Use non-production environments for penetration testing Validate AI-generated security findings Review and test generated remediation code Code repository access Allowed URLs Cross Region Inference

Security best practices for AWS Security Agent

AWS Security Agent provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Use non-production environments for penetration testing

AWS Security Agent uses a comprehensive suite of penetration testing tools from the Kali Linux distribution. These tools are designed to identify security vulnerabilities and may perform actions that modify application state, data, or system configurations.

Best practice: Conduct penetration tests against non-production environments that mirror your production setup. These test environments should:

Not contain live customer data or sensitive production information
Be isolated from production systems
Have similar configurations and security controls as production
Not use credentials with access to production systems

Testing in production environments may result in:

Data modification or deletion
Service disruptions or performance degradation
Unintended state changes
Triggering of security alerts or incident response procedures

Validate AI-generated security findings

AWS Security Agent performs security analysis using AI agents. Due to the non-deterministic nature of AI systems, penetration test runs may produce varying results across different executions.

Best practice: Validate security findings before taking remediation action:

Review the verification scripts generated by AWS Security Agent for each finding
Execute verification scripts in your test environment to confirm the vulnerability
Consider running multiple penetration tests to ensure comprehensive coverage
Apply professional security judgment to assess finding severity and exploitability

Not all identified issues may represent exploitable vulnerabilities in your specific deployment context.

Review and test generated remediation code

AWS Security Agent can generate code fixes and security improvements for identified vulnerabilities. These AI-generated fixes require verification before deployment.

Best practice: Review all generated code changes:

Examine proposed fixes for completeness and correctness
Test fixes thoroughly in non-production environments
Verify that fixes don’t introduce new vulnerabilities or break functionality
Use AWS Security Agent to retest after applying fixes, or run the provided verification scripts
Follow your organization’s code review and approval processes

Code repository access

AWS Security Agent can provide security guidance on code changes through pull request comments and code review integration. To protect sensitive security information, this functionality operates under specific constraints.

Limitation: Code security guidance is restricted to private repositories only. This ensures that:

Security findings remain confidential to your organization
Potential vulnerabilities are not publicly disclosed before remediation
Generated fix recommendations don’t expose exploitation details

AWS Security Agent does not provide code security guidance for public repositories. It will not comment on public repositories or open-source projects where security findings would be publicly visible.

Allowed URLs

Allowed URLs specify additional endpoints that the penetration testing environment can access during testing. These are necessary when your application depends on external services such as third-party authentication providers or CDNs. All network dependencies required for testing must be specified as either target URLs or allowed URLs. The network blocks access to any unspecified endpoints.

Security implications: AWS Security Agent is not instructed to perform security testing on allowed URLs. By specifying allowed URLs, you indicate trust in these dependencies. Penetration test data, including credentials, may be transmitted to these allowed URL endpoints during testing.

Cross Region Inference

AWS Security Agent uses Amazon Bedrock’s geographic cross-Region inference to increase throughput while keeping data processing within the United States. At launch, AWS Security Agent is deployed in the US geographic region only.

Your input prompts (including design documents, code, and application context) and output results (including security findings and remediation guidance) may be processed across multiple US regions during inference operations. Data storage remains in your source region, and all data transmission is encrypted in transit over Amazon’s secure network.

Data residency – All data processing occurs within US regions. If your organization requires data processing within a specific single US region, evaluate whether processing across the broader US geographic boundary satisfies your compliance obligations.
IAM and Service Control Policies – Ensure your IAM policies and Service Control Policies (SCPs) allow access to US regions used for cross-Region inference operations.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Cross-service confused deputy prevention

Service Quotas