DDoS Simulation Testing Policy

What is DDoS Simulation Testing?

Distributed Denial of Service (DDoS) attacks occur when attackers use a flood of traffic from multiple sources to attempt to impact the availability of a targeted application. DDoS simulation testing uses a controlled DDoS attack to enable the owner of an application to evaluate the resiliency of the application and to practice event response. DDoS simulation testing is permitted on AWS, subject to the following Terms and Conditions.

Terms and Conditions

  • All testing is subject to the terms of the AWS Customer Agreement or any other agreement governing your purchase and use of Amazon Web Services.
  • DDoS simulation testing must be performed by an AWS Partner Network (APN) Partner that has been pre-approved by AWS to conduct DDoS simulation tests (AWS DDoS Test Partner).
  • The target of the DDoS simulation test must be either registered as a Protected Resource in an AWS account you own that is subscribed to AWS Shield Advanced or an Amazon API Gateway edge-optimized API endpoint that resides in an account you own subscribed to AWS Shield Advanced.
  • The bit volume of the DDoS simulation test may not exceed 20 gigabits per second.
  • The packet volume of the DDoS simulation test may not exceed 5 million packets per second when testing an Amazon CloudFront distribution and may not exceed 50,000 packets per second when testing any other type of AWS resource.
  • The request volume of the DDoS simulation test may not exceed 50,000 requests per second.
  • The DDoS simulation test may not originate from an AWS resource and may not use an AWS resource in an attempt to simulate an amplification attack.
  • You assume the risk of all DDoS simulation testing and are responsible for the actions of the test vendor.
  • AWS may instruct the test vendor to terminate the simulation testing at any time.
  • Your performance of the testing and the results of the testing are AWS Confidential Information, as defined in the AWS Customer Agreement.

Security is a shared responsibility between AWS and the customer. The success of your DDoS simulation test will depend on your application architecture and your own control implementation within your use of AWS services. Prior to conducting DDoS simulation testing, your application should be well-architected according to the best practices described in the AWS Best Practices for DDoS Resiliency.

AWS DDoS Test Partners

AWS DDoS Test Partners are authorized to conduct DDoS simulation tests on behalf of AWS customers without prior approval from AWS. For information on becoming an AWS DDoS Test Partner, please contact aws-ddos-testing@amazon.com. The following DDoS test vendors are currently authorized to conduct DDoS simulation tests in accordance with this policy:

Exception Requests

AWS DDoS Test Partners wishing to perform DDoS simulation tests that do not comply with the technical restrictions set forth in this policy, or DDoS test vendors that are not approved AWS DDoS Test Partners, may request approval to perform DDoS simulation tests by submitting the form at least 14 days before the proposed test date. For any questions, please send an email to aws-ddos-testing@amazon.com.

Contact an AWS Business Representative
Have Questions? Connect with AWS Support
Exploring security roles?
Apply today »
Want AWS Security updates?
Follow us on Twitter »