AWS securityagent documentation change
Summary
Updated cross-region inference documentation to clarify data processing locations across multiple geographic regions (EU, US, Australia, Japan) and state that cross-region inference is always enabled
Security assessment
This change clarifies data residency and processing boundaries for AWS Security Agent, which is important for compliance and data sovereignty. It adds security documentation about where data is processed and stored, but does not address a specific security vulnerability or incident. The change provides transparency about data flow across regions within geographic boundaries.
Diff
diff --git a/securityagent/latest/userguide/security-best-practices.md b/securityagent/latest/userguide/security-best-practices.md index 3b09488a9..0990263c0 100644 --- a//securityagent/latest/userguide/security-best-practices.md +++ b//securityagent/latest/userguide/security-best-practices.md @@ -106 +106 @@ Accessible URLs specify additional endpoints that the penetration testing enviro -AWS Security Agent uses Amazon Bedrock’s geographic cross-Region inference to increase throughput while keeping data processing within the same geographic region. +AWS Security Agent will automatically select the optimal region within your geography to process your inference requests. This maximizes available compute resources, model availability, and delivers the best customer experience. Your data will remain stored only in the region where the request originated, however, input prompts and output results may be processed outside that region. All data will be transmitted encrypted across Amazon’s secure network. @@ -108 +108 @@ AWS Security Agent uses Amazon Bedrock’s geographic cross-Region inference to -Your input prompts (including design documents, code, and application context) and output results (including security findings and remediation guidance) may be processed across multiple US regions during inference operations. Data storage remains in your source region, and all data transmission is encrypted in transit over Amazon’s secure network. +AWS Security Agent will securely route your inference requests to available compute resources within the geographic area where the request originated, as follows: @@ -110 +110 @@ Your input prompts (including design documents, code, and application context) a - * **Data residency** – All data processing occurs within US regions. If your organization requires data processing within a specific single US region, evaluate whether processing across the broader US geographic boundary satisfies your compliance obligations. + * Inference requests originating in the European Union will be processed within the European Union. @@ -112 +112,14 @@ Your input prompts (including design documents, code, and application context) a - * **IAM and Service Control Policies** – Ensure your IAM policies and Service Control Policies (SCPs) allow access to US regions used for cross-Region inference operations. + * Inference requests originating in the United States will be processed within the United States. + + * Inference requests originating in Australia will be processed within Australia. + + * Inference requests originating within Japan will be processed within Japan. + + + + +Cross-Region inference is always enabled and cannot be opted out of. + + * **Data residency** – All data processing occurs within your geographic area. If your organization requires data processing within a specific single region, evaluate whether processing across the broader geographic boundary satisfies your compliance obligations. + + * **IAM and Service Control Policies** – Ensure your IAM policies and Service Control Policies (SCPs) allow access to regions within your geography used for cross-Region inference operations.