AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation medium

File: prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-agents.md

Summary

Added survey link, updated image reference paths, modified heading formatting, and removed internal documentation links

Security assessment

While the document discusses security considerations for RAG implementations, the changes themselves are primarily formatting adjustments, image path updates, and navigation element modifications. The security content remains unchanged except for link removal, which doesn't introduce new security documentation or address vulnerabilities.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-agents.md b/prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-agents.md
index 43ffafb37..8111b749e 100644
--- a//prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-agents.md
+++ b//prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-agents.md
@@ -10,0 +11,3 @@ RationaleSecurity considerationsRemediationsRecommended AWS services
+Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua).  
+---  
+  
@@ -13 +16 @@ RationaleSecurity considerationsRemediationsRecommended AWS services
-RAG enables the LLM to provide up-to-date, context-specific responses by dynamically pulling relevant information from enterprise data sources. However, this integration introduces critical security challenges. Securing RAG implementations requires extending defense-in-depth principles from [Capability 1](./gen-ai-model-inference.html) and [Capability 2](./gen-ai-rag.html) to address how LLMs securely use data from external sources. The following diagram illustrates recommended AWS services for the Generative AI account RAG capability.
+RAG enables the LLM to provide up-to-date, context-specific responses by dynamically pulling relevant information from enterprise data sources. However, this integration introduces critical security challenges. Securing RAG implementations requires extending defense-in-depth principles from Capability 1 and Capability 2 to address how LLMs securely use data from external sources. The following diagram illustrates recommended AWS services for the Generative AI account RAG capability.
@@ -15 +18 @@ RAG enables the LLM to provide up-to-date, context-specific responses by dynamic
-![AWS services for the Generative AI account RAG capability.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/gen-ai-rag.jpeg)
+![Recommended services for the Generative AI account RAG capability.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/guide-img/a349f18f-a9fd-43a3-9a48-27534bf6412a/images/79ec66a6-987a-4982-842f-c5e2062b5bea.jpeg)
@@ -42 +45 @@ RAG systems face the following unique security risks:
-###### Design considerations
+**Design considerations**
@@ -44 +47 @@ RAG systems face the following unique security risks:
-Avoid customizing an FM with sensitive data (for more information, see [Capability 2](./gen-ai-rag.html)). Instead, use the RAG technique to interact with sensitive information. RAG provides the following advantages:
+Avoid customizing an FM with sensitive data (for more information, see Capability 2). Instead, use the RAG technique to interact with sensitive information. RAG provides the following advantages:
@@ -211 +214 @@ Use Amazon Macie to detect and generate alerts on potential sensitive data in Am
-This section discusses the AWS services that are recommended to build this capability securely. In addition to the services in this section, use Amazon CloudWatch and AWS CloudTrail as explained in [Capability 2](./gen-ai-rag.html).
+This section discusses the AWS services that are recommended to build this capability securely. In addition to the services in this section, use Amazon CloudWatch and AWS CloudTrail as explained in Capability 2.
@@ -247 +250 @@ Amazon Comprehend integrates with AWS CloudTrail, which captures API calls for A
-Macie identifies [sensitive data](https://docs.aws.amazon.com/macie/latest/user/data-classification.html) in your knowledge bases that is stored as data sources, model invocation logs, and prompt stores in Amazon S3 buckets. For Macie security best practices, see the _Amazon Macie_ section in [Capability 2](./gen-ai-rag.html).
+Macie identifies [sensitive data](https://docs.aws.amazon.com/macie/latest/user/data-classification.html) in your knowledge bases that is stored as data sources, model invocation logs, and prompt stores in Amazon S3 buckets. For Macie security best practices, see the _Amazon Macie_ section in Capability 2.