Learn Penetration Testing

Dealing with third parties

Today, many businesses are utilizing cloud services. There is a high probability that you will encounter cloud servers within your penetration testing scope. It's important to keep in mind who owns the server. In the case of a cloud environment, the server is not owned by the business that the penetration test is being conducted for, but rather by the cloud provider.

Big players in the cloud space, such as Microsoft, Amazon, and Google, all have penetration testing rules-of-engagement documents. These documents detail what you are allowed to do and what you are not allowed to do.

Microsoft defines its rules of engagement here: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
Amazon defines its rules of engagement here: https://aws.amazon.com/security/penetration-testing/
Google defines its rules of engagement here: https://cloud.google.com/security/overview/

Make sure that you obtain the correct approvals from the cloud provider if you have any cloud services within your penetration scope; failure to do so might lead to legal consequences.