AWS Security ChangesHomeSearch

AWS securityagent medium security documentation change

Service: securityagent · 2026-05-07 · Security-related medium

File: securityagent/latest/userguide/provide-testing-credentials.md

Summary

Added same-account requirement for Secrets Manager/Lambda, clarified credential application via login prompts

Security assessment

Explicitly prohibits cross-account credential access (security boundary enforcement) and refines instructions for secure credential handling. Mitigates risks of credential leakage/misconfiguration by documenting access constraints.

Diff

diff --git a/securityagent/latest/userguide/provide-testing-credentials.md b/securityagent/latest/userguide/provide-testing-credentials.md
index c3ad86f2f..feaaf4494 100644
--- a//securityagent/latest/userguide/provide-testing-credentials.md
+++ b//securityagent/latest/userguide/provide-testing-credentials.md
@@ -65,0 +66,6 @@ Use test accounts with representative access rather than personal or administrat
+When you select an advanced credential strategy (Secrets Manager, Lambda, or IAM role), AWS Security Agent retrieves your credentials directly from the configured AWS resource using the service role. Use the **Agent Space login prompt** to provide the agent with instructions on how to apply those credentials to your application - for example, which login URL to navigate to and which form fields to fill in.
+
+###### Note
+
+Secrets Manager secrets and Lambda functions must be in the same AWS account as your AWS Security Agent setup. Cross-account credentials are not currently supported.
+
@@ -83 +89 @@ The IAM role must have `secretsmanager:GetSecretValue` and `secretsmanager:Descr
-Use the **Agent Space login prompt** to provide detailed instructions on how to interpret and use the credentials stored in the secret. You may use any format to store your secret, as the agent will dynamically interpret the format using these instructions.
+The agent retrieves the secret value directly from Secrets Manager. Use the **Agent Space login prompt** to tell the agent how to apply those credentials to your application’s login flow - for example, which URL to navigate to and which form fields to fill in. You may use any format to store your secret, as the agent will interpret the format using the instructions you provide in the login prompt.
@@ -113 +119 @@ The IAM role must have `lambda:InvokeFunction` permissions and the function must
-Like with Secrets Manager, the agent will dynamically interpret your Lambda function’s output using any login instructions provided in the **Agent Space login prompt**. Refer to Select static credential from connected AWS Secrets Manager for examples of how to format the output of your Lambda function and supported authentication types.
+The agent invokes your Lambda function and receives its output as credentials. Use the **Agent Space login prompt** to tell the agent how to apply those credentials to your application, just as with Secrets Manager. Refer to Select static credential from connected AWS Secrets Manager for examples of how to format the output of your Lambda function and supported authentication types.