AWS Security ChangesHomeSearch

AWS securityagent high security documentation change

Service: securityagent · 2026-03-04 · Security-related high

File: securityagent/latest/userguide/connect-agent-vpc.md

Summary

Added network security restrictions: private IP ranges for VPC testing and ENI configuration details without public IPs

Security assessment

Explicitly defining allowed private IP ranges and prohibiting public IP communication prevents accidental exposure of sensitive endpoints during penetration testing, addressing network security boundaries.

Diff

diff --git a/securityagent/latest/userguide/connect-agent-vpc.md b/securityagent/latest/userguide/connect-agent-vpc.md
index 694152398..61c056adb 100644
--- a//securityagent/latest/userguide/connect-agent-vpc.md
+++ b//securityagent/latest/userguide/connect-agent-vpc.md
@@ -10,0 +11,14 @@ If the application you want to run a penetration test on is not available on the
+###### Note
+
+When testing endpoints in a private VPC, only endpoints resolving to IPs in known private IP ranges are allowed (see [VPC CIDR blocks](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html) for more information). The following IPv4 and IPv6 ranges are allowed:
+    
+    
+    10.0.0.0/16
+    172.31.0.0/16
+    192.168.0.0/20
+    fd00::/8
+
+###### Note
+
+When connecting to a subnet, AWS Security Agent will create an ENI ([Elastic Network Interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html)) in the subnet configured for the penetration test. This ENI does not have an associated public IP address, meaning that it cannot communicate with [VPC Internet Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) in public subnets. If your penetration test requires open internet access, please use a private subnet with an associated [VPC NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) instead
+