Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:
A.
May be performed by AWS, and will be performed by AWS upon customer request.
B.
May be performed by AWS, and is periodically performed by AWS.
C.
Are expressly prohibited under all circumstances.
D.
May be performed by the customer on their own instances with prior authorization from AWS.
E.
May be performed by the customer on their own instances, only if performed from EC2 instances.
Explanation:
http://aws.amazon.com/security/penetration-testing/