AWS Security ChangesHomeSearch

AWS securityagent medium security documentation change

Service: securityagent · 2026-06-13 · Security-related medium

File: securityagent/latest/userguide/perform-penetration-test.md

Summary

Relocated security warning about out-of-scope paths and added clarification about accessible domains not requiring ownership verification

Security assessment

Added explicit warning about security risks of excluding paths and clarified domain verification requirements to prevent misconfiguration. Directly addresses potential security gaps in penetration testing setup.

Diff

diff --git a/securityagent/latest/userguide/perform-penetration-test.md b/securityagent/latest/userguide/perform-penetration-test.md
index 30cd95d0d..4e877ced8 100644
--- a//securityagent/latest/userguide/perform-penetration-test.md
+++ b//securityagent/latest/userguide/perform-penetration-test.md
@@ -119,0 +120,4 @@ Specify URL paths that should not be tested during the penetration test. AWS Sec
+###### Warning
+
+Out-of-scope paths will not be tested for vulnerabilities. Ensure you only exclude paths that should not be accessed during testing, such as destructive operations or sensitive administrative functions.
+
@@ -131,4 +134,0 @@ Specify URL paths that should not be tested during the penetration test. AWS Sec
-###### Warning
-
-Out-of-scope paths will not be tested for vulnerabilities. Ensure you only exclude paths that should not be accessed during testing, such as destructive operations or sensitive administrative functions.
-
@@ -145 +145 @@ Specify domains that are required for the test but are not targets for vulnerabi
-Add accessible domains for third-party services (such as Okta, Auth0, Stripe) that are outside your target domain. This is required so AWS Security Agent can access these URLs for login and navigation during testing. AWS Security Agent does NOT penetration test these domains—they are used solely for access purposes.
+Add accessible domains for third-party services (such as Okta, Auth0, Stripe) that are outside your target domain. This is required so AWS Security Agent can access these URLs for login and navigation during testing. AWS Security Agent does NOT penetration test these domains—they are used solely for access purposes. Accessible domains do not require ownership verification, even if they belong to a different domain than your target. Only target domains require verified ownership.