Shield Advanced or AWS's approval is required, regardless of any third-party vendor in front of the environment.
Approval Matrix
| Scenario | Vector Type | Approval Needed |
|---|---|---|
| AWS environment only (no 3rd-party vendor in front) | Any vector | AWS Shield Advanced required, or AWS approval |
| AWS environment behind Cloudflare, Imperva, or similar | L7 (passing through the 3rd-party vendor) | 3rd-party vendor approval only — AWS Shield Advanced not required |
| AWS environment behind Cloudflare, Imperva, or similar | Network layer (L3/L4), targeting AWS directly | AWS Shield Advanced required, or AWS approval |
Before Testing — Checklist
Identify whether the target environment sits directly on AWS or behind a 3rd-party vendor.
Identify which layer(s) the planned test vectors operate at (L7 vs. network layer).
If any network-layer vectors target AWS directly, confirm AWS Shield Advanced is active or obtain AWS approval before testing.
If all vectors are L7 and pass through a 3rd-party vendor, obtain that vendor's approval; AWS Shield Advanced is not required for those vectors.