AWS Security ChangesHomeSearch

AWS securityagent documentation change

Service: securityagent · 2026-07-01 · Documentation low

File: securityagent/latest/userguide/data-protection.md

Summary

Added 'Cross-Region data processing' section detailing data handling across regions

Security assessment

Documents security controls for cross-region data processing (encryption in transit, AWS network isolation) but doesn't indicate any security vulnerability fix.

Diff

diff --git a/securityagent/latest/userguide/data-protection.md b/securityagent/latest/userguide/data-protection.md
index 217ca957f..217441feb 100644
--- a//securityagent/latest/userguide/data-protection.md
+++ b//securityagent/latest/userguide/data-protection.md
@@ -7 +7 @@
-Encryption at restEncryption in transitKey managementInternetwork traffic privacyData deletion
+Encryption at restEncryption in transitKey managementInternetwork traffic privacyCross-Region data processingData deletion
@@ -73,0 +74,15 @@ In the default configuration, AWS Security Agent uses the public internet to rea
+## Cross-Region data processing
+
+AWS Security Agent uses [cross-region inference](https://docs.aws.amazon.com/bedrock/latest/userguide/cross-region-inference.html) to optimize available compute resources and model availability. Depending on the Region where the request originates, we might process input prompts and output results in a different Region.
+
+  * In US East (N. Virginia) – `us-east-1`, US West (Oregon) – `us-west-2`, Asia Pacific (Sydney) – `ap-southeast-2`, Asia Pacific (Tokyo) – `ap-northeast-1`, Europe (Frankfurt) – `eu-central-1`, and Europe (Ireland) – `eu-west-1`, AWS Security Agent uses [geographic cross-region inference](https://docs.aws.amazon.com/bedrock/latest/userguide/geographic-cross-region-inference.html). For most features, data processing remains within the geographic boundary (such as US, EU, Australia, or Japan) where the request originated. For Code Remediation, requests from Australia and Japan are processed in the European Union. For feature-specific routing details, see the [Cross Region Inference table](./security-best-practices.html).
+
+  * In Asia Pacific (Mumbai) – `ap-south-1`, Asia Pacific (Singapore) – `ap-southeast-1`, and South America (São Paulo) – `sa-east-1`, AWS Security Agent uses [global cross-region inference](https://docs.aws.amazon.com/bedrock/latest/userguide/global-cross-region-inference.html). We might process input prompts and output results in any [commercial AWS Region](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html#region).
+
+
+
+
+In all cases, your data remains stored only in the Region where the request originated. All data transmitted during cross-Region operations remains on the AWS network and does not traverse the public internet. We encrypt data in transit between AWS Regions.
+
+Cross-Region inference is always enabled and cannot be opted out of. For details on which Regions process requests for each feature, see the Cross Region Inference section in [Security best practices for AWS Security Agent](./security-best-practices.html).
+