AWS securityagent documentation change
Summary
Updated cross-region inference documentation with detailed processing locations, added distinction between geographic and global inference types, specified region-specific behaviors, and clarified data encryption during transit.
Security assessment
The changes enhance documentation about data residency and encryption during cross-region processing, which are security features. However, there's no evidence of a specific security vulnerability being addressed. The updates provide clearer security best practices regarding data location and encryption.
Diff
diff --git a/securityagent/latest/userguide/security-best-practices.md b/securityagent/latest/userguide/security-best-practices.md index 9e80727bd..2b5e3d1f8 100644 --- a//securityagent/latest/userguide/security-best-practices.md +++ b//securityagent/latest/userguide/security-best-practices.md @@ -108 +108 @@ Accessible URLs specify additional endpoints that the penetration testing enviro -AWS Security Agent will automatically select the optimal region to process your inference requests. This maximizes available compute resources, model availability, and delivers the best customer experience. Your data will remain stored only in the region where the request originated, however, input prompts and output results may be processed outside that region. All data will be transmitted encrypted across Amazon’s secure network. +AWS Security Agent automatically selects the optimal Region to process your inference requests. This maximizes available compute resources, model availability, and delivers the best customer experience. Your data remains stored only in the Region where the request originated; however, input prompts and output results might be processed outside that Region. We transmit all data encrypted across the AWS network. @@ -110 +110,12 @@ AWS Security Agent will automatically select the optimal region to process your -The following table describes where your inference requests are processed based on the geography where the request originated and the feature used. +AWS Security Agent uses two types of cross-region inference depending on the Region: + + * **Geographic cross-region inference** – Keeps data processing within specific geographic boundaries (such as US, EU, Australia, or Japan) for most features. For [Code Remediation](remediate-code-scan-findings.html), requests from Australia and Japan are processed in the European Union. Used in US East (N. Virginia) – `us-east-1`, US West (Oregon) – `us-west-2`, Asia Pacific (Sydney) – `ap-southeast-2`, Asia Pacific (Tokyo) – `ap-northeast-1`, Europe (Frankfurt) – `eu-central-1`, and Europe (Ireland) – `eu-west-1`. + + * **Global cross-region inference** – Routes inference requests to any [commercial AWS Region](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html#region), optimizing available resources and enabling higher model throughput. Used in Asia Pacific (Mumbai) – `ap-south-1`, Asia Pacific (Singapore) – `ap-southeast-1`, and South America (São Paulo) – `sa-east-1`. + + + + +For Regions using global cross-region inference, input prompts and output results might be processed in any [commercial AWS Region](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html#region). All data transmitted during cross-region operations remains on the AWS network and does not traverse the public internet. We encrypt data in transit between AWS Regions. + +The following table describes where your inference requests are processed based on the Region where the request originated and the feature used. @@ -114,6 +125,9 @@ Request origin | All features except Code Remediation | [Code Remediation](reme -European Union | European Union | European Union -United States | United States | United States -Australia | Australia | European Union -Japan | Japan | European Union - -Cross-Region inference is always enabled and cannot be opted out of. Cross-region inference is not impacted by customer policies in Service Control Policies (SCPs) or Control Tower that restrict customer content to specific regions. +United States — US East (N. Virginia) – `us-east-1`, US West (Oregon) – `us-west-2` | United States | United States +European Union — Europe (Ireland) – `eu-west-1`, Europe (Frankfurt) – `eu-central-1` | European Union | European Union +Australia — Asia Pacific (Sydney) – `ap-southeast-2` | Australia | European Union +Japan — Asia Pacific (Tokyo) – `ap-northeast-1` | Japan | European Union +South America — South America (São Paulo) – `sa-east-1` | Any commercial AWS Region | Any commercial AWS Region +India — Asia Pacific (Mumbai) – `ap-south-1` | Any commercial AWS Region | Any commercial AWS Region +Southeast Asia — Asia Pacific (Singapore) – `ap-southeast-1` | Any commercial AWS Region | Any commercial AWS Region + +Cross-Region inference is always enabled and cannot be opted out of. Cross-Region inference is not impacted by customer policies in Service Control Policies (SCPs) or AWS Control Tower that restrict customer content to specific Regions. For more information about how AWS Security Agent protects your data during cross-Region processing, see [Cross-Region data processing](./data-protection.html).