CreatePentest
Creates a new pentest configuration in an agent space. A pentest defines the security test parameters, including target assets, risk type exclusions, and logging configuration.
Request Syntax
POST /CreatePentest HTTP/1.1
Content-type: application/json
{
"agentSpaceId": "string",
"assets": {
"actors": [
{
"authentication": {
"providerType": "string",
"value": "string"
},
"description": "string",
"identifier": "string",
"uris": [ "string" ]
}
],
"documents": [
{
"artifactId": "string",
"s3Location": "string"
}
],
"endpoints": [
{
"uri": "string"
}
],
"integratedRepositories": [
{
"integrationId": "string",
"providerResourceId": "string"
}
],
"sourceCode": [
{
"s3Location": "string"
}
]
},
"codeRemediationStrategy": "string",
"excludeRiskTypes": [ "string" ],
"logConfig": {
"logGroup": "string",
"logStream": "string"
},
"networkTrafficConfig": {
"customHeaders": [
{
"name": "string",
"value": "string"
}
],
"rules": [
{
"effect": "string",
"networkTrafficRuleType": "string",
"pattern": "string"
}
]
},
"serviceRole": "string",
"title": "string",
"vpcConfig": {
"securityGroupArns": [ "string" ],
"subnetArns": [ "string" ],
"vpcArn": "string"
}
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- agentSpaceId
The unique identifier of the agent space to create the pentest in.
Type: String
Required: Yes
- assets
The assets to include in the pentest, such as endpoints, actors, documents, and source code.
Type: Assets object
Required: No
- codeRemediationStrategy
The code remediation strategy for the pentest. Valid values are AUTOMATIC and DISABLED.
Type: String
Valid Values: AUTOMATIC | DISABLED
Required: No
- excludeRiskTypes
The list of risk types to exclude from the pentest.
Type: Array of strings
Valid Values: CROSS_SITE_SCRIPTING | DEFAULT_CREDENTIALS | INSECURE_DIRECT_OBJECT_REFERENCE | PRIVILEGE_ESCALATION | SERVER_SIDE_TEMPLATE_INJECTION | COMMAND_INJECTION | CODE_INJECTION | SQL_INJECTION | ARBITRARY_FILE_UPLOAD | INSECURE_DESERIALIZATION | LOCAL_FILE_INCLUSION | INFORMATION_DISCLOSURE | PATH_TRAVERSAL | SERVER_SIDE_REQUEST_FORGERY | JSON_WEB_TOKEN_VULNERABILITIES | XML_EXTERNAL_ENTITY | FILE_DELETION | OTHER | GRAPHQL_VULNERABILITIES | BUSINESS_LOGIC_VULNERABILITIES | CRYPTOGRAPHIC_VULNERABILITIES | DENIAL_OF_SERVICE | FILE_ACCESS | FILE_CREATION | DATABASE_MODIFICATION | DATABASE_ACCESS | OUTBOUND_SERVICE_REQUEST | UNKNOWN
Required: No
- logConfig
The CloudWatch Logs configuration for the pentest.
Type: CloudWatchLog object
Required: No
- networkTrafficConfig
The network traffic configuration for the pentest, including custom headers and traffic rules.
Type: NetworkTrafficConfig object
Required: No
- serviceRole
The IAM service role to use for the pentest.
Type: String
Required: No
- title
The title of the pentest.
Type: String
Required: Yes
- vpcConfig
The VPC configuration for the pentest.
Type: VpcConfig object
Required: No
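The following is an added example, not code from this reference or from any AWS SDK: it assembles a CreatePentest request body from the fields documented above and rejects values the page lists as invalid before anything is sent. The function name, the constructed sample values, and the grouping of "disruptive" risk types (tests that can delete, create or modify target data, or degrade availability) are the example's own assumptions, not something the API defines.

```python
import json

# Enumerations copied from the CreatePentest request documentation above.
CODE_REMEDIATION_STRATEGIES = {"AUTOMATIC", "DISABLED"}
RISK_TYPES = {
    "CROSS_SITE_SCRIPTING", "DEFAULT_CREDENTIALS", "INSECURE_DIRECT_OBJECT_REFERENCE",
    "PRIVILEGE_ESCALATION", "SERVER_SIDE_TEMPLATE_INJECTION", "COMMAND_INJECTION",
    "CODE_INJECTION", "SQL_INJECTION", "ARBITRARY_FILE_UPLOAD", "INSECURE_DESERIALIZATION",
    "LOCAL_FILE_INCLUSION", "INFORMATION_DISCLOSURE", "PATH_TRAVERSAL",
    "SERVER_SIDE_REQUEST_FORGERY", "JSON_WEB_TOKEN_VULNERABILITIES", "XML_EXTERNAL_ENTITY",
    "FILE_DELETION", "OTHER", "GRAPHQL_VULNERABILITIES", "BUSINESS_LOGIC_VULNERABILITIES",
    "CRYPTOGRAPHIC_VULNERABILITIES", "DENIAL_OF_SERVICE", "FILE_ACCESS", "FILE_CREATION",
    "DATABASE_MODIFICATION", "DATABASE_ACCESS", "OUTBOUND_SERVICE_REQUEST", "UNKNOWN",
}

# Assumed default exclusion set for targets that are not disposable: risk types whose
# tests can delete, create or modify target data, or degrade availability.
# This grouping is the example author's judgement, not an API-defined category.
DISRUPTIVE_RISK_TYPES = {
    "FILE_DELETION", "FILE_CREATION", "DATABASE_MODIFICATION", "DENIAL_OF_SERVICE",
}


def build_create_pentest_request(agent_space_id, title, endpoints, *,
                                 exclude_risk_types=(), code_remediation_strategy=None,
                                 log_group=None, log_stream=None, service_role=None):
    """Assemble a CreatePentest body and reject values the API documents as invalid."""
    if not agent_space_id or not title:       # both are documented as Required: Yes
        raise ValueError("agentSpaceId and title are required")
    unknown = set(exclude_risk_types) - RISK_TYPES
    if unknown:
        raise ValueError(f"unknown risk types: {sorted(unknown)}")
    if (code_remediation_strategy is not None
            and code_remediation_strategy not in CODE_REMEDIATION_STRATEGIES):
        raise ValueError(f"invalid codeRemediationStrategy: {code_remediation_strategy}")
    body = {
        "agentSpaceId": agent_space_id,
        "title": title,
        "assets": {"endpoints": [{"uri": u} for u in endpoints]},
    }
    if exclude_risk_types:                    # deduplicated and sorted for stable diffs
        body["excludeRiskTypes"] = sorted(set(exclude_risk_types))
    if code_remediation_strategy:
        body["codeRemediationStrategy"] = code_remediation_strategy
    if log_group and log_stream:              # logConfig needs both members
        body["logConfig"] = {"logGroup": log_group, "logStream": log_stream}
    if service_role:
        body["serviceRole"] = service_role
    return body
```

The returned dict serializes with `json.dumps` to the `Content-type: application/json` body shown in the request syntax; sending it is left to whichever signed HTTP client or SDK you use.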
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"agentSpaceId": "string",
"assets": {
"actors": [
{
"authentication": {
"providerType": "string",
"value": "string"
},
"description": "string",
"identifier": "string",
"uris": [ "string" ]
}
],
"documents": [
{
"artifactId": "string",
"s3Location": "string"
}
],
"endpoints": [
{
"uri": "string"
}
],
"integratedRepositories": [
{
"integrationId": "string",
"providerResourceId": "string"
}
],
"sourceCode": [
{
"s3Location": "string"
}
]
},
"createdAt": "string",
"excludeRiskTypes": [ "string" ],
"logConfig": {
"logGroup": "string",
"logStream": "string"
},
"pentestId": "string",
"serviceRole": "string",
"title": "string",
"updatedAt": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- agentSpaceId
The unique identifier of the agent space that contains the pentest.
Type: String
- assets
The assets included in the pentest.
Type: Assets object
- createdAt
The date and time the pentest was created, in UTC format.
Type: Timestamp
- excludeRiskTypes
The list of risk types excluded from the pentest.
Type: Array of strings
Valid Values: CROSS_SITE_SCRIPTING | DEFAULT_CREDENTIALS | INSECURE_DIRECT_OBJECT_REFERENCE | PRIVILEGE_ESCALATION | SERVER_SIDE_TEMPLATE_INJECTION | COMMAND_INJECTION | CODE_INJECTION | SQL_INJECTION | ARBITRARY_FILE_UPLOAD | INSECURE_DESERIALIZATION | LOCAL_FILE_INCLUSION | INFORMATION_DISCLOSURE | PATH_TRAVERSAL | SERVER_SIDE_REQUEST_FORGERY | JSON_WEB_TOKEN_VULNERABILITIES | XML_EXTERNAL_ENTITY | FILE_DELETION | OTHER | GRAPHQL_VULNERABILITIES | BUSINESS_LOGIC_VULNERABILITIES | CRYPTOGRAPHIC_VULNERABILITIES | DENIAL_OF_SERVICE | FILE_ACCESS | FILE_CREATION | DATABASE_MODIFICATION | DATABASE_ACCESS | OUTBOUND_SERVICE_REQUEST | UNKNOWN
- logConfig
The CloudWatch Logs configuration for the pentest.
Type: CloudWatchLog object
- pentestId
The unique identifier of the created pentest.
Type: String
- serviceRole
The IAM service role used for the pentest.
Type: String
- title
The title of the pentest.
Type: String
- updatedAt
The date and time the pentest was last updated, in UTC format.
Type: Timestamp
Errors
For information about the errors that are common to all actions, see Common Error Types.
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: