AWS Security ChangesHomeSearch

AWS securityagent documentation change

Service: securityagent · 2026-06-19 · Documentation low

File: securityagent/latest/userguide/security-requirements.md

Summary

Restructured documentation to introduce security requirement packs, including creating custom packs, adding requirements manually or by uploading documents, customizing AWS-managed requirements, and managing packs (enable/disable/delete).

Security assessment

The changes reorganize and expand documentation about defining security requirements but contain no references to vulnerabilities, CVEs, or incident responses. The modifications focus on feature enhancements (pack management and document-based requirement generation) rather than addressing security flaws.

Diff

diff --git a/securityagent/latest/userguide/security-requirements.md b/securityagent/latest/userguide/security-requirements.md
index 844cf0279..40d0523ba 100644
--- a//securityagent/latest/userguide/security-requirements.md
+++ b//securityagent/latest/userguide/security-requirements.md
@@ -7 +7 @@
-OverviewEnable or disable managed security requirementsCustomize a managed security requirementCreate a custom security requirementEdit a custom security requirementEnable or disable custom security requirementsBest practices for defining security requirementsNext steps
+OverviewEnable or disable a managed packCreate a custom packAdd a security requirement manuallyCustomize an AWS-managed security requirementGenerate requirements by uploading documentsEdit a custom security requirementEnable or disable a packDelete a custom security requirementBest practices for defining security requirementsNext steps
@@ -11 +11 @@ OverviewEnable or disable managed security requirementsCustomize a managed secur
-Configure security requirements that AWS Security Agent uses to analyze your applications during design reviews and code reviews. You can enable AWS-managed requirements, customize them to fit your organization’s standards, or create custom requirements from scratch.
+Organize the security requirements that AWS Security Agent uses to analyze your applications into security requirement packs. A pack is a collection of security requirements. You can enable AWS-managed packs, create your own custom packs, and generate requirements for a custom pack by uploading your security documentation.
@@ -15 +15 @@ Configure security requirements that AWS Security Agent uses to analyze your app
-Security requirements define the security standards and policies that AWS Security Agent enforces when analyzing your applications. When you conduct design reviews or code reviews, AWS Security Agent evaluates your application against these requirements and identifies potential compliance issues.
+A security requirement defines a security standard or policy that AWS Security Agent evaluates your application against during design reviews and code reviews. When a design or code does not meet a requirement, AWS Security Agent reports a finding. Every security requirement belongs to a security requirement pack. Security requirements are shared across all Agent Spaces and evaluated during design and code reviews.
@@ -17 +17 @@ Security requirements define the security standards and policies that AWS Securi
-AWS Security Agent provides two types of security requirements:
+AWS Security Agent provides two types of packs, shown on separate tabs:
@@ -19 +19 @@ AWS Security Agent provides two types of security requirements:
-  * **Managed security requirements** – AWS-provided requirements based on industry standards and best practices. These requirements are ready to use and maintained by AWS.
+  * **Managed security requirements packs** – AWS-provided packs of security requirements based on industry standards and best practices. You can enable these packs instantly to evaluate against common security policies without custom configuration. The requirements in a managed pack are read-only. You can use an AWS-managed requirement as a template for a custom requirement. For the list of available managed packs, see [AWS managed security requirement packs](./security-requirement-managed-packs.html).
@@ -21 +21 @@ AWS Security Agent provides two types of security requirements:
-  * **Custom security requirements** – Requirements you define and maintain to address your organization’s specific security policies and standards.
+  * **Custom security requirements packs** – Packs that you create to enforce your organization’s specific policies and standards. You build the requirements in a custom pack from scratch, customize AWS-managed requirements as a starting point, or generate them by uploading your security documentation.
@@ -26 +26 @@ AWS Security Agent provides two types of security requirements:
-You can customize managed requirements by creating a copy that you can modify, or create entirely new requirements tailored to your needs.
+###### Note
@@ -28 +28,3 @@ You can customize managed requirements by creating a copy that you can modify, o
-###### Tip
+The compliance framework packs are designed to help identify security requirements that may be relevant for compliance with certain frameworks. They do not assess your compliance or guarantee that you will pass an audit.
+
+You enable and disable packs as a unit. When a pack is enabled, AWS Security Agent evaluates your applications against the requirements in that pack during design and code reviews.
@@ -30 +32,3 @@ You can customize managed requirements by creating a copy that you can modify, o
-Click on any managed security requirement to view its full definition, including applicability criteria, compliance evaluation details, and remediation guidance.
+###### Note
+
+Enabling or disabling a pack applies to new design reviews and code reviews. Existing reviews are not affected.
@@ -32 +36 @@ Click on any managed security requirement to view its full definition, including
-## Enable or disable managed security requirements
+## Enable or disable a managed pack
@@ -34 +38 @@ Click on any managed security requirement to view its full definition, including
-Enable AWS-managed security requirements to enforce industry-standard security policies in your design and code reviews. You can enable multiple requirements at once and disable them when they’re no longer needed.
+Enable an AWS-managed pack to evaluate your applications against a set of AWS-maintained security requirements. Disable it when you no longer need it.
@@ -40 +44 @@ Enable AWS-managed security requirements to enforce industry-standard security p
-  3. Choose the **Managed security requirements** tab.
+  3. Choose the **Managed security requirements packs** tab.
@@ -42 +46 @@ Enable AWS-managed security requirements to enforce industry-standard security p
-  4. Select the checkbox next to one or more security requirements you want to enable or disable.
+  4. Select the pack you want to enable or disable.
@@ -46 +50,3 @@ Enable AWS-managed security requirements to enforce industry-standard security p
-    1. To enable the selected requirements, choose **Enable**.
+    1. To enable the pack, choose **Enable pack**.
+
+    2. To disable the pack, choose **Disable pack**.
@@ -48 +53,0 @@ Enable AWS-managed security requirements to enforce industry-standard security p
-    2. To disable the selected requirements, choose **Disable**.
@@ -50 +55,21 @@ Enable AWS-managed security requirements to enforce industry-standard security p
-  6. Verify the change in the **Status** column, which displays **Enabled** or **Disabled**.
+
+
+###### Tip
+
+Choose a pack to view the security requirements it contains. Choose a requirement to view its full definition, including its applicability, compliance criteria, and remediation guidance.
+
+## Create a custom pack
+
+Create a custom pack to group security requirements that are specific to your organization. After you create the pack, add requirements to it manually, customize an AWS-managed requirement, or upload documents to generate requirements.
+
+  1. In the AWS console, navigate to AWS Security Agent.
+
+  2. In the navigation pane, choose **Security requirements**.
+
+  3. Choose the **Custom security requirements packs** tab.
+
+  4. Choose **Create security requirements pack**.
+
+  5. Enter a **Security requirement pack name** and an optional description.
+
+  6. Choose **Create security requirement pack**.
@@ -57 +82 @@ Enable AWS-managed security requirements to enforce industry-standard security p
-Enabled security requirements are immediately applied to new design reviews and code reviews. Existing reviews are not affected.
+After you create a pack, you can add or upload source documents to generate the security requirements for your pack.
@@ -59 +84 @@ Enabled security requirements are immediately applied to new design reviews and
-## Customize a managed security requirement
+## Add a security requirement manually
@@ -61 +86 @@ Enabled security requirements are immediately applied to new design reviews and
-Create a customized copy of an AWS-managed security requirement when you want to modify it to match your organization’s specific standards. The customized requirement becomes a custom security requirement that you can edit and maintain.
+Add a security requirement to a custom pack to define a security standard that AWS Security Agent enforces.
@@ -67 +92 @@ Create a customized copy of an AWS-managed security requirement when you want to
-  3. Choose the **Managed security requirements** tab.
+  3. Choose the **Custom security requirements packs** tab, and then choose the pack you want to add a requirement to.
@@ -69 +94 @@ Create a customized copy of an AWS-managed security requirement when you want to
-  4. Select the checkbox next to the security requirement you want to customize.
+  4. Choose **Add requirement manually**.
@@ -71 +96 @@ Create a customized copy of an AWS-managed security requirement when you want to
-###### Tip
+  5. Configure the following fields:
@@ -73 +98 @@ Create a customized copy of an AWS-managed security requirement when you want to
-You can only customize one requirement at a time. To customize multiple requirements, repeat this procedure for each one.
+    1. **Security requirement name** – Enter a descriptive name that identifies the security control, for example `enforce-encryption-at-rest` (maximum 80 characters).
@@ -75 +100 @@ You can only customize one requirement at a time. To customize multiple requirem
-  5. Choose **Customize**.
+    2. **Description** – Provide a brief description of what this security requirement checks (maximum 500 characters).
@@ -77 +102 @@ You can only customize one requirement at a time. To customize multiple requirem
-  6. AWS Security Agent opens a **Create custom security requirement** form pre-populated with the managed requirement’s content.
+    3. **Applicability** – Describe the scenarios, system types, or conditions where this security requirement should be evaluated. Include the scenarios where the requirement should be marked NOT_APPLICABLE (maximum 10,000 characters).
@@ -79 +104 @@ You can only customize one requirement at a time. To customize multiple requirem
-  7. (Optional) Edit any fields to customize the requirement for your organization’s needs.
+    4. **Compliance criteria** – Define what constitutes compliance versus non-compliance for this security requirement. Provide the indicators, examples, and technical details that AWS Security Agent looks for when it evaluates compliance (maximum 10,000 characters).
@@ -81 +106,3 @@ You can only customize one requirement at a time. To customize multiple requirem
-  8. Do one of the following:
+    5. **Remediation guidance** (Optional) – Provide guidance on how to fix violations, including links to your organization’s internal documentation or standards (maximum 10,000 characters).
+
+  6. Do one of the following:
@@ -85 +112 @@ You can only customize one requirement at a time. To customize multiple requirem
-    2. To create and immediately enable the requirement for all future security reviews, choose **Create and enable security requirement**.
+    2. To create the requirement and enable it, choose **Create and enable security requirement**.
@@ -92 +119 @@ You can only customize one requirement at a time. To customize multiple requirem
-Customizing a managed requirement creates an independent custom security requirement. Changes to the original managed requirement by AWS do not affect your custom version. Both the managed requirement and your custom version can be enabled simultaneously.
+A requirement is evaluated during security reviews only when the pack that contains it is enabled. To control whether a pack is evaluated, enable or disable the pack.
@@ -94 +121 @@ Customizing a managed requirement creates an independent custom security require
-## Create a custom security requirement
+## Customize an AWS-managed security requirement
@@ -96 +123 @@ Customizing a managed requirement creates an independent custom security require
-Create a custom security requirement from scratch to enforce security policies unique to your organization that aren’t covered by AWS-managed requirements.
+Create a custom security requirement that uses an AWS-managed requirement as its starting point. AWS Security Agent pre-populates the requirement details from the managed requirement, and you edit them to fit your organization.
@@ -102 +129 @@ Create a custom security requirement from scratch to enforce security policies u
-  3. Choose the **Custom security requirements** tab.
+  3. Choose the **Custom security requirements packs** tab, and then choose the custom pack to add the requirement to.
@@ -104 +131 @@ Create a custom security requirement from scratch to enforce security policies u
-  4. Choose **Create security requirement**.
+  4. Choose **Create custom security requirement**.
@@ -106 +133 @@ Create a custom security requirement from scratch to enforce security policies u
-  5. (Optional) To use a managed requirement as a template, in the **Customize a managed security requirement** section, search for and select a managed requirement.
+  5. To pre-populate the form, in the **Customize an AWS-managed security requirement** section, search for and select an AWS-managed requirement to use as a template.
@@ -108 +135 @@ Create a custom security requirement from scratch to enforce security policies u
-###### Tip
+  6. Edit any of the fields to fit your organization’s needs.
@@ -110 +137,3 @@ Create a custom security requirement from scratch to enforce security policies u
-Selecting a managed requirement pre-populates the form fields with that requirement’s details, which you can then modify to fit your needs.
+  7. Do one of the following:
+
+    1. To create the requirement without enabling it, choose **Create security requirement**.
@@ -112 +141 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-  6. In the **Security requirement details** section, configure the following fields:
+    2. To create and immediately enable the requirement, choose **Create and enable security requirement**.
@@ -114 +142,0 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-    1. **Security requirement name** – Enter a descriptive name that clearly identifies the security control (maximum 80 characters).
@@ -116 +143,0 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-    2. **Description** – Provide a concise summary of what this security requirement enforces and why it matters (maximum 500 characters).
@@ -118 +144,0 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-    3. **Applicability** – Define when this requirement applies by specifying the types of workloads, systems, or conditions where it’s relevant. Include specific scenarios where the requirement should be marked NOT_APPLICABLE (maximum 10,000 characters).
@@ -120 +146 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-    4. **Compliance criteria** – Define what makes a design or code compliant versus non-compliant. Provide specific indicators, examples, and technical details that AWS Security Agent should look for when evaluating compliance (maximum 10,000 characters).
+###### Note
@@ -122 +148 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-    5. **Remediation guidance** (Optional) – Provide step-by-step instructions for fixing violations, including specific technical details, configuration examples, and links to your organization’s internal documentation or standards (maximum 10,000 characters).
+Customizing an AWS-managed requirement creates an independent custom security requirement. Later changes to the AWS-managed requirement do not affect your custom version.
@@ -124 +150 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-  7. Do one of the following:
+## Generate requirements by uploading documents
@@ -126 +152 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-    1. To create the requirement without enabling it, choose **Create security requirement**.
+Generate the security requirements for a custom pack from your existing security documentation instead of writing each requirement by hand. AWS Security Agent reads the documents you upload, identifies the security-relevant content, and generates structured requirements that you can review and edit. For the full procedure, see [Generate security requirements from documents](./import-security-requirements.html). For guidance on what to include in the documents you upload, see [Prepare documents for requirement generation](./prepare-import-documents.html).
@@ -128 +154,19 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-    2. To create and immediately enable the requirement for all future security reviews, choose **Create and enable security requirement**.
+###### Important
+
+Uploading new source documents regenerates all requirements for the pack. Any existing requirements, including ones you added manually, are replaced.
+
+## Edit a custom security requirement
+
+Modify a custom security requirement to update its definition, criteria, or remediation guidance. You cannot edit the requirements in an AWS-managed pack.
+
+  1. In the AWS console, navigate to AWS Security Agent.
+
+  2. In the navigation pane, choose **Security requirements**.
+
+  3. Choose the **Custom security requirements packs** tab, and then choose the pack that contains the requirement.
+
+  4. Select the requirement you want to edit, and then choose **Edit custom security requirement**.
+
+  5. Update the requirement fields as needed. The security requirement name cannot be changed after creation.
+
+  6. Choose **Update security requirement**.
@@ -135 +179 @@ Selecting a managed requirement pre-populates the form fields with that requirem
-If you choose **Create security requirement** without enabling, the requirement appears in the Custom security requirements tab with a disabled status. You must manually enable it through the Custom security requirements tab before AWS Security Agent applies it to design and code reviews.
+Changes to a security requirement apply to new design reviews and code reviews. Existing reviews are not affected.
@@ -137 +181 @@ If you choose **Create security requirement** without enabling, the requirement
-## Edit a custom security requirement
+## Enable or disable a pack
@@ -139 +183 @@ If you choose **Create security requirement** without enabling, the requirement
-Modify an existing custom security requirement to update its definition, criteria, or remediation guidance.
+Enable or disable a security requirement pack to control whether AWS Security Agent evaluates the requirements it contains. You enable and disable packs as a unit.
@@ -145,3 +189 @@ Modify an existing custom security requirement to update its definition, criteri
-  3. Choose the **Custom security requirements** tab.
-
-  4. Select the custom security requirement you want to edit.
+  3. Choose the tab for the type of pack, and then select the pack.
@@ -149 +191 @@ Modify an existing custom security requirement to update its definition, criteri
-  5. From the _Actions_ menu, select **Edit**.
+  4. Do one of the following: