New AWS Security Agent secures applications proactively from design to deployment (preview)


Today, we're announcing AWS Security Agent in preview, a frontier agent that proactively secures your applications throughout the development lifecycle. It conducts automated application security reviews tailored to your organizational requirements and delivers context-aware penetration testing on demand. By continuously validating application security from design to deployment, it helps prevent vulnerabilities early in development.

Static application security testing (SAST) tools examine code without runtime context, while dynamic application security testing (DAST) tools assess running applications without application-level context. Both types of tools are one-dimensional because they don't understand your application context: how your application is designed, what security threats it faces, and where and how it runs. This forces security teams to manually review everything, creating delays. Penetration testing is even slower: you either wait weeks for an external vendor or for your internal security team to find time. When every application requires a manual security review and penetration test, the backlog grows quickly. Applications wait weeks or months for security validation before they can launch. This creates a gap between the frequency of software releases and the frequency of security evaluations. Security isn't applied to the entire portfolio of applications, leaving customers exposed and teams knowingly shipping vulnerable code to meet deadlines. Over 60 percent of organizations update web applications weekly or more often, while nearly 75 percent test web applications monthly or less often. A 2025 report from Checkmarx found that 81 percent of organizations knowingly deploy vulnerable code to meet delivery deadlines.

AWS Security Agent is context-aware: it understands your entire application, including your application design, your code, and your specific security requirements. It continuously scans for security violations automatically and runs penetration tests on demand, without scheduling. The penetration testing agent creates a customized attack plan informed by the context it has learned from your security requirements, design documents, and source code, and dynamically adapts as it runs based on what it discovers, such as endpoints, status and error codes, and credentials. This helps surface deeper, more sophisticated vulnerabilities before production, so that your application can be validated before it launches without delays or surprises.

“SmugMug is excited to add AWS Security Agent to our automated security portfolio. AWS Security Agent transforms our security ROI by enabling pen test assessments that complete in hours rather than days, at a fraction of manual testing costs. We can now assess our services more frequently, dramatically reducing the time to identify and address issues earlier in the software development lifecycle,” says Erik Giberti, Sr. Director of Product Engineering at SmugMug.

Get started with AWS Security Agent

AWS Security Agent provides design security review, code security review, and on-demand penetration testing capabilities. Design and code review check organizational security requirements that you define, and penetration testing learns application context from source code and specifications to identify vulnerabilities. To get started, navigate to the AWS Security Agent console. The console landing page provides an overview of how AWS Security Agent delivers continuous security evaluation across your development lifecycle.

The Get started with AWS Security Agent panel on the right side of the landing page guides you through initial configuration. Choose Set up AWS Security Agent to create your first agent space and begin performing security reviews on your applications.

Provide an Agent space name to identify which agent you're interacting with across different security assessments. An agent space is an organizational container that represents a distinct application or project you want to secure. Each agent space has its own testing scope, security configuration, and dedicated web application domain. We recommend creating one agent space per application or project to maintain clear boundaries and organized security assessments. You can optionally add a Description to provide context about the agent space's purpose for other administrators.

When you create the first agent space in the AWS Management Console, AWS creates the Security Agent Web Application. The Security Agent Web Application is where users conduct design reviews and execute penetration tests within the boundaries established by administrators in the console. Users select which agent space to work in when conducting design reviews or executing penetration tests.

During the setup process, AWS Security Agent offers two options for managing user access to the Security Agent Web Application: Single Sign-On (SSO) with IAM Identity Center, which enables team-wide SSO access by integrating with AWS IAM Identity Center, or IAM users, which allows only AWS Identity and Access Management (IAM) users of this AWS account to access the Security Agent Web Application directly through the console and is best for quick setup or access without SSO configuration. When you choose the SSO option, AWS Security Agent creates an IAM Identity Center instance to provide centralized authentication and user management for AppSec team members who will access design reviews, code reviews, and penetration testing capabilities through the Security Agent Web Application.

The permissions configuration section helps you control how AWS Security Agent accesses other AWS services, APIs, and accounts. You can create a default IAM role that AWS Security Agent will use to access resources, or choose an existing role with appropriate permissions. As with any service role, scope it to the accounts and resources the agent actually needs to review and test rather than granting broad access.

After completing the initial configuration, choose Set up AWS Security Agent to create the agent.

After creating an agent space, the agent configuration page displays three capability cards: Design review, Code review, and Penetration testing. Security requirements are not required for penetration testing, but if you plan to use the design review or code review capabilities, you can configure which security requirements will guide those assessments. AWS Security Agent includes AWS managed requirements, and you can optionally define custom requirements tailored to your organization. You can also manage which team members have access to the agent.

Security requirements

AWS Security Agent enforces organizational security requirements that you define so that applications comply with your team's policies and standards. Security requirements specify the controls and policies that your applications must follow during both the design and code review phases.

To manage security requirements, navigate to Security requirements in the navigation pane. These requirements are shared across all agent spaces and apply to both design and code reviews.

Managed security requirements are based on industry standards and best practices. These requirements are ready to use, maintained by AWS, and you can enable them immediately without configuration.

When creating a custom security requirement, you specify the control name and a description that defines the policy. For example, you might create a requirement called Network Segmentation Strategy Defined that requires designs to define clear network segmentation separating workload components into logical layers based on data sensitivity. Or you might define Short Session Timeouts for Privileged and PII Access to mandate specific timeout durations for administrative and personally identifiable information (PII) access. Another example is Customer-Managed Encryption Keys Required, which requires designs to specify customer managed AWS Key Management Service (AWS KMS) keys rather than AWS managed keys for encrypting sensitive data at rest. AWS Security Agent evaluates designs and code against the enabled requirements and identifies policy violations.

Design security review

The design review capability analyzes architectural documents and product specifications to identify security risks before code is written. AppSec teams upload design documents through the AWS Security Agent console or ingest them from S3 and other connected services. AWS Security Agent assesses compliance with organizational security requirements and provides remediation guidance.

Before conducting design reviews, confirm that you've configured the security requirements that AWS Security Agent will check. You can get started with AWS managed security requirements or define custom requirements tailored to your organization, as described in the Security requirements section.

To get started with Design review, choose Admin access under Web app access to open the web app interface. When logged in, choose Create design review. Enter a Design review name to identify the assessment (for example, the name of a new feature design that extends your application) and upload up to five design files. Choose Start design review to begin the assessment against your enabled security requirements.

After a design review completes, the design review detail page displays the review status, completion date, and files reviewed in the Details section. The Findings summary shows the count of findings across four compliance status categories:

  • Non-compliant – The design violates or inadequately addresses the security requirement.
  • Insufficient data – The uploaded files don't contain enough information to determine compliance.
  • Compliant – The design meets the security requirement based on the uploaded documentation.
  • Not applicable – The security requirement's relevance criteria indicate that it doesn't apply to this system design.

The Findings summary section helps you quickly assess which security requirements need attention. Non-compliant findings require updates to your design documents, while Insufficient data findings indicate gaps in the documentation where security teams should work with application teams to gather more clarity before AWS Security Agent can complete the assessment.

The Files reviewed section displays all uploaded documents with options to view and download the original files.

The Review findings section lists each security requirement evaluated during the review along with its compliance status. In this example, the findings include Network Segmentation Strategy Defined, Customer-Managed Encryption Keys Required, and Short Session Timeouts for Privileged and PII Access. These are the custom security requirements defined earlier in the Security requirements section. You can search for specific security requirements or filter findings by compliance status to focus on items that require action.

When you choose a specific finding, AWS Security Agent displays a detailed justification explaining the compliance status and provides recommended remediation steps. This context-aware assessment helps you understand security issues specific to your design rather than generic security guidance. For designs with non-compliant findings, you can update your documentation to address the security requirements and create a new design review to validate the improvements. You can also choose Clone this design review to create a new assessment based on the current configuration, or choose Download report to export the complete findings for sharing with your team.

After validating that your application design meets organizational security requirements, the next step is enforcing those same requirements as developers write code.

Code security review

The code review capability analyzes pull requests in GitHub to identify security vulnerabilities and organizational policy violations. AWS Security Agent detects OWASP Top Ten vulnerabilities such as SQL injection, cross-site scripting, and inadequate input validation. It also enforces the same organizational security requirements used in design review, checking code compliance with your team's policies beyond common vulnerabilities.

When your application checks in new code, AWS Security Agent verifies compliance with organizational security requirements that go beyond common vulnerabilities. For example, if your organization requires audit logs to be retained for only 90 days, AWS Security Agent identifies when code configures a 365-day retention period and comments on the pull request with the specific violation. This catches policy violations that traditional security tools miss because the code is technically functional and secure.
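As an added illustration of the kind of organizational check described here and in the Security requirements section above, the following Python evaluates a constructed CloudFormation template against two of the requirements this page names: audit log retention (assumed here to be exactly 90 days) and Customer-Managed Encryption Keys Required. This is example code written for this page, not AWS Security Agent's implementation or an AWS API; the template, the resource names, the requirement name for log retention, and the 90-day value are all assumptions. The statuses it reports mirror the compliance categories the design review uses.

```python
import json

# Organizational policy values assumed for this example.
AUDIT_LOG_RETENTION_DAYS = 90
NON_COMPLIANT, COMPLIANT, INSUFFICIENT = "Non-compliant", "Compliant", "Insufficient data"

# Constructed CloudFormation template used as sample input (not from the page).
TEMPLATE = json.loads(r"""
{
  "Parameters": {"RetentionParam": {"Type": "Number"}},
  "Resources": {
    "AuditLogs":    {"Type": "AWS::Logs::LogGroup",
                     "Properties": {"LogGroupName": "/app/audit", "RetentionInDays": 365}},
    "AppLogs":      {"Type": "AWS::Logs::LogGroup",
                     "Properties": {"LogGroupName": "/app/requests", "RetentionInDays": 90}},
    "DebugLogs":    {"Type": "AWS::Logs::LogGroup",
                     "Properties": {"RetentionInDays": {"Ref": "RetentionParam"}}},
    "DataKey":      {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {}}},
    "CmkBucket":    {"Type": "AWS::S3::Bucket",
                     "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                       {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                          "KMSMasterKeyID": {"Ref": "DataKey"}}}]}}},
    "AwsKeyBucket": {"Type": "AWS::S3::Bucket",
                     "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                       {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "PlainBucket":  {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")


def check_audit_log_retention(name, props):
    """Requirement (name assumed): log groups keep events for exactly AUDIT_LOG_RETENTION_DAYS."""
    days = props.get("RetentionInDays")
    if days is None:
        # No retention setting means events never expire.
        return NON_COMPLIANT, f"{name}: no RetentionInDays set, logs are retained indefinitely"
    if isinstance(days, dict):
        # Intrinsic function (Ref / Fn::*): the value is only known at deploy time.
        return INSUFFICIENT, f"{name}: RetentionInDays resolved at deploy time ({days})"
    if days != AUDIT_LOG_RETENTION_DAYS:
        return NON_COMPLIANT, f"{name}: RetentionInDays is {days}, policy requires {AUDIT_LOG_RETENTION_DAYS}"
    return COMPLIANT, f"{name}: RetentionInDays is {days}"


def check_customer_managed_key(name, props):
    """Requirement from the page: S3 default encryption uses a customer managed KMS key."""
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not rules:
        return NON_COMPLIANT, f"{name}: no BucketEncryption, bucket falls back to SSE-S3"
    for rule in rules:
        default = rule.get("ServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            return NON_COMPLIANT, f"{name}: SSEAlgorithm {default.get('SSEAlgorithm')!r} is not aws:kms"
        if not default.get("KMSMasterKeyID"):
            # SSE-KMS with no key ID silently uses the AWS managed key aws/s3.
            return NON_COMPLIANT, f"{name}: aws:kms without KMSMasterKeyID uses the AWS managed key"
    return COMPLIANT, f"{name}: SSE-KMS with a customer managed key"


CHECKS = {
    "AWS::Logs::LogGroup": ("Audit Logs Retained 90 Days", check_audit_log_retention),
    "AWS::S3::Bucket": ("Customer-Managed Encryption Keys Required", check_customer_managed_key),
}


def evaluate(template):
    """Return one (requirement, resource, status, detail) row per resource a check applies to."""
    findings = []
    for name, resource in template["Resources"].items():
        check = CHECKS.get(resource.get("Type"))
        if check is None:
            continue  # no requirement covers this resource type
        requirement, fn = check
        status, detail = fn(name, resource.get("Properties", {}))
        findings.append((requirement, name, status, detail))
    return findings


def statuses(template):
    """Map resource name -> compliance status."""
    return {name: status for _, name, status, _ in evaluate(template)}


def summarize(findings):
    """Count findings per compliance status, like the findings summary on the review page."""
    counts = {}
    for _, _, status, _ in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    rows = evaluate(TEMPLATE)
    for row in rows:
        print(" | ".join(row))
    print(summarize(rows))
```

The interesting rows are the two that a vulnerability-oriented scanner would never flag: the 365-day log group is perfectly secure code that simply violates policy, and the `aws:kms` bucket without a `KMSMasterKeyID` looks encrypted but uses the AWS managed key rather than a customer managed one. The parameterized retention value shows why a static check sometimes has to report "Insufficient data" rather than guess.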

To enable code review, choose Enable code review on the agent configuration page and connect your GitHub repositories. You can enable code review for specific repositories, or connect repositories without enabling code review if you want to use them only as penetration testing context.

For detailed setup instructions, visit the AWS Security Agent documentation.

On-demand penetration testing

The on-demand penetration testing capability executes comprehensive security testing to discover and validate vulnerabilities through multistep attack scenarios. AWS Security Agent systematically discovers the application's attack surface through reconnaissance and endpoint enumeration, then deploys specialized agents to execute security testing across 13 risk categories, including authentication, authorization, and injection attacks. When provided with source code, API specifications, and business documentation, AWS Security Agent builds deeper context about the application's architecture and business rules to generate more targeted test cases. It adapts testing based on application responses and adjusts attack strategies as it discovers new information during the assessment.

AWS Security Agent tests web applications and APIs against OWASP Top Ten vulnerability types, identifying exploitable issues that static analysis tools miss. For example, while dynamic application security testing (DAST) tools look for direct server-side template injection (SSTI) payloads, AWS Security Agent can combine SSTI attacks with error forcing and debug output analysis to execute more complex exploits. AppSec teams define their testing scope (target URLs, authentication details, threat models, and documentation) the same way they would brief a human penetration tester. Using this understanding, AWS Security Agent develops application context and autonomously executes sophisticated attack chains to discover and validate vulnerabilities. This turns penetration testing from a periodic bottleneck into a continuous security practice, reducing risk exposure.
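The SSTI probe chain the paragraph describes, as an added example written for this page (not AWS Security Agent's code): it first tests whether input is evaluated at all, then fingerprints the template engine, then forces an exception and mines the resulting debug output for the exception class and leaked source paths. The two targets are constructed stand-ins, not real HTTP endpoints: one emulates a Flask view that concatenates user input into a template string with debug mode on, the other the same view after the fix, where the input is passed as a template variable. They emulate only the probe payloads; the paths and line numbers in the fake traceback are invented.

```python
import html
import re

# Probe payloads of the kind a DAST scanner sends. REPETITION separates Jinja2,
# where 7*'7' is string repetition, from engines such as Twig, where it is 49.
ARITHMETIC = "{{7*7}}"
REPETITION = "{{7*'7'}}"
ERROR_FORCING = "{{ zzz_undefined.x }}"  # attribute access on an undefined name raises


def probe_ssti(send):
    """Probe a target via send(payload) -> (status_code, body) and report what was learned."""
    result = {"vulnerable": False, "engine": None, "exception": None,
              "debug_leak": [], "steps": []}

    # Step 1: is the input evaluated, or merely reflected (and possibly escaped)?
    status, body = send(ARITHMETIC)
    result["steps"].append(("arithmetic", status))
    if "49" not in body or ARITHMETIC in body:
        return result  # reflected verbatim: no template evaluation, stop here
    result["vulnerable"] = True

    # Step 2: fingerprint the engine by its type rules.
    status, body = send(REPETITION)
    result["steps"].append(("repetition", status))
    if "7777777" in body:
        result["engine"] = "jinja2"
    elif "49" in body:
        result["engine"] = "twig-like"

    # Step 3: force an exception and mine the debug output for leaked internals.
    status, body = send(ERROR_FORCING)
    result["steps"].append(("error-forcing", status))
    if status >= 500:
        result["debug_leak"] = sorted(set(re.findall(r'File "([^"]+)", line \d+', body)))
        match = re.search(r"([\w.]+(?:Error|Exception)): ", body)
        if match:
            result["exception"] = match.group(1)
    return result


def vulnerable_target(payload):
    """Constructed stand-in for render_template_string("Hello " + name) with
    Flask debug mode on. It emulates only the three probe payloads; the
    traceback text below is invented (a real Werkzeug debug page is HTML)."""
    if payload == ARITHMETIC:
        return 200, "<h1>Hello 49</h1>"
    if payload == REPETITION:
        return 200, "<h1>Hello 7777777</h1>"
    if payload == ERROR_FORCING:
        return 500, (
            "Traceback (most recent call last):\n"
            '  File "/srv/app/views.py", line 42, in greet\n'
            '    return render_template_string("Hello " + name)\n'
            '  File "/usr/lib/python3.11/site-packages/jinja2/environment.py", line 1301, in render\n'
            "jinja2.exceptions.UndefinedError: 'zzz_undefined' is undefined\n"
        )
    return 200, "<h1>Hello " + payload + "</h1>"


def hardened_target(payload):
    """Stand-in for the fixed view, render_template_string("Hello {{ name }}", name=name):
    the input is template data, so it is autoescaped and never evaluated."""
    return 200, "<h1>Hello " + html.escape(payload) + "</h1>"


if __name__ == "__main__":
    print(probe_ssti(vulnerable_target))
    print(probe_ssti(hardened_target))
```

Against the vulnerable target the chain reports evaluation, a Jinja2 fingerprint, the `UndefinedError` class, and two leaked file paths that a follow-up exploit could use to target application code and a known Jinja2 version; against the hardened target it stops after the first probe. The fix is the usual one: never build the template string from user input, and keep debug mode off outside development so error forcing yields nothing.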

To enable penetration testing, choose Enable penetration test on the agent configuration page. You can configure target domains, VPC settings for private endpoints, authentication credentials, and additional context sources such as GitHub repositories or S3 buckets. You must verify ownership of each domain before AWS Security Agent can run penetration testing. Because the agent actively executes attack chains against the target, point it at a staging environment with test credentials rather than at production data wherever you can.

After enabling the capability, create and run penetration tests through the AWS Security Agent Web Application. For detailed setup and configuration instructions, visit the AWS Security Agent documentation.

After creating and running a penetration test, the detail page provides an overview of test execution and results. You can run new tests or modify the configuration from this page. The page displays information about the latest execution, including start time, status, duration, and a summary of discovered vulnerabilities categorized by severity. You can also view a history of all previous test runs with their findings summaries.

For each run, the detail page provides three tabs. The Penetration test run overview tab displays high-level information about the execution, including duration and overall status. The Penetration test logs tab lists all tasks executed during the penetration test, providing visibility into how AWS Security Agent discovered vulnerabilities, including the security testing actions performed, application responses, and the reasoning behind each test. The Findings tab displays all discovered vulnerabilities with full details, including descriptions, attack reasoning, steps to reproduce, impact, and remediation guidance.

Join the preview

To get started with AWS Security Agent, visit the AWS Security Agent console and create your first agent to begin automating design reviews, code reviews, and penetration testing across your development lifecycle. During the preview period, AWS Security Agent is free of charge.

AWS Security Agent is available in the US East (N. Virginia) Region.

To learn more, visit the AWS Security Agent product page and technical documentation.

— Esra
