AWS Security ChangesHomeSearch

AWS devopsagent documentation change

Service: devopsagent · 2026-05-01 · Documentation low

File: devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-to-privately-hosted-tools.md

Summary

Added a note clarifying that when selecting a private connection for OAuth authentication (Client Credentials or 3LO), the connection applies to both the capability provider endpoint and token exchange endpoint, requiring proper routing configuration.

Security assessment

This change adds documentation about secure network routing for OAuth authentication endpoints. It clarifies that private connections must be configured to route traffic to both authentication endpoints, which is important for maintaining secure connectivity in private network environments. No evidence of addressing a specific vulnerability.

Diff

diff --git a/devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-to-privately-hosted-tools.md b/devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-to-privately-hosted-tools.md
index 85c486c0b..aaff3a4e3 100644
--- a//devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-to-privately-hosted-tools.md
+++ b//devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-connecting-to-privately-hosted-tools.md
@@ -222,0 +223,4 @@ In the AWS DevOps Agent console, private connections can be linked to a capabili
+###### Note
+
+ __When you select a private connection for a capability provider that uses OAuth authentication (Client Credentials or 3LO), the private connection applies to both the capability provider endpoint and the token exchange endpoint. Ensure the private connection is configured with a host address that can route traffic to both endpoints.
+