>That’s assuming your vendor was pentesting AWS systems. If you meant you hired a vendor to pentest your own systems on AWS, that’s of course a totally different matter.

Sorry for being unclear; the vendor was attacking our organization only, and any other company was expressly forbidden in the contract. As I recall it was a fake SSO sign-in page to collect credentials that they would try and social engineer our employees with.

At a minimum you should contact AWS before you launch a phishing page as a test that targets AWS customers.

I understood it as a phishing page imitating their own system, targeting their own employees. Nothing related to AWS, except for being hosted there.