AWS securityagent medium security documentation change
Summary
Replaced region processing details with a table clarifying data residency rules, added specific handling for Code Remediation feature, and noted cross-region inference bypasses customer SCPs/Control Tower.
Security assessment
Clarifies critical data residency requirements (especially for Australia/Japan where Code Remediation data routes to EU) and explicitly states that security controls (SCPs/Control Tower) cannot restrict cross-region inference. This impacts compliance and data sovereignty security postures.
Diff
diff --git a/securityagent/latest/userguide/security-best-practices.md b/securityagent/latest/userguide/security-best-practices.md index 649e1ef40..9e80727bd 100644 --- a//securityagent/latest/userguide/security-best-practices.md +++ b//securityagent/latest/userguide/security-best-practices.md @@ -108,20 +108 @@ Accessible URLs specify additional endpoints that the penetration testing enviro -AWS Security Agent will automatically select the optimal region within your geography to process your inference requests. This maximizes available compute resources, model availability, and delivers the best customer experience. Your data will remain stored only in the region where the request originated, however, input prompts and output results may be processed outside that region. All data will be transmitted encrypted across Amazon’s secure network. - -AWS Security Agent will securely route your inference requests to available compute resources within the geographic area where the request originated, as follows: - - * Inference requests originating in the European Union will be processed within the European Union. - - * Inference requests originating in the United States will be processed within the United States. - - * Inference requests originating in Australia will be processed within Australia. - - * Inference requests originating within Japan will be processed within Japan. - - - - -Cross-Region inference is always enabled and cannot be opted out of. - - * **Data residency** – All data processing occurs within your geographic area. If your organization requires data processing within a specific single region, evaluate whether processing across the broader geographic boundary satisfies your compliance obligations. - - * **IAM and Service Control Policies** – Ensure your IAM policies and Service Control Policies (SCPs) allow access to regions within your geography used for cross-Region inference operations. +AWS Security Agent will automatically select the optimal region to process your inference requests. This maximizes available compute resources, model availability, and delivers the best customer experience. Your data will remain stored only in the region where the request originated, however, input prompts and output results may be processed outside that region. All data will be transmitted encrypted across Amazon’s secure network. @@ -128,0 +110 @@ Cross-Region inference is always enabled and cannot be opted out of. +The following table describes where your inference requests are processed based on the geography where the request originated and the feature used. @@ -129,0 +112,6 @@ Cross-Region inference is always enabled and cannot be opted out of. +Request origin | All features except Code Remediation | [Code Remediation](remediate-code-scan-findings.html) +---|---|--- +European Union | European Union | European Union +United States | United States | United States +Australia | Australia | European Union +Japan | Japan | European Union @@ -130,0 +119 @@ Cross-Region inference is always enabled and cannot be opted out of. +Cross-Region inference is always enabled and cannot be opted out of. Cross-region inference is not impacted by customer policies in Service Control Policies (SCPs) or Control Tower that restrict customer content to specific regions.