Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

Please fill out the contact form below and we will reply as soon as possible.

  • Contact Us
  • Login
  • Home
  • Articles

AWS Testing Approval Requirements

When AWS Shield Advanced is required before running a test against an AWS-hosted environment

Written by I. Solomon

Updated at July 16th, 2026

Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

Please fill out the contact form below and we will reply as soon as possible.

  • White Papers
  • Articles
  • DDoS Attack Vectors
  • DDoS Attack Groups
  • AI - DDoS
+ More

Table of Contents

Summary Rule Approval Matrix Before Testing — Checklist

Summary

Whether AWS Shield Advanced (and AWS approval) is required for a test depends on which layer of the environment is being targeted and whether a third-party vendor sits in front of AWS.

Rule

To conduct a test directly against an AWS environment without prior AWS approval, the customer must have AWS Shield Advanced in place.

If the AWS environment sits behind a third-party vendor (for example Cloudflare or Imperva), AWS approval is not required for L7 vectors that pass through that vendor — only the third-party vendor's approval is required for those vectors.

If the test targets the AWS environment directly with network-layer (L3/L4) attack vectors, AWS Shield Advanced or AWS's approval is required, regardless of any third-party vendor in front of the environment.

Approval Matrix

 

Scenario Vector Type Approval Needed
AWS environment only (no 3rd-party vendor in front) Any vector AWS Shield Advanced required, or AWS approval
AWS environment behind Cloudflare, Imperva, or similar L7 (passing through the 3rd-party vendor) 3rd-party vendor approval only — AWS Shield Advanced not required
AWS environment behind Cloudflare, Imperva, or similar Network layer (L3/L4), targeting AWS directly AWS Shield Advanced required, or AWS approval

 

Before Testing — Checklist

Identify whether the target environment sits directly on AWS or behind a 3rd-party vendor.

Identify which layer(s) the planned test vectors operate at (L7 vs. network layer).

If any network-layer vectors target AWS directly, confirm AWS Shield Advanced is active or obtain AWS approval before testing.

If all vectors are L7 and pass through a 3rd-party vendor, obtain that vendor's approval; AWS Shield Advanced is not required for those vectors.

Was this article helpful?

Yes
No
Give feedback about this article

Related Articles

  • Basic Rate Limit Configuration for DDoS Protection
[email protected]

Services

  • DDoS Testing
  • DDoS 360
  • Technology Hardening
  • DDOS Training
  • Incident Response

Resources

  • Resource Library
  • DDoS Resiliency Score (DRS)
  • DDoS Glossary
  • DDoS Day Conferences

Company

  • About Us
  • Careers
  • Contact
Red Button Inc. All rights reserved
  • Privacy policy
  • Site Terms
Expand