AWS Security ChangesHomeSearch

AWS securityagent documentation change

Service: securityagent · 2026-02-19 · Documentation low

File: securityagent/latest/userguide/provide-testing-credentials.md

Summary

Updated credential configuration instructions: changed 'Access domain' to 'Access URL' dropdown, renamed 'Agent login prompt' to 'Agent Space login prompt', expanded Secrets Manager guidance to support dynamic credential formats, added API key example, clarified Lambda integration, and noted lack of 2FA/OAuth support.

Security assessment

Changes enhance documentation about security features (Secrets Manager/Lambda credential retrieval) but show no evidence of addressing a specific vulnerability. The added warnings about unsupported auth methods improve security awareness without fixing existing flaws.

Diff

diff --git a/securityagent/latest/userguide/provide-testing-credentials.md b/securityagent/latest/userguide/provide-testing-credentials.md
index a5bddc248..e1d142d81 100644
--- a//securityagent/latest/userguide/provide-testing-credentials.md
+++ b//securityagent/latest/userguide/provide-testing-credentials.md
@@ -43 +43 @@ If you select **Advanced setting** , you can choose from three credential strate
-  3. In the **Access domain** dropdown, select the domain where these credentials will be used.
+  3. In the **Access URL** dropdown, select the URL where these credentials will be used. This must be selected from the list of target endpoints.
@@ -45 +45 @@ If you select **Advanced setting** , you can choose from three credential strate
-  4. (Optional) Expand **Agent login prompt** to provide specific login instructions if your application has a complex authentication flow.
+  4. (Optional) Expand **Agent Space login prompt** to provide specific login instructions if your application has a complex authentication flow.
@@ -71 +71,5 @@ Use this option to retrieve credentials securely from AWS Secrets Manager with e
-Format your secret with `username` and `password` fields:
+The IAM role must have `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` permissions.
+
+Use the **Agent Space login prompt** to provide detailed instructions on how to interpret and use the credentials stored in the secret. You may use any format to store your secret, as the agent will dynamically interpret the format using these instructions.
+
+For example, if the agent is to submit a username/password login form at https://example.com/login, you may format your secret as JSON with `username` and `password` fields:
@@ -75 +79 @@ Format your secret with `username` and `password` fields:
-      "username": "[email protected]",
+      "username": "test-user",
@@ -79 +83 @@ Format your secret with `username` and `password` fields:
-The IAM role must have `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` permissions.
+Then, configure the authentication instructions: . Enable **Allow agent to perform browser login using this credential**. . Set **Access URL** to `https://example.com` (or any other URL selected from the list of target endpoints). . Enter the following into **Agent Space login prompt** : "Navigate to https://example.com/login and enter the provided username and password into the form."
@@ -81 +85 @@ The IAM role must have `secretsmanager:GetSecretValue` and `secretsmanager:Descr
-### Select available Lambda function to retrieve credentials dynamically
+As another example, if you instead have an API key to be provided in an HTTP header, you may store it as plaintext:
@@ -83 +86,0 @@ The IAM role must have `secretsmanager:GetSecretValue` and `secretsmanager:Descr
-Use this option for complex authentication systems, dynamic credential generation, or integration with external identity providers.
@@ -85 +88 @@ Use this option for complex authentication systems, dynamic credential generatio
-Your Lambda function must return credentials in this format:
+    "api-key-here"
@@ -86,0 +90 @@ Your Lambda function must return credentials in this format:
+Then, configure the authentication instructions: . Disable **Allow agent to perform browser login using this credential**. . Enter the following into **Agent Space login prompt** : "Set the X-API-Key header to the provided API key for all requests."
@@ -88,4 +92,7 @@ Your Lambda function must return credentials in this format:
-    {
-      "username": "[email protected]",
-      "password": "dynamic-password"
-    }
+###### Important
+
+We currently do not support 2FA or OAuth-based authentication.
+
+### Select available Lambda function to retrieve credentials dynamically
+
+Use this option for complex authentication systems, dynamic credential generation, or integration with external identity providers.
@@ -94,0 +102,2 @@ The IAM role must have `lambda:InvokeFunction` permissions and the function must
+Like with Secrets Manager, the agent will dynamically interpret your Lambda function’s output using any login instructions provided in the **Agent Space login prompt**. Refer to Select static credential from connected AWS Secrets Manager for examples of how to format the output of your Lambda function and supported authentication types.
+