AWS Security ChangesHomeSearch

AWS securityagent documentation change

Service: securityagent · 2026-03-07 · Documentation low

File: securityagent/latest/userguide/enable-penetration-test.md

Summary

Restructured penetration testing documentation into fewer steps with clearer domain verification process, added one-click verification for Route 53 domains, and consolidated optional configurations

Security assessment

Changes improve documentation clarity but don't address specific vulnerabilities. The enhanced verification process (one-click for Route 53) improves security posture by reducing manual configuration errors, but this is a usability improvement rather than a direct response to a security issue. No CVEs, vulnerabilities, or security incidents are referenced.

Diff

diff --git a/securityagent/latest/userguide/enable-penetration-test.md b/securityagent/latest/userguide/enable-penetration-test.md
index 988613c0d..d53ee69e1 100644
--- a//securityagent/latest/userguide/enable-penetration-test.md
+++ b//securityagent/latest/userguide/enable-penetration-test.md
@@ -5 +5 @@
-PrerequisitesStep 1: Add and verify target domainsStep 2: (Optional) Configure VPC settingsStep 3: (Optional) Configure CloudWatch loggingStep 4: (Optional) Configure Secrets for test credentialsStep 5: (Optional) Configure Lambda functions for test credentialsStep 6: (Optional) Configure S3 bucketStep 7: (Optional) Configure service accessStep 8: Enable penetration testingNext steps
+PrerequisitesStep 1: Configure domainStep 2: Verify domainsStep 3: (Optional) Configure additional capabilitiesStep 4: Save and enable penetration testingNext steps
@@ -32 +32 @@ Before you begin, ensure you have:
-## Step 1: Add and verify target domains
+## Step 1: Configure domain
@@ -34 +34 @@ Before you begin, ensure you have:
-AWS Security Agent requires verified ownership of all target domains before enabling penetration testing. This section is required and displays expanded by default.
+In the first step of the wizard, specify the target domains you want to test and how AWS Security Agent should verify ownership.
@@ -40 +40 @@ AWS Security Agent requires verified ownership of all target domains before enab
-     * **DNS txt record** – Add a TXT record to your domain’s DNS configuration
+     * **DNS_TXT** – Prove domain ownership by adding a TXT record to your domain’s DNS configuration.
@@ -42 +42 @@ AWS Security Agent requires verified ownership of all target domains before enab
-     * **HTTP record** – Host a verification file at a specific URL on your domain
+     * **HTTP_ROUTE** – Prove domain ownership by hosting a verification file at a specific URL on your domain.
@@ -46 +46 @@ AWS Security Agent requires verified ownership of all target domains before enab
-  3. Click **Add new domain** to add additional domains.
+  3. Choose **Add another domain** to add additional domains (up to 5 total).
@@ -48 +48,20 @@ AWS Security Agent requires verified ownership of all target domains before enab
-  4. Complete the verification process for each domain according to the method you selected. NOTE: Sub-domains that belong to your verified target domain do not require individual verification. You may perform penetration testing on all sub-domains that are part of your verified target domain.
+  4. Choose **Next** to proceed to domain verification.
+
+
+
+
+## Step 2: Verify domains
+
+In the second step of the wizard, verify ownership of each domain you configured. AWS Security Agent requires verified ownership before it can perform penetration testing.
+
+  1. Review the domains listed in the **Target domains** table.
+
+  2. For each domain, select it and trigger verification based on your chosen method:
+
+     * **Route 53 domains (same AWS account)** : Choose **One-click verification**. AWS Security Agent automatically creates the DNS record and completes verification.
+
+     * **DNS TXT (other DNS providers)** : Copy the verification token, add the TXT record with your DNS registrar, then select the domain and choose **Verify**.
+
+     * **HTTP route** : Place the verification token at the required route path on your web server, then select the domain and choose **Verify**. For details, see [Enable an application domain for penetration testing](./enable-test-domain.html).
+
+  3. Choose **Next** to proceed to optional configuration.
@@ -55 +74,5 @@ AWS Security Agent requires verified ownership of all target domains before enab
-All target domains must be verified before AWS Security Agent can perform penetration testing on them. Once a domain is verified, you can also add subdomains of that domain to your penetration test scope without requiring further verification. For private domains inside a VPC, you would also be able to create or update pentests if the domain verification status is UNREACHABLE. AWS Security Agent will try to perform domain verification for the private endpoint at the start of a pentest run again.
+Sub-domains of a verified domain do not require individual verification. For private domains inside a VPC, you can proceed even if the domain verification status is UNREACHABLE. AWS Security Agent will attempt domain verification for private endpoints at the start of each pentest run.
+
+## Step 3: (Optional) Configure additional capabilities
+
+The third step of the wizard lets you configure optional AWS resources to expand your penetration testing scope. All sections in this step are optional and collapsed by default.
@@ -57 +80 @@ All target domains must be verified before AWS Security Agent can perform penetr
-## Step 2: (Optional) Configure VPC settings
+### (Optional) Configure VPC settings
@@ -80 +103 @@ Ensure your security groups allow outbound connections for AWS Security Agent to
-## Step 3: (Optional) Configure CloudWatch logging
+### (Optional) Configure CloudWatch logging
@@ -97 +120 @@ Ensure your IAM role has permissions to write to the selected CloudWatch log gro
-## Step 4: (Optional) Configure Secrets for test credentials
+### (Optional) Configure Secrets for test credentials
@@ -114 +137 @@ Credentials are encrypted and stored in AWS Secrets Manager. Ensure your IAM rol
-## Step 5: (Optional) Configure Lambda functions for test credentials
+### (Optional) Configure Lambda functions for test credentials
@@ -131 +154 @@ Ensure your IAM role has permissions to invoke the specified Lambda functions. L
-## Step 6: (Optional) Configure S3 bucket
+### (Optional) Configure S3 bucket
@@ -146 +169 @@ You can also connect GitHub repositories later or upload files directly in the w
-## Step 7: (Optional) Configure service access
+### (Optional) Configure service access
@@ -175 +198 @@ The default IAM role includes permissions for accessing VPC resources, CloudWatc
-## Step 8: Enable penetration testing
+## Step 4: Save and enable penetration testing