tech-advisor / training /data /raw /aws-devops-agent-security.md
aslanconfig's picture
Initial commit: Tech Advisor fine-tuned on AWS DevOps Agent docs
975da6d
|
Raw
History Blame Contribute Delete
1.72 kB
# AWS DevOps Agent Security
## Multi-layered security
AWS DevOps Agent implements security at multiple layers with internal access controls limiting scope of actions.
## Agent Spaces
Primary security boundary. Each Agent Space operates independently with its own configurations, permissions, and data isolation.
## Regional processing and data flow
+ Data stored in Agent Space region
+ Inference processed within geography (EU in EU, US in US, Australia in Australia, Japan in Japan)
+ Cross-region inference for Singapore, Mumbai, Sao Paulo routes globally
## Identity and access management
+ IAM Identity Center (OAuth 2.0, sessions up to 12 hours)
+ External IdP (Okta, Microsoft Entra ID)
+ IAM authentication link (10-minute sessions)
## Data protection
+ Encryption at rest with AWS-managed or customer-managed KMS keys
+ Encryption in transit for all data
+ PII not filtered - recommended to redact before storing in logs
## Agent journal and audit logging
+ Logs every reasoning step and action
+ Immutable once recorded
+ CloudTrail integration for all API calls
## Prompt injection protection
+ Limited write capabilities (only tickets/support cases)
+ Account boundary enforcement
+ AI safety protections (ASL-3)
+ Immutable audit trail
## Integration security
+ Native bidirectional integrations
+ MCP servers (OAuth 2.0, API keys)
+ Webhook triggers (HMAC)
+ Outbound communication (Slack, ticketing)
## Shared responsibility model
**AWS:** Security of retrieved data, native tools, infrastructure
**Customer:** User access management, trusted data sources, MCP server security, IAM role scoping, PII redaction
## Data usage
AWS does not use agent data to train models or improve the product.