This article is a machine translation of the contents of the following URL, which I wrote in Japanese:
https://qiita.com/Nana_777/items/b5edfacdb00c3e9f6d17
Introduction
AWS services classified as Frontier Agents include "Kiro Autonomous Agent," "AWS Security Agent," and "AWS DevOps Agent."
Since I don't yet have access to "Kiro Autonomous Agent," this article will explain the setup procedures for starting to use "AWS Security Agent" and "AWS DevOps Agent."
AWS Security Agent and AWS DevOps Agent are services where AI agents autonomously support security and reliability from development to operations.
By using these two services, you can build a configuration that automatically reviews GitHub pull requests using "Security Agent" and a configuration that monitors and investigates incidents using "DevOps Agent."
What are AWS Security Agent / DevOps Agent?
Frontier Agents
AWS Security Agent and DevOps Agent are services provided by AWS that are classified as "Frontier Agents." Frontier agents are a new category of AI agents that differ from traditional AI assistants in their higher level of autonomy, possessing the following three characteristics:
- Autonomous: Once a goal is specified, the agent itself determines how to achieve it.
- Scalable: It can execute multiple tasks simultaneously and distribute the workload.
- Independent Operation: It can operate for hours to days without human intervention.
Currently, AWS offers three Frontier agents:
| Agent | Role |
|---|---|
| AWS Security Agent | Security verification throughout the entire development lifecycle |
| AWS DevOps Agent | Incident response, prevention, and operational improvement |
| Kiro Autonomous Agent | Autonomous execution of development tasks |
This article explains the setup procedures for the Security Agent and DevOps Agent.
AWS Security Agent
The AWS Security Agent is a service that automatically verifies the security of applications throughout the entire development lifecycle. It has three main functions:
- Design Security Review: Before writing code, verify the design documentation against the organization's security requirements.
- Code Security Review: Automatically analyze GitHub pull requests and provide vulnerability detection as pull request comments.
- Penetration Testing: Run attack scenarios on-demand against deployed applications to discover vulnerabilities and automatically generate fix pull requests.
AWS DevOps Agent
The AWS DevOps Agent is a service that autonomously resolves and prevents incidents. It has three main functions:
- Autonomous Incident Response: Immediately initiates investigation upon alert and identifies the root cause.
- Preventive Recommendations: Analyzes past incident patterns and suggests improvements to observability, infrastructure, and pipelines.
- Application Topology: Automatically maps and visualizes dependencies between resources.
Integration with GitHub
Both services work in conjunction with GitHub. The setup process is as follows:
Developer creates a pull request (PR) on GitHub
↓
Security Agent automatically detects the PR
↓
Security Agent posts a vulnerability report as a PR comment
↓
Developer fixes, merges, and deploys
↓
DevOps Agent detects the deployment and monitors by correlating code changes and metrics
The Security Agent operates as a GitHub App and automatically posts review comments on PRs and opens fix PRs. The DevOps Agent also operates as a GitHub App, but it is read-only and uses code changes and deployment history as material for incident investigations.
This article explains the setup procedure for achieving this integration.
AWS Security Agent Setup
Creating an Agent Space
First, create an Agent Space for your Security Agent. An Agent Space is a logical container that holds the repositories and configurations that the Security Agent can access.
1: Open "AWS Security Agent" in the AWS Management Console.
*As of March 29, 2026, this is available in "United States (Northern Virginia)".
2: Select "Create Agent Space".
*On the initial screen, select "Set up AWSSecurityAgent".
3: Enter a name for the Agent Space (Example: test-security-space-2026)
4: Select "Set up AWS SecurityAgent" to complete the creation.
Confirm that the Agent Space has been created.
Adding GitHub Integration
Next, connect Security Agent and GitHub.
1: Select the Agent Space you created.
2: Select "Enable code review".
3: Select "GitHub" from "Create a new registration" and then select "Next".
4: Click "Install and authenticate". You will be redirected to GitHub.
5: On the GitHub side, select the account or organization where you want to install the AWS Security Agent GitHub App.
6: Select the repositories you want to allow access to:
"All repositories": Allow access to all repositories
"Only select repositories": Select only specific repositories (recommended)
7: Select "Install and authorize"
8: You will be redirected to the AWS console. Enter your registration name and select Connect.
Enabling Code Review
Once GitHub integration is complete, enable code review.
1: Select "Enable Code Review" in Agent Space.
2: Select your connected GitHub Organization or user.
3: Select the repository to enable code review (select using the checkbox) and select "Connect".
4: Select code review settings:
Security requirement validation: Check compliance with custom security requirements
Security vulnerability findings: Detect common security vulnerabilities
Security requirements and vulnerability findings: Check both (recommended)
5: Confirm that the code review is ready.
Setting Organizational Security Requirements (Optional)
To make Security Agent code reviews more effective, you can define organization-specific security requirements.
1: Select "Security Requirements" in Agent Space.
2: Add a custom requirement (e.g., "API Resource Access Owner Check").
In this example, the requirement was defined as follows:
Security Requirement Name:
API Resource Access Owner Check
Description:
Verify that the requesting user is the owner of the resource when retrieving, updating, or deleting resources at an API endpoint.
Applicability:
Applies to all API endpoints that manage data per user. In particular, endpoints that access individual resources by specifying the resource ID in the path parameter (GET /resources/{id}, PUT /resources/{id}, DELETE /resources/{id}, etc.) are targeted.
Compliance Condition:
Compliance: Handlers that retrieve, update, or delete resources should compare the authenticated user's ID with the resource owner ID and return a 403 Forbidden if they do not match.
Non-Compliance: Implementations that retrieve resources from the database using only the resource ID in the path parameter and return a response without owner verification.
Corrective Guidance:
Add a check to compare the userId (owner ID) with the authenticated user's ID after retrieving the resource. If they do not match, return a 403 Forbidden response.
3: Create and enable the security requirement.
This setting is optional, but enabling it will allow the Security Agent to perform reviews in accordance with your team's standards.
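To make the "API Resource Access Owner Check" requirement concrete, here is an added example (not code from the article or from AWS) of a Lambda-style handler for GET /resources/{id}: the non-compliant pattern the requirement flags next to the compliant one that returns 403 Forbidden. It assumes an API Gateway REST event with a Cognito authorizer, so the caller's ID is read from requestContext.authorizer.claims.sub, and the per-user table is constructed in memory.

```python
import json

# Constructed sample data standing in for a per-user resource table.
RESOURCES = {
    "r-1": {"id": "r-1", "userId": "user-alice", "title": "Alice's note"},
    "r-2": {"id": "r-2", "userId": "user-bob", "title": "Bob's note"},
}


def _response(status, body):
    return {"statusCode": status, "body": json.dumps(body)}


def _caller_id(event):
    # Cognito 'sub' claim placed on the request by the API Gateway authorizer
    # (assumed event shape; adjust for HTTP API / JWT authorizer events).
    return event["requestContext"]["authorizer"]["claims"]["sub"]


def get_resource_noncompliant(event, context=None):
    # Non-compliance case from the requirement: looks the resource up by the
    # path id only and returns it, so any authenticated user can read any
    # other user's resource.
    resource = RESOURCES.get(event["pathParameters"]["id"])
    if resource is None:
        return _response(404, {"message": "not found"})
    return _response(200, resource)


def get_resource_compliant(event, context=None):
    # Compliance case: after retrieval, compare the resource owner ID (userId)
    # with the authenticated user's ID and return 403 Forbidden on mismatch.
    resource = RESOURCES.get(event["pathParameters"]["id"])
    if resource is None:
        return _response(404, {"message": "not found"})
    if resource["userId"] != _caller_id(event):
        return _response(403, {"message": "forbidden"})
    return _response(200, resource)


def make_event(resource_id, caller_sub):
    # Builds a minimal constructed API Gateway event for the handlers above.
    return {
        "pathParameters": {"id": resource_id},
        "requestContext": {"authorizer": {"claims": {"sub": caller_sub}}},
    }
```

The same owner comparison applies to the PUT and DELETE handlers named in the requirement's applicability section.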
Operation Verification
To verify that the setup was completed correctly, let's create a test PR.
1: Create a feature branch in the target repository.
2: Make some code changes and create a pull request (PR).
The Security Agent reviews the changes in the PR, so the PR must contain some change.
In this case, since the code was already on the branch, the change was adding a README file.
3: Check if Security Agent posts the review results as a comment on the PR.
The Security Agent and AmazonQ reviewed the PR automatically, and the comments appeared in this order:
AWS Security Agent: "The pull request is currently under review. Feedback will be submitted shortly."
↓
AmazonQ: "The additions to the README documentation are well-structured and appropriate. The use case correctly demonstrates the API authentication pattern using Cognito, and all sensitive information is protected with appropriate placeholders. No critical issues were identified."
↓
AWS Security Agent: "No issues were identified."
If the Security Agent comments are displayed, the setup is complete.
Please also conduct a human review, and if there are no problems, merge the PR.
*Although the branch intentionally contained vulnerable code beforehand, the review only focused on the content of this PR.
AWS DevOps Agent Setup
Creating an Agent Space
You also need to create an Agent Space for the DevOps Agent. The DevOps Agent's Agent Space is a container that defines the AWS accounts to be monitored, tool integrations, and access permissions.
1: Open "AWS DevOps Agent" in the AWS Management Console.
2: Select "Create Agent Space" (or "Start Setup" the first time) to create the Agent Space.
Since I am Japanese, I selected "Japanese" for the Agent response language so that the results would be returned in Japanese.
Adding GitHub Integration
Connect the DevOps Agent to GitHub. The DevOps Agent's GitHub integration is registered at the AWS account level and can be shared across multiple Agent Spaces.
1: Open the "Features" tab on the details screen of the DevOps Agent Agent Space you created.
2: Click "Add Source" in the "Pipeline" section.

3: Select "Register" for "GitHub".

4: Select connection type:
- User: Your personal GitHub account
- Organization: GitHub Organization
5: Clicking "Submit" will redirect you to GitHub.
6: Select the account to install the AWS DevOps Agent GitHub App.

7: Select the repository you want to allow access to.

8: Verify that the repository registered in the pipeline is displayed.

Difference from Security Agent: The DevOps Agent's GitHub App has read-only access to repositories. It receives deployment events and code changes and uses them for correlation analysis during incident investigations.
About Observability Tools
The DevOps Agent automatically gains access to Amazon CloudWatch within the same AWS account when creating an Agent Space. Since CloudWatch access permissions are included in the primary account's role settings, no additional connection configuration is required.
If you are using third-party tools such as Datadog, New Relic, Dynatrace, or Splunk, separate connection configuration is required. These can be added from the "Features" tab in the DevOps Agent.
Operation Verification
Verify that the setup was completed correctly.
Prerequisites: To check the topology and resource status of the DevOps Agent, some application must be deployed within your AWS account. If you haven't deployed one yet, please deploy your application first. The DevOps Agent currently operates in the US region, but it can also recognize resources from applications deployed in other regions, such as the Tokyo region.
1: Verify that the topology is built in the DevOps Agent Web App.
2: Ask a simple question in DevOps Agent Chat (e.g., "Please tell me the current status of the resources.").
If the topology is displayed and you receive a response in Chat, the setup is complete.
What you can do with DevOps Agent
In this chat, you can check various aspects of the deployed configuration with the AI.
It seems like it can be effectively used to check the system's contents and find areas for improvement.
For example, you can do the following:
Check Resource Details
If you ask, "Please tell me about the Lambda function [Lambda Name]," it returns details about that resource.
Vulnerability Assessment
If you ask, "Are there any vulnerabilities in the Lambda function's code?", it will provide you with a vulnerability assessment report.
Summary
This article explained the setup procedures for AWS Security Agent and DevOps Agent.
This setup enables the Security Agent to automatically review GitHub pull requests and identify vulnerabilities, while the DevOps Agent allows for the construction of application topologies, configuration verification, and incident monitoring and investigation.
We believe that applying SecurityAgent and DevOpsAgent can further improve the efficiency of security assessments and operational monitoring of deliverables. We will continue to share information about FrontierAgents in future articles.
References
What is AWS Security Agent?
https://docs.aws.amazon.com/securityagent/latest/userguide/what-is.html
About AWS DevOps Agent
https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent.html
Review code security findings in GitHub
https://docs.aws.amazon.com/securityagent/latest/userguide/review-code-findings-github.html
Public preview pricing and limits - AWS DevOps Agent
AWS Security Agent FAQs